New hijacking - Done via good old-fashioned Identity Theft

Ronald F. Guilmette rfg at tristatelogic.com
Wed Oct 6 11:14:46 UTC 2010



[[ Note:  There are three more apparently hijacked blocks that are related
   to the 75 specific blocks I am reporting on herein.  I'll be reporting
   on those other three blocks later on, but right now I just want to keep
   it simple and report on just the ones relating to directnet.net. ]]

So anyway, presented below, as Rod Serling would have said, "... for your
approval..." you will find a collection of 75 separate IP blocks, all of
which appear to have been hijacked in one big gulp.

One /21, plus seventy four /24s.

This case was done, quite neatly, the good old fashioned way.... apparently
by trivial identity theft.  (And I should say that no fault whatsoever
accrues in any way to ARIN in this case.  They were not even involved in
the slightest, since all of the relevant WHOIS records have remained utterly
unchanged throughout this entire hijacking.)

The identity theft:

A company that was responsible for one /21 block and 74 separate /24
blocks (all of the latter of which had been originally allocated for
various U.S. elementary schools, middle schools, and high schools)
apparently went out of business.  In due time, the company's domain
name (directnet.net) came up for sale.  It was purchased for $4,000,
sometime between May 31, 2010 and June 13, 2010:

     http://www.dnjournal.com/archive/domainsales/2010/20100623.htm

Subsequently, the domain name was transferred to an anonymizing
registrar in the Cayman Islands.  Sometime before or after that
purchase, whoever had purchased the directnet.net domain convinced
the fine folks at Reliance Globalcom Services, Inc., (AS6517) to
announce routes to 100% of this rather cleverly hijacked IP space.
(See complete IP block list attached below.)

Sometime after that, the IP blocks in question began to fill up with
snowshoe name servers and snowshoe spam domains.

The entire set of relevant ARIN WHOIS records for the hijacked IP blocks,
along with the new WHOIS record for the newly re-registered directnet.net
domain, and also a listing of the snowshoe domains and name servers that
have been created in, or moved into these hijacked IP blocks are all
available here:

     http://www.47-usc-230c2.org/hijacked-schools/

Although it is impossible to be absolutely certain who engineered this
clever hijacking, some of the evidence available to me at this time
suggests that a particular company listed on Spamhaus' ROKSO list may
possibly have either had a hand in engineering the hijacking, or
else may possibly have benefitted from it, after the fact, i.e. obtaining
IP space which they could then sub-lease to their space-hungry customers.

Certainly, the fine folks at Reliance Globalcom Services, Inc. could tell
us who is paying them to connect these hijacked blocks to their network,
but I rather doubt that they are actually going to come clean and do
that.


Regards,
rfg


Hijacked blocks:

204.194.184.0/21
205.196.1.0/24
205.196.14.0/24
205.196.28.0/24
205.196.29.0/24
205.196.30.0/24
205.196.31.0/24
205.196.32.0/24
205.196.33.0/24
205.196.34.0/24
205.196.35.0/24
205.196.36.0/24
205.196.37.0/24
205.196.38.0/24
205.196.40.0/24
205.196.41.0/24
205.196.42.0/24
205.196.43.0/24
205.196.44.0/24
205.196.45.0/24
205.196.46.0/24
205.196.47.0/24
205.196.49.0/24
205.196.51.0/24
205.196.52.0/24
205.196.53.0/24
205.196.54.0/24
205.196.55.0/24
205.196.56.0/24
205.196.57.0/24
205.196.58.0/24
205.196.59.0/24
205.196.60.0/24
205.196.61.0/24
205.196.62.0/24
205.196.67.0/24
205.196.68.0/24
205.196.69.0/24
205.196.71.0/24
205.196.72.0/24
205.196.73.0/24
205.196.75.0/24
205.196.76.0/24
205.196.96.0/24
205.196.97.0/24
205.196.99.0/24
205.196.100.0/24
205.196.101.0/24
205.196.102.0/24
205.196.103.0/24
205.196.104.0/24
205.196.105.0/24
205.196.106.0/24
205.196.107.0/24
205.196.108.0/24
205.196.109.0/24
205.196.111.0/24
205.196.112.0/24
205.196.113.0/24
205.196.114.0/24
205.196.115.0/24
205.196.116.0/24
205.196.161.0/24
205.196.162.0/24
205.196.163.0/24
205.196.164.0/24
205.196.165.0/24
205.196.192.0/24
205.196.193.0/24
205.196.194.0/24
205.196.196.0/24
205.196.197.0/24
205.196.198.0/24
205.196.199.0/24
205.196.200.0/24
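The two signals this post turns on, a block being announced by an origin AS that is not the one the resource holder's records point to, and the registrant's contact domain having been dropped and re-registered long after the address space was allocated, can both be checked mechanically by a network operator who keeps a list of their own prefixes. The following Python is an added example written for this page, not code from the original post or from NANOG; every prefix-to-origin mapping, announcement and date in it is constructed (AS64496 and AS64497 are documentation ASNs; AS6517 is the announcing AS named in the post; the dates are placeholders, not registry data).

```python
import ipaddress
from datetime import date

# Constructed sample: which origin ASNs the resource holder's own records
# authorise for each prefix (placeholder values, not registry data).
EXPECTED_ORIGINS = {
    "204.194.184.0/21": {64496},
    "205.196.1.0/24": {64496},
    "205.196.14.0/24": {64496},
}

# Constructed route announcements seen in a routing table, as
# (prefix, origin ASN). The /24 inside the /21 models a more-specific
# being announced by an unexpected origin.
ANNOUNCEMENTS = [
    ("204.194.184.0/21", 6517),
    ("204.194.186.0/24", 6517),
    ("205.196.1.0/24", 64496),
    ("205.196.14.0/24", 64497),
    ("198.51.100.0/24", 64497),   # not our space; should be ignored
]

# Constructed contact records: when the prefix was registered versus when
# the contact e-mail domain's current registration was created.
CONTACT_RECORDS = [
    {"prefix": "204.194.184.0/21", "contact_domain": "directnet.net",
     "prefix_registered": date(1996, 1, 1),      # placeholder date
     "domain_created": date(2010, 6, 20)},       # placeholder date
    {"prefix": "192.0.2.0/24", "contact_domain": "example.com",
     "prefix_registered": date(2001, 3, 5),
     "domain_created": date(1995, 8, 14)},
]


def _covering_prefix(prefix, expected):
    """Return the longest expected prefix that covers `prefix`, or None.

    Longest-match matters because an attacker may announce a more-specific
    of a block rather than the exact prefix in the records.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for cand in expected:
        cnet = ipaddress.ip_network(cand)
        if net.version == cnet.version and net.subnet_of(cnet):
            if best is None or cnet.prefixlen > best.prefixlen:
                best = cnet
    return str(best) if best else None


def find_unexpected_origins(announcements, expected=EXPECTED_ORIGINS):
    """Flag announcements of our space whose origin AS is not authorised.

    Returns (announced_prefix, origin_asn, covering_prefix) tuples.
    Announcements outside the expected prefix set are not our concern
    and are skipped.
    """
    flagged = []
    for prefix, origin in announcements:
        covering = _covering_prefix(prefix, expected)
        if covering is None:
            continue
        if origin not in expected[covering]:
            flagged.append((prefix, origin, covering))
    return flagged


def contact_domains_younger_than_prefix(records=CONTACT_RECORDS):
    """Flag prefixes whose contact domain was registered after the prefix.

    A contact domain whose creation date postdates the allocation is the
    signature of a lapsed domain that someone else picked up, which is the
    identity-theft step described in the post.
    """
    return [(r["prefix"], r["contact_domain"])
            for r in records
            if r["domain_created"] > r["prefix_registered"]]


if __name__ == "__main__":
    for prefix, origin, covering in find_unexpected_origins(ANNOUNCEMENTS):
        print(f"{prefix} announced by AS{origin}, expected {EXPECTED_ORIGINS[covering]} (covers {covering})")
    for prefix, domain in contact_domains_younger_than_prefix():
        print(f"{prefix}: contact domain {domain} was (re)registered after the prefix")
```

In practice the origin check is what RPKI route origin validation does with ROAs instead of a local dictionary, and the contact-domain check would be fed from the registry's WHOIS/RDAP data for the holder's own objects; the point of keeping both checks is that the route side catches the announcement while the domain side catches the lapse that made the announcement possible.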