PCH survey on peering

2011-03-31 Thread Bill Woodcock


Howdy.

We're conducting a statistical overview of peering sessions for a research 
paper.  The paper we produce will be input into OECD guidelines on national 
communications regulatory frameworks, so we'd very much like it to accurately 
reflect the diversity of peering agreements out there in the world.  At the 
same time, if we ask for too much data, people will be reluctant to answer our 
questions, so we've tried to keep the data we're collecting as simple as 
possible.

Specifically, for each other Autonomous System you peer with, we'd be 
interested in knowing the following five pieces of information:

    Your ASN
    Your peer's ASN
    Whether a written and signed peering agreement exists (the alternative
        being that it's less formal, like a "handshake agreement")
    Whether the terms are roughly symmetric (the alternative being that it
        describes an agreement with different terms for each of the two
        parties, like one paying the other, or one receiving more or fewer
        than full customer routes)
    If a jurisdiction of governing law is defined

The easiest way for us to take the information is as a tab-text file or 
spreadsheet, consisting of rows as follows:

Your ASN: Integer
Peer ASN: Integer
Written agreement: Boolean
Symmetric: Boolean
Governing Law: ISO 3166 two-digit country-code, or empty

For instance:

42  715  false  true  us 
42  3856  true  true  us 

The ASNs are just there so we can avoid double-counting a single pair of peers, 
when we hear from both of them.  As soon as we've collated the data, we'll 
strip the ASNs to protect privacy, and only the final aggregate statistics will 
be published in any case.  We've currently got about 10,000 sessions 
documented, and would love to have as many more as possible.  We'd like to 
finish collecting data by the end of the second week of April, two weeks from 
now.

If you're able to help us, please email me the data in whatever form you can.  
If you need a non-disclosure, we're happy to sign one.

Thanks for considering this,

-Bill Woodcock
 Research Director
 Packet Clearing House









Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Ronald F. Guilmette

In message , 
Brandon Ross  wrote:

>On Wed, 30 Mar 2011, Ross Harvey wrote:
>
>> Wait a second, I'm pretty sure that in most contexts, a signature or
>> letterhead means not so much "this is real because it's so obviously
>> genuine", but rather:
>>
>> "This is real or I am willing to take a forgery rap".
>
>Do you think most providers check the signer's ID to make sure they 
>actually signed their own name?  How do you prove that whomever you accuse 
>of signing it actually forged it if not?
>
>Does anyone know of there ever being even a single case where someone was 
>convicted of forgery for this?

Excuse me, but I think that this discussion is starting to stray rather
far from either the known or the reasonably plausible facts.

In the first place, I do not accept the theory that either Circle Internet
or Bandcon were hoodwinked by cleverly forged letterheads, and there is
no evidence I am aware of which would support that theory.

Until, if ever, additional facts are forthcoming, I believe that it is
just as plausible that some spammer simply came to each of these companies
and said to them "Hi!  I really want to hijack these two unused /16 blocks.
Will you help me?" and that one, or another, or perhaps both of these
companies simply replied "Yea.  Sure.  We didn't quite make our quarterly
numbers, and we are always on the lookout for new revenue streams.  So
how much money do you intend to give us if we help you with this, exactly?"

In the second place, this amusing "letterhead fraud" theory only holds
up if one also believes that, upon being presented with a mere forged
letterhead, allegedly coming in "over the transom" as it were, i.e. from
a previously unknown source, along with a request to announce some
routes to a couple of sizable blocks of IPv4 space, neither Circle
Internet nor BandCon even bothered to pick up the bleepin' phone to call
the contact number that is/was plainly visible for all to see, right
there in the relevant ARIN allocation WHOIS records for the IPv4 space
in question.

Then there is also the small matter of the name on the _checks_...
you know... the checks that _somebody_ had to write, in the first instance,
before either BandCon or Circle Internet would have been likely to provide
_any_ kind of service to some new and total stranger.  Or was this "duped
by clever forgeries" single bullet theory that you folks have been
discussing also intended to include the forging of CHECKS in the name of
"Hoechst Celanese Corporation"?


See, no matter how you slice it, both BandCon and Circle Internet have
a lot of explaining to do.  At the very least, and even if this
implausible "forged letterhead" theory were true... which I gravely
doubt... both BandCon and Circle Internet have been rather grotesquely
negligent, i.e. in accepting, without any checking whatsoever, the
representations made to them by some total stranger who simply
parachuted out of the clouds one day, clutching a forged letterhead in one
hand and a bag of unmarked small denomination bills in the other.

So that's the very least... the companies were both, at the very least,
rather stupendously negligent.

At the very worst on the other hand, one or another or both of them may
have been entirely "in on" and part of these hijacking schemes/scams from
the get-go.

I myself would tend to go with the latter theory, simply because it is
the only one that would seem to make any sense, you know, logically.  Ask
yourself which of these theories seems the most plausible?

1)  The spammer forged two checks in the name "Hoechst Celanese
Corporation" and gave one each to Circle Internet and BandCon,
respectively, along with similarly forged letters of introduction
and requests for routing of IP space.

Unless I am misremembering, this means that the spammer would have
engaged in not one but TWO very serious federal fraud offenses.

Even sleazy low-life spammers do not customarily accept this level
of risk, e.g. just to get their hands on some IPv4 space which, we
must remember, is only likely to be of value to them for a relatively
brief period of time, EVEN IF they can manage to keep it routed.

2)  The spammers gave Circle Internet and BandCon forged letters of
introduction (on forged letterheads) and requests for routing
services, and gave the two companies -zero- actual money, and
nonetheless, both companies started happily announcing routes for
the purported "Hoechst Celanese Corporation", even though neither
company received a dime for this service, and even though they both
CONTINUED to provide this service, utterly for free, apparently for
at least THREE FULL MONTHS.

3)  The spammers gave Circle Internet and BandCon forged letters of
introduction (on forged letterheads) and requests for routing
services, and gave the two companies checks that were NOT
   

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Christopher Morrow
On Thu, Mar 31, 2011 at 7:57 AM, Owen DeLong  wrote:
>
> On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:
>
>> It also needs
>>
>> 1. Someone to complain to law enforcement
>>
> True,

as has been brought up in the past here... some folk rely heavily upon
IRR data for route prefix filtering. if the object is in the IRR
database (with the right linkages), it gets permitted in router
filters automagically.

-chris
(being able to validate 'ownership', really authorization to route,
automatically will sure be nice, eh?)



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Christopher Morrow
On Thu, Mar 31, 2011 at 11:48 AM, Christopher Morrow
 wrote:
> On Thu, Mar 31, 2011 at 7:57 AM, Owen DeLong  wrote:
>>
>> On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:
>>
>>> It also needs
>>>
>>> 1. Someone to complain to law enforcement
>>>
>> True,
>
> as has been brought up in the past here... some folk rely heavily upon
> IRR data for route prefix filtering. if the object is in the IRR
> database (with the right linkages), it gets permitted in router
> filters automagically.

I forgot:
$ whois -h whois.radb.net 148.163.0.0
route: 148.163.0.0/16
descr: /16 for Celanese
origin:AS13767
mnt-by:DBANK-MNT
changed:   jp...@databank.com 20090818
source:LEVEL3

(this means l3 proxy'd in the record, I think... maybe an L3 person
can speak to this bit?)

> -chris
> (being able to validate 'ownership', really authorization to route,
> automatically will sure be nice, eh?)
>



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Ronald F. Guilmette

In message , 
Owen DeLong  wrote:

>Cleaning up the routing {is not what ARIN does or thinks it should do}, true.
>
>However, this sounds like there are two issues...
>
>1. Routing -- Would be nice if the advertising provider(s) stopped doing
>   so.  Not something ARIN can really do much about.
>
>2. Database -- Sounds like the existing resource holder may not still
>   be using the resource or may no longer exist. In either case, it's
>   worth having ARIN investigate the situation and take appropriate
>   database action if that is the case.

Worth it to whom?

I can tell you quite frankly that it sure as shineola isn't worth wasting
even one more additional second of _my_ time to try to beg, plead, cajole,
or browbeat ARIN/Curran into cleaning up the mess that is the IPv4 allocation
data base.  I've been down that road already, and all I have to show for it
is a couple of prominent boot marks on my ass and a couple of new enemies-
for-life... neither of which I really needed.

And also, frankly, I am utterly dumbfounded that you, of all people, should
be the one to suggest that this particular cock-up in the IPv4 allocation
data base is something that should be fixed.  I mean really, WTF?  Didn't
you, and I, and several other people already go through all of this at
least a couple of dozen times already on the ARIN public policy mailing
list?  And wasn't it you, in particular, who was consistently the most
vocal and avid proponent of the view that ANY effort expended on cleaning
up the IPv4 allocations DB would be an utter waste of time and valuable
manpower, and that ultimately, any efforts along those lines would only
serve to give those procrastinating on the inevitable shift to IPv6 more
time to procrastinate?

Seriously, I was left with the impression that if IPv6 were a person, it
would be you, and that if it were a company, you would be the majority
shareholder.  (Not that there would be anything wrong with that.)

Now all of a sudden you actually CARE about IPv4 allocations??  I say again,
WTF?

Color me flabbergasted.

Anyway, none of this makes any difference.  If somebody (you?) wants to
report either or both of these hijacked IPv4 blocks to ARIN... well...
be my guest.  If your plan was to wait around for me to do it, you are
in for a long wait.  I have more productive uses for my time just now,
like counting the pennies in my change jar and checking Craigslist for
mint Rolls Royces priced under a dollar.


Regards,
rfg



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Tony Tauber
I don't believe this record indicates that Level3 proxy registered the route
object.
It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to
enter a route object 18 months ago.

It looks like Level3 is originating the route in AS3356, not accepting it
from AS13767 (which is what the object would suggest to do.)

Oops, looks like the route is now gone.  Guess it got cleaned.

Tony

On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow  wrote:

>
> I forgot:
> $ whois -h whois.radb.net 148.163.0.0
> route: 148.163.0.0/16
> descr: /16 for Celanese
> origin:AS13767
> mnt-by:DBANK-MNT
> changed:   jp...@databank.com 20090818
> source:LEVEL3
>
> (this means l3 proxy'd in the record, I think... maybe an L3 person
> can speak to this bit?)
>
> > -chris
> > (being able to validate 'ownership', really authorization to route,
> > automatically will sure be nice, eh?)
> >
>
>


Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Christopher Morrow
On Thu, Mar 31, 2011 at 5:33 PM, Tony Tauber  wrote:
> I don't believe this record indicates that Level3 proxy registered the route
> object.
> It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to
> enter a route object 18 months ago.
>

possibly...

> It looks like Level3 is originating the route in AS3356, not accepting it
> from AS13767 (which is what the object would suggest to do.)
>
> Oops, looks like the route is now gone.  Guess it got cleaned.
>

l3 ams router says:
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i148.163.0.0/20   4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*>i148.163.64.0/20  4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*  148.163.178.0/24 213.206.131.45          10     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
*  148.163.179.0/24 213.206.131.45          10     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
* i148.163.224.0/19 4.69.181.3               0    100      0 i
*>i                 4.69.181.3               0    100      0 i

there's a possibility that, in this case, L3 is simply holding up the
/16 for their customer, sinking junk traffic and permitting more
specifics by the customer? (it's not clear here, though the above
seems to show sprint propagating databank's prefixes while L3 is
originating some parts of the /16 still.)



indicates that the 2 upstreams for databank are apparently L3 and sprint.

-Chris

> Tony
>
> On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow
>  wrote:
>>
>> I forgot:
>> $ whois -h whois.radb.net 148.163.0.0
>> route:         148.163.0.0/16
>> descr:         /16 for Celanese
>> origin:        AS13767
>> mnt-by:        DBANK-MNT
>> changed:       jp...@databank.com 20090818
>> source:        LEVEL3
>>
>> (this means l3 proxy'd in the record, I think... maybe an L3 person
>> can speak to this bit?)
>>
>> > -chris
>> > (being able to validate 'ownership', really authorization to route,
>> > automatically will sure be nice, eh?)
>> >
>>
>
>
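
Added example, not part of any post in this thread: a check of the route object quoted above against the origins in the looking-glass output, which is the comparison Tony Tauber makes by hand. The (prefix, AS path) pairs are transcribed from that output, LOCAL_AS = 3356 is an assumption taken from his message, and the function names are illustrative.

```python
import ipaddress

# Route object as quoted in the thread (whois -h whois.radb.net 148.163.0.0).
ROUTE_OBJECT = """\
route:         148.163.0.0/16
descr:         /16 for Celanese
origin:        AS13767
mnt-by:        DBANK-MNT
changed:       jp...@databank.com 20090818
source:        LEVEL3
"""

# (prefix, AS path) pairs transcribed from the looking-glass output in the
# thread.  An empty path means the route originates inside the router's own AS.
OBSERVED = [
    ("148.163.0.0/20", ""),
    ("148.163.64.0/20", ""),
    ("148.163.178.0/24", "1239 13767"),
    ("148.163.178.0/24", "13767"),
    ("148.163.179.0/24", "1239 13767"),
    ("148.163.179.0/24", "13767"),
    ("148.163.224.0/19", ""),
]

LOCAL_AS = 3356  # assumption: the AS of the router that produced the output


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}."""
    obj, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue  # blank line or server comment
        if line[0] in " \t+" and last:
            # Continuation line: append to the previous attribute's value.
            obj[last][-1] += " " + line[1:].strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an RPSL attribute line: {line!r}")
        last = key.strip().lower()
        obj.setdefault(last, []).append(value.strip())
    return obj


def path_origin(as_path, local_as):
    """Return the origin AS: the rightmost ASN, or local_as for an empty path."""
    tokens = as_path.split()
    if not tokens:
        return local_as
    if not tokens[-1].isdigit():  # e.g. an AS_SET such as {64500,64501}
        return None
    return int(tokens[-1])


def audit(route_text, observed, local_as):
    """Classify each observed route against the registered route object."""
    obj = parse_rpsl(route_text)
    registered = ipaddress.ip_network(obj["route"][0])
    origin_attr = obj["origin"][0].upper()
    reg_origin = int(origin_attr[2:] if origin_attr.startswith("AS") else origin_attr)

    findings = []
    for prefix, as_path in observed:
        net = ipaddress.ip_network(prefix)
        origin = path_origin(as_path, local_as)
        if net.version != registered.version or not net.subnet_of(registered):
            status = "not-covered"        # outside the registered prefix
        elif origin != reg_origin:
            status = "origin-mismatch"    # announced by an AS the object does not name
        elif net.prefixlen > registered.prefixlen:
            status = "more-specific"      # right origin, longer than the registered /16
        else:
            status = "ok"
        findings.append((prefix, origin, status))
    return findings


if __name__ == "__main__":
    for prefix, origin, status in audit(ROUTE_OBJECT, OBSERVED, LOCAL_AS):
        print(f"{prefix:<18} origin AS{origin}  {status}")
```
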



Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Jima

On 03/30/2011 03:53 PM, Ronald F. Guilmette wrote:

I just stumbled onto this one the other day.

Apparently, Spamhaus has known about this one for THREE MONTHS already:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL98308

It's being routed by AS11730, aka "Circle Internet LTD", a known spammer-
friendly provider that I have come across many times in the past.

They in turn are getting connectivity from:

AS26769  BandCon
AS7385   Integra Telecom

These companies are also not known for being especially scrupulous either.
But I mean seriously, Jesus Christ!  Does ANYBODY even give a crap about
blatant naked IP space hijacking anymore?  Or is the entire net now on
its final slow descent into utter chaos?


 This address space seems to be offline now.  I for one forwarded info 
to a contact at Integra, but I can't attest to whether that had anything 
to do with it.


 I guess we can call this a victory for the community?  I dunno.

 Jima



Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread rr
For the record, Integra Telecom did have LOA for said netblock.
Needless to say LOA was forged on company letterhead with appropriate
signatures. Once brought to our attention we attempted to contact
customer to no avail, netblock has been removed until they prove
otherwise.

Randy Rooney

On Thu, Mar 31, 2011 at 10:04 AM, Jima  wrote:
> On 03/30/2011 03:53 PM, Ronald F. Guilmette wrote:
>>
>> I just stumbled onto this one the other day.
>>
>> Apparently, Spamhaus has known about this one for THREE MONTHS already:
>>
>>    http://www.spamhaus.org/sbl/sbl.lasso?query=SBL98308
>>
>> It's being routed by AS11730, aka "Circle Internet LTD", a known spammer-
>> friendly provider that I have come across many times in the past.
>>
>> They in turn are getting connectivity from:
>>
>>    AS26769  BandCon
>>    AS7385   Integra Telecom
>>
>> These companies are also not known for being especially scrupulous either.
>> But I mean seriously, Jesus Christ!  Does ANYBODY even give a crap about
>> blatant naked IP space hijacking anymore?  Or is the entire net now on
>> its final slow descent into utter chaos?
>
>  This address space seems to be offline now.  I for one forwarded info to a
> contact at Integra, but I can't attest to whether that had anything to do
> with it.
>
>  I guess we can call this a victory for the community?  I dunno.
>
>     Jima
>
>



Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Jima

On 03/31/2011 12:12 PM, rr wrote:

For the record, Integra Telecom did have LOA for said netblock.
Needless to say LOA was forged on company letterhead with appropriate
signatures. Once brought to our attention we attempted to contact
customer to no avail, netblock has been removed until they prove
otherwise.


 Thank you for your forthright answer.  I can't speak for others, but I 
appreciate the clarification.


 Jima



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Matthew Petach
On Thu, Mar 31, 2011 at 3:11 AM, Ronald F. Guilmette
 wrote:
>
...
> Seriously, I was left with the impression that if IPv6 were a person, it
> would be you, and that if it were a company, you would be the majority
> shareholder.  (Not that there would be anything wrong with that.)

I for one would put money on the table towards the "rename Owen to Mr. IPv6"
effort.   I think it would be wonderful to be able to honestly say
"IPv6 is in da
house!" every time the person formerly known as Owen walked into the
room at ARIN meetings.  :D

Matt



NAP Capital Region Culpeper

2011-03-31 Thread Mehmet Akcin
Hello

I am looking for people who have space and / or network in Terremark culpeper , 
please contact me off-list ( or people who are planning to get there sometime 
soon..)

mehmet


RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Stefan Fouant
> -Original Message-
> From: Matthew Petach [mailto:mpet...@netflight.com]
> Sent: Thursday, March 31, 2011 2:28 PM
> 
> I for one would put money on the table towards the "rename Owen to Mr.
> IPv6"
> effort.   I think it would be wonderful to be able to honestly say
> "IPv6 is in da
> house!" every time the person formerly known as Owen walked into the
> room at ARIN meetings.  :D

+1 | That, or "The evangelist formerly known as Owen..." :p

Stefan Fouant





Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Ronald F. Guilmette

In message ,
rr  wrote:

>For the record, Integra Telecom did have LOA for said netblock.
>Needless to say LOA was forged on company letterhead with appropriate
>signatures. Once brought to our attention we attempted to contact
>customer to no avail, netblock has been removed until they prove
>otherwise.
>
>Randy Rooney


Mr. Rooney,

Since you have been kind enough to drop by, you know, to help clarify what
went on here, I wonder if you would mind very much just providing a couple
of small additional clarifications.

First, could you tell me what job title you hold at Integra Telecom please?
(I wouldn't even ask, but you are apparently posting from a gmail account,
and that always makes me a bit... well... leery.)

Second, because I am actually an ignorant son-of-a-bitch (despite any
possible appearances to the contrary), I wonder if, just for my personal
edification, you could tell me exactly what "LOA" stands for in this context.
(Yes, I really don't know, but would like to.)

Thirdly, I'd very much like to know if your company is in the habit of
providing services (e.g. transit, routing) to other parties at no charge,
and for extended periods of time.

Lastly, assuming that your company is NOT in the habit of providing services
(e.g. routing, transit) to other parties at no charge, then I think that I
can speak for many here when I say that I would really appreciate it if you
could tell me/us whose name was on the check that was used to pay for the
services that your company apparently did provide to the 159.223.0.0/16 IP
block, apparently for a period in excess of three months.

If in fact the other party involved in this incident deceived and defrauded
you in some way, then I hardly think that this information, i.e. the name
on the check that paid for all this, is something that Integra has any
special obligation to keep secret.  Even if there ever had been any such
obligation, legal, ethical, or otherwise, I do believe that the other
party involved has now nullified any such obligation by their very act
of committing a rather outrageous and damaging fraud upon your company.

I look forward to your response.


Regards,
rfg




Final step of .com DNSSEC deployment

2011-03-31 Thread Matt Larson
As part of the deployment of DNSSEC in .com, the zone has been signed
and in a "deliberately unvalidatable" state for several weeks.  Late
last week the .com key material was unobscured and the actual keys
have been visible in the zone since March 24.

The final step in the deployment was publishing the .com zone's DS
record in the root zone.

I am pleased to report that the root zone including a DS record for
.com was published at approximately 1500 UTC today, March 31.

Matt Larson, on behalf of the many people at Verisign who made this
deployment possible



Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread rr
Hmm, thought it was a NANOG prerequisite to be able to do a google
search. Should be pretty easy to find this info with that tool in your
handbag.

With the above tool I've got your phone # and would be happy to call
you if you'd like clarification on our process.

Please just reply to me off-list.

Randy

On Thu, Mar 31, 2011 at 12:32 PM, Ronald F. Guilmette
 wrote:
>
> In message ,
> rr  wrote:
>
>>For the record, Integra Telecom did have LOA for said netblock.
>>Needless to say LOA was forged on company letterhead with appropriate
>>signatures. Once brought to our attention we attempted to contact
>>customer to no avail, netblock has been removed until they prove
>>otherwise.
>>
>>Randy Rooney
>
>
> Mr. Rooney,
>
> Since you have been kind enough to drop by, you know, to help clarify what
> went on here, I wonder if you would mind very much just providing a couple
> of small additional clarifications.
>
> First, could you tell me what job title you hold at Integra Telecom please?
> (I wouldn't even ask, but you are apparently posting from a gmail account,
> and that always makes me a bit... well... leery.)
>
> Second, because I am actually an ignorant son-of-a-bitch (despite any
> possible appearances to the contrary), I wonder if, just for my personal
> edification, you could tell me exactly what "LOA" stands for in this context.
> (Yes, I really don't know, but would like to.)
>
> Thirdly, I'd very much like to know if your company is in the habit of
> providing services (e.g. transit, routing) to other parties at no charge,
> and for extended periods of time.
>
> Lastly, assuming that your company is NOT in the habit of providing services
> (e.g. routing, transit) to other parties at no charge, then I think that I
> can speak for many here when I say that I would really appreciate it if you
> could tell me/us whose name was on the check that was used to pay for the
> services that your company apparently did provide to the 159.223.0.0/16 IP
> block, apparently for a period in excess of three months.
>
> If in fact the other party involved in this incident deceived and defrauded
> you in some way, then I hardly think that this information, i.e. the name
> on the check that paid for all this, is something that Integra has any
> special obligation to keep secret.  Even if there ever had been any such
> obligation, legal, ethical, or otherwise, I do believe that the other
> party involved has now nullified any such obligation by their very act
> of committing a rather outrageous and damaging fraud upon your company.
>
> I look forward to your response.
>
>
> Regards,
> rfg
>
>



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Owen DeLong

On Mar 31, 2011, at 12:01 PM, Stefan Fouant wrote:

>> -Original Message-
>> From: Matthew Petach [mailto:mpet...@netflight.com]
>> Sent: Thursday, March 31, 2011 2:28 PM
>> 
>> I for one would put money on the table towards the "rename Owen to Mr.
>> IPv6"
>> effort.   I think it would be wonderful to be able to honestly say
>> "IPv6 is in da
>> house!" every time the person formerly known as Owen walked into the
>> room at ARIN meetings.  :D
> 
> +1 | That, or "The evangelist formerly known as Owen..." :p
> 
> Stefan Fouant
> 
> 
ROFLMAO

Owen




RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Rafael Cresci
>> I for one would put money on the table towards the "rename Owen to Mr.
>> IPv6"
>> effort.   I think it would be wonderful to be able to honestly say
>> "IPv6 is in da
>> house!" every time the person formerly known as Owen walked into the 
>> room at ARIN meetings.  :D

"Like a v6, like a v6" could be the soundtrack... :-)

[]s
Rafael Cresci


Re: IPv6 SEO implecations?

2011-03-31 Thread Wil Schultz
On Mar 30, 2011, at 4:55 PM, Wil Schultz wrote:

> 
> 
> On Mar 30, 2011, at 4:39 PM, Alexander Harrowell  
> wrote:
> 
>> On Tuesday 29 Mar 2011 17:54:27 Wil Schultz wrote:
>>> On Mar 29, 2011, at 3:51 AM, Franck Martin wrote:
>>> 
>>> 
>>> And here's a breakdown of which user agents are seen on which ip, as you 
>>> can 
>> see the user-agent doesn't exactly match IP range. 
>>> 
>>> Googlebot-Image/1.0
>> 
>>> Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html); 
>> 
>>> DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; 
>> +http://www.google.com/bot.html)
>> 
>>> SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 
>> UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; 
>> +http://www.google.com/bot.html)
>> 
>> Interesting that there are Googlebot mobile devices! Perhaps user-experience 
>> testing of some kind? Googlers? Or IPv6 testing of the devices themselves? 
>> Although those user strings are indicative of not very recent, non-Android 
>> phones.
>> 
>> Would be interesting to see the percentages of traffic by each user agent.
>> -- 
>> The only thing worse than e-mail disclaimers...is people who send e-mail to 
>> lists complaining about them
> 
> I've got the logs still but I've torn down the VIP. I'll send hit count 
> percentages tomorrow. 
> 
> -wil

As promised, here are some percentages.

By IP, seems there are three main IP addresses:

2001:4860:4801:1302:0:6006:1300:b075 --> 0.33%
2001:4860:4801:1303:0:6006:1300:b075 --> 0.17%
2001:4860:4801:1401:0:6006:1300:b075 --> 0.31%
2001:4860:4801:1402:0:6006:1300:b075 --> 0.17%
2001:4860:4801:1404:0:6006:1300:b075 --> 1.34%
2001:4860:4801:1405:0:6006:1300:b075 --> 48.1%
2001:4860:4801:1407:0:6006:1300:b075 --> 24.82%
2001:4860:4801:1408:0:6006:1300:b075 --> 24.70%



By user-agent:

Googlebot-Image/1.0 --> 0.003%
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html); --> 
7.26%
DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; 
+http://www.google.com/bot.html) --> 0.005%
SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 
UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; 
+http://www.google.com/bot.html) --> 92.73%



And finally, percentages of IP to user-agent:

Googlebot-Image/1.0 --> 0.003% of total
2001:4860:4801:1404:0:6006:1300:b075  30%
2001:4860:4801:1408:0:6006:1300:b075  30%
2001:4860:4801:1405:0:6006:1300:b075  40%

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html); --> 
7.26% of total
2001:4860:4801:1401:0:6006:1300:b075  1.21%
2001:4860:4801:1302:0:6006:1300:b075  1.42%
2001:4860:4801:1404:0:6006:1300:b075  2.11%
2001:4860:4801:1303:0:6006:1300:b075  2.28%
2001:4860:4801:1402:0:6006:1300:b075  2.39%
2001:4860:4801:1407:0:6006:1300:b075  9.02%
2001:4860:4801:1408:0:6006:1300:b075  37.15%
2001:4860:4801:1405:0:6006:1300:b075  44.40%

DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; 
+http://www.google.com/bot.html) --> 0.005% of total
2001:4860:4801:1407:0:6006:1300:b075  5.88%
2001:4860:4801:1405:0:6006:1300:b075  17.64%
2001:4860:4801:1408:0:6006:1300:b075  35.29%
2001:4860:4801:1404:0:6006:1300:b075  41.18%

SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 
UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; 
+http://www.google.com/bot.html) --> 92.73% of total
2001:4860:4801:1401:0:6006:1300:b075  0.24%
2001:4860:4801:1302:0:6006:1300:b075  0.25%
2001:4860:4801:1404:0:6006:1300:b075  1.27%
2001:4860:4801:1408:0:6006:1300:b075  23.79%
2001:4860:4801:1407:0:6006:1300:b075  26.06%
2001:4860:4801:1405:0:6006:1300:b075  48.39%

-wil


Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Ronald F. Guilmette

In message ,
rr  wrote:

>Hmm, thought it was a NANOG prerequisite to be able to do a google
>search. Should be pretty easy to find this info with that tool in your
>handbag.

Which info is that, exactly?  Your title at Integra Telecom?

Umm... well... yes I guess this is you, right?

  http://www.linkedin.com/pub/randy-rooney/6/9ab/22a

So, are you THE Engineering Manager, or merely AN Engineering Manager
at Integra Telecom?  I'm guessing that it is a big enough outfit that
you probably have more than one.

(Sorry, but I can't help snickering a bit at your _prior_ employment.
As I feel sure you are already painfully aware, having that on your
resume does not exactly inspire a whole lotta confidence in the notion
that you are a straight shooter.  The words ``cover up'' are the ones
that come most immediately to mind.)

>With the above tool I've got your phone # and would be happy to call
>you if you'd like clarification on our process.

No thanks.  I didn't ask for "clarification" of your "process" (whatever
the hell THAT might mean), and frankly it doesn't interest me.  Your
process is... well... your process.   Whatever it may be, it belongs to
you and you should probably keep it to yourself.  (Who knows?  Since
business processes are now patentable, maybe someday you can get a
patent on it!)

I did however ask for the name of the crook whose name was on the check
that paid for the hijacked space routing.  Is that something you can
respond to, or no?  If not, why not?

Was Integra Telecom _actually_ defrauded?  If so, who defrauded you?

Did your customer, Circle Internet defraud you?  If you are claiming that
THEY are also an innocent party in this, then who defrauded them?  Whose
name was on the check that THEY cashed?

It really is a rather simple question, and doesn't require an elaborate,
convoluted, or lengthy digression into the details of your "process".

Ya know, maybe it's just me, but it would seem to me that if either
you or your customer, Circle Internet, were in fact defrauded in this case,
that both of you would be altogether ready, willing, and indeed eager to
``out'' the actual crooked perpetrator... you know... instead of, like,
hiding the perp's identity and thus helping him to cover his tracks.
But I guess that's just me.  (When somebody cheats _me_, I am not myself
in the habit of then going out of my way to protect him.)

Don't misunderstand me.  If your company was in fact defrauded, then allow
me to express my sincere condolences for your loss.  Or would it be more
accurate to say your gain?  You DID cash the check right?  I mean your
company does NOT have a policy of granting everybody three months of free
service, right?

>Please just reply to me off-list.

No thanks.

As Jodie Foster said in the movie Contact, ``This isn't a person to person
call.''

Crooks, hijacking, and mass spamming affect everybody on the whole Internet.

I didn't ask for the name of the crook who signed the check just for my
private or personal edification.  Other ISPs should know who they need
to be on the lookout for.

I can assure you that just because YOU have now stopped routing space for
this crook, that doesn't mean that he's going to just fold up his tent and
slink quietly away into oblivion.  In fact I already have evidence in hand
that he's still got both IP space and snowshoe spamming domains located
elsewhere (including elsewhere on Circle Internet, see below) that he is
continuing to use, even as we speak.

On the other hand, of course, if Integra and/or Circle Internet were in
fact ``in on the game'' from the get-go, then in that case I could well
and truly understand why both of your companies might now be reluctant
to give up your cohort.


Regards,
rfg


P.S.  I gather that nobody at your place even so much as raised an eyebrow
when tiny little Circle Internet, a company whose biggest _legitimate_ IP
block prior to this incident was a mere /21, suddenly showed up on your
doorstep asking to have an entire fresh new /16, belonging to a major,
internationally known chemical company routed for them, correct?

P.P.S.  OK, so you are reluctant to give up the actual hijacker.  So let's
just skip that for now.  Instead how about if you just tell us who owns
the following domain names which are all getting DNS from Circle Internet
IP space, even as we speak.  And no, I _do not_ want you to just regurgitate
the fraudulent bull puckey that's present within the relevant WHOIS records.

(To paraphrase Red Riding Hood "My my grandma!  What a lot of domains you
have!"  Odd that all of them were created so recently, and that none of
them seem to even have associated web sites.  But again, I'm sure that I'm
the only one in the Universe who finds any of that odd.  Yea.)


208.85.32.114
dns2.virtualcheck.info
pinkcreditscore.info
pinkcreditreport.info
pinkcreditdeals.info
orangereports.info
orangeoffers.info
  

Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Brett Watson

On Mar 31, 2011, at 5:46 PM, Ronald F. Guilmette wrote:

> (Sorry, but I can't help snickering a bit at your _prior_ employment.
> As I feel sure you are already painfully aware, having that on your
> resume does not exactly inspire a whole lotta confidence in the notion
> that you are a straight shooter.  The words ``cover up'' are the ones
> that come most immediately to mind.)

Awww, that makes me "not a straight shooter"? I was at EBS, I just happened to 
join a company whose management weren't straight shooters.

And what all these accusations and attacks have to do with the thread, I have 
no idea.




Fwd: IPv4 Address Exhaustion Effects on the Earth

2011-03-31 Thread Joao C. Mendes Ogawa
FYI

--Jonny Ogawa

- Forwarded message from Stephen H. Inden -

From: Stephen H. Inden
Subject: IPv4 Address Exhaustion Effects on the Earth
Date: Fri, 1 Apr 2011 00:19:08 +0200
To: Global Environment Watch (GEW) mailing list
X-Mailer: Apple Mail (2.1084)
X-Mailman-Version: 2.1.9
List-Id: "GEW mailing list."


IPv4 Address Exhaustion Effects on the Earth

By Stephen H. Inden
April 1, 2011

At a ceremony held on February 3, 2011 the Internet Assigned Numbers
Authority (IANA) allocated the remaining last five /8s of IPv4 address
space to the Regional Internet Registries (RIRs). With this action,
the free pool of available IPv4 addresses was completely depleted.

Since then, several scientists have been studying the effects of this
massive IPv4 usage (now at its peak) on the Earth.

While measuring electromagnetic fields emanating from the world's
largest IPv4 Tier-1 backbones, NASA scientists calculated how the IPv4
exhaustion is affecting the Earth's rotation, length of day and
planet's shape.

Dr. Ron F. Stevens, of NASA's Goddard Space Flight Center, said all
packet switching based communications have some effect on the Earth's
rotation. It's just they are usually barely noticeable. Until now.

"Every packet affects the Earth's rotation, from a small ping to a
huge multi-terabyte download.  The problem with IPv4 is its variable
length header and tiny address space that can cause an electromagnetic
unbalance on transmission lines.  The widespread adoption of Network
Address Translation (NAT) on IPv4 networks is making the problem even
worse, since it concentrates the electromagnetic unbalance.  This
problem is not noticeable with IPv6 because of its fixed header size
and bigger 128 bits address space", Dr. Stevens said.

Over the past few years, Dr. Stevens has been measuring the IPv4
growing effects in changing the Earth's rotation in both length of
day, as well as gravitational field.  When IPv4 allocation reached its
peak, last February, he found out that the length of day decreased by
2.128 microseconds.  The electromagnetic unbalance is also affecting
the Earth's shape -- the Earth's oblateness (flattening on the top and
bulging at the Equator) is decreasing by a small amount every year
because of the increasing IPv4 usage.

The researcher concluded that IPv4 usage has reached its peak and is
causing harmful effects on the Earth:

"IPv4 is, indeed, harmful.  Not only 32 bits for its address space has
proven too small and prone to inadequate solutions like NAT, it is now
clear that its electromagnetic effects on the Earth are real and
measurable."

The solution?

"I'm convinced that the only permanent solution is to adopt IPv6 as
fast as we can", says Dr. Stevens.

--



Re: IPv4 Address Exhaustion Effects on the Earth

2011-03-31 Thread Wil Schultz
On Mar 31, 2011, at 6:14 PM, "Joao C. Mendes Ogawa"  
wrote:

> FYI
> 
> --Jonny Ogawa
> 
> - Forwarded message from Stephen H. Inden -
> 
> From: Stephen H. Inden
> Subject: IPv4 Address Exhaustion Effects on the Earth
> Date: Fri, 1 Apr 2011 00:19:08 +0200
> To: Global Environment Watch (GEW) mailing list
> X-Mailer: Apple Mail (2.1084)
> X-Mailman-Version: 2.1.9
> List-Id: "GEW mailing list."
> 
> 
> IPv4 Address Exhaustion Effects on the Earth
> 
> By Stephen H. Inden
> April 1, 2011
> 
> At a ceremony held on February 3, 2011 the Internet Assigned Numbers
> Authority (IANA) allocated the remaining last five /8s of IPv4 address
> space to the Regional Internet Registries (RIRs). With this action,
> the free pool of available IPv4 addresses was completely depleted.
> 
> Since then, several scientists have been studying the effects of this
> massive IPv4 usage (now at its peak) on the Earth.
> 
> While measuring electromagnetic fields emanating from the world's
> largest IPv4 Tier-1 backbones, NASA scientists calculated how the IPv4
> exhaustion is affecting the Earth's rotation, length of day and
> planet's shape.
> 
> Dr. Ron F. Stevens, of NASA's Goddard Space Flight Center, said all
> packet switching based communications have some effect on the Earth's
> rotation. It's just they are usually barely noticeable. Until now.
> 
> "Every packet affects the Earth's rotation, from a small ping to a
> huge multi-terabyte download.  The problem with IPv4 is its variable
> length header and tiny address space that can cause an electromagnetic
> unbalance on transmission lines.  The widespread adoption of Network
> Address Translation (NAT) on IPv4 networks is making the problem even
> worse, since it concentrates the electromagnetic unbalance.  This
> problem is not noticeable with IPv6 because of its fixed header size
> and bigger 128 bits address space", Dr. Stevens said.
> 
> Over the past few years, Dr. Stevens has been measuring the IPv4
> growing effects in changing the Earth's rotation in both length of
> day, as well as gravitational field.  When IPv4 allocation reached its
> peak, last February, he found out that the length of day decreased by
> 2.128 microseconds.  The electromagnetic unbalance is also affecting
> the Earth's shape -- the Earth's oblateness (flattening on the top and
> bulging at the Equator) is decreasing by a small amount every year
> because of the increasing IPv4 usage.
> 
> The researcher concluded that IPv4 usage has reached its peak and is
> causing harmful effects on the Earth:
> 
> "IPv4 is, indeed, harmful.  Not only 32 bits for its address space has
> proven too small and prone to inadequate solutions like NAT, it is now
> clear that its electromagnetic effects on the Earth are real and
> measurable."
> 
> The solution?
> 
> "I'm convinced that the only permanent solution is to adopt IPv6 as
> fast as we can", says Dr. Stevens.
> 
> --
> 

It's all true. 

Also I've been weighing my router and it's 7 lbs heavier with the addition of 
all these new ip addresses in its routing table. 

-wil


Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Suresh Ramasubramanian
On Fri, Apr 1, 2011 at 12:31 AM, Stefan Fouant
 wrote:
>
> +1 | That, or "The evangelist formerly known as Owen..." :p

No no ... TEFKAO.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Matthew Petach
On Thu, Mar 31, 2011 at 6:04 PM, Brett Watson  wrote:
>
> On Mar 31, 2011, at 5:46 PM, Ronald F. Guilmette wrote:
>
>> (Sorry, but I can't help snickering a bit at your _prior_ employment.
>> As I feel sure you are already painfully aware, having that on your
>> resume does not exactly inspire a whole lotta confidence in the notion
>> that you are a straight shooter.  The words ``cover up'' are the ones
>> that come most immediately to mind.)
>
> Awww, that makes me "not a straight shooter"? I was at EBS, I just happened 
> to join a company whose management weren't straight shooters.
>
> And what all these accusations and attacks have to do with the thread, I have 
> no idea.

Apparently it has to do with the fact that you can only pay for
IP service via check; credit card billing has been abolished.
If you don't pay by check, you're a criminal--that's all there
is to it.

Matt



HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Atticus
This is OT, and for those of you with virgin ears, don't read more. This is
specifically to Ronald:

Maybe, if you didn't act like a flaming douchebag, and were polite to
people, they would be more interested in helping you out. Learn to use some
fucking manners. Every single message I've seen from you has been
condescending. I agree, this entire situation and situations like it are
fucked up. That doesn't give you the right to start demanding answers from
people, and in general treating everyone else like we are your personal
servants, and are responsible for making sure your every whim is carried
out.

That being said, I'm probably going to get banned for that, but I feel it
needed to be said.

Grobe


Re: Final step of .com DNSSEC deployment

2011-03-31 Thread Brent Jones
On Thu, Mar 31, 2011 at 1:05 PM, Matt Larson  wrote:
> As part of the deployment of DNSSEC in .com, the zone has been signed
> and in a "deliberately unvalidatable" state for several weeks.  Late
> last week the .com key material was unobscured and the actual keys
> have been visible in the zone since March 24.
>
> The final step in the deployment was publishing the .com zone's DS
> record in the root zone.
>
> I am pleased to report that the root zone including a DS record for
> .com was published at approximately 1500 UTC today, March 31.
>
> Matt Larson, on behalf of the many people at Verisign who made this
> deployment possible
>
>

Nice work! Congrats!

/me goes to signing some things

-- 
Brent Jones
br...@servuhome.net



RE: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread John van Oppen
Why does it matter what his position is?   Sounds like they had a forged LOA 
from the customer and that they fixed the issue when they found out about it.
I am not sure you can ask too much more from a network operator, the best 
thing we can hope for are companies that will cancel customers if they are 
abuse sources, that is exactly what happened here.

Lots of people are posting on nanog with outside email addresses because they 
don't want to be tied too closely to the corporation for which they work, it 
seems totally reasonable to me especially given the mix of personal and 
professional ties a lot of us have in this community.   The main issue here is 
getting results and it sounds like that happened here pretty quickly.   Most 
technical types are good people and for the most part will work through their 
corporate BS to get abuse issues solved as quickly as they can.   I know we do 
try to resolve abuse quickly and people who are nice and provide data up front 
just help expedite the process further, acting like a jerk is by far the least 
productive way to engage people in the nanog community. 


John

-Original Message-
From: Ronald F. Guilmette [mailto:r...@tristatelogic.com] 
Sent: Thursday, March 31, 2011 5:46 PM
To: nanog@nanog.org
Subject: Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care? 


In message ,
rr  wrote:

>Hmm, thought it was a NANOG prerequisite to be able to do a google 
>search. Should be pretty easy to find this info with that tool in your 
>handbag.

Which info is that, exactly?  Your title at Integra Telecom?

Umm... well... yes I guess this is you, right?

  http://www.linkedin.com/pub/randy-rooney/6/9ab/22a

So, are you THE Engineering Manager, or merely AN Engineering Manager at 
Integra Telecom?  I'm guessing that it is a big enough outfit that you probably 
have more than one.

(Sorry, but I can't help snickering a bit at your _prior_ employment.
As I feel sure you are already painfully aware, having that on your resume does 
not exactly inspire a whole lotta confidence in the notion that you are a 
straight shooter.  The words ``cover up'' are the ones that come most 
immediately to mind.)

>With the above tool I've got your phone # and would be happy to call 
>you if you'd like clarification on our process.

No thanks.  I didn't ask for "clarification" of your "process" (whatever the 
hell THAT might mean), and frankly it doesn't interest me.  Your
process is... well... your process.   Whatever it may be, it belongs to
you and you should probably keep it to yourself.  (Who knows?  Since business 
processes are now patentable, maybe someday you can get a patent on it!)

I did however ask for the name of the crook whose name was on the check that 
paid for the hijacked space routing.  Is that something you can respond to, or 
no?  If not, why not?

Was Integra Telecom _actually_ defrauded?  If so, who defrauded you?

Did your customer, Circle Internet defraud you?  If you are claiming that THEY 
are also an innocent party in this, then who defrauded them?  Whose name was on 
the check that THEY cashed?

It really is a rather simple question, and doesn't require an elaborate, 
convoluted, or lengthy digression into the details of your "process".

Ya know, maybe it's just me, but it would seem to me that if either you or 
your customer, Circle Internet, were in fact defrauded in this case, that both 
of you would be altogether ready, willing, and indeed eager to ``out'' the 
actual crooked perpetrator... you know... instead of, like, hiding the perp's 
identity and thus helping him to cover his tracks.
But I guess that's just me.  (When somebody cheats _me_, I am not myself in the 
habit of then going out of my way to protect him.)

Don't misunderstand me.  If your company was in fact defrauded, then allow me 
to express my sincere condolences for your loss.  Or would it be more accurate 
to say your gain?  You DID cash the check right?  I mean your company does NOT 
have a policy of granting everybody three months of free service, right?

>Please just reply to me off-list.

No thanks.

As Jodie Foster said in the movie Contact, ``This isn't a person to person 
call.''

Crooks, hijacking, and mass spamming affect everybody on the whole Internet.

I didn't ask for the name of the crook who signed the check just for my private 
or personal edification.  Other ISPs should know who they need to be on the 
lookout for.

I can assure you that just because YOU have now stopped routing space for this 
crook, that doesn't mean that he's going to just fold up his tent and slink 
quietly away into oblivion.  In fact I already have evidence in hand that he's 
still got both IP space and snowshoe spamming domains located elsewhere 
(including elsewhere on Circle Internet, see below) that he is continuing to 
use, even as we speak.

On the other hand, of course, if Integra and/or Circle Internet were in fact 
``in on the game'' from the get-go, then in that