Looking to buy IPv4 addresses from class C swamp

Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN
allocates them but many people have had problems routing the new addresses
and we don't have the time for those sort of problems.

If you have arpas for sale get in touch.

Bill


<sarcasm on>

Why settle for a few /24's, when you can have the whole enchilada
for pennies on the dollar!

http://spamhaus.org/sbl/listings.lasso?isp=arin

Like many of our convicted felons^W^Wfriends in the criminal
trespassing^Wemail business, the new strategy to help yourself to a
few /16's without stupid questions being asked is now:

- scan the routing tables for /16-size holes in space that has been
  assigned in the timeframe 1989 through 1995.
- determine if said "hole" is registered with any relevant address space
  registry (ARIN,RIPE,APNIC, but LACNIC need not apply), and the space
  is not routed.
- determine if all registered POCs for the space are dead by way of
  the domains having expired
- spend less than $10 to re-register the "missing" domains, using the
  original contact details (and persons) still listed in the IP space
  registration.
- eventually change the POCs for the address space to your liking
- voila. substantially more IP space than you wanted in the first place.
- slice & dice, and sell the space in /20 chunks to those highest-bidding
  Florida state-prison buddies of yours, many of which have found new ways
  of making a living without tipping the hands of their parole officers
  (in way too obvious ways). Gee, don't you love Florida: all you can
  expect there for, say: a cocaine trafficking charge is parole after
  14 months served out of your 3-year-sentence. And carrying drivers
  licenses is optional, the same seems to be true for gun permits.
- find yourself some nice, conspiring providers like AS 6453, 14551, 6939
  or 10910 who will find nothing (or hardly anything, given the lack
  of abuse complaints implicating the space) wrong by you (for example)
  announcing IP space belonging to a German steel mill from some god-
  forgotten swamp in Panama. Like: that steel mill must have moved, yeah.

</sarcasm>

Makes you wonder how some providers' (paging AS 10910!) business due
diligence process works: they do a credit check, pull the D&B report,
they confirm the service address (occasionally with a visit by a sales
person), but then fail to notice that the prefix filter installed for
the customer has a few /16's and more /19's from a few other /16's in
it, where the address space registration bears no resemblance with reality,
following the pattern in the point list above, and has little if any
legitimacy that you and I could possibly see.

I am sure you can figure out the likely operational impact resulting from
appearance of hijacked/stolen IP space just about now. AS 16506 is routing
VPN tunnel endpoints for Al-Qaeda, you said? you surely must be joking, or
it's a really bad rumor not reflecting reality, Sir...

bye, Kai

While it's certainly wrong to steal IPs like this, some of the blame
must go to the RIRs. They should be repo-ing this space. I realize they
engage in much handwringing over their "lack of authority", but authority
to route address space is, for all intents and purposes, given by those
who actually do the routing. Furthermore, ARIN has a large warchest for
defending against legal challenges.

ARIN needs to repo any space that has been advertised for a reasonable
length of time, and reissue it.

- Dan

Should any of the ISP community hold any responsibility to help the RIRs
pull this space back when they are hijacked? I would think
ARIN/RIPE/APNIC would like to see ISPs email them blocks that are
hijacked so they can reclaim them, or put them into a holding pen while
they attempt to contact the owners... (then reclaim if no contacts can be
made)

-Chris

Thus spake "Daniel Golding" <dgold@FDFNet.Net>

> ARIN needs to repo any space that has [not] been advertised for a
> reasonable length of time, and reissue it.

So you're claiming that ARIN should revoke any allocations, including those
made before it came into existence, simply because the addresses aren't in
the global tables?

If that's the position of the community, that's a drastic change from
assertions made in the IETF WGs and may affect address allocation guidelines
and even some protocol work.

S

Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every
possible opportunity." --Stephen Hawking

Current ISPs are having so much trouble trying to get a small /20 for
existing customers that they should start revoking addresses from
companies not using them.

Lots of major companies with /8 and /16 are using a /20 worth of
addresses.

I think there should be some kind of guideline that is more up to date with
today's reality and if revoking is the only good way to do so, let's do it.

