AS11296 -- Hijacked?

George Bonser gbonser at seven.com
Fri Oct 1 06:34:16 UTC 2010



> -----Original Message-----
> From: Ronald F. Guilmette [mailto:rfg at tristatelogic.com]
> Sent: Thursday, September 30, 2010 10:48 PM
> To: nanog at nanog.org
> Subject: Re: AS11296 -- Hijacked?
> ================================================================
> 63.247.172.3
> 	ns1.tooplacedomain10tht.info
> 63.247.172.4
> 	ns2.tooplacedomain10tht.info
> 63.247.181.3
> 	ns1.steadyvolumebandw57.info
> 63.247.181.4
> 	ns2.steadyvolumebandw57.info
> 63.247.185.19
> 	ns1.magnumfourcompkriel.info
> 63.247.185.20
> 	ns2.magnumfourcompkriel.info

...

I would take more of an Occam's razor approach.  If you have an AS that
is supposedly an ISP in North Carolina or Ohio or wherever and first of
all have only one way into their network (are they an ISP or are they
simply reselling someone else's service?) and none of that connectivity
traces back to their region of operation, and particularly where their
name has been bought by or merged with someone else and that someone
else is not announcing their AS and address blocks, then that is
certainly cause for suspicion.    "Hijacking" of defunct resources is
probably a widespread activity.  Finding the hijacked resources of
companies that liquidated in fairly public fashion is probably easier
than finding resources for a company that has been "laundered" through
several mergers over several years where the current company doesn't
even realize that they "own" the resources of a company bought by a
company they bought because of personnel turnover involved with layoffs
and such.

To the general population of this list:  Have you worked for a company
that has liquidated?  Are those Internet resource registrations still in
whois?  Maybe you should inform ARIN so those resources can be
reclaimed.  I did that when I noticed that a company I once worked for
that evaporated still had resources in the database.  That is just
ASKING for someone to announce those resources and nobody is probably
going to blink an eye because the upstreams rarely check to see if the
entity they are talking to are actually authorized to announce that
space.  You tell them the ASN and net blocks, the two jibe, upstream
says OK.  

How much address space is being wasted in this way?

G







More information about the NANOG mailing list