AS27626, AS6061, AS10392, AS11296 - Hijacks Gone Wild!

Ronald F. Guilmette rfg at
Fri Oct 1 07:14:22 UTC 2010

[[ NOTE:  This information is being made available to information content
   providers, or others, as part of the technical means to restrict access
   to material which may be deemed by some to be obscene, lewd, lascivious,
   filthy, excessively violent, harassing, or otherwise objectionable, in
   accordance with 47 USC 230(c)(2)(B). ]]

Whew!  Now that I got THAT out of the way...

I _had_ planned on dribbling out this info, one AS at a time, because I
thought that might yield a slightly more ponderous effect, but since
another big batch of this info was already made (semi-)public today on
another mailing list I'm on, there doesn't seem to be any real point in
dragging this out anymore.

So here is the whole enchilada...  at least with respect to THIS whole
interconnected mess.  (Yes, there are others.  We'll get to them.  Be

AS27626, aka Joytel of Jacksonville, Florida, would appear to be at the
heart of a rather sizable AS and IP block hijacking campaign, the likes
of which, in my experience, the net has never before seen.  I mean the
total amount of IP space that's been jacked may be smaller than some
past big-time hijacks, but this one takes the cake, I think, for the
number of separate different IP blocks involved... a number which has
actually even been growing steadily over the past week.  (These turkeys
appear to be in a race to corner the market on abandoned IP blocks.)

In addition to a metric buttload of jacked blocks being announced by
Joytel itself, AS27626, (see below) there are _three_ other ASes that
also appear to be jacked, and each of these also appears to be separately
announcing routes to yet more jacked IP blocks.  But all of these machinations
appear to be tied together, if in no other way, then at least by
the common thread of the same single common snowshoe spamming company
(in Victoria, BC) being the primary (but probably not the only) ultimate
beneficiary of all of this hijacking.

I have already reported here on two of these other ASes, i.e. AS11296 and
AS10392.  I now report on a third apparently hijacked AS, i.e. AS6061.  See
details below.

Note that the routes that were being announced by AS11296 have already
been withdrawn, but the old route announcements are still listed below,
for the sake of completeness.

Additionally, I am reporting here on three somewhat stealthy IP blocks
that appear to have been legitimately obtained by Joytel... two on Level3
and one on Cogent... all of which appear to me to be infested with/by
_some_ snowshoe spammer.  (Perhaps someone or something other than the 
previously mentioned company in Victoria, BC.  I haven't actually checked
that yet, one way or the other.)

As indicated below, the various blocks that I've annotated as "jacked"
are in fact, and exclusively, very old, and most probably abandoned
IP blocks.  That's why they were chosen, specifically, i.e. because it
was thought that nobody would miss them, and nobody would even notice
that they had been ``liberated''.  And that probably would have been
true, if it were not for the fact that some of them were then filled up
with snowshoe spam domains.  As I mentioned previously, spamming is
THE most public of crimes.  It's hard to make any money at it unless
you are annoying millions of people at a time, and thus alerting them
to your presence.  And when you do that, you are going to draw attention
to yourself, big time.

I'm not going to even make any sort of suggestion to people, this time,
as to what they might want to do with all of the information below, since
people gave me a hard time when I did that before.  So I'll just leave it
as this:  You are all clever people here.  Use your imagination.

I have included below a very partial NS dump for one of the blocks being
announced by AS10392 that shows some of the snowshoe pattern there.  If
people want to see the complete NS dumps for all of the blocks listed below,
so that they can independently verify the snowshoey-ness of all this stuff,
then ask and you shall receive.

One last thing... AS11296 (Interpath) was (is?) only connected to the net
via AS27524 (Xeex).  Since it is no longer announcing any routes, this is
moot, and a non-issue at this time.  Everything else you see below all
represents open issues.

I would like to especially beg, plead, and cajole any customers of AS3491,
aka Beyond The Network America, Inc. who may be reading this to PLEASE
contact your provider and demand an answer to this simple question:  WTF
do they think they are doing by peering with AS6061 and AS10392, and who
the bleep is actually writing them monthly checks for that?

Beyond The Network America, Inc. needs to answer for this too, since they
are unambiguously facilitating this ongoing crime.

As regards to the ongoing situation with AS27626, aka Joytel, you can
readily see here who is keeping _them_ alive and connected:

AS3356  -- Level3
AS33132 -- FPL FiberNet, LLC

If you are a customer of either of these providers, or even a peer, I do
encourage you to contact them, and ask them WTF they are thinking.  I, for
one, sure would like to know.


AS27626 (, Jacksonville, FL):
    NET-24-230-0-0-1       jacked - empty
    NET-68-67-64-0-1       legit -- GoRack, LLC (Jacksonville, FL)
    NET-192-100-5-0-1      jacked - empty
    NET-192-100-88-0-1     jacked - empty
    NET-192-100-134-0-1    jacked - empty
    NET-192-100-143-0-1    jacked - empty
    NET-192-101-177-0-1    jacked - empty
    NET-192-101-187-0-1    jacked - empty
    NET-192-235-32-0-1     jacked - empty
    NET-198-13-16-0-1      jacked - empty
    NET-198-14-16-0-1      jacked - empty
    NET-198-143-128-0-1    jacked - empty
    NET-198-183-32-0-1     jacked - mucho snowshoe ns
    NET-198-210-32-0-1     jacked - empty
    NET-198-241-64-0-1     jacked - mucho snowshoe ns
    NET-198-252-64-0-1     jacked - empty
    NET-199-34-128-0-1     jacked - empty
    NET-199-46-32-0-1      jacked - empty
    NET-199-84-64-0-1      jacked - empty
    NET-199-198-140-0-1    jacked - empty
    NET-204-48-64-0-1      jacked - empty
    NET-204-107-208-0-1    jacked - just two spammer ns'es
    NET-205-144-0-0-1      jacked - mucho snowshoe ns
    NET-206-224-160-0-1    jacked - empty
    NET-206-227-64-0-1     jacked - empty
    NET-208-93-220-0-1     Actually does belong to Joytel!
    NET-216-49-0-0-1       jacked - empty
    NET-216-245-64-0-1     jacked - empty

AS6061 (Datalytics, Inc - connected only via AS3491 -- Hijacked AS?):
    NET-198-187-64-0-1     jacked - mucho snowshoe ns
                           jacked - mucho snowshoe ns
                           jacked - empty
                           jacked - empty
    NET-209-201-128-0-1    jacked - empty
                           jacked - empty
                           jacked - empty
                           jacked - empty
                           jacked - empty
                           jacked - empty
                           jacked - empty
                           jacked - empty

AS10392 (GlassCity Internet, Inc. - connected only via AS3491):
    NET-192-171-64-0-1     jacked - some snowshoe
    NET-204-137-224-0-1    jacked - empty
    NET-205-164-0-0-1      jacked - mucho snowshoe ns
                           jacked - empty
                           jacked - empty
                           jacked - empty

AS11296 (Interpath - Routed only via AS27524 Xeex aka NR Software/Nishant Ramachandran):
    NET-63-247-160-0-1     jacked - empty
                           -- -- all MXes DoA
    NET-199-241-64-0-1     jacked - snowshoe ns @
                           -- no email!
    NET-206-226-64-0-1     jacked - snowshoe ns @206.226.96.{2,3} -- Grand Cayman 11-20-2009

Legitimate semi-stealth allocations:

Joytel on Level3: (snowshoe)
Joytel on Level3: (snowshoe)
Joytel on Cogent: (snowshoe)
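
[Added example, not part of the original post: one way an operator could check routes seen in their own tables against some of the blocks listed above. It assumes an ARIN NET handle of the form NET-a-b-c-d-n names a block starting at a.b.c.d; the handles give no block size, so a route is matched only when its prefix covers that start address. The sample routes, their prefix lengths and AS64500-AS64502 are constructed.]

```python
import ipaddress
import re

# AS numbers and ARIN NET handles copied from the post (subset of its "jacked" entries).
LISTED = {
    27626: ["NET-198-183-32-0-1", "NET-198-241-64-0-1", "NET-205-144-0-0-1"],
    6061: ["NET-198-187-64-0-1", "NET-209-201-128-0-1"],
    10392: ["NET-192-171-64-0-1", "NET-205-164-0-0-1"],
}
HANDLE_RE = re.compile(r"^NET-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})-\d+$")

def handle_start(handle):
    """Return the first address of the block named by a NET handle (assumed encoding)."""
    m = HANDLE_RE.match(handle)
    if not m:
        raise ValueError(f"not an IPv4 NET handle: {handle!r}")
    return ipaddress.IPv4Address(".".join(m.groups()))

def build_watchlist(listed):
    """Map each block's start address to (handle, AS the post saw announcing it)."""
    return {handle_start(h): (h, asn) for asn, hs in listed.items() for h in hs}

def check_routes(routes, watchlist):
    """Flag every (prefix, as_path) route whose prefix covers a listed block start."""
    findings = []
    for prefix, as_path in routes:
        if not as_path:
            continue  # no origin AS to attribute the route to
        net = ipaddress.ip_network(prefix, strict=False)
        for start, (handle, listed_asn) in watchlist.items():
            if start in net:
                findings.append({
                    "prefix": str(net), "handle": handle, "origin": as_path[-1],
                    "upstream": as_path[-2] if len(as_path) > 1 else None,
                    "origin_as_listed": as_path[-1] == listed_asn,
                })
    return findings

# Constructed sample routes: prefix lengths and AS64500-AS64502 are made up.
SAMPLE_ROUTES = [
    ("198.183.32.0/19", [64500, 3356, 27626]),
    ("205.164.0.0/18", [64500, 3491, 10392]),
    ("198.187.64.0/18", [64500, 64501]),   # listed block, different origin
    ("203.0.113.0/24", [64500, 64502]),    # unrelated prefix
]

if __name__ == "__main__":
    for finding in check_routes(SAMPLE_ROUTES, build_watchlist(LISTED)):
        print(finding)
```

A finding with `origin_as_listed` false means a listed block is now being originated by some other AS, which is worth a registry lookup before drawing any conclusion in either direction.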