-chris

> Should any of the ISP community hold any responsibility to help the
> RIRs pull this space back when they are hijacked?

To me, the most important thing is that the ISP/carrier community
should ensure that inappropriate route announcements are filtered.
"Inappropriate" here means blocks that are either unallocated, or
are being used without permission from the user to whom they were
originally allocated. The issue of whether the blocks should be
allocated (or not) doesn't come into this part of the analysis.

In the case I reported here a few weeks back, I'm glad to be able to
announce that all those six blocks are now fully de-announced and the
torrent of spam that was flowing from most of them has now stopped.
That result couldn't have been achieved without the considerable help
and advice I had from participants here, and the Security departments
of the carriers that were innocent victims of the deception.

So I'd like to thank them all for that help.

(There's obviously a lot of administrative work to do on putting the
allocations involved back in order, and handing some of the IP space
back, and that's the job in hand right now!)

What has become clear is that this was the tip of the iceberg ... the
number of "lost" blocks that are being misused seems to be far greater
than anyone expected. Since dealing with the first six, which became
eight as a result of their association with two other blocks, two more
hijacked Class B's have come to light - one was resolved earlier today.

> I would think ARIN/RIPE/APNIC would like to see ISPs email them
> blocks that are hijacked so they can reclaim them, or put them into
> a holding pen while they attempt to contact the owners... (then
> reclaim if no contacts can be made)

I doubt if ISPs will necessarily be able to do that, as the hijacked
blocks were all in use with plausible credentials - mostly obtained
by a combination of social engineering, and creating similar domains
(or reviving old ones) to "grab" the necessary handles. Only by the
very careful comparison of information about the original registrant
will the real situation become evident.

In response to the requests I've had, I'm now creating a mailing list
for anyone to report IP space that they believe has been hijacked, and
the security teams from the major backbones will be welcome to join
and take whatever action they see as appropriate when clear evidence
is produced - the relevant registry will also be notified and they
can, if they wish, review any potentially-problematic cases.

Ultimately it's the registries' decision as to whether the current user
is the same entity as the user to whom the space was originally assigned
(or has the necessary authority to use it, according to each registry's
stated policies); the mailing list will simply facilitate sharing the
necessary information.

The list will be hijacked at numbering~com and the normal majordomo
signup process will be available *shortly* but until then anyone who
wants to be added should send mail decodable by carbon lifeforms, to
listowner at numbering~com

> While it's certainly wrong to steal IPs like this, some of the blame
> must go to the RIRs. They should be repo-ing this space. I realize

[snip]

> Should any of the ISP community hold any responsibility to help the
> RIRs pull this space back when they are hijacked? I would think

You presume that no-one is doing that (hint: many of us are), and that
any action is taken (if so, none is visible).

Kai's post is not fiction. Guess what? A lot (not all) squatters get
caught quite nicely in those "evil" prefix length filters. If you HAVE
an allocation and for some reason just announce deaggregates, to a
third party you look *just* like the black hats. How does this help
your reachability while you're grazing on the commons?

Think about that for a second before the knee jerks up.

Cheers,

Joe

I'm sorry, but to clarify my question I wasn't presuming any such thing. I
was just asking if the RIRs expected ISPs to inform them when a clearly
hijacked address block was found and quashed.

Hmm, that WOULD presume the RIR had a method to handle that notification I
suppose.

-Chris

Email would work, but the more pressing issue is how the RIR is
to respond to that notification. RIRs don't have the resources
to revoke allocations/assignments for cause other than non-payment
(which necessarily excludes pre-RIR allocs). Additionally,
RIRs have no mechanism to enforce revocations. There has been
reasonable discussion on possible policy changes to address these
concerns; however, no consensus has been achieved to effect change
(yet). I would encourage folks to join the ppml@arin.net public
policy list for ARIN (and/or similar activities for other RIRs)
should you have some specific suggestions to this end.

