Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
All,

WRT the below route object, DataBank does announce IP space for Hoechst Celanese Corporation as they are a direct customer of ours:

$ whois -h whois.radb.net 148.163.0.0
route:      148.163.0.0/16
descr:      /16 for Celanese
origin:     AS13767
mnt-by:     DBANK-MNT
changed:    jp...@databank.com 20090818
source:     LEVEL3

Currently, we only announce/originate the following prefixes via BGP:

148.163.178.0/24
148.163.179.0/24

via our providers, Level3 and Sprint. We asked our providers to relax their filters for the whole /16, since Celanese owns that IP space. That may or may not be a good idea, depending on your view of network management. We did this in case our customer needed to announce new networks which would save us the time/work of placing more/new route objects in the registry.

We have the appropriate LOA for this network which is validated through face-to-face meetings with their network engineers and representatives.

DataBank is very sensitive to network abuse; we have an AUP in place with all of our customers and will always work hard to enforce it to prevent network abuse.

I apologize that I didn't respond sooner, but I have gotten behind on my NANOG reading.

Thank you,
Jason Pope
DataBank Holdings
214.720.2266 office
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:

> It also needs
> 1. Someone to complain to law enforcement

True,

> 2. Law enforcement to decide this is something worth following up on re prosecution - especially if the crook is not within their jurisdiction, it'd be FBI, and they have a minimum threshold for damage caused (higher than the few thousand dollars a /16's registration fees cost?)

Not necessarily... If the crook is in another county, same state, it could be simple extradition. If the crook is across state lines, it could still be handled as an extradition, but, slightly more complicated. If the crook is on the other side of an international boundary, that's a whole new ball of wax and the number of permutations of regulatory combinations involved prevents any rational enumeration here.

Owen

> [not counting 7.5 million bucks paid in aftermarket deals like microsoft from nortel]
> --srs
>
> On Thu, Mar 31, 2011 at 10:45 AM, Owen DeLong o...@delong.com wrote:
>> If they put it on letterhead and signed their own name in such a way that it purports to be an agent of the organization for which they were not an authorized agent, that is usually enough to become a criminal act, whether it is considered forgery, fraud, or something else, I'm not sure about the exact technicalities and they may vary by jurisdiction.
>
> -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
Local law isn't likely to touch this at all.

On Thu, Mar 31, 2011 at 11:27 AM, Owen DeLong o...@delong.com wrote:
> If the crook is in another county, same state, it could be simple extradition. If the crook is across state lines, it could still be handled as an extradition, but, slightly more complicated. If the crook is on the other side of an international boundary, that's a whole new ball of wax and the number of permutations of regulatory combinations involved prevents any rational enumeration here.

-- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
In message Pine.OSX.4.64.1103310053260.312@cevin-2.local, Brandon Ross br...@pobox.com wrote:

> On Wed, 30 Mar 2011, Ross Harvey wrote:
>> Wait a second, I'm pretty sure that in most contexts, a signature or letterhead means not so much this is real because it's so obviously genuine, but rather: This is real or I am willing to take a forgery rap.
>
> Do you think most providers check the signer's ID to make sure they actually signed their own name? How do you prove that whomever you accuse of signing it actually forged it if not? Does anyone know of there ever being even a single case where someone was convicted of forgery for this?

Excuse me, but I think that this discussion is starting to stray rather far from either the known or the reasonably plausible facts.

In the first place, I do not accept the theory that either Circle Internet or Bandcon were hoodwinked by cleverly forged letterheads, and there is no evidence I am aware of which would support that theory. Until, if ever, additional facts are forthcoming, I believe that it is just as plausible that some spammer simply came to each of these companies and said to them "Hi! I really want to hijack these two unused /16 blocks. Will you help me?" and that one, or another, or perhaps both of these companies simply replied "Yea. Sure. We didn't quite make our quarterly numbers, and we are always on the lookout for new revenue streams. So how much money do you intend to give us if we help you with this, exactly?"

In the second place, this amusing letterhead fraud theory only holds up if one also believes that, upon being presented with a mere forged letterhead, allegedly coming in over the transom as it were, i.e. from a previously unknown source, along with a request to announce some routes to a couple of sizable blocks of IPv4 space, neither Circle Internet nor BandCon even bothered to pick up the bleepin' phone to call the contact number that is/was plainly visible for all to see, right there in the relevant ARIN allocation WHOIS records for the IPv4 space in question.

Then there is also the small matter of the name on the _checks_... you know... the checks that _somebody_ had to write, in the first instance, before either BandCon or Circle Internet would have been likely to provide _any_ kind of service to some new and total stranger. Or was this "duped by clever forgeries" single bullet theory that you folks have been discussing also intended to include the forging of CHECKS in the name of Hoechst Celanese Corporation?

See, no matter how you slice it, both BandCon and Circle Internet have a lot of explaining to do. At the very least, and even if this implausible forged letterhead theory were true... which I gravely doubt... both BandCon and Circle Internet have been rather grotesquely negligent, i.e. in accepting, without any checking whatsoever, the representations made to them by some total stranger who simply parachuted out of the clouds one day, clutching a forged letterhead in one hand and a bag of unmarked small denomination bills in the other.

So that's the very least... the companies were both, at the very least, rather stupendously negligent. At the very worst on the other hand, one or another or both of them may have been entirely in on and part of these hijacking schemes/scams from the get-go.

I myself would tend to go with the latter theory, simply because it is the only one that would seem to make any sense, you know, logically. Ask yourself which of these theories seems the most plausible?

1) The spammer forged two checks in the name Hoechst Celanese Corporation and gave one each to Circle Internet and BandCon, respectively, along with similarly forged letters of introduction and requests for routing of IP space. Unless I am misremembering, this means that the spammer would have engaged in not one but TWO very serious federal fraud offenses. Even sleazy low-life spammers do not customarily accept this level of risk, e.g. just to get their hands on some IPv4 space which, we must remember, is only likely to be of value to them for a relatively brief period of time, EVEN IF they can manage to keep it routed.

2) The spammers gave Circle Internet and BandCon forged letters of introduction (on forged letterheads) and requests for routing services, and gave the two companies -zero- actual money, and nonetheless, both companies started happily announcing routes for the purported Hoechst Celanese Corporation, even though neither company received a dime for this service, and even though they both CONTINUED to provide this service, utterly for free, apparently for at least THREE FULL MONTHS.

3) The spammers gave Circle Internet and BandCon forged letters of introduction (on forged letterheads) and requests for routing services, and gave the two companies checks
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Thu, Mar 31, 2011 at 7:57 AM, Owen DeLong o...@delong.com wrote:
> On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:
>> It also needs
>> 1. Someone to complain to law enforcement
>
> True,

as has been brought up in the past here... some folk rely heavily upon IRR data for route prefix filtering. if the object is in the IRR database (with the right linkages), it gets permitted in router filters automagically.

-chris
(being able to validate 'ownership', really authorization to route, automatically will sure be nice, eh?)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Thu, Mar 31, 2011 at 11:48 AM, Christopher Morrow morrowc.li...@gmail.com wrote:
> On Thu, Mar 31, 2011 at 7:57 AM, Owen DeLong o...@delong.com wrote:
>> On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:
>>> It also needs
>>> 1. Someone to complain to law enforcement
>>
>> True,
>
> as has been brought up in the past here... some folk rely heavily upon IRR data for route prefix filtering. if the object is in the IRR database (with the right linkages), it gets permitted in router filters automagically.

I forgot:

$ whois -h whois.radb.net 148.163.0.0
route:      148.163.0.0/16
descr:      /16 for Celanese
origin:     AS13767
mnt-by:     DBANK-MNT
changed:    jp...@databank.com 20090818
source:     LEVEL3

(this means l3 proxy'd in the record, I think... maybe an L3 person can speak to this bit?)

-chris
(being able to validate 'ownership', really authorization to route, automatically will sure be nice, eh?)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
In message b2506b41-ad1f-4fb0-9d8e-c0a54e44b...@delong.com, Owen DeLong o...@delong.com wrote:

> Cleaning up the routing {is not what ARIN does or thinks it should do}, true. However, this sounds like there are two issues...
> 1. Routing -- Would be nice if the advertising provider(s) stopped doing so. Not something ARIN can really do much about.
> 2. Database -- Sounds like the existing resource holder may not still be using the resource or may no longer exist. In either case, it's worth having ARIN investigate the situation and take appropriate database action if that is the case.

Worth it to whom?

I can tell you quite frankly that it sure as shineola isn't worth wasting even one more additional second of _my_ time to try to beg, plead, cajole, or browbeat ARIN/Curran into cleaning up the mess that is the IPv4 allocation data base. I've been down that road already, and all I have to show for it is a couple of prominent boot marks on my ass and a couple of new enemies-for-life... neither of which I really needed.

And also, frankly, I am utterly dumbfounded that you, of all people, should be the one to suggest that this particular cock-up in the IPv4 allocation data base is something that should be fixed. I mean really, WTF? Didn't you, and I, and several other people already go through all of this at least a couple of dozen times already on the ARIN public policy mailing list? And wasn't it you, in particular, who was consistently the most vocal and avid proponent of the view that ANY effort expended on cleaning up the IPv4 allocations DB would be an utter waste of time and valuable manpower, and that ultimately, any efforts along those lines would only serve to give those procrastinating on the inevitable shift to IPv6 more time to procrastinate?

Seriously, I was left with the impression that if IPv6 were a person, it would be you, and that if it were a company, you would be the majority shareholder. (Not that there would be anything wrong with that.)

Now all of a sudden you actually CARE about IPv4 allocations?? I say again, WTF? Color me flabbergasted.

Anyway, none of this makes any difference. If somebody (you?) wants to report either or both of these hijacked IPv4 blocks to ARIN... well... be my guest. If your plan was to wait around for me to do it, you are in for a long wait. I have more productive uses for my time just now, like counting the pennies in my change jar and checking Craigslist for mint Rolls Royces priced under a dollar.

Regards,
rfg
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
I don't believe this record indicates that Level3 proxy registered the route object. It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to enter a route object 18 months ago.

It looks like Level3 is originating the route in AS3356, not accepting it from AS13767 (which is what the object would suggest to do.)

Oops, looks like the route is now gone. Guess it got cleaned.

Tony

On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow morrowc.li...@gmail.com wrote:
> I forgot:
>
> $ whois -h whois.radb.net 148.163.0.0
> route:      148.163.0.0/16
> descr:      /16 for Celanese
> origin:     AS13767
> mnt-by:     DBANK-MNT
> changed:    jp...@databank.com 20090818
> source:     LEVEL3
>
> (this means l3 proxy'd in the record, I think... maybe an L3 person can speak to this bit?)
>
> -chris
> (being able to validate 'ownership', really authorization to route, automatically will sure be nice, eh?)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Thu, Mar 31, 2011 at 5:33 PM, Tony Tauber ttau...@1-4-5.net wrote:
> I don't believe this record indicates that Level3 proxy registered the route object. It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to enter a route object 18 months ago.

possibly...

> It looks like Level3 is originating the route in AS3356, not accepting it from AS13767 (which is what the object would suggest to do.)
>
> Oops, looks like the route is now gone. Guess it got cleaned.

l3 ams router says:

Status codes: s suppressed, d damped, h history, * valid, best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network           Next Hop        Metric LocPrf Weight Path
*i148.163.0.0/20     4.69.181.3      0100 0 i
* i                  4.69.181.3      0100 0 i
*i148.163.64.0/20    4.69.181.3      0100 0 i
* i                  4.69.181.3      0100 0 i
* 148.163.178.0/24   213.206.131.45  10 86 0 1239 13767 i
* i                  4.69.185.185    100 0 13767 i
*i                   4.69.185.185    100 0 13767 i
* 148.163.179.0/24   213.206.131.45  10 86 0 1239 13767 i
* i                  4.69.185.185    100 0 13767 i
*i                   4.69.185.185    100 0 13767 i
* i148.163.224.0/19  4.69.181.3      0100 0 i
*i                   4.69.181.3      0100 0 i

there's a possibility that, in this case, L3 is simply holding up the /16 for their customer, sinking junk traffic and permitting more specifics by the customer? (it's not clear here, though the above seems to show sprint propagating databank's prefixes while L3 is originating some parts of the /16 still.)

http://www.robtex.com/as/as13767.html indicates that the 2 upstreams for databank are apparently L3 and sprint.

-Chris

> Tony
>
> On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow morrowc.li...@gmail.com wrote:
>> I forgot:
>>
>> $ whois -h whois.radb.net 148.163.0.0
>> route:      148.163.0.0/16
>> descr:      /16 for Celanese
>> origin:     AS13767
>> mnt-by:     DBANK-MNT
>> changed:    jp...@databank.com 20090818
>> source:     LEVEL3
>>
>> (this means l3 proxy'd in the record, I think... maybe an L3 person can speak to this bit?)
>>
>> -chris
>> (being able to validate 'ownership', really authorization to route, automatically will sure be nice, eh?)
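[Added example, not part of the thread and not any participant's or provider's tooling: an audit of the announcements in the router output above against the route object quoted from the registry, showing what a strict exact-match prefix filter and a filter relaxed to the whole /16 would each accept. Treating an empty AS path as origin AS3356 follows Tony Tauber's reading and is an assumption; the function names are illustrative.]

```python
import ipaddress
import re

# Route object as quoted in the thread (the e-mail address is elided in
# the archive and is kept elided here).
ROUTE_OBJECT = """\
route:      148.163.0.0/16
descr:      /16 for Celanese
origin:     AS13767
mnt-by:     DBANK-MNT
changed:    jp...@databank.com 20090818
source:     LEVEL3
"""

# (prefix, AS path) pairs transcribed from the router output quoted in the
# thread. An empty path is a route originated inside the local AS.
LOCAL_AS = 3356  # assumption: the AS named in Tony Tauber's reply
OBSERVED = [
    ("148.163.0.0/20", []),
    ("148.163.64.0/20", []),
    ("148.163.178.0/24", [1239, 13767]),
    ("148.163.178.0/24", [13767]),
    ("148.163.179.0/24", [1239, 13767]),
    ("148.163.179.0/24", [13767]),
    ("148.163.224.0/19", []),
]


def parse_rpsl(text):
    """Parse RPSL text into objects mapping attribute -> list of values."""
    objects, current, last = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends an object
            if current:
                objects.append(current)
            current, last = {}, None
            continue
        if line[0] in "%#":                # whois server remarks
            continue
        if line[0] in " \t+" and last:     # continuation of previous value
            current[last][-1] += " " + line[1:].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def route_entries(objects):
    """Return [(network, origin_asn)] for every route object."""
    entries = []
    for obj in objects:
        for route in obj.get("route", []):
            for origin in obj.get("origin", []):
                m = re.fullmatch(r"AS(\d+)", origin, re.IGNORECASE)
                if m:
                    entries.append((ipaddress.ip_network(route), int(m.group(1))))
    return entries


def classify(prefix, as_path, entries, local_as):
    """Compare one announcement with the registered route objects."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1] if as_path else local_as
    covering = [(r, o) for r, o in entries
                if r.version == net.version and net.subnet_of(r)]
    if not covering:
        return "no-route-object"
    if any(r == net and o == origin for r, o in covering):
        return "exact-match"
    if any(o == origin for _, o in covering):
        return "more-specific"      # registered origin, unregistered length
    return "origin-mismatch"        # covered, but a different AS originates


def filter_permits(prefix, as_path, entries, local_as, relaxed):
    """Strict filters accept exact matches only; a filter relaxed to the
    whole registered block also accepts more-specifics from that origin."""
    verdict = classify(prefix, as_path, entries, local_as)
    return verdict == "exact-match" or (relaxed and verdict == "more-specific")


def audit(observed, entries, local_as):
    """Return {(prefix, origin_asn): verdict} for each distinct announcement."""
    result = {}
    for prefix, path in observed:
        origin = path[-1] if path else local_as
        result[(prefix, origin)] = classify(prefix, path, entries, local_as)
    return result


if __name__ == "__main__":
    registered = route_entries(parse_rpsl(ROUTE_OBJECT))
    for (prefix, origin), verdict in audit(OBSERVED, registered, LOCAL_AS).items():
        print(f"{prefix:<18} AS{origin:<6} {verdict}")
```

[The two /24s only pass when the filter is relaxed to the /16, and the locally originated /20s and /19 are covered by the object but not by its registered origin.]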
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Thu, Mar 31, 2011 at 3:11 AM, Ronald F. Guilmette r...@tristatelogic.com wrote: ... Seriously, I was left with the impression that if IPv6 were a person, it would be you, and that if it were a company, you would be the majority shareholder. (Not that there would be anything wrong with that.) I for one would put money on the table towards the rename Owen to Mr. IPv6 effort. I think it would be wonderful to be able to honestly say IPv6 is in da house! every time the person formerly known as Owen walked into the room at ARIN meetings. :D Matt
RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
-Original Message- From: Matthew Petach [mailto:mpet...@netflight.com] Sent: Thursday, March 31, 2011 2:28 PM I for one would put money on the table towards the rename Owen to Mr. IPv6 effort. I think it would be wonderful to be able to honestly say IPv6 is in da house! every time the person formerly known as Owen walked into the room at ARIN meetings. :D +1 | That, or The evangelist formerly known as Owen... :p Stefan Fouant
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Mar 31, 2011, at 12:01 PM, Stefan Fouant wrote: -Original Message- From: Matthew Petach [mailto:mpet...@netflight.com] Sent: Thursday, March 31, 2011 2:28 PM I for one would put money on the table towards the rename Owen to Mr. IPv6 effort. I think it would be wonderful to be able to honestly say IPv6 is in da house! every time the person formerly known as Owen walked into the room at ARIN meetings. :D +1 | That, or The evangelist formerly known as Owen... :p Stefan Fouant ROFLMAO Owen
RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
I for one would put money on the table towards the rename Owen to Mr. IPv6 effort. I think it would be wonderful to be able to honestly say IPv6 is in da house! every time the person formerly known as Owen walked into the room at ARIN meetings. :D Like a v6, like a v6 could be the soundtrack... :-) []s Rafael Cresci
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Fri, Apr 1, 2011 at 12:31 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote: +1 | That, or The evangelist formerly known as Owen... :p No no ... TEFKAO. -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
> As I already mentioned, 159.223.0.0/16, which is actually registered to the Hoechst Celanese Corporation, has quite obviously been hijacked

And have you reported this to ARIN?

https://www.arin.net/public/fraud/index.xhtml

Obviously it's not fraud on Celanese's part, but it certainly seems to be evidence that they don't need the space anymore. If someone who needed it more had it, they might not put up with the hijacking.

-Bill

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (Darwin)

iEYEARECAAYFAk2TmqwACgkQGvQy4xTRsBGkiwCgvHVFs1qz55H+FNCj+Apwrcev
sFIAoMluDV11me+X8I9MoVie611H8e9P
=p+yS
-END PGP SIGNATURE-
RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
I have a level 3 circuit with BGP. Level 3 set me up a maintainer. To communicate with this program I just send an email to the maintainer, based on my email address and the maintainer name it will allow the route I request advertisement. I don't believe any one monitors this system and I would imagine if no one complains about this company advertising hijacked routes to level 3 then it would be quite easy to advertise a network that has been abandon.

-Original Message-
From: Bill Woodcock [mailto:wo...@pch.net]
Sent: Wednesday, March 30, 2011 5:04 PM
To: Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
> As I already mentioned, 159.223.0.0/16, which is actually registered to the Hoechst Celanese Corporation, has quite obviously been hijacked

And have you reported this to ARIN?

https://www.arin.net/public/fraud/index.xhtml

Obviously it's not fraud on Celanese's part, but it certainly seems to be evidence that they don't need the space anymore. If someone who needed it more had it, they might not put up with the hijacking.

-Bill

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (Darwin)

iEYEARECAAYFAk2TmqwACgkQGvQy4xTRsBGkiwCgvHVFs1qz55H+FNCj+Apwrcev
sFIAoMluDV11me+X8I9MoVie611H8e9P
=p+yS
-END PGP SIGNATURE-
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
In message be8c4985-f955-4868-8145-146e57bbf...@pch.net, Bill Woodcock wo...@pch.net wrote:

> On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
>> As I already mentioned, 159.223.0.0/16, which is actually registered to the Hoechst Celanese Corporation, has quite obviously been hijacked
>
> And have you reported this to ARIN?

No. Why would I? The ARIN folks have already made it abundantly clear... to me and to others... that this sort of thing is Not our job, man.

ARIN maintains a data base. If other people elect to ignore what's in that data base... well... as anybody from ARIN will be only too happy to tell you, they are not the routing police.

Regards,
rfg
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
In message 002201cbef24$c1b61d70$45225850$@com, you wrote:

> I don't believe any one monitors this system and I would imagine if no one complains about this company advertising hijacked routes to level 3 then it would be quite easy to advertise a network that has been abandon(sic).

At this point, I do believe that you are stating the obvious.

Whether it is wise, or otherwise, to leave one's company's route announcements entirely on autopilot is, I think, a remaining question. The evidence would seem to suggest not. But then again, as I think we all know, there is a non-zero cost associated with doing anything well, professionally, or (as the lawyers like to say) in a workman-like manner, and these costs are often seen as being at odds with the corporate bottom line.

Personally, I just hope that Level3 accrues a sufficient quantity of bad PR from what they have done here so that they will lose a client or two, and that this in turn might have some salutary effect upon the corporate calculus.

Regards,
rfg
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
This is an old enough technique dating back to a few years - re-registering an expired domain that belonged to the ARIN contact, and filling out the ISP paperwork.

There does seem to be something that needs to be done - it's not something ARIN can easily look into, the SP is much better placed to take action. But it's a gray area between the two.

On Thu, Mar 31, 2011 at 3:22 AM, Jim Gonzalez j...@impactbusiness.com wrote:
> I have a level 3 circuit with BGP. Level 3 set me up a maintainer. To communicate with this program I just send an email to the maintainer, based on my email address and the maintainer name it will allow the route I request advertisement. I don't believe any one monitors this system and I would imagine if no one complains about this company advertising hijacked routes to level 3 then it would be quite easy to advertise a network that has been abandon.

-- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
In message aanlktikempr3qvvdorvugrnzn0cnkoa4vtbta5q3m...@mail.gmail.com, you wrote:

> This is an old enough technique dating back to a few years - re-registering an expired domain that belonged to the ARIN contact, and filling out the ISP paperwork.

FYI - That does not seem to have been what occurred in the two particular cases I reported on today. The e-mail contact domain for the two relevant ARIN allocation records seems to still be in use by the chemical company, Hoechst Celanese.

So that _really_ begs the question... Why did Circle Internet and (apparently) Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the crook who hijacked these two /16s had the right to use them?

% traceroute to 148.163.5.2 (148.163.5.2), 64 hops max, 40 byte packets
...
 8  ae-62-62.csw1.SanJose1.Level3.net (4.69.153.18) 42.796 ms ae-82-82.csw3.SanJose1.Level3.net (4.69.153.26) 44.268 ms ae-72-72.csw2.SanJose1.Level3.net (4.69.153.22) 43.296 ms
 9  ae-4-90.edge8.SanJose1.Level3.net (4.69.152.212) 44.877 ms ae-3-80.edge8.SanJose1.Level3.net (4.69.152.148) 44.731 ms ae-1-60.edge8.SanJose1.Level3.net (4.69.152.20) 44.426 ms
10  BANDCON.edge8.SanJose1.Level3.net (4.53.30.42) 45.018 ms 45.779 ms 45.043 ms
11  148.163.5.2 (148.163.5.2) 44.820 ms 45.651 ms 44.571 ms

In the case of Circle Internet, I feel sure that the check cleared, so they didn't see it as either necessary or useful to inquire further.

But the question that I'd most like to get an answer to... and the one that nobody will likely ever get an answer to... is Did BandCon likewise see that the check which was made out to them cleared, and that thus they didn't see fit to inquire any further?

Separately, Jim Gonzalez raised an interesting and related point... If I were to simply forge the sender address of an e-mail message, send it to Level3, and ask Level3 to route some arbitrary hunk of IP space for me, would Level3 just blindly do it?

If so, I may perhaps see if I can have a bit of fun, at their expense, this weekend.

I mean what the hay! It's pretty obvious that nobody from law enforcement has any interest in any of this crap, and that random bad actors can perpetrate whatever kinds of frauds they wish on the net with virtual impunity. So why should this hijacking crap only be a spectator's sport?

Regards,
rfg
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Wed, 30 Mar 2011, Ronald F. Guilmette wrote:
> So that _really_ begs the question... Why did Circle Internet and (apparently) Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the crook who hijacked these two /16s had the right to use them?

What makes you think it was blind? The standard industry practice is to ask someone requesting to announce a route for a letter on the owner's letter head authorizing the announcement. Is it really that hard to invent some letterhead and sign a letter?

It's probably one of the easiest to circumvent security procedures ever. Frankly it's a giant waste of time and does nothing other than frustrate legitimate work.

--
Brandon Ross
AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
It's also a procedure that does need some due diligence done on it, to avoid attacks where a SP's netblock is stolen when it's actively routed rather than abandoned.

On Thu, Mar 31, 2011 at 9:30 AM, Brandon Ross br...@pobox.com wrote:
> What makes you think it was blind? The standard industry practice is to ask someone requesting to announce a route for a letter on the owner's letter head authorizing the announcement. Is it really that hard to invent some letterhead and sign a letter?
>
> It's probably one of the easiest to circumvent security procedures ever. Frankly it's a giant waste of time and does nothing other than frustrate legitimate work.

-- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
Wait a second, I'm pretty sure that in most contexts, a signature or letterhead means not so much this is real because it's so obviously genuine, but rather: This is real or I am willing to take a forgery rap. As it happens, that's good enough for many if not most non-cash transactions. Now, there are societies where that doesn't work, but they don't usually have a lot of networks. On Wed, Mar 30, 2011 at 9:00 PM, Brandon Ross br...@pobox.com wrote: On Wed, 30 Mar 2011, Ronald F. Guilmette wrote: So that _really_ begs the question... Why did Circle Internet and (apparently) Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the crook who hijacked these two /16s had the right to use them? What makes you think it was blind? The standard industry practice is to ask someone requesting to announce a route for a letter on the owner's letter head authorizing the announcement. Is it really that hard to invent some letterhead and sign a letter? It's probably one of the easiest to circumvent security procedures ever. Frankly it's a giant waste of time and does nothing other than frustrate legitimate work. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Wed, 30 Mar 2011, Ross Harvey wrote:
> Wait a second, I'm pretty sure that in most contexts, a signature or letterhead means not so much this is real because it's so obviously genuine, but rather: This is real or I am willing to take a forgery rap.

Do you think most providers check the signer's ID to make sure they actually signed their own name? How do you prove that whomever you accuse of signing it actually forged it if not? Does anyone know of there ever being even a single case where someone was convicted of forgery for this?

--
Brandon Ross
AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
Ronald...

Cleaning up the routing, true. However, this sounds like there are two issues...

1. Routing -- Would be nice if the advertising provider(s) stopped doing so. Not something ARIN can really do much about.
2. Database -- Sounds like the existing resource holder may not still be using the resource or may no longer exist. In either case, it's worth having ARIN investigate the situation and take appropriate database action if that is the case.

Owen

Sent from my iPad

On Mar 30, 2011, at 4:59 PM, Ronald F. Guilmette r...@tristatelogic.com wrote:
> In message be8c4985-f955-4868-8145-146e57bbf...@pch.net, Bill Woodcock wo...@pch.net wrote:
>> On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
>>> As I already mentioned, 159.223.0.0/16, which is actually registered to the Hoechst Celanese Corporation, has quite obviously been hijacked
>>
>> And have you reported this to ARIN?
>
> No. Why would I? The ARIN folks have already made it abundantly clear... to me and to others... that this sort of thing is Not our job, man.
>
> ARIN maintains a data base. If other people elect to ignore what's in that data base... well... as anybody from ARIN will be only too happy to tell you, they are not the routing police.
>
> Regards,
> rfg
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
If they put it on letterhead and signed their own name in such a way that it purports to be an agent of the organization for which they were not an authorized agent, that is usually enough to become a criminal act, whether it is considered forgery, fraud, or something else, I'm not sure about the exact technicalities and they may vary by jurisdiction. Owen Sent from my iPad On Mar 30, 2011, at 11:53 PM, Brandon Ross br...@pobox.com wrote: On Wed, 30 Mar 2011, Ross Harvey wrote: Wait a second, I'm pretty sure that in most contexts, a signature or letterhead means not so much this is real because it's so obviously genuine, but rather: This is real or I am willing to take a forgery rap. Do you think most providers check the signer's ID to make sure they actually signed their own name? How do you prove that whomever you accuse of signing it actually forged it if not? Does anyone know of there ever being even a single case where someone was convicted of forgery for this? -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
On Wed, Mar 30, 2011 at 10:15 PM, Owen DeLong o...@delong.com wrote: If they put it on letterhead and signed their own name in such a way that it purports to be an agent of the organization for which they were not an authorized agent, that is usually enough to become a criminal act, whether it is considered forgery, fraud, or something else, I'm not sure about the exact technicalities and they may vary by jurisdiction. So, are you saying this is okay? I guess I'm at a loss in understanding why everyone seems to be so apathetic on this issue. - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
It also needs

1. Someone to complain to law enforcement
2. Law enforcement to decide this is something worth following up on re prosecution - especially if the crook is not within their jurisdiction, it'd be FBI, and they have a minimum threshold for damage caused (higher than the few thousand dollars a /16's registration fees cost?)

[not counting 7.5 million bucks paid in aftermarket deals like microsoft from nortel]

--srs

On Thu, Mar 31, 2011 at 10:45 AM, Owen DeLong o...@delong.com wrote:
> If they put it on letterhead and signed their own name in such a way that it purports to be an agent of the organization for which they were not an authorized agent, that is usually enough to become a criminal act, whether it is considered forgery, fraud, or something else, I'm not sure about the exact technicalities and they may vary by jurisdiction.

-- Suresh Ramasubramanian (ops.li...@gmail.com)