AS11296 -- Hijacked?

From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Fri Oct 1 16:33:09 2010
From: John Curran <jcurran@arin.net>
To: George Bonser <gbonser@seven.com>
Date: Fri, 1 Oct 2010 17:32:47 -0400
Subject: Re: AS11296 -- Hijacked?
Cc: "nanog@nanog.org" <nanog@nanog.org>

George -
   Full agreement; the next step is defining a deterministic process for identifying these specific resources which are hijacked,

That _seems_ fairly simple -- can you trace a 'continuity of ownership' from
the party that they were -originally- allocated to, to the party presently using
them? If yes, legitimate; if no, hijacked. With most States' corporation
records on-line, tracing corporate continuity is fairly straightforward.
As long as you recognize that a corporation 'abandoned', 'dissolved' (or
similar) in one state is *NOT* the 'parent' of a same-/similarly-named
corporation established in another state. And that "documents" surfacing
'long after' a resource-holder has 'disappeared', purporting to show a transfer
of those resources 'at the time of disappearance', are "highly suspect", and
really require confirmation from someone who can be -independently- verified
as part of the 'old' organization at the time of the transfer.

This isn't rocket science, it's straightforward corporate forensics, and the
establishment of "provenance", or the equivalent of an 'abstract of title' for
real-estate.

"Somebody", either IANA, or the RIRs _should_ have been keeping track of
what prefixes are announced, and _by_whom_, as a minimal check on utilization
when an existing AS submits a request for additional space.

A netblock (meaning an entire allocation, not just some sub-set thereof) that's
been 'missing' for an extended period, and then shows up in a geographically
distant locale is 'suspicious' to start with. All the more so if it was
multi-homed, and now has only a single upstream.
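The triage heuristic Robert sketches above (keep a record of which prefixes are announced and by whom; treat a whole allocation that was unseen for years and then resurfaces from a different origin, in a distant region, with fewer upstreams, as suspicious to start with) as an added worked example. This is constructed illustration code written for this page, not tooling from the thread, ARIN or any registry; the allocation list, prefixes, AS numbers, regions, dates and the three-year dormancy threshold are all invented assumptions.

```python
"""Triage helper for the pattern described in the thread: an entire
allocation that disappears from the routing table for years and then
reappears somewhere else, announced by someone else.

Added example with constructed data; not ARIN's or any registry's tooling.
"""
from collections import defaultdict
from datetime import date, timedelta
import ipaddress

# Constructed registry view: which prefixes are whole allocations.
# (Real allocations would come from registry data; these are made up.)
ALLOCATIONS = {
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed routing-history snapshots: (observed_on, prefix, origin_asn,
# upstream_asns, region_of_announcer). Every value here is invented.
HISTORY = [
    (date(2003, 1, 15), "203.0.113.0/24", 64500, {64510, 64520}, "US-CA"),
    (date(2004, 6, 1),  "203.0.113.0/24", 64500, {64510, 64520}, "US-CA"),
    # gone for six years, then back from a different origin, one upstream, far away
    (date(2010, 9, 20), "203.0.113.0/24", 65001, {65010}, "EU-NL"),
    # continuously announced by the same party: should not be flagged
    (date(2003, 1, 15), "198.51.100.0/24", 64501, {64510}, "US-NY"),
    (date(2006, 1, 15), "198.51.100.0/24", 64501, {64510}, "US-NY"),
    (date(2010, 9, 20), "198.51.100.0/24", 64501, {64510}, "US-NY"),
    # a more-specific of an allocation: ignored, the heuristic is about whole blocks
    (date(2003, 1, 15), "198.51.100.0/25", 64501, {64510}, "US-NY"),
    (date(2010, 9, 20), "198.51.100.0/25", 65002, {65010}, "EU-NL"),
]

# Assumed threshold: how long a block must be unseen before a reappearance matters.
DORMANT = timedelta(days=3 * 365)


def suspicious_reappearances(history, allocations=ALLOCATIONS, dormant=DORMANT):
    """Return {prefix: [reasons]} for whole allocations that resurface after a
    long silence with at least one sign that the announcing party changed."""
    by_prefix = defaultdict(list)
    for rec in history:
        net = ipaddress.ip_network(rec[1])
        if net in allocations:            # only whole allocations, not sub-blocks
            by_prefix[str(net)].append(rec)

    findings = {}
    for prefix, recs in by_prefix.items():
        recs.sort(key=lambda r: r[0])
        for prev, cur in zip(recs, recs[1:]):
            gap = cur[0] - prev[0]
            if gap < dormant:
                continue                   # seen recently enough; nothing to triage
            reasons = [f"unseen for {gap.days} days"]
            if cur[2] != prev[2]:
                reasons.append(f"origin changed AS{prev[2]} -> AS{cur[2]}")
            if cur[4] != prev[4]:
                reasons.append(f"announcer region changed {prev[4]} -> {cur[4]}")
            if len(prev[3]) > 1 and len(cur[3]) == 1:
                reasons.append("was multi-homed, now a single upstream")
            # A long gap alone is only weakly interesting; record the prefix
            # when at least one change-of-party indicator accompanies it.
            if len(reasons) > 1:
                findings[prefix] = reasons
    return findings


if __name__ == "__main__":
    for prefix, reasons in suspicious_reappearances(HISTORY).items():
        print(prefix)
        for r in reasons:
            print("   -", r)
```

The output is a list of reasons per prefix rather than a verdict: as the thread says, this pattern is 'suspicious to start with', and the documentary and corporate-record work still has to follow. Dropping the more-specific announcement reflects the "entire allocation, not just some sub-set" qualifier; the threshold and the region labels are the knobs a registry or operator would set from its own data.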

Robert -

    You are matching nearly verbatim from ARIN's actual procedures for recognizing a transfer via merger or acquisition. The problem is compounded because often the parties appear years later, don't have access to the legal documentation of the merger, and there is no "corporate" surviving entity to contact. Many parties abandon these transfers mid-process, leaving us to wonder whether they were exactly as claimed but simply lacking needed documentation, or whether they were optimistic attempts to hijack.

/John

John Curran
President and CEO
ARIN

Hi Robert,

It may seem simple but it only seems that way. The legacy registrants
(pre-arin registrants) in particular were not necessarily legal
entities. Like trademarks with a TM instead of a Circle-R, they were
nothing more than unverified names asserted by the individuals
requesting IP addresses. In some cases they were obviously
corporations but in many others there are only ambiguous forensics to
examine.

Regards,
Bill Herrin

Hm.. just a thought... if an org doesn't have and is unable to
obtain any good written documentation
at all, from even the public record, then aren't they (as far as the
operator community should
be concerned) not the same registrant, or authorized?

Where would a person be if they were trying to claim the right to a
certain piece of land, and someone else
(an opportunist/scammer) also claimed ownership using "papers" they
had created, but the 'rightful' owner
had neither a deed, nor a transfer agreement, proof of their use of
that land, nor other certified document,
and the local authority did not have any record of a transfer from
the now defunct original owner?

The reason: approximately 15000 legacy address blocks which ARIN became the
successor registry for at its formation, many of which hadn't been updated
since they were allocated. In the other regions, there are significantly
fewer early allocations where the holders haven't also been involved on an
ongoing basis in the combined registry/operator forum in the region. Two
particular quirks of this region are that the registry is not combined with
the operator forum, and many of the assignments from the earliest days of the
Internet are in this region, made with minimal documentation, and were often
forgotten or never put into publicly routed use...

Ergo, when a party appears and says that they'd like to update the contacts
on their WHOIS record, and we see an organization which exists back to the
original allocation, it is fairly straightforward to make it happen and know
that we're not facilitating a hijacking. For this reason, legacy holders are
allowed to change anything except the organization name without requiring
documentation.

It gets more challenging when you instead have a different organization name
XYX, which states it is the rightful holder of NET-ABC123 because it acquired
JKL company which in theory had earlier bought the right piece of company ABC
which is now defunct but never updated any of IP records post business deal,
and no one from ABC or JKL can be found and the public records may indeed show
that JKL bought some part of ABC but most assuredly don't say anything about
networks or as#'s... Circumstances such as the aforementioned are regretfully
the rule, not the exception.

(As an aside, I'll note that we do also look at the historical routing of the
address block, since that provides some insight which often can corroborate
an otherwise weak documentary record.)

Now, we really want folks to come in and update their records but when it
comes to updating the actual organization name for an address block, we either
need to hold the line on legal/commercial documents (which reduces hijacking
but almost sends some legitimate but underdocumented legacy folks away) or we
can simply have folks attest to their view of reality and update the records
accordingly (which will get us much more current Whois records but with
"current" not necessarily implying any more accurate records...)

This is *your* (the collective "your") WHOIS database, and ARIN will administer
it per any policy which is adopted by the community.

/John

John Curran
President and CEO
ARIN

P.S. I will note that we fully have the potential to recreate this problem
      in IPv6 if we're not careful, and establishing some very clear record
      keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to
      be very important if we ever hope to determine the party using a given
      IPv6 block in just a few short years...

So then the question is, what can we as a community (note that is not
ARIN specific) do that makes it more difficult for someone to
fraudulently announce number resources they aren't really entitled to?
On the reactive side, we could have more people actively searching for
such abuse. What can be done on the proactive side to make it more
difficult to do it in the first place?