AS11296 -- Hijacked?

I received a nice email from a very polite graduate student just now,
who shall remain nameless, and I decided that I wanted to give him
the reply below, but also to post this all to NANOG too, so here it
is. I hope this may allay some of the concern that has been expressed
about me not being more forthcoming about the details of this case.
(And if anybody gives me a hard time about being ``off topic'' then
I'm going to give him or her a knuckle sandwich, because I was
specifically asked... indeed badgered... to provide more explanation
of, and more justification for my earlier posting, as the record in
the archives of this list will clearly show.)

The friendly graduate student wrote:

I've been quietly following NANOG's little flamewar over this. I'm
interested in what techniques you used to arrive at your conclusion
regarding AS11296.

Unfortunately for me, I'm not a network op. Instead, I am a PhD student
interested in all matters inter-domain. I hope you feel this is enough
to make me a worthy recipient.

No, actually, it isn't. If I google you can I be _sure_ that you're
not playing for the other team? Probably not.

But the good news is that I have decided to be a bit less cagey
generally, and specifically in my public comments about these things
anyway, and to give out more confirming data bits anyway. And I'll
be sending this letter on to the NANOG list soon, with your name
redacted, of course.

What follows below is information that could be gleaned (if you know
how) from whois.internic.net. It's all public info. I just rearrange
it and print it out in a nice pretty way. (Of course knowing where
to look within the vast IPv4 address space is also quite helpful, but
I'm not going to get in to that.)

The bottom line here is that if you get the whois records for the domains
associated with the name servers in the list attached at the end, you'll
see that they are all going to be ``fishy'' in some way, e.g. ``cloaked''
(aka ``privacy protected''), or else registered to some mystery fly-by-night
company that may or may not actually exist, or at any rate, the
domains will all be registered to something sort-of stealthy... something
which is intended to make the spammer behind all this a bit harder to find.

Oh yeah, and the snail mail addresses given in the WHOIS records for the
domains will usually/often be traceable to UPS Store rental P.O. boxes...
those are standard spammer favorites, because...as they well know... us
spamfighters can't find out who really controls any one of those boxes
without a subpoena... unlike USPS boxes, for instance. (All this is
quite well known in the dank sleazy spammer underground already, so I'm
not hardly giving away any secrets here.) And in a similar vein, the
contact phone numbers given in the whois records will quite typically
be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers. No, the spammers
are _not_ trying to save you money when you want to call them up to bitch
to them about the fact that they sent you 8,372 spams in a row. Nope,
again, they use the toll-free numbers for a very specific purpose, which
is again to make it more difficult for anyone trying to track them down
to find their actual physical location. Non-tollfree numbers are typically
associated with a specific geographic vicinity (although even that is
being substantially eroded by number portability). But the toll free
numbers are truly and always utterly geographically anonymous. So
spammers use them a lot, primarily in domain whois records.

So here you are. You've got this s**t load of highly ``fishy'' name servers,
and they are all planted firmly into IP space that (a) appears to have been
allocated to a reputable name brand company... such as Seiko, in this
case... *and* (b) the block in question, based on the RegDate: and Updated:
fields of the block's ARIN whois record, apparently hasn't been touched for
years... maybe even a decade or more... thus implying that the former owners
of the block either have abandoned it years ago, or else they themselves
went belly up and ceased to exist, probably during the Great Dot Com Crash
of 2000. Add it all up and what does it spell? No, not heartburn... Hijack.

See, there actually isn't any big mystery about any of this, except the
part about how I came to focus on this particular set of IP blocks and/or
the particular AS that was announcing routes to them. And about that
part, I have nothing to say, except to tell these spammers (who are
probably listening) what I always say... that spamming is THE most public
of all crimes. If you really think that you can hide and be totally invisible,
even while you blast MILLIONS of total strangers with your advertising, then
you need to up your lithium, because the dosage you're on now clearly isn't
doing the job.

Oh, and one other small thing... Even though the spammers try to hide
themselves, often times, they really don't try THAT hard, probably because
most folks don't care enough to really learn how to track these kinds of
schmucks down, so in general, they only have to be a little stealthy...
not a lot stealthy, and they know that. But using hijacked space raises
the bar a little. In this context, you shouldn't really use all P.O.
boxes that are on your same island, just because you are too effing lazy
to take a ferry to the mainland once a month to pick up your hate mail
from your anonymous UPS drop box.

I can't really tell you exactly who engineered the hijacking in this
case. Somebody with some network savvy obviously. What I suspect I
_can_ tell you is which spammer (who runs a false-front ``affiliate
marketing'' operation, just as cover story for their own snowshoe
spamming... as most of the serious snowshoers do these days) most
probably sub-leased the IP space from whoever actually engineered the
hijacking.

Look at the snail-mail addresses in the whois records for the domains
listed below. Yes, they are UPS boxes, but look at the general location,
Victoria, BC. So now go and google for "affiliate marketing" and
"Victoria". There really aren't that many probable suspects. Victoria
ain't a terribly big place. Not like, e.g. Vancouver. But then the
schmuck would have to take the ferry over once a month to collect his
hate mail from his mainland anonymous UPS box, and he's too effing lazy
to do that. That's why he's a spammer, because he's too effing lazy and
untalented to get honest work, or even to learn an honest trade, you
know, like male hooker. (Hey! At least it's consensual, unlike spamming.)

(Nishant? I know you're listening. Now you WILL make sure that Tobyn
gets a copy of this posting, won't you? That's a good boy. Thanks.
Effing assholes!)

Could it possibly be that I'm jumping to the Wrong Conclusion here about
who the spammer is, I mean just based on something as flimsy as geographic
proximity? Sure, but not bloody likely. You see that's not hardly the
only evidence that I have in front of me. I'm just not talking about
the rest. (And I hope it keeps the son of a bitch up nights trying to
figure out how ELSE he phuked up, in addition to being lazy and using
only local UPS drop boxes.)

Regards,
rfg

P.S. Some or all of the data presented below may still be available via
whois.internic.net, even though the IP blocks are no longer even routed.
Try this for example:

   whois -h whois.internic.net 206.226.96.2

Yup. Still there. At least for now. Probably be gone by morning.

P.P.S. To all of the spammers out there reading this who think that you
have learned from this e-mail how to be more stealthy still, and how to
hide from me even better in the future... well... enjoy your fantasy
while it lasts. I can find you now, I can find you next year, and I'll
be able to find you ten years from now. And do you know why? Because
I'm smarter than you are. And that's not saying much. If you had any
talent... any talent at all... then you'd be able to find an HONEST job.
It wouldn't pay as well, but at least you wouldn't be ashamed to tell
your mother what you _actually_ do for a living.

In the meantime, please hurry up and die. The world will most definitely
be a better place when we no longer have to carry your dead weight on the
backs of humanity. Don't flatter yourselves. You make nothing. You
build nothing. You contribute nothing. You just annoy people. For
money. We will make sure that that exact epitaph is engraved on your
headstone, so that you will be remembered properly, once you go.

...
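As an added illustration (not code from the post or from any project on this list), here is a Python sketch of the whois-based checks Ron describes above: an ARIN net record whose Updated: field is years old, combined with name-server domains whose registrations show privacy protection, a rental-mailbox street address or a toll-free contact number. All records, names and numbers below are constructed.

```python
# Added example (not from the post): whois-based triage of a suspected
# hijacked netblock. Every record below is constructed, not registry output.
import re
from datetime import date

AS_OF = date(2010, 10, 1)  # reference date for the staleness check

NET_RECORD = """\
CIDR:           206.226.96.0/19
OrgName:        Example Watch Company
RegDate:        1995-03-14
Updated:        1998-07-02
"""

# Domain whois records for name servers seen inside that block.
DOMAIN_RECORDS = {
    "ns1.example-hosting.test": """\
Registrant Name: Domains By Proxy Privacy Service
Registrant Street: 1234 Main St, PMB 101, Victoria BC
Registrant Phone: +1.8885551234
""",
    "ns2.example-hosting.test": """\
Registrant Name: Jane Roe
Registrant Street: 10 Example Rd, Vancouver BC
Registrant Phone: +1.2505550199
""",
}

# Toll-free NANP prefixes the post calls out: 800, 888, 877, 866.
TOLL_FREE = re.compile(r"\+?1[.\-]?(800|888|877|866)\d{7}$")
PRIVACY_WORDS = ("privacy", "proxy", "protected")

def whois_fields(record):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in record.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def years_stale(record, today=AS_OF):
    """Years since the Updated: field; None if the record lacks one."""
    updated = whois_fields(record).get("updated")
    if not updated:
        return None
    return (today - date.fromisoformat(updated)).days / 365.25

def domain_flags(record):
    """List the registration-hiding signs present in one domain record."""
    f = whois_fields(record)
    flags = []
    if any(w in f.get("registrant name", "").lower() for w in PRIVACY_WORDS):
        flags.append("privacy-protected")
    street = f.get("registrant street", "").lower()
    # "PMB" (private mail box) is assumed here as the usual written form of
    # a UPS Store rental-box address; the post itself only says "UPS Store".
    if "ups store" in street or re.search(r"\bpmb\b", street):
        flags.append("rental-mailbox")
    if TOLL_FREE.match(f.get("registrant phone", "").replace(" ", "")):
        flags.append("toll-free-phone")
    return flags

def triage(net_record, domain_records, today=AS_OF, stale_years=5):
    """Suspicious = stale block registration AND fishy name-server domains."""
    stale = years_stale(net_record, today)
    domains = {d: domain_flags(r) for d, r in domain_records.items()}
    is_stale = stale is not None and stale >= stale_years
    return {"stale": is_stale, "domains": domains,
            "suspicious": is_stale and any(domains.values())}
```

Neither signal alone is conclusive (plenty of legitimate registrants use privacy services or toll-free numbers); the point is the combination with a block nobody has touched in years.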

I would take more of an Occam's razor approach. If you have an AS that
is supposedly an ISP in North Carolina or Ohio or wherever and first of
all have only one way into their network (are they an ISP or are they
simply reselling someone else's service?) and none of that connectivity
traces back to their region of operation, and particularly where their
name has been bought by or merged with someone else and that someone
else is not announcing their AS and address blocks, then that is
certainly cause for suspicion. "Hijacking" of defunct resources is
probably a widespread activity. Finding the hijacked resources of
companies that liquidated in fairly public fashion is probably easier
than finding resources for a company that has been "laundered" through
several mergers over several years where the current company doesn't
even realize that they "own" the resources of a company bought by a
company they bought because of personnel turnover involved with layoffs
and such.

To the general population of this list: Have you worked for a company
that has liquidated? Are those Internet resource registrations still in
whois? Maybe you should inform ARIN so those resources can be
reclaimed. I did that when I noticed that a company I once worked for
that evaporated still had resources in the database. That is just
ASKING for someone to announce those resources and nobody is probably
going to blink an eye because the upstreams rarely check to see if the
entity they are talking to are actually authorized to announce that
space. You tell them the ASN and net blocks, the two jibe, upstream
says OK.

How much address space is being wasted in this way?

G

Cheers Ron for coming forth with your reasoning, it is appreciated.
Your bit of trust in me/us has gone a long way, and it's good to
understand your motivation and how you came to your conclusions.

I'm actually quite surprised that you have found so much spam coming
out of the US! I would have thought less developed countries where it's
easy to obtain unregulated connections, with little legal repercussion
would be more popular. Then again, I personally have not done a lot of
research in the field.

Good luck with your endeavour.
Heath

"Hijacking" of defunct resources is probably a widespread activity.

It is. A number of individuals and entities have been involved in
tracking these over the years, and I've seen enough to figure out
that it's common because it's relatively easy, it's likely to be
undetected, it's likely to be ignored if detected, there are no
significant penalties, and even if it all goes south: it's easy
to start over and do it again.

How much address space is being wasted in this way?

A lot. Moreover, large chunks of address space are being wasted in this way:

  1. Spammer sets up dummy front web-hosting/ISP company.
  1a. (optional) Spammer sets up second-level dummy front.
  2. Spammer gets ARIN et al. to allocate a /20 or a /17 or whatever.
  3. Spammer uses spammer-friendly registrar to purchase
     throwaway domains in bulk. (Sometimes the registrar IS
     the spammer. Cost-effective.)
  4. Spammer populates the allocation with throwaway domains
     and commences snowshoe spamming.
  4a. (optional) Spamming facilitates drive-by downloads, malware
      injection, browser exploits, phishing, and other attacks.
  5. Anti-spam resources notice this and blacklist the allocation.
     So do large numbers of individual network/system/mail admins.
  6. Return to step 1.

It's instructive to consider who profits from each of these steps.

A quick check of my (local, incomplete, barely scratch-the-surface) list
of such things includes (and I've left out smaller and larger blocks,
thus this is pretty much a snapshot of the middle of the curve):

  /16's: 25
  /17's: 20
  /18's: 47
  /19's: 73
  /20's: 99
  /21's: 88
  /22's: 105
  /23's: 198
  /24's: 3245

for a total of about 6.6 million IP addresses. My guess is that this
is likely a few percent, at best, of the real total: it just happens
to be the set that brought itself to my attention by being sufficiently
annoying to local resources. So I wouldn't be at all surprised to find
that the real total is in the 100M ballpark.

So I've concluded that there really isn't an IPv4 address space shortage.
Spammers have absolutely no problem getting allocation after allocation
after allocation, turning each one into scorched earth and moving on.
ARIN et al. certainly have no interest in stopping them, and ICANN only
cares about registrar profits, so there's no help coming from either
of those.

---rsk

Ron,

Let's try that without the diatribe:

"I saw spam domains pop up associated with 199.241.95.253.
199.241.64.0/19 appears to be a defunct registration reannounced to
the Internet two weeks ago by an AS11296 -- an unregistered AS number.
A large quantity of spam domains popped up with the other addresses
recently announced by AS11296 as well. Accordingly, I suspect that as
we've seen many times before and all clearly understand, AS11296 and
the addresses it advertises have been hijacked by a spammer."

There. Now, would that have been so hard?

Your friend was right. We don't want a "lengthy elaboration." Just a
simple, concise explanation of why you believe your claim to be true.

As for your secretive and ingenious detection, get over yourself.
We've seen this before. More than once.

Regards,
Bill Herrin

this is still less than a /8, which lasts ~3 months in ARIN region and
less if you count across RIRs...

Spammers have absolutely no problem getting allocation after allocation
after allocation, turning each one into scorched earth and moving on.

Materially correct, despite the fact that we look into
the company registrations, principal parties involved,
and mailing addresses at the time of a new request. It
is simply too easy to create a complete illusion of a
valid organization.

ARIN et.al. certainly have no interest in stopping them,

Hmm... An interesting assumption, and one that is quite incorrect.

Rich - How do you suggest dealing with this problem? If you can suggest
a straightforward way of vetting a new organization which the community
will support, I'll happily have it implemented asap.

/John

John Curran
President and CEO
ARIN

Which is sort of like saying:

Citizen: "Hello, police? There is a crate of M-16's and a truckload of
ammunition just sitting here on the corner"
Police: "That is less than the Army goes through in 3 months ...
*click*"

While true, it is orthogonal to the point being made which is if you
collect those resources and issue them to legitimate operators, those
are some 6.6 million unique host addresses that cannot be used for
various nefarious activities.

Death by IP address?

-Bill

Quite possible if one is using it to distribute a virus. RE: Spanair
flight JK-5022

http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash

George -
   Full agreement; the next step is defining a deterministic process for identifying these specific resources which are hijacked, and then making a policy for ARIN to act. We have a duty of stewardship, so addressing this problem is a priority if the community directs us to do so via policy.

/John

Try this link instead http://tinyurl.com/2cngbx6


Quite possible if one is using it to distribute a virus. RE: Spanair
flight JK-5022

http://www.monstersandcritics.com/news/europe/news/article_1578877.php/

Hi George,

That's been debunked.

http://www.zdnet.com/blog/bott/fact-check-malware-did-not-bring-down-a-passenger-jet/2354?tag=nl.e550

"A computer at the airline’s maintenance headquarters [...] was
infected with some sort of malware. [...] That same computer is used
to record incident reports submitted by mechanics and is programmed to
raise an alarm if the same problem occurs three times on the same
aircraft.

On the day of the crash, the plane returned to the gate after the crew
noticed a problem. The mechanics at the airport identified the issue
and cleared the plane for takeoff. They apparently didn’t know that
this was the third report of a similar problem in a two-day period.
But even if the headquarters office had maintained its PC perfectly,
the plane would still have taken off. The mechanics were still
entering their report at the time of the crash."

Regards,
Bill Herrin

You'd have better luck calling the ATF, they are the ones empowered to enforce
the tax on machine guns. The local police do not have any authority to
enforce those taxes, and could get sued if they tried to.


> Quite possible if one is using it to distribute a virus. RE: Spanair
> flight JK-5022
>
> http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash

> Hi George,
>
> That's been debunked.

Good. Ok, now shall we move on to Stuxnet which now seems to be
infiltrating China. We don't know yet if that will cause any problems
or not. The idea that there are fairly significant amounts of address
space that could be used for practically anything at any time is
probably a bigger issue in 2010 than it was in 1995 simply because we
have more infrastructure that is either directly or indirectly exposed
to it. Malware distributed on the internet can find its way onto a
laptop and from there a thumb drive and from there to a computer used
for medical purposes or at a chemical plant is more plausible of a
scenario these days. Why make it EASY to distribute such things?

Why do you seem to be defending the idea that it is somehow good to have
lots of unaccounted for address space out there? Do you use it for
something?

G

> Citizen: "Hello, police? There is a crate of M-16's and a truckload
> of ammunition just sitting here on the corner"
> Police: "That is less than the Army goes through in 3 months ...
> *click*"

You'd have better luck calling the ATF, they are the ones empowered to
enforce the tax on machine guns. The local police do not have any authority
to enforce those taxes, and could get sued if they tried to.

Why are we diverting the topic from 'draft a proposal to empower ARIN to deal with these sorts of problems' to 'arguing with meaningless analogies that do nothing except make the author feel good'? This is an operations list, not a debate team.

Nathan

Bryan Fields wrote:


Citizen: "Hello, police? There is a crate of M-16's and a truckload of
ammunition just sitting here on the corner"
Police: "That is less than the Army goes through in 3 months ...
*click*"
You'd have better luck calling the ATF, they are the ones empowered to enforce
the tax on machine guns. The local police do not have any authority to
enforce those taxes, and could get sued if they tried to.

Here's an incident where the "local authorities" didn't know what to do about a possibly very worrisome incident at SJC (San Jose International Airport):

(The Mercury News)

The problem is that people don't *think* - they just follow orders, follow their training. No one had thought about or trained for this type of incident. Fortunately, in this case, the people were not terrorists. Meanwhile, TSA confiscates bottles of shampoo and water.

jc

http://aircrewbuzz.com/2008/10/officials-release-preliminary-report-on.html

A more recent Interim report:

http://www.fomento.es/NR/rdonlyres/AADDBF93-690C-4186-983C-8D897F09EAA5/75736/2008_032_A_INTERINO_01_ENG.pdf

The crew apparently skipped the step where they were supposed to deploy
the slats/flaps prior to takeoff.

Additionally, the warning system on the aircraft which should have alerted
the crew to the failure to extend the flaps/slats also failed to sound.

A computer virus may have had a small contribution to the failure to detect
the warning system failure in the maintenance process, but, it did not cause
the accident.

The accident is clearly the result of pilot error, specifically the failure to
properly configure the aircraft for takeoff and failure to take remedial
action upon activation of the stall warning system during the initial
climb.

Owen (who is also a pilot with a commercial rating)

no, the point is/was that the number of addresses isn't likely the
really important point. you don't care about reclaiming addresses
because of the size of the allocations; you care to reclaim because of
improper use/abuse and/or "theft" of the resource.

Nathan is correct though, propose some policy text that the community
can get behind? probably also do that on ppml....

-Chris

-chris

Having now read that article, it really strikes me as much ado about nothing.

The men were not concealing the lawfully carried weapons.
They were carrying the weapons in a lawful manner.
I suspect that all of their permits were in order.
They did not shoot anyone.
No animals were harmed in the making of this farce.

Turns out they were legitimate armed guards from US DoE on legitimate business.

Frankly, I'd be much more worried about the safety of whatever was in that
man's luggage being on the flight than about the guards carrying assault
rifles in the non-secure area of the airport.

Heck, we let SJPD carry guns in that area, why shouldn't the general public?

Owen