Hijacking of address blocks assigned to Trafalgar House Group, London UK


I've been asked to draw the attention of Network administrators to the
recent hijacking of various large blocks of ARIN IP-space: particularly
six /16 blocks allocated to the London-based Trafalgar House Group.

Trafalgar House Group (THG):
Trafalgar House Group TRAF (NET-144-176-0-0-1)
Trafalgar House Group THIN1 (NET-144-177-0-0-1)
Trafalgar House Group THIN3 (NET-144-179-0-0-1)
Trafalgar House Group THIN4 (NET-144-180-0-0-1)
Trafalgar House Group THIN5 (NET-144-181-0-0-1)
Trafalgar House Group THIN2 (NET-158-181-0-0-1)

I'm sure I don't need to remind people here why this is bad - a zombie
block that can be announced and de-announced at an abuser's whim makes
it far more difficult to trace the source of spam or the destination of
responses: particularly where fraud and password-phishing has occurred.

The company originally known as Trafalgar House is now part of Aker
Kvaerner, headquartered in Norway, who have already set in train the
processes to recover the ARIN and other handles associated with their
Internet assets. Information about the original change of ownership
is available, if anyone wants further confirmation or background, at
http://www.brookes.ac.uk/other/conmark/IJCM/issue_02/010201.html and

I could give a lot more details but do not want to bore those of you
who have, inevitably, "heard it all before". I'm not claiming this
is new - or any sort of special case. I'm posting this solely as a
heads-up to help any admins who may have been asked to accept forged
credentials authorising the announcement of the above blocks, and at
the same time to ask for help from anyone who may have already been
approached in similar terms. But if anyone does want more background
they're welcome to mail me via the security account @ my domain.

At the time of writing THIN5 is being announced via Level3 in Boston,
and THIN2, plus two other hijacked blocks not owned by Aker Kvaerner
( and are being announced via Telia in
Amsterdam. Sadly we have had difficulty reaching the right people at
Telia, so if anyone from Telia is here, we'd be real pleased to hear
from you.

ARIN is now aware that handles ST58-ARIN and AMS87-ARIN are completely
bogus, as is also the statement on the WHOIS for ST58-ARIN, that:

    "This company Is currently contracted by trafalgar House to
     provide network management services. Further information
     will be made avaiblible to request" (sic);

If, therefore, any of you are asked to let through BGP announcements
of any of the above blocks, or if you have been asked anything like
this in the recent past - we ask you not to pass those announcements,
but to get in touch with us urgently, taking care to preserve any
documents that may have been sent to you to support that request: as
these may be needed for prosecution and possible civil litigation
against the perpetrators.

Any valid authority for the use of these blocks would come directly
from either Aker Kvaerner in Norway, or Equant (on their behalf).
It certainly would NOT claim to be from Trafalgar House Group at any
address because that Group is no longer trading under that identity.
However I'm told that there are no plans to deploy those blocks in
the immediate future, or until this incident has been cleared up.


Richard Cox
Mandarin Technology
Can you relay a working email address off list to me, which is not filtered by your discriminating spamtrap ?