Looking for Abovenet/NetAccess contact

Thanks to the responses I got to my last post, I’ve been able to reach a network administrator from Cable&Wireless, who assured that their announcements for 146.20.40.0/21 will be pulled in one week’s time unless their customer, Net Transactions (d/b/a Choopa) is able to provide proof of ownership for this netblock. I’ve been unable to reach any contacts at Abovenet and NetAccess to offer similar assurances, or even provide me and other IP investigators with the courtesy of a response.

I know I’ve seen tech guys from both companies post to this forum before, so I’m confused that they’re not doing anything. Does anyone have any contacts I could speak to about getting something done?

This is what I see on lg.above.net.

BGP routing table entry for 146.20.40.0/21, version 69945026
Paths: (4 available, best #1)
  Advertised to non peer-group peers:
  64.124.17.21 64.124.17.141 64.124.17.189 64.124.17.197 64.124.51.210
  64.124.164.2 64.125.180.78 80.67.64.40 208.184.36.229 208.184.36.230
  208.184.39.70 208.184.40.10 208.184.48.101 208.184.48.109 208.184.48.253
  208.185.39.213 208.185.39.237 208.185.41.237 208.185.73.229 209.66.79.229
  209.133.66.181 216.200.249.250
  8001 20473
    64.21.34.173 (metric 87) from 209.249.254.72 (209.249.254.72)
      Origin IGP, metric 178, localpref 100, valid, internal, best
      Community: 6461:1021 6461:1666 6461:2003 6461:2101 6461:2214 6461:2431
      Originator: 209.249.254.55, Cluster list: 192.168.1.12
  8001 20473
    64.21.34.173 (metric 87) from 209.249.254.73 (209.249.254.73)
      Origin IGP, metric 178, localpref 100, valid, internal
      Community: 6461:1021 6461:1666 6461:2003 6461:2101 6461:2214 6461:2431
      Originator: 209.249.254.55, Cluster list: 192.168.1.12
  20473 20473, (received-only)
    64.124.164.2 from 64.124.164.2 (64.237.63.242)
      Origin IGP, metric 0, localpref 100, valid, external
  20473 20473, (received-only)
    216.200.249.250 from 216.200.249.250 (64.237.63.242)
      Origin IGP, metric 0, localpref 100, valid, external

Thanx and regards

Richard Cocks

PS to Richard Cox: You’re not the only person with this name, so stop complaining, I’m not trying to impersonate you.

Why particular interest in 146.20.40.0/21 now? It's been announced for very
long and is only one of the blocks announced from 146.20.0.0/16, is there
something you have seen from this particular block, like scans or attacks?

As to 146.20.0.0/16 I can tell that this ip block has been noted as invalid
by ARIN in July 2003 (yes - 6 months ago) and has not had working reverse
dns since then. Despite that, this is still most heavily "used" hijacked ip
block, part of the reason is that companies using it are not actual hijackers
(block was hijacked by Omachonu Ogali of Informationwave - I think most of
you know the story as it has been mentioned at nanog before couple times)
but what I usually consider to be victims (i.e. those that buy ip blocks,
although in many case as far as this block, no actual money was exchanged)
Unfortunately it's also true that almost all of these companies & individuals
knew what kind of block they were getting even back then and many of them
already otherwise have dubious security & abuse records in the community.

Anyway the fact is that they've had 6 months now to get ip block from one
of other upstreams or from ARIN and they have not done it and this shows
complete non-interest in dealing with this issue (in other cases of hijacked
ips sold, renumbering is done within 30 days max, except one company that had
/16 and used almost 1/2 of it and it took them a while...). So below is the
list of current announcements for this ip block, I've emailed all of them at
least once but I don't try to actively go after them as they are not hijackers
(from http://www.completewhois.co/hijacked/hijacked_flist-bgp_routed_asannounced-details.txt)
146.20.36.0/22 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.40.0/21 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.54.0/24 ## AS26627 : AS-PILOSOFT : Pilosoft, Inc.
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/21 ## AS12277 : TRACON : Tracon Industries
146.20.88.0/22 ## AS12277 : TRACON : Tracon Industries
For those interested the following are announcements that were being done
from this block before with date when it ended:
last seen on 11-04-03 - 146.20.48.0/20 ## AS23131 : STARLAN : Starlan Communications Inc.
last seen on 12-27-03 - 146.20.51.0/24 ## AS26627 : AS-PILOSOFT : Pilosoft, Inc.
last seen on 01-08-04 - 146.20.56.0/24 ## AS26627 : AS-PILOSOFT : Pilosoft, Inc.

As you can see things are finally moving along just in the last month (before
most of these announcements lasted many months), let's hope this NANOG post
will encourage this process along (I have a suspicion every one of the above
companies has at least one tech on nanog mail list..)

> Abovenet and NetAccess to offer similar assurances, or even provide me

I'll be contacting abovenet (I know at least 4 security & routing contacts
there by now) regarding another hijacked ip block and can mention this one.
They are a bit slow on response, so it may take up to 30 days to stop it.
Again, if I were to mention this to MFN, I'd like to know what else has
been going on with NetTransactions and their use of this ip block that we
now care so much about it.

> and other IP investigators with the courtesy of a response.

I get responses almost all the time from larger networks (but maybe not
immediately on 1st or 2nd day, which is not good). If you try to annoy
people too much you may never get a response, like it happens so often
with antispam abuse reports.

> I know I've seen tech guys from both companies post to this forum before,
> so I'm confused that they're not doing anything. Does anyone have any
> contacts I could speak to about getting something done?

Large companies have different people dealing with different issues. It's
not appropriate to email peering guy on the ip security issue (unless maybe
its about a peer). Most large networks have security@... email address in
addition to abuse@... you can email there on hijacking if you want to help.
If you get to know actual people in the company, don't just use this
information for any reason unless you really really aren't getting anywhere.

> Richard Cocks

So are you on Hijacked-L? I have not seen post there before ...
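
An added example, not part of the thread: a parser for the announcement list quoted in the message above, which checks each prefix against 146.20.0.0/16 and totals the still-announced space per origin AS, counting overlapping more-specifics once. The function names and the MM-DD-YY reading of the "last seen" dates are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

FLAGGED_BLOCK = ipaddress.ip_network("146.20.0.0/16")  # block discussed in the thread

# Lines copied from the list quoted in the message above.
SAMPLE = """\
146.20.36.0/22 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.40.0/21 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.54.0/24 ## AS26627 : AS-PILOSOFT : Pilosoft, Inc.
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/21 ## AS12277 : TRACON : Tracon Industries
146.20.88.0/22 ## AS12277 : TRACON : Tracon Industries
last seen on 11-04-03 - 146.20.48.0/20 ## AS23131 : STARLAN : Starlan Communications Inc.
last seen on 12-27-03 - 146.20.51.0/24 ## AS26627 : AS-PILOSOFT : Pilosoft, Inc.
last seen on 01-08-04 - 146.20.56.0/24 ## AS26627 : AS-PILOSOFT : Pilosoft, Inc.
"""

LINE_RE = re.compile(
    r"^(?:last seen on (?P<seen>\d\d-\d\d-\d\d) - )?"
    r"(?P<prefix>\S+) ## AS(?P<asn>\d+) : (?P<name>[^:]+) : (?P<org>.+)$"
)

def parse(text):
    """Return one record per list line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m["prefix"], strict=True)  # rejects host bits
        seen = m["seen"]  # assumed MM-DD-YY; None for a current announcement
        records.append({
            "prefix": net, "asn": int(m["asn"]), "name": m["name"].strip(),
            "last_seen": datetime.strptime(seen, "%m-%d-%y").date() if seen else None,
            "inside_block": net.subnet_of(FLAGGED_BLOCK),
        })
    return records

def active_space_by_asn(records):
    """Unique addresses still announced inside the flagged block, per origin AS."""
    by_asn = defaultdict(list)
    for r in records:
        if r["last_seen"] is None and r["inside_block"]:
            by_asn[r["asn"]].append(r["prefix"])
    # collapse_addresses drops more-specifics already covered by a wider route
    return {asn: sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
            for asn, nets in by_asn.items()}
```

On the quoted list, AS12277's /21 and /22 sit inside its own /19, so summing prefix sizes directly would overstate that origin's share of the block.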

Dick Cocks [10/01/04 14:51 +0800]:

I wonder why this guy has so little sense as to keep creating accounts on a
service that has an AUP against forgery.

Now, which nanog poster do we know who

* Lives in NYC (the last two morphs he used to post to nanog were from new
  york based dsl lines - roadrunner, and now mindspring)

* Has a lot of interest in suppressing hijacked netblocks

[again, both these are rather good things, in themselves]

and ...

* Is nutcase enough to fake (and vulgarly parody) another nanog poster's
  name?

  srs

ps - These are rhetorical questions. I have a feeling I know just who this
is. So - to the forger, please lay off creating dropboxes on domains that we
host. I'm not a complete idiot that I can't figure out who is trying to
troll and forge email from a network I control.