As some of you have seen from sessions today, hijacking of ips has been
noticed by many. I want to give report of what the current situation is as
I've been monitoring known hijacked ip ranges and active use of those.
The active list is included later in this email and is available online at
http://www.completewhois.com/hijacked/hijacked_flist-bgp_routed_asannounced-details.txt
First I want to thank quite a number of companies both large and smaller
for helping to deal with this problem. By now very few ip blocks are left
that were hijacked and are still in active use, in fact 1/2 of the ones
left announcing space are victims that were resold the space (particularly
in 146.20.0.0/8 block; I wish they would finally renumber out of these
blocks, some of them have had 4 months to do it from original notice).
New hijacked blocks do not appear to be such a common occurance by
spammers which makes things easier (but we must still remember what
happened before and all of you must remember to take care of the resources
where you maybe listed as an admin for. If your company is beeing aquired
- make sure when you leave the company new administrator is assigned from
new company (if this is not possible, inform ARIN ip block will be left
without active administrator and what led to this). Those of you that were
administrators for companies no longer in business (even going back up to
10 years), please at some if you remember what ip block were to check on
what whois currently looks like and who that companie's domains are
registered to. If you find problems, address them to ARIN or to completewhois
for investigation about what happend to original company.
Now today at NANOG meeting I was approached by a group of people concerned
that the are too many names of network engineers listed on the site. I
have to point it that I make all possible efforts to contact network engineers
and have them resolve questionable problems on their own - some just do
not answer such emails, but others did and netblocks with references to
those people no matter if those people may have been involved in hijacking
or not are not mentioned on the site. I would hope that I would not have
to approach you in the first place and considering recent ARIN announcement
http://www.arin.net/announcements/20031014.html (with which BTW I do not
fully agree with - reporting every case to authorities maybe going too
far - but they may not have any choice, either do it for all or for none)
So I hope that any of you that may have questinable blocks in current
use would on your stop and return them to the state they were before in
whois or return them to arin or continue using the blocks and apply to
officially transfer them (remember ARIN currently does transfers at no
extra charge, this will not last forever!!!).
The group that approached me had specific concerns because while some may
have been mentioned on site as directly involved in hijacking, which I
think is appropriate to them; others may have been mentioned indirectly
when their whois records were listed under some blocks current use
section. I want to stress out that active use in no way implies any
connection to hijacking, it is simply result of dns and related whois
info on what active use of the block and what it has been (i.e. isp
customers, irc, spam sites, etc) and having it comes very usefull for
correlation between different cases and people previously asked me to
include it in fact. To differentiate about this data, I'm willing to
put a desclaimer up in each file regarding data listed in active use
section. Please make your suggestions on the best text for this to me
privately or on hijacked mail list when I bring this topic up there. I
also understand that number of people do not want google and other search
engines to be able to reference their names and other data if its in the
current use section. Please make a suggestions on how to best achieve this
without stopping google from searching other sections of the site. Would
the solution of separating current use data into separate files in separate
directory and putting robots.txt file there work? Should I also make sure
that people are only able to reference those files when they first looked
at the data in primary data file?
And understand that if I do not hear your concerns, I would not know what
maybe wrong with the completewhois hijacked section or what is done wrong
as far as investigations go. I do answer emails even if it may take several
days sometimes and have in the past made changes based on what has been
suggested.
Now going back to the top of this post, below is the list of actively
advertised hijacked blocks (same program as has been used for bogon
advertisements has been used here as well):
142.105.220.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.224.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.228.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.232.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
146.20.36.0/22 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.40.0/21 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.48.0/20 ## AS23131 : STARLAN : Starlan Communications Inc.
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/22 ## AS3638 : GLOBALI : Shaman Exchange, Inc.
146.20.80.0/21 ## AS12277 : TRACON : Tracon Industries
146.20.88.0/22 ## AS12277 : TRACON : Tracon Industries
192.107.49.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
198.182.182.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
199.245.138.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
203.29.33.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
203.29.34.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
203.30.20.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
203.30.26.0/23 ## AS3491 : CAIS-ASN : CAIS Internet
203.55.84.0/22 ## AS3409 : INET-1-AS : Internetworks, Inc.
204.155.240.0/20 ## AS16631 : COGENT-ASN : Cogent Communications
And for for comparison here is what this looked like on Sep 26th when I
started active monitoring (I also have manual data from early August, but
it would take too long to put it into email. I can say though, that there
were twice as many hijacked announcements then, things have really
changed for good in the last several months as more people and RIRs
themselve became aware of these issues).
139.81.128.0/17 # AS22653 - GlobalCompass
142.105.0.0/21 # AS19800 - Grant County Public Utility
142.105.220.0/22 # AS3908 - Supernet
142.105.224.0/22 # AS3908 - Supernet
142.105.228.0/22 # AS3908 - Supernet
142.105.232.0/22 # AS3908 - Supernet
142.247.0.0/16 # AS577 - bell.ca
(Note - this is proper announcement on behalf on behalf of MDS)
146.20.36.0/22 # AS20473 - NetTransactions
146.20.40.0/21 # AS20473 - NetTransactions
146.20.48.0/20 # AS23131 - Starlan
146.20.64.0/19 # AS12277 - Tracon
146.20.80.0/22 # AS3638 - Globali
146.20.80.0/21 # AS12277 - Tracan
146.20.88.0/22 # AS12277 - Tracan
150.112.0.0/16 # AS8121 - TCH/Layer42.net
157.112.0.0/16 # AS23720 - FUSIONGOL-AS-AP
(Note - this is proper announcement, on behalf of Clipper)
166.88.0.0/16 # AS8121 - TCH/Layer42.net
167.179.0.0/16 # AS4768 - Clear Communications
192.107.49.0/24 # AS30080 - BA Consulting (hijacker used named),
routed by AS3568 CW
198.133.167.0/24 # AS8121 - TCH/Layer42
199.245.138.0/24 # AS30080 - BA Consulting
203.4.160.0/24 # AS9826 - ILink.net
203.29.32.0/24 # AS9826 - ILink.Net
203.29.33.0/24 # AS3491 - CAIS
203.30.20.0/24 # AS3491 - CAIS
203.30.26.0/23 # AS3491 - CAIS
204.155.240.0/20 # AS16631 - Cogent
205.235.64.0/24 # AS29698 - Internet America LLC (hijacker named used)
205.235.69.0/24 # AS29698 - Internet America LLC