AS6517 - Reliance Globalcom -- routing three more hijacked blocks

2010-10-06 Thread Ronald F. Guilmette

Has anybody ever succeeded at sending any e-mail to the
 address?  It doesn't seem to
work for me. I just get undeliverable bounces.

I'd like to, you know, at least inform them about all of these hijacked
routes that _they_ are announcing, but I guess I need to do that via
smoke signal or something.

Well, anyway, here's three more hijacked blocks that they (AS6517)
are routing.  This is in addition to the 75 such blocks I've already
reported.  (I guess that makes 78 hijacked blocks for them, in total.)


198.99.245.0/24    NET-198-99-245-0-1
(wjhoreni.com - domain registered 2009-10-30)

198.151.138.0/24   NET-198-151-138-0-1
(crescentnets.com - registered 07-09-2010, in the
Cayman Islands)

207.45.56.0/21 NET-207-45-56-0-1
(crescentnets.com - see above)


Name server dump of the above blocks, illustrating snowshoe spam domains:

Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Rich Kulawiec
On Wed, Oct 06, 2010 at 10:14:27PM +, Sven Olaf Kamphuis wrote:
> (keep in mind, each sender gets a unique password from the receiver,
> this can be stored in the address book along with the email address
> itself).

I'd like to see the I-D which explains how this is going to work,
with particular attention to (a) how the passwords will be exchanged
without using email (b) how it's going to handle the O(N^2) scaling and
(c) how it's going to work in an environment with at least a hundred
million compromised systems -- that is, systems that are now owned by
the enemy, who thus also owns the contents of all the address books
stored on them...including all the passwords.  I think once these
issues are addressed it will be only a small matter of implementation
to convince everyone to swiftly move to a different protocol for mail.

---rsk



Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Ben McGinnes
On 7/10/10 6:28 AM, Eric Brunner-Williams wrote:
> On 10/6/10 10:34 AM, Owen DeLong wrote:
>>
>> Number resources are not and should not be associated with domain
>> resources at the policy level. This would make absolutely no sense
>> whatsoever.
> 
> hmm. ... "are not" ... so the event complained of ... didn't happen?

The key issue here is more the "should not" aspect, which I agree with,
but that these records are frequently used by netops to verify a
request.  There really needs to be a greater standardised level of due
diligence regarding advertisement requests that checks more than whether
a request is coming from a seemingly legitimate email address.


Regards,
Ben





RE: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread George Bonser


> -Original Message-
> From: Heath Jones 
> Sent: Wednesday, October 06, 2010 3:24 PM
> To: nanog@nanog.org
> Subject: Re: New hijacking - Done via via good old-fashioned Identity
> Theft
> 
> Wouldn't it have to be illegal before punishments could be determined?
> Isn't this kind of key to the whole issue of fighting spam?? (Is there
> even a point if you can't nail them for it?)

This conversation isn't really about spam.  It is about being able to
obtain the number resources of a defunct organization by masquerading as
that organization by registering an identical business entity or
operating name.  So foo.com has legitimately obtained number resources.
Foo.com goes broke and those resources are no longer in use.  Joe Blow
registers an operation he calls foo.com and claims the right to use
those number resources.  I don't care if those resources are being used
for spam or giving away free money to the needy, that is beside the
point.  The issue as I see it is to raise awareness that just because
foo.com wants to announce resources and just because that WHOIS says
those resources belong to foo.com, it doesn't mean that the two are the
same foo.com

Having an organization come to you wanting to announce a /18 of network
space (that was allocated 10 years ago) and their domain was only
created a week ago might be a clue.

G
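
The clue described above (an old allocation requested through a domain created days earlier), written as a pre-provisioning check; this is an added example, not code from anyone in the thread. The record fields, thresholds, prefix, names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class AnnouncementRequest:
    """What a provider has in hand when asked to announce a prefix (hypothetical record)."""
    prefix: str              # block the customer wants announced
    block_registered: date   # registration date in the RIR WHOIS record
    whois_org: str           # organisation named in the RIR record
    requester_org: str       # organisation name the customer supplied
    contact_email: str       # address the request came from
    domain_created: date     # creation date of that address's domain
    received: date           # day the request arrived


def contact_domain(email: str) -> str:
    """Domain part of the requesting address, lower-cased."""
    return email.rsplit("@", 1)[-1].strip().lower()


def normalise(name: str) -> str:
    """Case- and punctuation-insensitive form of an organisation name."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def review(req, young_domain_days=365, max_gap_years=2.0):
    """Return (code, detail) findings; thresholds are assumed defaults, not a standard."""
    findings = []
    net = ipaddress.ip_network(req.prefix)  # ValueError on a malformed prefix
    domain = contact_domain(req.contact_email)
    domain_age = (req.received - req.domain_created).days
    gap_years = (req.domain_created - req.block_registered).days / 365.25

    if domain_age < young_domain_days:
        findings.append(("young-domain",
                         f"{domain} was created {domain_age} days before the request"))
    if gap_years > max_gap_years:
        findings.append(("domain-postdates-block",
                         f"{domain} was created {gap_years:.1f} years after "
                         f"{net} was registered"))
    if normalise(req.whois_org) != normalise(req.requester_org):
        findings.append(("org-mismatch",
                         f"WHOIS says {req.whois_org!r}, requester says "
                         f"{req.requester_org!r}"))
    return findings


def decide(req):
    """Any finding sends the request to verification outside e-mail.

    A matching organisation name or contact domain is exactly what an
    impostor controls, so a match never clears a request by itself.
    """
    findings = review(req)
    return ("verify-out-of-band" if findings else "no-flags"), findings


# Constructed sample requests (prefix taken from the benchmarking range).
SUSPECT = AnnouncementRequest(
    prefix="198.18.0.0/18",
    block_registered=date(2000, 9, 15),
    whois_org="Foo Networks, Inc.",
    requester_org="Foo Networks Inc",
    contact_email="noc@foo.example",
    domain_created=date(2010, 9, 29),
    received=date(2010, 10, 6),
)
ORDINARY = AnnouncementRequest(
    prefix="198.18.0.0/18",
    block_registered=date(2000, 9, 15),
    whois_org="Foo Networks, Inc.",
    requester_org="Foo Networks, Inc.",
    contact_email="noc@foo.example",
    domain_created=date(1999, 3, 1),
    received=date(2010, 10, 6),
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("ordinary", ORDINARY)):
        verdict, findings = decide(req)
        print(label, verdict)
        for code, detail in findings:
            print("  ", code, "-", detail)
```

A domain that changes hands without lapsing keeps its original creation date, so `no-flags` means only that these heuristics did not fire, not that the requester is the registrant.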





Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Randy Bush
> We get people calling our noc numbers pretty often trying to report
> abuse for other people's networks...  that is always fun
>> not directly related, but i get occasional harassing calls from
>> mental/emotional children who are using whois.  it's amusing but
>> basically pathetic.

no, i mean classic children's behavior pretending they are the police or
whatever.

randy



RE: Facebook down!! Alert!

2010-10-06 Thread John van Oppen
The only way in which I can see facebook as required for operations is when one
is hosting apps that must interact with the facebook API.   Facebook is a site
we keep an eye on from our NOC simply because it is important to a lot of our
larger transit customers due to them having apps that require facebook API
access.   We tend to also get calls from the .edu sites we service when it has
outages.

That being said, facebook outages are not really an internal problem for us and
it would seem odd to trust business processes to a free social network site.

John / AS11404

-Original Message-
From: Dan White [mailto:dwh...@olp.net] 
Sent: Wednesday, October 06, 2010 2:24 PM
To: david raistrick
Cc: nanog@nanog.org
Subject: Re: Facebook down!! Alert!

On 06/10/10 17:05 -0400, david raistrick wrote:
>my point is that facebook has moved beyond being a pure content
>provider, and (much like, say, google) provides both content AND
>service.   I have dependencies on facebook's (as do many many others
>who perhaps don't yet hire folks who even know what nanog is but
>someday will) services. without them, my teams can't work and my
>employer loses significant figures of revenue per day.

Why can't your teams work? Do they have email? I'm trying to imagine what
operational scenarios are involved between the technical staff in a company
that depend on Facebook being up, unless you're working for Facebook.

Even if I were not email inclined, I'd set up a local XMPP server to do my
communication.

>so facebook is very much operationally relevant for my network, and 
>that these mixed content/service providers will be more and more 
>relevant as time goes on and we as a community should figure out how 
>to deal with their transition from pure content to perhaps some day 
>pure service.

How we deal with it is to create a viable distributed version of it.

-- 
Dan White




RE: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread John van Oppen
We get people calling our noc numbers pretty often trying to report abuse for 
other people's networks...  that is always fun

John van Oppen  / AS11404

-Original Message-
From: Randy Bush [mailto:ra...@psg.com] 
Sent: Wednesday, October 06, 2010 3:16 PM
To: Matthew Huff
Cc: ' (nanog@nanog.org)'
Subject: Re: Scam telemarketers spoofing our NOC phone number for callerid

not directly related, but i get occasional harassing calls from
mental/emotional children who are using whois.  it's amusing but
basically pathetic.

randy




Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Sven Olaf Kamphuis


-
Exactly when and where did RIR whois databases gain any legal status as
an authoritative source of information, rather than just an internal tool
for network operators? (as far as i see, the rirs are legally nothing more 
than a collective of network operators, not an authority in any way).


-
Exactly when and where did RIR whois entries, or rather the lack thereof
prohibit any other use of those ranges (as in: blatantly announcing them, 
not having a registered AS number or someone else's AS number).


-
Exactly since when and where did IP addresses become property?
(Ok, there are some court verdicts identifying them as "personal details" 
(although they identify a node on a network, not a person ;)


-
If they are indeed personal details, they are not allowed to be in public 
whois in the first place without the consent of the end-end-end user

(privacy laws)


And furthermore, if you want to stop spam on that shitty old SMTP 
protocol, i suggest you stop wasting time on blacklisting ips,


and start working on a standard to issue all your "buddies" with a unique 
password so your mailserver accepts their mail and nobody else's.


EVERY MODERN PROTOCOL (skype, msn) does it -that- way, and -that- works.

for which it is required that:
1: a standard header is created that's discarded on forwards
"Password: "

2: mailinglists, online shops, etc, anyone who does not have your 
businesscard with a unique password on it, add a field for this.


(keep in mind, each sender gets a unique password from the receiver, this 
can be stored in the address book along with the email address itself).



-




You "Spam fighters" have effectively KILLED smtp by:
- blacklists
- your anti open relay crap
- motivating eyeball isps to block port 25
- graylisting makes it so damn slow nobody wants to use it anymore anyway

all of this has resulted in:

SMTP no longer being used on the actual workstations
Therefore not operating in a p2p and real-time fashion

and did you manage to stop spam? -> NO, you just managed to make it 
completely unworkable and unreliable.


did you manage to make people choose other protocols such as Skype and 
MSN: yes! (if email was still used in a p2p fashion people would not 
-need- instant messengers in the first place, as their wintendo computer 
would just talk smtp and store directly to the inbox)


Imap, pop2, pop3 and all that other crap could have been skipped.



--
Greetings,

Sven Olaf Kamphuis,
CB3ROB Ltd. & Co. KG
=
Address: Koloniestrasse 34         VAT Tax ID:   DE267268209
         D-13359                   Registration: HRA 42834 B
         BERLIN                    Phone:        +31/(0)87-8747479
         Germany                   GSM:          +49/(0)152-26410799
RIPE:    CBSK1-RIPE                e-Mail:       s...@cb3rob.net
=
 C3P0, der elektrische Westerwelle

=





On Wed, 6 Oct 2010, Ronald F. Guilmette wrote:



In message ,
Heath Jones  wrote:


Certainly, fine folks at Reliance Globalcom Services, Inc. could tell
us who is paying them to connect these hijacked blocks to their network,
but I rather doubt that they are actually going to come clean and do
that.


Ron, I haven't been following this anti-spam stuff much since it went
political with ARIN but I do have a few quick questions (relating to
US law and spam).

1) Is spamming from within the US criminal activity?


Sadly, it appears not.

In many cases it is however actionable.  (And in other cases involving
actual criminal activity, e.g. as prohibited by 18 USC 1030, `Fraud and
related activity in connection with computers', it may, I think, be
considered as an aggravating factor in determining punishments.)


What constitutes spam in that case?


Are you asking what I think?  Or what the majority of netizens think?
Or are you asking what U.S. courts think?

Those are three different answers.


2) If you could justify the incoming spam as a DOS, is that criminal
activity? Could you justify it as a DOS?


Yes.  No.


3) Is providing ARIN with bogus information just to get around their
processes criminal activity?


In this case, nobody provided ARIN with *any* bogus information, ever.
(So your question is utterly irrelevant to this particular case.)


4) Is obtaining disused IP space / AS allocations from assigned
entity, and not updating ARIN criminal activity?


In this particular case, nobody appears to have ``obtained'' IP space
from the various High Schoo

Re: Facebook down!! Alert!

2010-10-06 Thread Bret Clark

On 10/06/2010 06:08 PM, Tammy A. Wisdom wrote:

This thread proves to me yet again that nanog is the internet's equivalent of a
giant panty raid.  This isn't the outages list & I am rather annoyed that we
must discuss junk social media sites such as facebook.  Just because you are
panicking does not mean that the thousands of people on this list give a flying rat's
ass that facebook is down!
Can we please discuss relevant topics such as running networks? (for instance
NOT @#...@#$ing FACEBOOK!)
This list over the last year has just gone so far downhill that I am most
likely going to unsubscribe from it as I don't get any technical benefit from
the garbage that is discussed on this list 99.999% of the time.

--Tammy

   


I've always looked at the nanog list representing issues up to layer 4 
of the OSI model; mostly layer 3/4. Maybe a new mailing list could be 
made called the North American Network Applications Group 
(nanag)...there might be a pun there :).


Bret



Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Heath Jones
>>1) Is spamming from within the US criminal activity?
>
> Sadly, it appears not.
>
> In many cases it is however actionable.  (And in other cases involving
> actual criminal activity, e.g. as prohibited by 18 USC 1030, `Fraud and
> related activity in connection with computers', it may, I think, be
> considered as an aggravating factor in determining punishments.)

Wouldn't it have to be illegal before punishments could be determined?
Isn't this kind of key to the whole issue of fighting spam?? (Is there
even a point if you can't nail them for it?)


>>What constitutes spam in that case?
>
> Are you asking what I think?  Or what the majority of netizens think?
> Or are you asking what U.S. courts think?
>
> Those are three different answers.

With regards to US court.


>>2) If you could justify the incoming spam as a DOS, is that criminal
>>activity? Could you justify it as a DOS?
>
> Yes.  No.

Ok.


>>3) Is providing ARIN with bogus information just to get around their
>>processes criminal activity?
>
> In this case, nobody provided ARIN with *any* bogus information, ever.
> (So your question is utterly irrelevant to this particular case.)

Not at all irrelevant, I'm talking generically here (not specific to
this case). Trying to cover all bases.


>>4) Is obtaining disused IP space / AS allocations from assigned
>>entity, and not updating ARIN criminal activity?
>
> In this particular case, nobody appears to have ``obtained'' IP space
> from the various High Schools, Middle Schools, and Elementary schools
> involved, other than via deceit, trickery, and fraud.  Were the various
> schools involved here ripped off?  I would say yes.  Does the fraud in
> this case rise to the level of being either criminal or actionable?
> I am not a lawyer, but my guess is that the answer is probably yes to
> both... *IF* anybody cared enough to pursue it.  I base that opinion
> strictly and only on the definition of the English language word `fraud'
> as given at www.merriam-webster.com.
>
> As regards to updating ARIN, or the lack thereof, the _absence_ of such
> ``updating'', in this case... i.e. the absence of any notice to ARIN
> that these blocks were being glommed onto... is part of the overall
> pattern of fraud in this case which, as I have said, I believe to be
> potentially both criminal and actionable... if anybody cared enough to
> pursue it.
>
> But that's just my opinion, and I am not a lawyer.

Perhaps there is a method of class action, as opposed to individual
companies trying to sue?


>>5) Is advertising Prefixes or AS number assigned to another entity
>>criminal activity?
>
> If it constitutes criminal fraud which deprives some party of some property,
> or some right, or the full enjoyment of some property or some right, to which
> they are otherwise entitled, under law, then yes, although I am not a
> lawyer, my limited understanding of the law in these United States indicates
> to me that yes, most probably such activity may well be considered criminal,
> in at least some circumstances, perhaps including the ones being discussed
> in this thread.

Well that might possibly be a start of a legal avenue..?


>>6) If any of the above could be classed as criminal activity, are
>>Reliance Globalcom (in this case) legally obligated to cut them off?,
>
> The answer to that depends, I think, upon whether they are _knowing_
> participants in the fraud.  If they merely got duped... which is indeed
> what is suggested by that fact that somebody paid $4,000 to get a specific
> domain name so that they could then dupe _somebody_ (where that somebody
> who was to be duped, in this case was clearly _not_ ARIN)... then in
> that case, Reliance Globalcom is just another one of the victims, and not
> one of the perpetrators.
>
> Hypothetically, if, once they have been duly informed that this particular
> fraud is ongoing, they do nothing, and continue announcing the routes even
> after allowing them a reasonable amount of time to properly investigate what
> is going on here, then at that point I think that yes, then they might in
> fact be criminally liable, civilly liable, or both.

Might be worth pointing that out to them? Most companies don't like risk..


>>or just help by switching on a packet capture
>
> What would be the point of that??
>
> I can already tell you what the blocks in question are most probably being
> used for, and have done so already, I think.

I was referring to new legislation coming into effect that gives the
FBI? the power to say 'flick the switch on now' and they then can log
traffic..

All in all, it just seems pretty pointless trying to fight spam if the
law isn't backing you. Filtering yes, fighting no.. Perhaps the law is
what needs to be worked on? (As a general comment to all)


Cheers
Heath



Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Randy Bush
not directly related, but i get occasional harassing calls from
mental/emotional children who are using whois.  it's amusing but
basically pathetic.

randy



Los Angeles Internet Exchanges

2010-10-06 Thread Mehmet Akcin
Hello,

if you are somewhat involved with technical or non technical operations of IX 
points within Los Angeles / Orange County area, could you please contact me 
off-list?

thank you.

mehmet


Re: Facebook down!! Alert!

2010-10-06 Thread Quinn Kuzmich
Giant Panty Raid.  Now I know what I'll be calling my weekend/overnight
shifts.  Who says being a Network Engineer can't be fun?

Q

On Wed, Oct 6, 2010 at 4:08 PM, Tammy A. Wisdom wrote:

>
>
> This thread proves to me yet again that nanog is the internet's equivalent
> of a giant panty raid.  This isn't the outages list & I am rather annoyed
> that we must discuss junk social media sites such as facebook.  Just because
> you are panicking does not mean that the thousands of people on this list
> give a flying rat's ass that facebook is down!
> Can we please discuss relevant topics such as running networks? (for
> instance NOT @#...@#$ing FACEBOOK!)
> This list over the last year has just gone so far downhill that I am most
> likely going to unsubscribe from it as I don't get any technical benefit
> from the garbage that is discussed on this list 99.999% of the
> time.
>
> --Tammy
>


Re: Facebook down!! Alert!

2010-10-06 Thread Tammy A. Wisdom


- Original Message -
> From: "david raistrick" 
> To: "Andrew Kirch" 
> Cc: nanog@nanog.org
> Sent: Wednesday, October 6, 2010 3:05:10 PM
> Subject: Re: Facebook down!! Alert!
> On Wed, 6 Oct 2010, david raistrick wrote:
> 
> > On Wed, 6 Oct 2010, Andrew Kirch wrote:
> >
> >> No, the majority does not define what "operational" means. Facebook
> >> is
> >> not a mission critical internet resource (such as a fiber cut,
> >> power
> >
> > not a mission critical internet resource -to you-
> 
> 
> to be clear, I could give a damn about if we talk about this on nanog
> or
> not. (and I agree that outages is the right place to announce outages,
> and outage-discuss to discuss them).
> 
> 
> my point is that facebook has moved beyond being a pure content
> provider,
> and (much like, say, google) provides both content AND service. I have
> dependencies on facebook's (as do many many others who perhaps don't
> yet
> hire folks who even know what nanog is but someday will) services.
> without them, my teams can't work and my employer loses significant
> figures of revenue per day.
> 
> so facebook is very much operationally relevant for my network, and
> that
> these mixed content/service providers will be more and more relevant
> as
> time goes on and we as a community should figure out how to deal with
> their transition from pure content to perhaps some day pure service.
> 


This thread proves to me yet again that nanog is the internet's equivalent of a
giant panty raid.  This isn't the outages list & I am rather annoyed that we
must discuss junk social media sites such as facebook.  Just because you are
panicking does not mean that the thousands of people on this list give a flying
rat's ass that facebook is down!
Can we please discuss relevant topics such as running networks? (for instance
NOT @#...@#$ing FACEBOOK!)
This list over the last year has just gone so far downhill that I am most
likely going to unsubscribe from it as I don't get any technical benefit from
the garbage that is discussed on this list 99.999% of the time.

--Tammy


-- 

Tammy A Wisdom
The Summit Open Source Development Group
http://www.sosdg.org   /  http://www.ahbl.org 





Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Ronald F. Guilmette

In message , 
Heath Jones  wrote:

>> Certainly, fine folks at Reliance Globalcom Services, Inc. could tell
>> us who is paying them to connect these hijacked blocks to their network,
>> but I rather doubt that they are actually going to come clean and do
>> that.
>
>Ron, I haven't been following this anti-spam stuff much since it went
>political with ARIN but I do have a few quick questions (relating to
>US law and spam).
>
>1) Is spamming from within the US criminal activity?

Sadly, it appears not.

In many cases it is however actionable.  (And in other cases involving
actual criminal activity, e.g. as prohibited by 18 USC 1030, `Fraud and
related activity in connection with computers', it may, I think, be
considered as an aggravating factor in determining punishments.)

>What constitutes spam in that case?

Are you asking what I think?  Or what the majority of netizens think?
Or are you asking what U.S. courts think?

Those are three different answers.

>2) If you could justify the incoming spam as a DOS, is that criminal
>activity? Could you justify it as a DOS?

Yes.  No.

>3) Is providing ARIN with bogus information just to get around their
>processes criminal activity?

In this case, nobody provided ARIN with *any* bogus information, ever.
(So your question is utterly irrelevant to this particular case.)

>4) Is obtaining disused IP space / AS allocations from assigned
>entity, and not updating ARIN criminal activity?

In this particular case, nobody appears to have ``obtained'' IP space
from the various High Schools, Middle Schools, and Elementary schools
involved, other than via deceit, trickery, and fraud.  Were the various
schools involved here ripped off?  I would say yes.  Does the fraud in
this case rise to the level of being either criminal or actionable?
I am not a lawyer, but my guess is that the answer is probably yes to
both... *IF* anybody cared enough to pursue it.  I base that opinion
strictly and only on the definition of the English language word `fraud'
as given at www.merriam-webster.com.

As regards to updating ARIN, or the lack thereof, the _absence_ of such
``updating'', in this case... i.e. the absence of any notice to ARIN
that these blocks were being glommed onto... is part of the overall
pattern of fraud in this case which, as I have said, I believe to be
potentially both criminal and actionable... if anybody cared enough to
pursue it.

But that's just my opinion, and I am not a lawyer.

>5) Is advertising Prefixes or AS number assigned to another entity
>criminal activity?

If it constitutes criminal fraud which deprives some party of some property,
or some right, or the full enjoyment of some property or some right, to which
they are otherwise entitled, under law, then yes, although I am not a
lawyer, my limited understanding of the law in these United States indicates
to me that yes, most probably such activity may well be considered criminal,
in at least some circumstances, perhaps including the ones being discussed
in this thread.

>6) If any of the above could be classed as criminal activity, are
>Reliance Globalcom (in this case) legally obligated to cut them off?,

The answer to that depends, I think, upon whether they are _knowing_
participants in the fraud.  If they merely got duped... which is indeed
what is suggested by that fact that somebody paid $4,000 to get a specific
domain name so that they could then dupe _somebody_ (where that somebody
who was to be duped, in this case was clearly _not_ ARIN)... then in
that case, Reliance Globalcom is just another one of the victims, and not
one of the perpetrators.

Hypothetically, if, once they have been duly informed that this particular
fraud is ongoing, they do nothing, and continue announcing the routes even
after allowing them a reasonable amount of time to properly investigate what
is going on here, then at that point I think that yes, then they might in
fact be criminally liable, civilly liable, or both.

>or just help by switching on a packet capture

What would be the point of that??

I can already tell you what the blocks in question are most probably being
used for, and have done so already, I think.


Regards,
rfg



Re: Facebook down!! Alert!

2010-10-06 Thread Dan White

On 06/10/10 17:05 -0400, david raistrick wrote:
my point is that facebook has moved beyond being a pure content
provider, and (much like, say, google) provides both content AND
service.   I have dependencies on facebook's (as do many many others
who perhaps don't yet hire folks who even know what nanog is but
someday will) services. without them, my teams can't work and my
employer loses significant figures of revenue per day.


Why can't your teams work? Do they have email? I'm trying to imagine what
operational scenarios are involved between the technical staff in a company
that depend on Facebook being up, unless you're working for Facebook.

Even if I were not email inclined, I'd set up a local XMPP server to do my
communication.

so facebook is very much operationally relevant for my network, and 
that these mixed content/service providers will be more and more 
relevant as time goes on and we as a community should figure out how 
to deal with their transition from pure content to perhaps some day 
pure service.


How we deal with it is to create a viable distributed version of it.

--
Dan White



RE: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread FEARGAL_LEDWIDGE
From: sc...@doc.net.au [mailto:sc...@doc.net.au] 
Sent: Wednesday, October 06, 2010 2:26 PM
Subject: Re: Scam telemarketers spoofing our NOC phone number for callerid

>There were some laws passed recently which makes "faking" caller-id illegal,
>although I'm not sure exactly what the details are (eg, I'm fairly sure
>sending your cell phone number from a desk phone is fine as you own both of
>them).

In the US - it's not quite law yet. 

The bill in question is H.R. 1258: Truth in Caller ID Act of 2010. It was 
passed by the house in April 2010 - but has not yet been passed by the Senate. 
A similar bill was passed by the Senate previously - so it's only a matter of 
time.

Specifically - the bill will make it illegal "to cause any caller ID service to 
transmit misleading or inaccurate caller ID information."

Changing your caller-id for legitimate non-nefarious purposes will still be 
allowed.


Feargal



Re: Facebook down!! Alert!

2010-10-06 Thread Valdis . Kletnieks
On Wed, 06 Oct 2010 16:39:03 EDT, Andrew Kirch said:

> No, the majority does not define what "operational" means.  Facebook is
> not a mission critical internet resource (such as a fiber cut, power
> loss at a peering point, DoS attack.  

Yes, but anytime something spikes the number of calls at my help desk, that
*is* an operational issue, even if it's something stupid in the eyes of the
savvy network engineers that hang out here...





Re: Facebook down!! Alert!

2010-10-06 Thread Andrew Kirch
 On 10/6/2010 5:05 PM, david raistrick wrote:
>
>
> to be clear, I could give a damn about if we talk about this on nanog
> or not. (and I agree that outages is the right place to announce
> outages, and outage-discuss to discuss them).
>
>
> my point is that facebook has moved beyond being a pure content
> provider, and (much like, say, google) provide both content AND
> service.   I have dependencies on facebook's (as do many many others
> who perhaps don't yet hire folks who even know what nanog is but
> someday will) services. without them, my teams can't work and my
> employer loses significant figures of revenue per day.
>
> so facebook is very much operationally relevant for my network, and
> that these mixed content/service providers will be more and more
> relevant as time goes on and we as a community should figure out how
> to deal with their transition from pure content to perhaps some day
> pure service.

My company buys firearms, so I am going to start posting to nanog every
time my service providers go down (Springfield Armory, Rock River Arms,
Volkmann Custom, and Benelli).  Certainly they're a website, but without
that website I can't order the firearms which costs me significant
figures of revenue per day.
Perhaps your company buys widgets of some sort?

That is not however a core networking issue.  Facebook outages may be
important to your company, and I do some business on there as well, but
NANOG is not a list where non-bandwidth vendor outages should be
reported.  (unless you like guns too!)

Andrew



Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, david raistrick wrote:

> On Wed, 6 Oct 2010, Andrew Kirch wrote:
>
>> No, the majority does not define what "operational" means.  Facebook is
>> not a mission critical internet resource (such as a fiber cut, power
>
> not a mission critical internet resource -to you-



to be clear, I could give a damn about if we talk about this on nanog or 
not. (and I agree that outages is the right place to announce outages, 
and outage-discuss to discuss them).



my point is that facebook has moved beyond being a pure content provider, 
and (much like, say, google) provide both content AND service.   I have 
dependencies on facebook's (as do many many others who perhaps don't yet 
hire folks who even know what nanog is but someday will) services. 
without them, my teams can't work and my employer loses significant 
figures of revenue per day.


so facebook is very much operationally relevant for my network, and that 
these mixed content/service providers will be more and more relevant as 
time goes on and we as a community should figure out how to deal with 
their transition from pure content to perhaps some day pure service.





--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org             http://www.expita.com/nomime.html




RE: Facebook down!! Alert!

2010-10-06 Thread Nathan Eisenberg
> -Original Message-
> From: Guerra, Ruben [mailto:ruben.gue...@arrisi.com]
> Sent: Wednesday, October 06, 2010 1:47 PM
> To: nanog@nanog.org
> Subject: RE: Facebook down!! Alert!
> 
> Passes Andrew the shotgun... Please kill all FB threads with it. :)
> 
> The only thing I noticed being down last night is battle.net ;). Guess you
> know where my priorities are. Lol
> 
> -Rg

Minecraft.net keeps going down, maybe we should start a thread about that, too!

Nathan




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Andrew Kirch wrote:

> No, the majority does not define what "operational" means.  Facebook is
> not a mission critical internet resource (such as a fiber cut, power

not a mission critical internet resource -to you-


--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org             http://www.expita.com/nomime.html




RE: Facebook down!! Alert!

2010-10-06 Thread Guerra, Ruben
Passes Andrew the shotgun... Please kill all FB threads with it. :)

The only thing I noticed being down last night is battle.net ;). Guess you know 
where my priorities are. Lol

-Rg


-Original Message-
From: Andrew Kirch [mailto:trel...@trelane.net] 
Sent: Wednesday, October 06, 2010 3:39 PM
To: nanog@nanog.org
Subject: Re: Facebook down!! Alert!

 On 10/6/2010 4:33 PM, david raistrick wrote:
>
> so the majority defines operational now, huh?  wow. nice to know that
> network service providers outnumber other companies these days... (of
> course, those service providers also make their money from facebook
> consumers)

No, the majority does not define what "operational" means.  Facebook is
not a mission critical internet resource (such as a fiber cut, power
loss at a peering point, DoS attack.  Please let's end this thread (And
others of its ilk here and now).




RE: Facebook down!! Alert!

2010-10-06 Thread Adcock, Matt [HISNA]
OpenDNS is my favorite for blocking things like FB and all sorts of other 
productivity killers.


The information in this email and any attachments are for the sole use of the 
intended recipient and may contain privileged and confidential information. If 
you are not the intended recipient, any use, disclosure, copying or 
distribution of this message or attachment is strictly prohibited.  We have 
taken precautions to minimize the risk of transmitting software viruses, but we 
advise you to carry out your own virus checks on any attachment to this 
message. We cannot accept liability for any loss or damage caused by software 
viruses. If you believe that you have received this email in error, please 
contact the sender immediately and delete the email and all of its attachments


From: david raistrick [mailto:dr...@icantclick.org]
Sent: Wed 10/6/2010 3:34 PM
To: Matt Baldwin
Cc: nanog@nanog.org
Subject: Re: Facebook down!! Alert!



On Wed, 6 Oct 2010, Matt Baldwin wrote:

> I would imagine more businesses benefit from a FB outage in terms of a
> tick up in productivity versus businesses harmed by a FB outage, e.g.

Perhaps, then, we should instead be discussing the business benefits of
blocking facebook so companies can regain productivity?



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org             http://www.expita.com/nomime.html





 


Re: Facebook down!! Alert!

2010-10-06 Thread Andrew Kirch
 On 10/6/2010 4:33 PM, david raistrick wrote:
>
> so the majority defines operational now, huh?  wow. nice to know that
> network service providers outnumber other companies these days... (of
> course, those service providers also make their money from facebook
> consumers)

No, the majority does not define what "operational" means.  Facebook is
not a mission critical internet resource (such as a fiber cut, power
loss at a peering point, DoS attack.  Please let's end this thread (And
others of its ilk here and now).



Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Matt Baldwin wrote:

> I would imagine more businesses benefit from a FB outage in terms of a
> tick up in productivity versus businesses harmed by a FB outage, e.g.

Perhaps, then, we should instead be discussing the business benefits of 
blocking facebook so companies can regain productivity?


--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org             http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Greg Whynott wrote:

>> just because you don't want to play facebook games doesn't make a facebook
>> outage any less operationally relevant than, say, an akamai or limelight
>> outage.
>
> IMO which may be way off base, when akamai goes off the air, people lose
> potential sales/revenue.  when facebook goes off the air, a greater
> number of companies become more efficient than those who suffer
> productivity loss.

so the majority defines operational now, huh?  wow. nice to know that 
network service providers outnumber other companies these days... (of 
course, those service providers also make their money from facebook 
consumers)


--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org             http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread Jeff Harper
> From: "Mark" 
> It's back up. There goes that short burst of productivity.
> 
> 
> On Oct 6, 2010, at 12:49 PM, Mark Hofman wrote:
> 
> > Ditto In AU and from other reports US.
> > Guess productivity will go up ;-)

The irony is that the short burst of productivity was spent troubleshooting if 
Facebook was up or down.



Re: Facebook down!! Alert!

2010-10-06 Thread Greg Whynott

> just because you don't want to play facebook games doesn't make a facebook 
> outage any less operationally relevant than, say, an akamai or limelight 
> outage.



IMO which may be way off base,   when akamai goes off the air,  people lose 
potential sales/revenue.   when facebook goes off the air,   a greater number 
of companies become more efficient than those who suffer productivity loss.

  yes,  it is worth mention,  but elsewhere,  like twitter or on your wall.  

-g






Re: Mobile Looking Glass?

2010-10-06 Thread axs8091
I've used the app "Traceroute" before which aggregates most of the major
ISP's looking glass sites and seems to be pretty good about keeping on top
of it to clean up the broken ones.

http://remarkablepixels.com/traceroute

On Wed, Oct 6, 2010 at 3:32 PM, Mike O'Connor  wrote:

> :Anyone know of an iPhone application for checking public Looking Glass
> servers?
> :
> :Boss called me in a panic when I was out for lunch to check on something
> and would make my life much easier but searching for stuff on iTunes is
> awful.
>
> If you have an AIM or Jabber client on your iPhone, there's bgpbotz:
>
> http://software.merit.edu/bgpbotz/
>
> I've used it successfully via AIM on my phone a couple times -- worked
> like a champ.
>
> --
>  Michael J. O'Connor
> m...@dojo.mi.org
>
>  =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
> "YOU MUST OBEY ME BECAUSE I'M LOUD!"
> -Dogbert
>
>


Re: Facebook down!! Alert!

2010-10-06 Thread Matt Baldwin
I would imagine more businesses benefit from a FB outage in terms of a
tick up in productivity versus businesses harmed by a FB outage, e.g.
Zynga.  So, net net a FB outage could be seen as a positive thing in
the course of a work day.

-matt

On Wed, Oct 6, 2010 at 12:31 PM, david raistrick  wrote:
> On Wed, 6 Oct 2010, Bret Clark wrote:
>
>> I have to agree on this as well. I can understand when a service provider
>> is
>
>
> you've forgotten that facebook (and indeed twitter too) are service
> providers that provide business-critical services.
>
> just because you don't want to play facebook games doesn't make a facebook
> outage any less operationally relevant than, say, an akamai or limelight
> outage.
>
>
>
>
>
> --
> david raistrick        http://www.netmeister.org/news/learn2quote.html
> dr...@icantclick.org             http://www.expita.com/nomime.html
>
>
>



Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread J. Oquendo
Scott Howard wrote:
> On Wed, Oct 6, 2010 at 8:55 AM, Jon Lewis  wrote:
>
>   
>> Some do.  Anyone with control of a phone system with digital lines (i.e.
>> asterisk with PRI) can trivially set callerID to whatever they want. There
>> are perfectly legitimate, and not so legitimate uses for this.
>>
>> 
>
> You don't even need the PRI.  There's a number of SIP providers that will
> allow you to set CallerID.  In some cases they do some level of verification
> first, but in many cases it's just a free-for-all.
>
> There were some laws passed recently which makes "faking" caller-id illegal,
> although I'm not sure exactly what the details are (eg, I'm fairly sure
> sending your cell phone number from a desk phone is fine as you own both of
> them).
>
>   Scott.
>
>   
It's HR 1258, the Truth in Caller ID Act; however, it means nothing to
someone outside the United States and this is where the issue seems to
stem from (a huge portion).

So imagine the following:

YourCompany --> VoIP_Peer --> Euro_Company

Someone compromises something in Euro_Company, unbeknownst to that
company, they're sending YOU traffic which you in turn pass (remember
you trusted them here). Guess what? Euro_Company's PBX was sending false
Caller ID. Should you be the one held liable as an ITSP? Further
consideration:

You --> Call Dell Support --> call re-routes to West Bumfork India -->
Callee gets your callback
Yourphone --> ring ring ring --> CID: Dell 12125551234

Where is the truth there?

Anyhow, I don't know if Obama signed this into law yet.

On my phone right now, I set the caller ID to the main number of my
company so that clients take the appropriate steps in going through
Customer Service. Guess what? When I'm at home and on-call my Caller-ID
is set to my company's main number so that clients don't call me at home
on a Sunday morning. Am I committing a "despicable" act by doing this?
Is it any different than unplugging my Snom, Cisco or Polycom and
bringing it home which yields the same results?

While I do recognize the abuse (spammers, telemarketers, etc), I don't
see how a bill is going to stop this from occurring. Who knows maybe
blacklisting ITSP providers. Should we play a guessing game: "Well, it
is coming from Global Crossing..."

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: Mobile Looking Glass?

2010-10-06 Thread Mike O'Connor
:Anyone know of an iPhone application for checking public Looking Glass servers?
:
:Boss called me in a panic when I was out for lunch to check on something and 
would make my life much easier but searching for stuff on iTunes is awful.

If you have an AIM or Jabber client on your iPhone, there's bgpbotz:

http://software.merit.edu/bgpbotz/

I've used it successfully via AIM on my phone a couple times -- worked
like a champ.

--
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"YOU MUST OBEY ME BECAUSE I'M LOUD!" -Dogbert



Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Bret Clark wrote:

> I have to agree on this as well. I can understand when a service provider is



you've forgotten that facebook (and indeed twitter too) are service 
providers that provide business-critical services.


just because you don't want to play facebook games doesn't make a facebook 
outage any less operationally relevant than, say, an akamai or limelight 
outage.






--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org             http://www.expita.com/nomime.html




Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Eric Brunner-Williams

On 10/6/10 10:34 AM, Owen DeLong wrote:

> On Oct 6, 2010, at 6:35 AM, Ben McGinnes wrote:
>
>> On 7/10/10 12:08 AM, Eric Brunner-Williams wrote:
>>
>>> so ... should domains associated with asn(s) and addr block allocations
>>> be subject to some expiry policy other than "it goes into the drop pool
>>> and one of {enom,pool,...} acquire it (and the associated non-traffic
>>> assets) for any interested party at $50 per /24"?
>>
>> Interesting idea, but how do you apply it to ccTLD domains with widely
>> varying policies.  All it takes is whois records being legitimately
>> updated to use domain contacts using a ccTLD domain to circumvent.
>> Sounds like more of a stop-gap measure.
>>
>> Regards,
>> Ben
>
> Number resources are not and should not be associated with domain
> resources at the policy level. This would make absolutely no sense
> whatsoever.

hmm. ... "are not" ... so the event complained of ... didn't happen?



Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Scott Howard
On Wed, Oct 6, 2010 at 8:55 AM, Jon Lewis  wrote:

> Some do.  Anyone with control of a phone system with digital lines (i.e.
> asterisk with PRI) can trivially set callerID to whatever they want. There
> are perfectly legitimate, and not so legitimate uses for this.
>

You don't even need the PRI.  There's a number of SIP providers that will
allow you to set CallerID.  In some cases they do some level of verification
first, but in many cases it's just a free-for-all.

There were some laws passed recently which makes "faking" caller-id illegal,
although I'm not sure exactly what the details are (eg, I'm fairly sure
sending your cell phone number from a desk phone is fine as you own both of
them).

  Scott.


Re: Facebook down!! Alert!

2010-10-06 Thread Greg Whynott
Especially for Facebook alerts.. You are propagating a false perception 
that everyone cares.

-g



On Oct 6, 2010, at 2:20 PM, christian koch wrote:

> +1
> 
> 
> 
> On Wed, Oct 6, 2010 at 12:57 AM, Zaid Ali  wrote:
> 
>> I think the Outages mailing list is more appropriate for this.
>> 
>> 
>> On 10/5/10 9:46 PM, "Mike Lyon"  wrote:
>> 
>>> Same here in SF Bay Area
>>> 
>>> On Tue, Oct 5, 2010 at 9:44 PM, James Smith wrote:
>>> 
>>>> At 1:20am here in Canada, NB our networks are showing that facebook is
>>>> down.
>>>> Please confirm in the USA.
>>>> 
>>>> ~SmithwaySecurity
>>>> 
>>>> Sent from my iPhone
>>>> 
>> 
>> 
>> 
>> 




Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Graham Beneke

On 06/10/2010 17:15, William Herrin wrote:

> I had my unpublished asterisk box up for all of two days before
> getting half a megabit per second worth of false SIP registration
> attempts.

The script kiddies and botnets seem to be trying hard.

I started announcing a brand new RIR allocation about 4 days ago and 
decided to tcpdump the background noise on the prefix before it gets 
used in production. About 80% of the traffic is systematic scanning on 
port 5060 across the entire prefix.


--
Graham Beneke



Re: Facebook down!! Alert!

2010-10-06 Thread Bret Clark
I have to agree on this as well. I can understand when a service 
provider is having problems and people questioning it since that can 
affect many of us who depend on backbone connections, but sites like 
facebook and twitter being down should not be posted here but on the 
"sitesemployeeswastetimeon.org" [\sarcasm off]


On 10/06/2010 02:20 PM, christian koch wrote:

> +1
>
> On Wed, Oct 6, 2010 at 12:57 AM, Zaid Ali  wrote:
>
>> I think the Outages mailing list is more appropriate for this.
>>
>> On 10/5/10 9:46 PM, "Mike Lyon"  wrote:
>>
>>> Same here in SF Bay Area
>>>
>>> On Tue, Oct 5, 2010 at 9:44 PM, James Smith wrote:
>>>
>>>> At 1:20am here in Canada, NB our networks are showing that facebook is
>>>> down.
>>>> Please confirm in the USA.
>>>>
>>>> ~SmithwaySecurity
>>>>
>>>> Sent from my iPhone





Re: Mobile Looking Glass?

2010-10-06 Thread Jon Lewis
googling iphone bgp, this result looked promising, but don't waste your 
time.  It appears to be more or less totally broken.

http://grid5.wordpress.com/2009/02/04/bgp-released/

On Wed, 6 Oct 2010, Jared Mauch wrote:

> I have found the iSSH application (iPhone + iPad) works well.
>
> You can ssh tunnel for things (eg: VNC) with ssh keys, etc..
>
> - Jared
>
> link:
>
> http://itunes.apple.com/us/app/issh-ssh-vnc-console/id287765826?mt=8
>
> On Oct 6, 2010, at 1:44 PM, St. Onge,Adam wrote:
>
>> Anyone know of an iPhone application for checking public Looking Glass servers?
>>
>> Boss called me in a panic when I was out for lunch to check on something and
>> would make my life much easier but searching for stuff on iTunes is awful.







--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Facebook down!! Alert!

2010-10-06 Thread christian koch
+1



On Wed, Oct 6, 2010 at 12:57 AM, Zaid Ali  wrote:

> I think the Outages mailing list is more appropriate for this.
>
>
> On 10/5/10 9:46 PM, "Mike Lyon"  wrote:
>
> > Same here in SF Bay Area
> >
> > On Tue, Oct 5, 2010 at 9:44 PM, James Smith  >wrote:
> >
> >> At 1:20am here in Canada, NB our networks are showing that facebook is
> >> down.
> >> Please confirm in the USA.
> >>
> >>
> >>
> >> ~SmithwaySecurity
> >>
> >> Sent from my iPhone
> >>
> >>
>
>
>
>


Re: Facebook down!! Alert!

2010-10-06 Thread Thomas Habets

On Wed, 6 Oct 2010, Mark Hofman wrote:

> Guess productivity will go up ;-)


You'd think so, but my experience is that when Facebook goes down the 
whole company will leave their desks and go to the networking people to 
get them to fix the Facebook. And they won't leave until Facebook is back.


-
typedef struct me_s {
  char name[]  = { "Thomas Habets" };
  char email[] = { "tho...@habets.pp.se" };
  char kernel[]= { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt"; };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;



Re: Mobile Looking Glass?

2010-10-06 Thread Jared Mauch
I have found the iSSH application (iPhone + iPad) works well.

You can ssh tunnel for things (eg: VNC) with ssh keys, etc..

- Jared

link:

http://itunes.apple.com/us/app/issh-ssh-vnc-console/id287765826?mt=8

On Oct 6, 2010, at 1:44 PM, St. Onge,Adam wrote:

> Anyone know of an iPhone application for checking public Looking Glass 
> servers?
> 
> Boss called me in a panic when I was out for lunch to check on something and 
> would make my life much easier but searching for stuff on iTunes is awful.
> 




Mobile Looking Glass?

2010-10-06 Thread St. Onge,Adam
Anyone know of an iPhone application for checking public Looking Glass servers?

Boss called me in a panic when I was out for lunch to check on something and 
would make my life much easier but searching for stuff on iTunes is awful.

==
This communication, including attachments, is confidential, may be subject to 
legal privileges, and is intended for the sole use of the addressee. Any use, 
duplication, disclosure or dissemination of this communication, other than by 
the addressee, is prohibited. If you have received this communication in error, 
please notify the sender immediately and delete or destroy this communication 
and all copies.


Re: 2010.10.06 NANOG50 day 3, Wednesday morning notes

2010-10-06 Thread jim deleskie
+1

On Wed, Oct 6, 2010 at 1:49 PM, Guerra, Ruben wrote:

> Thanks for the notes Matt! :)
>
>
>
> -Original Message-
> From: Matthew Petach [mailto:mpet...@netflight.com]
> Sent: Wednesday, October 06, 2010 10:54 AM
> To: nanog@nanog.org
> Subject: 2010.10.06 NANOG50 day 3, Wednesday morning notes
>
> Thanks to everyone for a wonderful conference--this wraps
> the last of NANOG50--see you all in Miami!
>
> Notes from this morning's session are posted at
>
> http://kestrel3.netflight.com/2010.10.06-NANOG50-morning-notes.txt
>
> sorry about the gaps, I kinda nodded off now and then--only got 2 hours
> of sleep last night.  ^_^;;
>
> Apologies for typos, misspellings, etc.
>
> Thanks again for a wonderful conference!!  :)
>
> Matt
>
>
>


RE: 2010.10.06 NANOG50 day 3, Wednesday morning notes

2010-10-06 Thread Guerra, Ruben
Thanks for the notes Matt! :)



-Original Message-
From: Matthew Petach [mailto:mpet...@netflight.com] 
Sent: Wednesday, October 06, 2010 10:54 AM
To: nanog@nanog.org
Subject: 2010.10.06 NANOG50 day 3, Wednesday morning notes

Thanks to everyone for a wonderful conference--this wraps
the last of NANOG50--see you all in Miami!

Notes from this morning's session are posted at

http://kestrel3.netflight.com/2010.10.06-NANOG50-morning-notes.txt

sorry about the gaps, I kinda nodded off now and then--only got 2 hours
of sleep last night.  ^_^;;

Apologies for typos, misspellings, etc.

Thanks again for a wonderful conference!!  :)

Matt




Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread J. Oquendo
William Herrin wrote:
> On Wed, Oct 6, 2010 at 10:37 AM, Dan White  wrote:
>   
>> If your PBX is SIP based, you might be victim of a SIP registration hijack,
>> which are on the rise, based on traffic we've been seeing in our network.
>> 
>
> I had my unpublished asterisk box up for all of two days before
> getting half a megabit per second worth of false SIP registration
> attempts. Filled /var/log. I had to write a script to dynamically
> filter source IPs with too many failures.
>
> Regards,
> Bill Herrin
>
>   

"A Simple Asterisk Based Toll Fraud Prevention Script"
http://www.infiltrated.net/asterisk-ips.html

Cheap marketing of a free RBL for VoIP: http://www.infiltrated.net/voipabuse

Anyhow, I spoke about this last week (toll fraud abuse via IP PBX
tricksters). Show # 275
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=22622&cmd=tc

http://voipsa.org/blog/2010/09/29/voip-attackers-sometimes-they-come-back/
http://voipsa.org/blog/2010/09/28/voip-abuse-project/


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: 2010.10.06 NANOG50 day 3, Wednesday morning notes

2010-10-06 Thread David Conrad
On Oct 6, 2010, at 5:53 AM, Matthew Petach wrote:
> Thanks again for a wonderful conference!!  :)

Thanks very much for the notes!

Regards,
-drc




Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Joe Greco
> On Wed, 6 Oct 2010, Matthew Huff wrote:
> 
> > Digital all the way through. No sip. No outside access to the PBX subnet 
> > either. Just a minute ago our telco has verified that the calls are 
> > not originating from our phone system. It's a simple caller id spoofing. 
> > People don't realize that caller id can be spoofed and therefore are 
> > 100% sure that we are making the harassing calls.
> 
> Some do.  Anyone with control of a phone system with digital lines (i.e. 
> asterisk with PRI) can trivially set callerID to whatever they want. 

That's not correct; what is true is that *some* LEC's do not filter
the callerID submitted and so this is *sometimes* true.  There are
many examples where a LEC does not accept random callerID's from a
PRI customer.  Sometimes this is even problematic, for example, when
the LEC helpfully inserts the callerID *they* think is correct and
it's actually wrong.

> There are perfectly legitimate, and not so legitimate uses for this.

Yes.  It's very useful, for example, to be able to generate your cell
phone's callerID from your PBX, since people have a habit of dialing
you from the number you called, even if you specifically asked them to
use a different callback number.

> However, SIP scanning and brute forcing has become really common, so it's 
> about as likely that a phone system has been compromised as someone is 
> forging callerID to one of its numbers.

Correct.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



RE: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Jon Lewis

On Wed, 6 Oct 2010, Matthew Huff wrote:

> Digital all the way through. No sip. No outside access to the PBX subnet 
> either. Just a minute ago our telco has verified that the calls are 
> not originating from our phone system. It's a simple caller id spoofing. 
> People don't realize that caller id can be spoofed and therefore are 
> 100% sure that we are making the harassing calls.


Some do.  Anyone with control of a phone system with digital lines (i.e. 
asterisk with PRI) can trivially set callerID to whatever they want. 
There are perfectly legitimate, and not so legitimate uses for this.


However, SIP scanning and brute forcing has become really common, so it's 
about as likely that a phone system has been compromised as someone is 
forging callerID to one of its numbers.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Brielle Bruns

On 10/6/10 9:43 AM, Matthew Huff wrote:

> Digital all the way through. No sip. No outside access to the PBX
> subnet either. Just a minute ago our telco has verified that the
> calls are not originating from our phone system. It's a simple caller
> id spoofing. People don't realize that caller id can be spoofed and
> therefore are 100% sure that we are making the harassing calls.
>
> Just wanted nanog to be aware of this since the only two numbers that
> this has happened with are the ones in our ARIN whois records.





I'm currently dealing with an engineering firm in Florida that I believe
is having the same issue.  Getting calls at 2am, 3am MDT and at the
exact same time 12 hours later to one of my numbers which has call
screening.

Left a message with their IT department, so hoping they follow up and
return my call.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



2010.10.06 NANOG50 day 3, Wednesday morning notes

2010-10-06 Thread Matthew Petach
Thanks to everyone for a wonderful conference--this wraps
the last of NANOG50--see you all in Miami!

Notes from this morning's session are posted at

http://kestrel3.netflight.com/2010.10.06-NANOG50-morning-notes.txt

sorry about the gaps, I kinda nodded off now and then--only got 2 hours
of sleep last night.  ^_^;;

Apologies for typos, misspellings, etc.

Thanks again for a wonderful conference!!  :)

Matt



RE: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Matthew Huff
Digital all the way through. No sip. No outside access to the PBX subnet 
either. Just a minute ago our telco has verified that the calls are not 
originating from our phone system. It's a simple caller id spoofing. People 
don't realize that caller id can be spoofed and therefore are 100% sure that we 
are making the harassing calls. 

Just wanted nanog to be aware of this since the only two numbers that this has 
happened with are the ones in our ARIN whois records.




Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



> -Original Message-
> From: Jon Lewis [mailto:jle...@lewis.org]
> Sent: Wednesday, October 06, 2010 11:34 AM
> To: Matthew Huff
> Cc: '(nanog@nanog.org)'
> Subject: RE: Scam telemarketers spoofing our NOC phone number for callerid
> 
> On Wed, 6 Oct 2010, Matthew Huff wrote:
> 
> > Our system is PRI based, not sip.
> 
> PRI for origination and termination...but what are your phones?  Old
> school or VOIP/SIP?  If your phone system supports SIP clients, it really
> ought to be IP restricted to only allow your phones access, or use
> something like fail2ban to stop the SIP scanners from eventually gaining
> access.
> 
> --
>   Jon Lewis, MCP :)   |  I route
>   Senior Network Engineer |  therefore you are
>   Atlantic Net|
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_

RE: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Jon Lewis

On Wed, 6 Oct 2010, Matthew Huff wrote:


> Our system is PRI based, not sip.


PRI for origination and termination...but what are your phones?  Old 
school or VOIP/SIP?  If your phone system supports SIP clients, it really 
ought to be IP restricted to only allow your phones access, or use 
something like fail2ban to stop the SIP scanners from eventually gaining 
access.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Matthew Huff
Our system is PRI based, not sip.


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



> -Original Message-
> From: wher...@gmail.com [mailto:wher...@gmail.com] On Behalf Of William Herrin
> Sent: Wednesday, October 06, 2010 11:15 AM
> To: Dan White
> Cc: Matthew Huff; (nanog@nanog.org)
> Subject: Re: Scam telemarketers spoofing our NOC phone number for callerid
> 
> On Wed, Oct 6, 2010 at 10:37 AM, Dan White  wrote:
> > If your PBX is SIP based, you might be victim of a SIP registration hijack,
> > which are on the rise, based on traffic we've been seeing in our network.
> 
> I had my unpublished asterisk box up for all of two days before
> getting half a megabit per second worth of false SIP registration
> attempts. Filled /var/log. I had to write a script to dynamically
> filter source IPs with too many failures.
> 
> Regards,
> Bill Herrin
> 
> --
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: 
> Falls Church, VA 22042-3004

Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread William Herrin
On Wed, Oct 6, 2010 at 10:37 AM, Dan White  wrote:
> If your PBX is SIP based, you might be victim of a SIP registration hijack,
> which are on the rise, based on traffic we've been seeing in our network.

I had my unpublished asterisk box up for all of two days before
getting half a megabit per second worth of false SIP registration
attempts. Filled /var/log. I had to write a script to dynamically
filter source IPs with too many failures.

Regards,
Bill Herrin

-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004
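
An added example, not code from this thread: a minimal version of the kind of script Bill Herrin describes (and that fail2ban automates, per Jon Lewis), counting failed SIP registrations per source IP in a sliding window. The log line format, the thresholds, the allowlist parameter and the iptables action are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of Asterisk chan_sip NOTICE lines (assumed format).
P = "NOTICE[2101] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for"
SAMPLE_LOG = f"""\
[2010-10-06 11:00:01] {P} '198.51.100.23' - No matching peer found
[2010-10-06 11:00:02] {P} '198.51.100.23' - Wrong password
[2010-10-06 11:00:02] {P} '203.0.113.77' - Wrong password
[2010-10-06 11:00:03] {P} '198.51.100.23' - Wrong password
[2010-10-06 11:00:04] {P} '198.51.100.23:5060' - Wrong password
[2010-10-06 11:00:05] NOTICE[2101] chan_sip.c: Peer '101' is now Reachable
[2010-10-06 11:09:40] {P} '203.0.113.77' - Wrong password
"""

# Greedy '.*' so the IP is taken from the text the server appends at the end
# of the line, not from the client-supplied From header earlier in the line.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]{10} [\d:]{8})\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - ")

def offenders(lines, max_failures=3, window_s=60, allow=frozenset()):
    """Source IPs with more than max_failures failed REGISTERs in any
    window_s-second window, in the order they were first flagged."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in allow:   # skip other log lines and known phones
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:       # expire failures older than the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def drop_rules(ips):
    """One possible response: iptables rules dropping SIP (UDP 5060) per source."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG.splitlines()))))
```

Passing the addresses of legitimate phones in `allow` keeps a misconfigured handset from being filtered along with the scanners.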



Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Dan White

On 06/10/10 10:29 -0400, Matthew Huff wrote:

> We have recently gotten complaints of harassing and high pressure sales scams
> originating from our NOC's phone number. Since the number is a virtual number on
> the PBX, it can't be used for outgoing calls. I assume the scammers choose the
> number from the whois db. Anyone else seen this happening? Any suggestions on
> whom we should contact?


Could be Caller ID spoofing. If so, have a recipient of the call perform a
trap and trace to find the originator of the call (doing so may require you
to file a police report to find who's making the calls, depending on your
jurisdiction).

If your PBX is SIP based, you might be victim of a SIP registration hijack,
which are on the rise, based on traffic we've been seeing in our network.

--
Dan White



Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Owen DeLong

On Oct 6, 2010, at 6:35 AM, Ben McGinnes wrote:

> On 7/10/10 12:08 AM, Eric Brunner-Williams wrote:
>> so ... should domains associated with asn(s) and addr block allocations
>> be subject to some expiry policy other than "it goes into the drop pool
>> and one of {enom,pool,...} acquire it (and the associated non-traffic
>> assets) for any interested party at $50 per /24"?
> 
> Interesting idea, but how do you apply it to ccTLD domains with widely
> varying policies.  All it takes is whois records being legitimately
> updated to use domain contacts using a ccTLD domain to circumvent.
> Sounds like more of a stop-gap measure.
> 
> 
> Regards,
> Ben
> 
> 

Number resources are not and should not be associated with domain
resources at the policy level. This would make absolutely no sense
whatsoever.

Owen




Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread Matthew Huff
We have recently gotten complaints of harassing and high pressure sales scams 
originating from our NOC's phone number. Since the number is a virtual number on 
the PBX, it can't be used for outgoing calls. I assume the scammers choose the 
number from the whois db. Anyone else seen this happening? Any suggestions on 
whom we should contact?




Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139




Re: Anyone can share the Network card experience

2010-10-06 Thread Joel Jaeggli
On 10/5/10 10:01 AM, Deric Kwok wrote:
> Hi
> 
> Anyone can share the Network card experience
> 
> Is onboard PCI Expresscard better or Plug in slot PCI Express card good?

both are likely to be pci-e x1 interfaces if it's a single or dual port
chipset.

> How are their performance in Gig transfer rate?

should be a 100% in an appropriately fast machine.

you'll find that most 4 port gig or 10gig cards have x4 or x8 connectors.

> Thank you so much
> 




Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Ben McGinnes
On 7/10/10 12:08 AM, Eric Brunner-Williams wrote:
> so ... should domains associated with asn(s) and addr block allocations
> be subject to some expiry policy other than "it goes into the drop pool
> and one of {enom,pool,...} acquire it (and the associated non-traffic
> assets) for any interested party at $50 per /24"?

Interesting idea, but how do you apply it to ccTLD domains with widely
varying policies.  All it takes is whois records being legitimately
updated to use domain contacts using a ccTLD domain to circumvent.
Sounds like more of a stop-gap measure.


Regards,
Ben






Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Eric Brunner-Williams
so ... should domains associated with asn(s) and addr block 
allocations be subject to some expiry policy other than "it goes into 
the drop pool and one of {enom,pool,...} acquire it (and the 
associated non-traffic assets) for any interested party at $50 per /24"?


Eric



Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Heath Jones
> Certainly, fine folks at Reliance Globalcom Services, Inc. could tell
> us who is paying them to connect these hijacked blocks to their network,
> but I rather doubt that they are actually going to come clean and do
> that.

Ron, I haven't been following this anti-spam stuff much since it went
political with ARIN but I do have a few quick questions (relating to
US law and spam).

1) Is spamming from within the US criminal activity? What constitutes
spam in that case?
2) If you could justify the incoming spam as a DOS, is that criminal
activity? Could you justify it as a DOS?
3) Is providing ARIN with bogus information just to get around their
processes criminal activity?
4) Is obtaining disused IP space / AS allocations from assigned
entity, and not updating ARIN criminal activity?
5) Is advertising Prefixes or AS number assigned to another entity
criminal activity?

6) If any of the above could be classed as criminal activity, are
Reliance Globalcom (in this case) legally obligated to cut them off?,
or just help by switching on a packet capture (new law coming into
effect i think??)


Cheers
Heath



New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Ronald F. Guilmette


[[ Note:  There are three more apparently hijacked blocks that are related
   to the 75 specific blocks I am reporting on herein.  I'll be reporting
   on those other three blocks later on, but right now I just want to keep
   it simple and report on just the ones relating to directnet.net. ]]

So anyway, presented below, as Rod Serling would have said, "... for your
approval..." you will find a collection of 75 separate IP blocks, all of
which appear to have been hijacked in one big gulp.

One /21, plus seventy four /24s.

This case was done, quite neatly, the good old fashioned way apparently
by trivial identity theft.  (And I should say that no fault whatsoever
accrues in any way to ARIN in this case.  They were not even involved in
the slightest, since all of the relevant WHOIS records have remained utterly
unchanged throughout this entire hijacking.)

The identity theft:

A company that was responsible for one /21 block and 74 separate /24
blocks (all of the latter of which had been originally allocated for
various U.S. elementary schools, middle schools, and high schools)
apparently went out of business.  In due time, the company's domain
name (directnet.net) came up for sale.  It was purchased for $4,000,
sometime between May 31, 2010 and June 13, 2010:

 http://www.dnjournal.com/archive/domainsales/2010/20100623.htm

Subsequently, the domain name was transferred to an anonymizing
registrar in the Cayman Islands.  Sometime before or after that
purchase, whoever had purchased the directnet.net domain convinced
the fine folks at Reliance Globalcom Services, Inc., (AS6517) to
announce routes to 100% of this rather cleverly hijacked IP space.
(See complete IP block list attached below.)

Sometime after that, the IP blocks in question began to fill up with
snowshoe name servers and snowshoe spam domains.

The entire set of relevant ARIN WHOIS records for the hijacked IP blocks,
along with the new WHOIS record for the newly re-registered directnet.net
domain, and also a listing of the snowshoe domains and name servers that
have been created in, or moved into these hijacked IP blocks are all
available here:

 http://www.47-usc-230c2.org/hijacked-schools/

Although it is impossible to be absolutely certain who engineered this
clever hijacking, some of the evidence available to me at this time
suggests that a particular company listed on Spamhaus' ROKSO list may
possibly have either had a hand in engineering the hijacking, or
else may possibly have benefitted from it, after the fact, i.e. obtaining
IP space which they could then sub-lease to their space-hungry customers.

Certainly, fine folks at Reliance Globalcom Services, Inc. could tell
us who is paying them to connect these hijacked blocks to their network,
but I rather doubt that they are actually going to come clean and do
that.


Regards,
rfg


Hijacked blocks:
