Hijacked IP space.

All,

Sorry to interrupt any off-topic rambles, but I had a client call last week who had just had some telephone abuse heaped on them by somebody accusing them of spamming. It turns out our client had a netblock assigned to them back in the mid-90s. They used to put on networking trade shows, and used the space for making show networks. They haven't put on a networking trade show (with a public network) since about 1997.

Of course to complicate the matter, the sole contact listed in whois no longer works there.

I informed our client how to remove their name from the whois record and relinquish the netblock back to ARIN, which I hope they are doing now.

I also have (at the suggestion of some research through the nanog archives) submitted the netblock to the completewhois site.

[I have no interest in commenting on the current inane OT nanog thread about that subject, so don't even try me.]

Mr. Thomas' cymru.com service was offline when I tried to contact it last week (he replied via email about an outage... sorry to hear... coffee will get there eventually. Order put to the roaster today. - hang in there.)

Of course I have no hard data, other than my client's phone call about another phone call, so I can't query based on a timestamp to see where this was being announced from. It appears to have vanished, and has remained so according to my casual glances here and there.

The netblock in question is:

204.89.0.0/21

So, my question is: Other than the above, and mentioning it here, is there anything else *I* can do to assist my client? Especially since I am not at all directly related to this netblock in any way. Additionally, it would not hurt to know if anyone here *does* know when or where the announcement came from.

The client in question are good folks, and I hate to see their reputation tainted by the actions of others.

Thanks,

--chuck goolsbee, digital.forest

> Of course I have no hard data, other than my client's phone
> call about another phone call, so I can't query based on a
> timestamp to see where this was being announced from. It
> appears to have vanished, and has remained so according to my
> casual glances here and there.

> The netblock in question is:

> 204.89.0.0/21

No announcement for that block has been visible here at any time in
the past couple of weeks (specifically, since Oct 13). We might have
missed it if it was never announced for more than a few minutes at a
time, but it's _much_ more likely that the block was never announced
and was merely forged into headers of a spam.

Our system reports that neither that prefix, nor any of its
more-specifics, has been seen in the global routing tables at
any moment since January 1st, 2002. [ http://www.renesys.com ]
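The check described in the two replies above (whether the prefix, any more-specific of it, or for that matter a covering less-specific, has appeared in observed routing data, and who originated it) as an added example; this is not Renesys's code or anything from the thread. The log format, the timestamps, the /22 and /20 announcements and the ASNs 64496/64497 are constructed for the example; only the two /24s and AS 30080 come from the thread.

```python
import ipaddress
from datetime import datetime

# Constructed sample of a routing-observation log ("<ISO timestamp> <prefix> <origin AS>" per
# line). The two /24s and AS 30080 are named in the thread; the timestamps, the documentation
# ASNs 64496/64497 (RFC 5398) and the /22 and /20 announcements are invented for this example.
SAMPLE_LOG = """\
2003-10-13T08:00:00 204.89.224.0/24 30080
2003-10-14T12:30:00 199.245.138.0/24 30080
2003-10-20T09:15:00 204.89.4.0/22 64496
2003-10-21T16:45:00 204.89.0.0/20 64497
"""

def parse_log(text):
    """Parse log text into (timestamp, ip_network, origin_asn) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, prefix, asn = line.split()
            records.append((datetime.fromisoformat(ts), ipaddress.ip_network(prefix), int(asn)))
    return records

def classify(prefix, block):
    """Relation of an observed prefix to the block under review, or None if unrelated."""
    if prefix.version != block.version:
        return None
    if prefix == block:
        return "exact"
    if prefix.subnet_of(block):
        return "more-specific"   # wins over the block itself by longest-prefix match
    if block.subnet_of(prefix):
        return "less-specific"   # carries the block's traffic when nothing longer exists
    return None

def announcements_for(records, block, since=None):
    """Every observation that could attract traffic for `block` (a CIDR string),
    optionally limited to records at or after the ISO timestamp `since`."""
    target = ipaddress.ip_network(block)
    cutoff = datetime.fromisoformat(since) if since else None
    hits = []
    for ts, prefix, asn in records:
        if cutoff is not None and ts < cutoff:
            continue
        relation = classify(prefix, target)
        if relation is not None:
            hits.append((ts, prefix, asn, relation))
    return hits

if __name__ == "__main__":
    for ts, prefix, asn, relation in announcements_for(parse_log(SAMPLE_LOG), "204.89.0.0/21"):
        print(ts.isoformat(), prefix, "AS%d" % asn, relation)
```

Note that 204.89.224.0/24 is not a more-specific of 204.89.0.0/21 (which ends at 204.89.7.255), so the check for the /21 correctly ignores the .224 announcement.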

James Cowie wrote:

[ re: 204.89.0/21...]

>>No announcement for that block has been visible here at any time in
>>the past couple of weeks (specifically, since Oct 13). We might have
>>missed it if it was never announced for more than a few minutes at a
>>time, but it's _much_ more likely that the block was never announced
>>and was merely forged into headers of a spam.

>Our system reports that neither that prefix, nor any of its
>more-specifics, has been seen in the global routing tables at
>any moment since January 1st, 2002. [ http://www.renesys.com ]

We haven't seen anything from that block in our spamtrap either for at
least a week.

The .224/24, on the other hand, is a real sewer.

Correct. Unfortunately, that's my old block and I wasn't quite ready to
hand it back since I'd sort of wanted to announce it again. I've been
trying to chase down C&W as the upstream of AS 30080, the jokers who've
been pulling this stuff for quite some time with other blocks. My
POC updates to ARIN keep getting rejected, so yes, it looks like an
abandoned block with an old netcom.com address.

I'm starting to figure that, given the delays, there's been enough damage
done that 204.89.224/24 will never be able to get off the blocking lists
anyway, so perhaps I'll turn it back in after all. *sigh* That's what
I get for trying to find low-cost ISPs willing to announce portable
space.

I can confirm the same thing here. A nice lot of spam to spamtraps from
that .224 block, but nothing interesting from the rest. I also took the
liberty of checking the various mail gateways I manage for a few ISPs and
nothing from 204.89.0.0/21.

> I'm starting to figure that, given the delays, there's been enough damage
> done that 204.89.224/24 will never be able to get off the blocking lists
> anyway, so perhaps I'll turn it back in after all. *sigh* That's what
> I get for trying to find low-cost ISPs willing to announce portable
> space.

So a RIR giving out that /24 would in fact be selling "damaged goods" and
the customer who got it would be able to sue. I think RIRs have to make a
larger effort to protect their assets.

Ray Wong
rayw@rayw.net

-Hank

But the RIRs are not selling any goods; are they not simply selling a
directory service?

-ron

>
>
> > I'm starting to figure that, given the delays, there's been enough damage
> > done that 204.89.224/24 will never be able to get off the blocking lists
> > anyway, so perhaps I'll turn it back in after all. *sigh* That's what
> > I get for trying to find low-cost ISPs willing to announce portable
> > space.
>
> So a RIR giving out that /24 would in fact be selling "damaged goods" and
> the customer who got it would be able to sue. I think RIRs have to make a
> larger effort to protect their assets.

> But the RIRs are not selling any goods; are they not simply selling a
> directory service?

They view themselves as "leasing" out IP address space. Although they
never reclaim IP address space that has long since never been announced.
But even if it is leasing - if I lease an apartment that has termites and
can prove that the owner of the building knew about the termites - then I
would probably have a good case to sue. -Hank

-ron

Hank Nussbacher

Date: Tue, 4 Nov 2003 07:25:12 +0200 (IST)
From: Hank Nussbacher

> They view themselves as "leasing" out IP address space.
> Although they never reclaim IP address space that has long
> since never been announced.

Perhaps if netblocks _were_ reclaimed,

1. Fewer hijackings would happen
2. Admins would be less likely to let IP lists rot.

Right now, it almost seems like the combination of hijackers and
public beatings is doing part of the RIRs' jobs for them...

Eddy

1. RIRs don't sell address space or make any claim of the merchantability,
  routability, or functionality of the address space they hand out.

2. RIRs' assets do not include the unregistered addresses. They are not
  transferable and have no book value.

As such, it would be difficult for an RIR customer to successfully sue. Most
likely if they explained the problems to the RIR, they could trade for a less
impacted block, but, suing the RIR is unlikely to accomplish much. The RIR
after all, only provided a registration service to show in a public database
that as far as the particular RIR was concerned, those integers were unique
to the network operator in question. They make no claims about the actions
of others WRT those addresses, they just promise not to issue them to someone
else.

Owen

No, they do not view themselves as leasing address space. They view
themselves as registering it. They are quite clear about this. The
term leasing is commonly misapplied by people outside the RIR, but, I
have never seen any RIR claim that they are leasing the address space.
Certainly not in the financial sense.

What they do say is that as long as they are paid the correct fees for
registering the address space, they will not make a duplicate registration
for another party. They just register the address space. They do not
lease it. They do not claim to own it. They make no claims on the
actions of others with regard to the address space. By common consent
the majority of the internet regards the RIR registrations as binding
effective ownership, but, that is voluntary on the part of each and every
network provider.

Owen

That is not what RIPE and ARIN state. They specifically use the word "lease".

<http://www.ripe.net/ripencc/mem-services/registration/ipv6/global-ipv6-assign-2001-12-22.html>
and
<http://www.arin.net/policy/global-ipv6-assign-2001-12-22.txt>

"The global IPv6 policies in this document are based upon the understanding that address space is lease-licensed for use rather than owned. All Internet Registries are expected to manage address space operations correctly in accordance with this principle."

Also:
<http://www.ripe.net/ripencc/about/presentations/ir-allocation-procedures/tsld009.html>

Also:
http://www.arin.net/library/minutes/ARIN_IX/ppm_doc.html

"In regard to the criteria that "organizations who are granted initial allocations, but after two years no longer satisfy the requirements above, are subject to having their allocations revoked", the following model was proposed for allocations:

   - Addresses are "leased", assignments are not permanent"

Many more examples.

-Hank

"lease-licensed" is different from "leased". They are leasing you a license
to use the address space and claim it as unique to your organization.
If you look at the contract that you sign with the RIR, you will notice
that it does not convey ownership or any sort of lease in the commercial
lease sense of the word, but, the use of the term in policies is more
along the lines of the DHCP lease sense of the word. Also, notice
that all of the policies you quote are WRT IPv6 space and not
current IPv4 policies.

IPv6 is still regarded as experimental in nature by the RIRs and as such, they
have probably not spent a lot of time refining the legalese in the language
for their allocation policies.

Owen

> Correct. Unfortunately, that's my old block and I wasn't quite ready to
> hand it back since I'd sort of wanted to announce it again. I've been
> trying to chase down C&W as the upstream of AS 30080, the jokers who've
> been pulling this stuff for quite some time with other blocks.

C&W received quite a number of reports about abuse from AS30080; I'm very
surprised they have not reacted yet (in previous cases of hijacked blocks,
C&W acted on par with other large networks). The two IP blocks
199.245.138.0/24 and 204.89.224.0/24 are actually hijacked in a rather
unique way, by getting an old @netcom.com email account forwarded to the
hijackers (who are presumably a customer of Earthlink). Nanog has just
seen confirmation from one of the people whose IP block has been
hijacked this way; for the other block you can see the data file at
http://www.completewhois.com/hijacked/files/199.245.138.0.txt

The 3rd IP block used by AS30080 is 192.107.49.0/24, and there ARIN has already
deleted this block from whois (but AS30080 still announces it). I'm certain
C&W knows about all the issues with those blocks (I actually only emailed
them once, but I know others did it quite a bit more than once, and a C&W
person is present on the hijacked mail list too). It would really be good if
C&W finally took a stand on this and stopped this clearly bad activity
from their customer (not to mention that there are an uncountable number of
unsolicited emails all originating in those blocks; I've received more
than two dozen in the last months just on a couple of accounts). If C&W does not
take a stand and at least explain why AS30080 is still their customer
(publicly if possible, or privately to those individuals and organizations
looking into this matter), then more active measures may have to be taken
that may very well cost C&W a lot more money in legal fees.

> I'm starting to figure that, given the delays, there's been enough damage
> done that 204.89.224/24 will never be able to get off the blocking lists
> anyway, so perhaps I'll turn it back in after all. *sigh* That's what
> I get for trying to find low-cost ISPs willing to announce portable
> space.

You should not be asking somebody to announce this space while whois is
not fixed and current and while it's still announced by somebody else.
Afterwards, I'm sure you will be able to find somebody to announce the
space (as long as the original company the IP block was assigned to is
still around and you still represent it). 204.89.224.0/24 has not been on
blacklists too long yet (no more than 10 days) and it's not too "contaminated"
yet, and should be reusable fairly easily once you post on a couple of appropriate
mail lists that the real IP block owner is now announcing it.

Also, while we're on the IP hijacking subject, as I mentioned there is a new way it
has been done where instead of reregistering domains, the actual email
account is reused by somebody else and where whois at ARIN is for the most
part left unchanged (making it difficult for ARIN to do anything).

Because in these cases it is difficult to track down the original owners and to prove
hijacking or to notice that it happened, it would be nice to stop such
activity in the first place. So it would really be good if somebody from
Earthlink contacted me and I can then tell them privately what names they
need to "lock" as far as what their customers can request for additional
emails. The same applies for other ISPs: if you work for a company that
has in the past bought other large ISPs AND where you still allow new or
existing customers to get new email accounts at the domains of those old
companies (i.e. like Earthlink is presumably doing with netcom.com), then
let me know the domains and I can tell you what not to allow your customers
for emails.

Ray Wong wrote:

> The .224/24, on the other hand, is a real sewer.

> I'm starting to figure that, given the delays, there's been enough damage
> done that 204.89.224/24 will never be able to get off the blocking lists
> anyway, so perhaps I'll turn it back in after all. *sigh* That's what
> I get for trying to find low-cost ISPs willing to announce portable
> space.

As strange as this may seem, I still think there's hope since it's thoroughly covered by existing DNSBLs. A few POCs, and you should be able to get it delisted. Yes, there's local listings such as ours, but the number of local BLs that identify specific blocks in _advance_ of, say, SBL, should be relatively small. And we're quick to delist once we find out.

But _first_, you have to get it disconnected from who's hijacking it now. There's no way you can get it delisted given its _current_ metrics, not a chance.