Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-04-05 Thread Jason Pope
All,

WRT the below route object, DataBank does announce IP space for Hoechst Celanese
Corporation as they are a direct customer of ours:

 $ whois -h whois.radb.net 148.163.0.0
 route:      148.163.0.0/16
 descr:      /16 for Celanese
 origin:     AS13767
 mnt-by:     DBANK-MNT
 changed:    jp...@databank.com 20090818
 source:     LEVEL3


Currently, we only announce/originate the following prefixes via BGP:

148.163.178.0/24
148.163.179.0/24

via our providers, Level3 and Sprint.  We asked our providers to relax their 
filters for the whole /16, since Celanese owns that IP space.  That may or may 
not be a good idea, depending on your view of network management.  We did this 
in case our customer needed to announce new networks which would save us the 
time/work of placing more/new route objects in the registry.  We have the 
appropriate LOA for this network which is validated through face-to-face 
meetings with their network engineers and representatives.

DataBank is very sensitive to network abuse; we have an AUP in place with all
of our customers and will always work hard to enforce it to prevent network abuse.

I apologize that I didn't respond sooner, but I have gotten behind on my NANOG 
reading.

Thank you,
Jason Pope
DataBank Holdings
214.720.2266 office




Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Owen DeLong

On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:

 It also needs
 
 1. Someone to complain to law enforcement
 
True,

 2. Law enforcement to decide this is something worth following up on
 re prosecution - especially if the crook is not within their
 jurisdiction, it'd be FBI, and they have a minimum threshold for
 damage caused (higher than the few thousand dollars a /16's
 registration fees cost?)
 
Not necessarily...

If the crook is in another county, same state, it could be simple extradition.

If the crook is across state lines, it could still be handled as an extradition,
but, slightly more complicated.

If the crook is on the other side of an international boundary, that's a whole
new ball of wax and the number of permutations of regulatory combinations
involved prevents any rational enumeration here.

Owen

 [not counting 7.5 million bucks paid in aftermarket deals like
 microsoft from nortel]
 
 --srs
 
 On Thu, Mar 31, 2011 at 10:45 AM, Owen DeLong o...@delong.com wrote:
 If they put it on letterhead and signed their own name in such a way that it purports
 to be an agent of the organization for which they were not an authorized agent, that
 is usually enough to become a criminal act, whether it is considered forgery, fraud,
 or something else, I'm not sure about the exact technicalities and they may vary
 by jurisdiction.
 
 
 
 -- 
 Suresh Ramasubramanian (ops.li...@gmail.com)




Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Suresh Ramasubramanian
Local law isn't likely to touch this at all.

On Thu, Mar 31, 2011 at 11:27 AM, Owen DeLong o...@delong.com wrote:

 If the crook is in another county, same state, it could be simple extradition.

 If the crook is across state lines, it could still be handled as an 
 extradition,
 but, slightly more complicated.

 If the crook is on the other side of an international boundary, that's a whole
 new ball of wax and the number of permutations of regulatory combinations
 involved prevents any rational enumeration here.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Ronald F. Guilmette

In message Pine.OSX.4.64.1103310053260.312@cevin-2.local, 
Brandon Ross br...@pobox.com wrote:

On Wed, 30 Mar 2011, Ross Harvey wrote:

 Wait a second, I'm pretty sure that in most contexts, a signature or
 letterhead means not so much this is real because it's so obviously
 genuine, but rather:

 This is real or I am willing to take a forgery rap.

Do you think most providers check the signer's ID to make sure they 
actually signed their own name?  How do you prove that whomever you accuse 
of signing it actually forged it if not?

Does anyone know of there ever being even a single case where someone was 
convicted of forgery for this?

Excuse me, but I think that this discussion is starting to stray rather
far from either the known or the reasonably plausible facts.

In the first place, I do not accept the theory that either Circle Internet
or Bandcon were hoodwinked by cleverly forged letterheads, and there is
no evidence I am aware of which would support that theory.

Until, if ever, additional facts are forthcoming, I believe that it is
just as plausible that some spammer simply came to each of these companies
and said to them Hi!  I really want to hijack these two unused /16 blocks.
Will you help me? and that one, or another, or perhaps both of these
companies simply replied Yea.  Sure.  We didn't quite make our quarterly
numbers, and we are always on the lookout for new revenue streams.  So
how much money do you intend to give us if we help you with this, exactly?

In the second place, this amusing letterhead fraud theory only holds
up if one also believes that, upon being presented with a mere forged
letterhead, allegedly coming in over the transom as it were, i.e. from
a previously unknown source, along with a request to announce some
routes to a couple of sizable blocks of IPv4 space, neither Circle
Internet nor BandCon even bothered to pick up the bleepin' phone to call
the contact number that is/was plainly visible for all to see, right
there in the relevant ARIN allocation WHOIS records for the IPv4 space
in question.

Then there is also the small matter of the name on the _checks_...
you know... the checks that _somebody_ had to write, in the first instance,
before either BandCon or Circle Internet would have been likely to provide
_any_ kind of service to some new and total stranger.  Or was this duped
by clever forgeries single bullet theory that you folks have been
discussing also intended to include the forging of CHECKS in the name of
Hoechst Celanese Corporation?


See, no matter how you slice it, both BandCon and Circle Internet have
a lot of explaining to do.  At the very least, and even if this
implausible forged letterhead theory were true... which I gravely
doubt... both BandCon and Circle Internet have been rather grotesquely
negligent, i.e. in accepting, without any checking whatsoever, the
representations made to them by some total stranger who simply
parachuted out of the clouds one day, clutching a forged letterhead in one
hand and a bag of unmarked small denomination bills in the other.

So that's the very least... the companies were both, at the very least,
rather stupendously negligent.

At the very worst on the other hand, one or another or both of them may
have been entirely in on and part of these hijacking schemes/scams from
the get-go.

I myself would tend to go with the latter theory, simply because it is
the only one that would seem to make any sense, you know, logically.  Ask
yourself which of these theories seems the most plausible?

1)  The spammer forged two checks in the name Hoechst Celanese
Corporation and gave one each to Circle Internet and BandCon,
respectively, along with similarly forged letters of introduction
and requests for routing of IP space.

Unless I am misremembering, this means that the spammer would have
engaged in not one but TWO very serious federal fraud offenses.

Even sleazy low-life spammers do not customarily accept this level
of risk, e.g. just to get their hands on some IPv4 space which, we
must remember, is only likely to be of value to them for a relatively
brief period of time, EVEN IF they can manage to keep it routed.

2)  The spammers gave Circle Internet and BandCon forged letters of
introduction (on forged letterheads) and requests for routing
services, and gave the two companies -zero- actual money, and
nonetheless, both companies started happily announcing routes for
the purported Hoechst Celanese Corporation, even though neither
company received a dime for this service, and even though they both
CONTINUED to provide this service, utterly for free, apparently for
at least THREE FULL MONTHS.

3)  The spammers gave Circle Internet and BandCon forged letters of
introduction (on forged letterheads) and requests for routing
services, and gave the two companies checks 

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Christopher Morrow
On Thu, Mar 31, 2011 at 7:57 AM, Owen DeLong o...@delong.com wrote:

 On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:

 It also needs

 1. Someone to complain to law enforcement

 True,

as has been brought up in the past here... some folk rely heavily upon
IRR data for route prefix filtering. if the object is in the IRR
database (with the right linkages), it gets permitted in router
filters automagically.

-chris
(being able to validate 'ownership', really authorization to route,
automatically will sure be nice, eh?)



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Christopher Morrow
On Thu, Mar 31, 2011 at 11:48 AM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 On Thu, Mar 31, 2011 at 7:57 AM, Owen DeLong o...@delong.com wrote:

 On Mar 30, 2011, at 10:26 PM, Suresh Ramasubramanian wrote:

 It also needs

 1. Someone to complain to law enforcement

 True,

 as has been brought up in the past here... some folk rely heavily upon
 IRR data for route prefix filtering. if the object is in the IRR
 database (with the right linkages), it gets permitted in router
 filters automagically.

I forgot:
$ whois -h whois.radb.net 148.163.0.0
route:      148.163.0.0/16
descr:      /16 for Celanese
origin:     AS13767
mnt-by:     DBANK-MNT
changed:    jp...@databank.com 20090818
source:     LEVEL3

(this means l3 proxy'd in the record, I think... maybe an L3 person
can speak to this bit?)

 -chris
 (being able to validate 'ownership', really authorization to route,
 automatically will sure be nice, eh?)




Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Ronald F. Guilmette

In message b2506b41-ad1f-4fb0-9d8e-c0a54e44b...@delong.com, 
Owen DeLong o...@delong.com wrote:

Cleaning up the routing {is not what ARIN does or thinks it should do}, true.

However, this sounds like there are two issues...

1. Routing -- Would be nice if the advertising provider(s) stopped doing
   so.  Not something ARIN can really do much about.

2. Database -- Sounds like the existing resource holder may not still
   be using the resource or may no longer exist. In either case, it's
   worth having ARIN investigate the situation and take appropriate
   database action if that is the case.

Worth it to whom?

I can tell you quite frankly that it sure as shineola isn't worth wasting
even one more additional second of _my_ time to try to beg, plead, cajole,
or browbeat ARIN/Curran into cleaning up the mess that is the IPv4 allocation
data base.  I've been down that road already, and all I have to show for it
is a couple of prominent boot marks on my ass and a couple of new enemies-
for-life... neither of which I really needed.

And also, frankly, I am utterly dumbfounded that you, of all people, should
be the one to suggest that this particular cock-up in the IPv4 allocation
data base is something that should be fixed.  I mean really, WTF?  Didn't
you, and I, and several other people already go through all of this at
least a couple of dozen times already on the ARIN public policy mailing
list?  And wasn't it you, in particular, who was consistently the most
vocal and avid proponent of the view that ANY effort expended on cleaning
up the IPv4 allocations DB would be an utter waste of time and valuable
manpower, and that ultimately, any efforts along those lines would only
serve to give those procrastinating on the inevitable shift to IPv6 more
time to procrastinate?

Seriously, I was left with the impression that if IPv6 were a person, it
would be you, and that if it were a company, you would be the majority
shareholder.  (Not that there would be anything wrong with that.)

Now all of a sudden you actually CARE about IPv4 allocations??  I say again,
WTF?

Color me flabbergasted.

Anyway, none of this makes any difference.  If somebody (you?) wants to
report either or both of these hijacked IPv4 blocks to ARIN... well...
be my guest.  If your plan was to wait around for me to do it, you are
in for a long wait.  I have more productive uses for my time just now,
like counting the pennies in my change jar and checking Craigslist for
mint Rolls Royces priced under a dollar.


Regards,
rfg



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Tony Tauber
I don't believe this record indicates that Level3 proxy registered the route
object.
It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to
enter a route object 18 months ago.

It looks like Level3 is originating the route in AS3356, not accepting it
from AS13767 (which is what the object would suggest to do.)

Oops, looks like the route is now gone.  Guess it got cleaned.

Tony

On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow morrowc.li...@gmail.com
 wrote:


 I forgot:
 $ whois -h whois.radb.net 148.163.0.0
 route:      148.163.0.0/16
 descr:      /16 for Celanese
 origin:     AS13767
 mnt-by:     DBANK-MNT
 changed:    jp...@databank.com 20090818
 source:     LEVEL3

 (this means l3 proxy'd in the record, I think... maybe an L3 person
 can speak to this bit?)

  -chris
  (being able to validate 'ownership', really authorization to route,
  automatically will sure be nice, eh?)
 




Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Christopher Morrow
On Thu, Mar 31, 2011 at 5:33 PM, Tony Tauber ttau...@1-4-5.net wrote:
 I don't believe this record indicates that Level3 proxy registered the route
 object.
 It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to
 enter a route object 18 months ago.


possibly...

 It looks like Level3 is originating the route in AS3356, not accepting it
 from AS13767 (which is what the object would suggest to do.)

 Oops, looks like the route is now gone.  Guess it got cleaned.


l3 ams router says:
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i148.163.0.0/20   4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*>i148.163.64.0/20  4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*  148.163.178.0/24 213.206.131.45          10     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
*  148.163.179.0/24 213.206.131.45          10     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
* i148.163.224.0/19 4.69.181.3               0    100      0 i
*>i                 4.69.181.3               0    100      0 i

there's a possibility that, in this case, L3 is simply holding up the
/16 for their customer, sinking junk traffic and permitting more
specifics by the customer? (it's not clear here, though the above
seems to show sprint propagating databank's prefixes while L3 is
originating some parts of the /16 still.)

http://www.robtex.com/as/as13767.html

indicates that the 2 upstreams for databank are apparently L3 and sprint.

-Chris

 Tony

 On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow
 morrowc.li...@gmail.com wrote:

 I forgot:
 $ whois -h whois.radb.net 148.163.0.0
 route:         148.163.0.0/16
 descr:         /16 for Celanese
 origin:        AS13767
 mnt-by:        DBANK-MNT
 changed:       jp...@databank.com 20090818
 source:        LEVEL3

 (this means l3 proxy'd in the record, I think... maybe an L3 person
 can speak to this bit?)

  -chris
  (being able to validate 'ownership', really authorization to route,
  automatically will sure be nice, eh?)
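
The check discussed in the messages above (IRR route objects feeding prefix filters, and comparing the registered origin with what is actually announced), as an added example that is not part of the thread or of any participant's tooling. The observations are constructed from the BGP table quoted above; reading an empty AS path as AS3356 follows Tony Tauber's message, and the function names, the 192.0.2.0/24 entry and AS64500 are assumptions made for illustration.

```python
import ipaddress

# Route object as shown in the thread's whois output (changed: line omitted).
ROUTE_OBJECT = """\
route:      148.163.0.0/16
descr:      /16 for Celanese
origin:     AS13767
mnt-by:     DBANK-MNT
source:     LEVEL3
"""

# Constructed observations modelled on the quoted BGP table: (prefix, AS path).
# An empty path means the route is originated inside the viewing network.
LOCAL_AS = 3356  # assumption taken from Tony Tauber's reading of the table
OBSERVED = [
    ("148.163.0.0/20", []),
    ("148.163.64.0/20", []),
    ("148.163.178.0/24", [1239, 13767]),
    ("148.163.179.0/24", [13767]),
    ("148.163.224.0/19", []),
    ("192.0.2.0/24", [64500]),  # constructed: nothing registered for it here
]


def parse_rpsl(text):
    """Split whois/RPSL text into objects: {attribute: [values, ...]}."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the current object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):  # server comments
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def build_filter(objects, max_len=None):
    """Turn route objects into (network, origin_asn, max_prefix_len) entries.

    max_len=None models an exact-match filter; a larger value models a
    provider relaxing the filter to permit more-specifics of the object.
    """
    entries = []
    for obj in objects:
        if "route" not in obj or "origin" not in obj:
            continue
        net = ipaddress.ip_network(obj["route"][0])
        asn = int(obj["origin"][0].upper().replace("AS", "", 1))
        entries.append((net, asn, net.prefixlen if max_len is None else max_len))
    return entries


def classify(prefix, as_path, entries, local_as):
    """Compare one observed announcement with the filter entries."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1] if as_path else local_as
    covering = [e for e in entries
                if e[0].version == net.version and net.subnet_of(e[0])]
    if not covering:
        return "unregistered"
    same_origin = [e for e in covering if e[1] == origin]
    if not same_origin:
        return "origin-mismatch"       # registered to a different AS: review
    if all(net.prefixlen > e[2] for e in same_origin):
        return "too-specific"          # right AS, but longer than permitted
    return "accepted"


def audit(observed, entries, local_as=LOCAL_AS):
    """Return {prefix: verdict} for every observed announcement."""
    return {p: classify(p, path, entries, local_as) for p, path in observed}


if __name__ == "__main__":
    objs = parse_rpsl(ROUTE_OBJECT)
    for label, flt in (("exact /16", build_filter(objs)),
                       ("relaxed to /24", build_filter(objs, max_len=24))):
        print(label)
        for prefix, verdict in audit(OBSERVED, flt).items():
            print(f"  {prefix:<18} {verdict}")
```

A verdict of origin-mismatch only says the announcement disagrees with the registry data and needs a human to look at it; it does not by itself distinguish a hijack from a provider holding the aggregate for its customer.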
 






Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Matthew Petach
On Thu, Mar 31, 2011 at 3:11 AM, Ronald F. Guilmette
r...@tristatelogic.com wrote:

...
 Seriously, I was left with the impression that if IPv6 were a person, it
 would be you, and that if it were a company, you would be the majority
 shareholder.  (Not that there would be anything wrong with that.)

I for one would put money on the table towards the rename Owen to Mr. IPv6
effort.   I think it would be wonderful to be able to honestly say
IPv6 is in da house! every time the person formerly known as Owen walked
into the room at ARIN meetings.  :D

Matt



RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Stefan Fouant
 -Original Message-
 From: Matthew Petach [mailto:mpet...@netflight.com]
 Sent: Thursday, March 31, 2011 2:28 PM
 
 I for one would put money on the table towards the rename Owen to Mr.
 IPv6
 effort.   I think it would be wonderful to be able to honestly say
 IPv6 is in da
 house! every time the person formerly known as Owen walked into the
 room at ARIN meetings.  :D

+1 | That, or The evangelist formerly known as Owen... :p

Stefan Fouant





Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Owen DeLong

On Mar 31, 2011, at 12:01 PM, Stefan Fouant wrote:

 -Original Message-
 From: Matthew Petach [mailto:mpet...@netflight.com]
 Sent: Thursday, March 31, 2011 2:28 PM
 
 I for one would put money on the table towards the rename Owen to Mr.
 IPv6
 effort.   I think it would be wonderful to be able to honestly say
 IPv6 is in da
 house! every time the person formerly known as Owen walked into the
 room at ARIN meetings.  :D
 
 +1 | That, or The evangelist formerly known as Owen... :p
 
 Stefan Fouant
 
 
ROFLMAO

Owen




RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Rafael Cresci
 I for one would put money on the table towards the rename Owen to Mr.
 IPv6
 effort.   I think it would be wonderful to be able to honestly say
 IPv6 is in da
 house! every time the person formerly known as Owen walked into the 
 room at ARIN meetings.  :D

Like a v6, like a v6 could be the soundtrack... :-)

[]s
Rafael Cresci


Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Suresh Ramasubramanian
On Fri, Apr 1, 2011 at 12:31 AM, Stefan Fouant
sfou...@shortestpathfirst.net wrote:

 +1 | That, or The evangelist formerly known as Owen... :p

No no ... TEFKAO.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Bill Woodcock


On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
 As I already mentioned, 159.223.0.0/16, which is actually registered to
 the Hoechst Celanese Corporation, has quite obviously been hijacked

And have you reported this to ARIN?

https://www.arin.net/public/fraud/index.xhtml

Obviously it's not fraud on Celanese's part, but it certainly seems to be 
evidence that they don't need the space anymore.  If someone who needed it more 
had it, they might not put up with the hijacking.

-Bill








RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Jim Gonzalez
I have a level 3 circuit with BGP. Level 3 set me up a maintainer. To
communicate with this program I just send an email to the maintainer, based
on my email address and the maintainer name it will allow the route I
request advertisement. I don't believe any one monitors this system and I
would imagine if no one complains about this company advertising hijacked
routes to level 3 then it would be quite easy to advertise a network that
has been abandon.

-Original Message-
From: Bill Woodcock [mailto:wo...@pch.net] 
Sent: Wednesday, March 30, 2011 5:04 PM
To: Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP
hijacking??



On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
 As I already mentioned, 159.223.0.0/16, which is actually registered to
 the Hoechst Celanese Corporation, has quite obviously been hijacked

And have you reported this to ARIN?

https://www.arin.net/public/fraud/index.xhtml

Obviously it's not fraud on Celanese's part, but it certainly seems to be
evidence that they don't need the space anymore.  If someone who needed it
more had it, they might not put up with the hijacking.

-Bill









Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette

In message be8c4985-f955-4868-8145-146e57bbf...@pch.net, 
Bill Woodcock wo...@pch.net wrote:

On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
 As I already mentioned, 159.223.0.0/16, which is actually registered to
 the Hoechst Celanese Corporation, has quite obviously been hijacked

And have you reported this to ARIN?

No.  Why would I?

The ARIN folks have already made it abundantly clear... to me and to others...
that this sort of thing is Not our job, man.

ARIN maintains a data base.  If other people elect to ignore what's in that
data base... well... as anybody from ARIN will be only too happy to tell you,
they are not the routing police.


Regards,
rfg



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette

In message 002201cbef24$c1b61d70$45225850$@com, you wrote:

I don't believe any one monitors this system and I
would imagine if no one complains about this company advertising hijacked
routes to level 3 then it would be quite easy to advertise a network that
has been abandon(sic).

At this point, I do believe that you are stating the obvious.

Whether it is wise, or otherwise, to leave one's company's route announcements
entirely on autopilot is, I think, a remaining question.

The evidence would seem to suggest not.

But then again, as I think we all know, there are non-zero costs associated
with doing anything well, professionally, or (as the lawyers like to say)
in a workman-like manner, and these costs are often seen as being at odds
with the corporate bottom line.

Personally, I just hope that Level3 accrues a sufficient quantity of bad
PR from what they have done here so that they will lose a client or two,
and that this in turn might have some salutary effect upon the corporate
calculus.


Regards,
rfg



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Suresh Ramasubramanian
This is an old enough technique dating back to a few years -
re-registering an expired domain that belonged to the ARIN contact,
and filling out the ISP paperwork.

There does seem to be something that needs to be done - it's not
something ARIN can easily look into, the SP is much better placed to
take action.  But it's a gray area between the two.

On Thu, Mar 31, 2011 at 3:22 AM, Jim Gonzalez j...@impactbusiness.com wrote:
 I have a level 3 circuit with BGP. Level 3 set me up a maintainer. To
 communicate with this program I just send an email to the maintainer, based
 on my email address and the maintainer name it will allow the route I
 request advertisement. I don't believe any one monitors this system and I
 would imagine if no one complains about this company advertising hijacked
 routes to level 3 then it would be quite easy to advertise a network that
 has been abandon.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette

In message aanlktikempr3qvvdorvugrnzn0cnkoa4vtbta5q3m...@mail.gmail.com, you 
wrote:

This is an old enough technique dating back to a few years -
re-registering an expired domain that belonged to the ARIN contact,
and filling out the ISP paperwork.

FYI - That does not seem to have been what occurred in the two particular
cases I reported on today.  The e-mail contact domain for the two relevant
ARIN allocation records seems to still be in use by the chemical company,
Hoechst Celanese.

So that _really_ begs the question... Why did Circle Internet and (apparently)
Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the
crook who hijacked these two /16s had the right to use them?

% traceroute to 148.163.5.2 (148.163.5.2), 64 hops max, 40 byte packets
 ...
 8  ae-62-62.csw1.SanJose1.Level3.net (4.69.153.18)  42.796 ms
ae-82-82.csw3.SanJose1.Level3.net (4.69.153.26)  44.268 ms
ae-72-72.csw2.SanJose1.Level3.net (4.69.153.22)  43.296 ms
 9  ae-4-90.edge8.SanJose1.Level3.net (4.69.152.212)  44.877 ms
ae-3-80.edge8.SanJose1.Level3.net (4.69.152.148)  44.731 ms
ae-1-60.edge8.SanJose1.Level3.net (4.69.152.20)  44.426 ms
10  BANDCON.edge8.SanJose1.Level3.net (4.53.30.42)  45.018 ms  45.779 ms  45.043 ms
11  148.163.5.2 (148.163.5.2)  44.820 ms  45.651 ms  44.571 ms


In the case of Circle Internet, I feel sure that the check cleared, so they
didn't see it as either necessary or useful to inquire further.  But the
question that I'd most like to get an answer to... and the one that nobody
will likely ever get an answer to... is Did BandCon likewise see that the
check which was made out to them cleared, and that thus they didn't see fit
to inquire any further?

Separately, Jim Gonzalez raised an interesting and related point... If I
were to simply forge the sender address of an e-mail message, send it to
Level3, and ask Level3 to route some arbitrary hunk of IP space for me,
would Level3 just blindly do it?

If so, I may perhaps see if I can have a bit of fun, at their expense, this
weekend.  I mean what the hay!  It's pretty obvious that nobody from law
enforcement has any interest in any of this crap, and that random bad actors
can perpetrate whatever kinds of frauds they wish on the net with virtual
impunity.  So why should this hijacking crap only be a spectator's sport?


Regards,
rfg



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Brandon Ross

On Wed, 30 Mar 2011, Ronald F. Guilmette wrote:


So that _really_ begs the question... Why did Circle Internet and (apparently)
Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the
crook who hijacked these two /16s had the right to use them?


What makes you think it was blind?  The standard industry practice is to 
ask someone requesting to announce a route for a letter on the owner's 
letter head authorizing the announcement.  Is it really that hard to 
invent some letterhead and sign a letter?


It's probably one of the easiest to circumvent security procedures ever.

Frankly it's a giant waste of time and does nothing other than frustrate 
legitimate work.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Suresh Ramasubramanian
It's also a procedure that does need some due diligence done on it, to
avoid attacks where a SP's netblock is stolen when its actively routed
rather than abandoned.

On Thu, Mar 31, 2011 at 9:30 AM, Brandon Ross br...@pobox.com wrote:

 What makes you think it was blind?  The standard industry practice is to ask
 someone requesting to announce a route for a letter on the owner's letter
 head authorizing the announcement.  Is it really that hard to invent some
 letterhead and sign a letter?

 It's probably one of the easiest to circumvent security procedures ever.

 Frankly it's a giant waste of time and does nothing other than frustrate
 legitimate work.




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ross Harvey
Wait a second, I'm pretty sure that in most contexts, a signature or
letterhead means not so much this is real because it's so obviously
genuine, but rather:

This is real or I am willing to take a forgery rap.

As it happens, that's good enough for many if not most non-cash
transactions. Now, there are societies where that doesn't work, but
they don't usually have a lot of networks.

On Wed, Mar 30, 2011 at 9:00 PM, Brandon Ross br...@pobox.com wrote:

 On Wed, 30 Mar 2011, Ronald F. Guilmette wrote:

 So that _really_ begs the question... Why did Circle Internet and 
 (apparently)
 Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the
 crook who hijacked these two /16s had the right to use them?

 What makes you think it was blind?  The standard industry practice is to ask 
 someone requesting to announce a route for a letter on the owner's letter 
 head authorizing the announcement.  Is it really that hard to invent some 
 letterhead and sign a letter?

 It's probably one of the easiest to circumvent security procedures ever.

 Frankly it's a giant waste of time and does nothing other than frustrate 
 legitimate work.

 --
 Brandon Ross                                              AIM:  BrandonNRoss
                                                               ICQ:  2269442
                                   Skype:  brandonross  Yahoo:  BrandonNRoss




Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Brandon Ross

On Wed, 30 Mar 2011, Ross Harvey wrote:


Wait a second, I'm pretty sure that in most contexts, a signature or
letterhead means not so much this is real because it's so obviously
genuine, but rather:

This is real or I am willing to take a forgery rap.


Do you think most providers check the signer's ID to make sure they 
actually signed their own name?  How do you prove that whomever you accuse 
of signing it actually forged it if not?


Does anyone know of there ever being even a single case where someone was 
convicted of forgery for this?


--
Brandon Ross  AIM:  BrandonNRoss
ICQ:  2269442
Skype:  brandonross  Yahoo:  BrandonNRoss



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Owen DeLong
Ronald...

Cleaning up the routing, true.

However, this sounds like there are two issues...

1.  Routing -- Would be nice if the advertising provider(s) stopped doing so.
    Not something ARIN can really do much about.

2.  Database -- Sounds like the existing resource holder may not still be using
    the resource or may no longer exist. In either case, it's worth having ARIN
    investigate the situation and take appropriate database action if that
    is the case.

Owen


Sent from my iPad

On Mar 30, 2011, at 4:59 PM, Ronald F. Guilmette r...@tristatelogic.com 
wrote:

 
 In message be8c4985-f955-4868-8145-146e57bbf...@pch.net, 
 Bill Woodcock wo...@pch.net wrote:
 
 On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote:
 As I already mentioned, 159.223.0.0/16, which is actually registered to
 the Hoechst Celanese Corporation, has quite obviously been hijacked
 
 And have you reported this to ARIN?
 
 No.  Why would I?
 
 The ARIN folks have already made it abundantly clear... to me and to others...
 that this sort of thing is Not our job, man.
 
 ARIN maintains a data base.  If other people elect to ignore what's in that
 data base... well... as anybody from ARIN will be only too happy to tell you,
 they are not the routing police.
 
 
 Regards,
 rfg



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Owen DeLong
If they put it on letterhead and signed their own name in such a way that it purports
to be an agent of the organization for which they were not an authorized agent, that
is usually enough to become a criminal act, whether it is considered forgery, fraud,
or something else, I'm not sure about the exact technicalities and they may vary
by jurisdiction.

Owen


Sent from my iPad

On Mar 30, 2011, at 11:53 PM, Brandon Ross br...@pobox.com wrote:

 On Wed, 30 Mar 2011, Ross Harvey wrote:
 
 Wait a second, I'm pretty sure that in most contexts, a signature or
 letterhead means not so much this is real because it's so obviously
 genuine, but rather:
 
 This is real or I am willing to take a forgery rap.
 
 Do you think most providers check the signer's ID to make sure they actually 
 signed their own name?  How do you prove that whomever you accuse of signing 
 it actually forged it if not?
 
 Does anyone know of there ever being even a single case where someone was 
 convicted of forgery for this?
 
 -- 
 Brandon Ross  AIM:  BrandonNRoss
ICQ:  2269442
Skype:  brandonross  Yahoo:  BrandonNRoss



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Paul Ferguson
On Wed, Mar 30, 2011 at 10:15 PM, Owen DeLong o...@delong.com wrote:

 If they put it on letterhead and signed their own name in such a way that it purports
 to be an agent of the organization for which they were not an authorized agent, that
 is usually enough to become a criminal act, whether it is considered forgery, fraud,
 or something else, I'm not sure about the exact technicalities and they may vary
 by jurisdiction.


So, are you saying this is okay?

I guess I'm at a loss in understanding why everyone seems to be so
apathetic on this issue.

- ferg



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Suresh Ramasubramanian
It also needs

1. Someone to complain to law enforcement

2. Law enforcement to decide this is something worth following up on
re prosecution - especially if the crook is not within their
jurisdiction, it'd be FBI, and they have a minimum threshold for
damage caused (higher than the few thousand dollars a /16's
registration fees cost?)

[not counting 7.5 million bucks paid in aftermarket deals like
microsoft from nortel]

--srs

On Thu, Mar 31, 2011 at 10:45 AM, Owen DeLong o...@delong.com wrote:
 If they put it on letterhead and signed their own name in such a way that it purports
 to be an agent of the organization for which they were not an authorized agent, that
 is usually enough to become a criminal act, whether it is considered forgery, fraud,
 or something else, I'm not sure about the exact technicalities and they may vary
 by jurisdiction.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)