Presently, the ONLY mechanism that the RIRs have to revoke/filter/
influence the global routing table is the routing policies employed
by the RIRs' constituents. The folks on this list (NANOG) are
able to block abuse/squatters/rogue users. Can the RIRs help
with additional information in database objects? Such as
additional status information, accuracy of contact data, etc?
Your specific input is more than welcomed (but please redirect
to ppml).

-ron
/ARIN AC

Stephen,

Assertions made in the IETF are not necessarily correct or proper. The
past few years have led to a rash of bankruptcies in the technology
sector, which has led to substantial unrouted space. In any case, a "use
it or lose it" rule is completely in accord with the spirit of the
issuance guidelines - you are only supposed to ask for what you can use,
and you should return what you don't use. However, the assumption that
folks are altruistic is basically false. There is no reward for returning
IP space, therefore folks will not do it. IRRs, as the proper
administrative authority, should step in.

I also understand that there is some kind of mental "red line" concerning
the IP space that was issued before ARIN came into existence, for some
folks. There needs to be a consensus amongst ICANN/IANA/ISI/IETF that the
IRRs should have full authority for both current and legacy space.

- Dan

[Note: I am not suggesting that anyone should do anything that is described
here]
Kai Schlichting wrote:

> Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN
> allocates them but many people have had problems routing the new addresses
> and we don't have the time for those sort of problems.

> <sarcasm on>
>
> Why settle for a few /24's, when you can have the whole enchilada
> for pennies on the dollar!
>
> The Spamhaus Project

Don't believe the listing of hijacked netblocks @ Spamhaus, it's maintained
by someone who doesn't seem to know the difference between spammer-hijacked
netblocks & netblocks assigned by ISPs to their users.

> Like many of our convicted felons^W^Wfriends in the criminal
> trespassing^Wemail business, the new strategy to help yourself to a
> few /16's without stupid questions being asked is now:
>
> - scan the routing tables for /16-size holes in space that has been
>   assigned in the timeframe 1989 through 1995.

For APNIC, only look in 203/10 and look for /24-ish ones registered in
1993-early 1997.

> - determine if said "hole" is registered with any relevant address space
>   registry (ARIN,RIPE,APNIC, but LACNIC need not apply), and the space
>   is not routed.
> - determine if all registered POCs for the space are dead by way of
>   the domains having expired
> - spend less than $10 to re-register the "missing" domains, using the
>   original contact details (and persons) still listed in the IP space
>   registration.

Or, if it has no email address you can just register a domain for the
original owner with the same contact information that's in the current IP
whois and mail ARIN from that in the original owner's name.

> - find yourself some nice, conspiring providers like AS 6453, 14551, 6939
>   or 10910

Or Qwest (AS209).

> </sarcasm>
>
> I am sure you can figure out the likely operational impact resulting from
> appearance of hijacked/stolen IP space just about now. AS 16506 is routing
> VPN tunnel endpoints for Al-Qaeda, you said? you surely must be joking, or
> it's a really bad rumor not reflecting reality, Sir...

AS16506 has its only feeds from Teleglobe & UUNET.

Roland Verlander on NANOG wrote:

> The Spamhaus Project
>
> Don't believe the listing of hijacked netblocks @ Spamhaus, it's maintained
> by someone who doesn't seem to know the difference between spammer-hijacked
> netblocks & netblocks assigned by ISPs to their users.

Actually, Spamhaus is very good at detecting zombies. The link provided is not strictly hijacked networks, though. In all cases, Spamhaus tends to side on a "questionable" zombie, as sometimes it's difficult to tell if a network was truly hijacked. As known spamhausen do hijack more networks and demonstrate a track record, it does lead to more easily detecting when a network or AS has been hijacked. In all cases, the list is about spam, not netblock hijacks.

-Jack

Jack Bates wrote:

> Actually, Spamhaus is very good at detecting zombies.

Wrong.

> The link provided
> is not strictly hijacked networks, though.

I know that.

Here is one example of how good they are in detecting zombies:

<quote>
zombies
hosting24-7.org / hostingonus.com / iohosting.us / tiethepen.com (zombie?)

193.231.248.0/24 is listed on the Register Of Known Spam Operations (ROKSO)
database as being assigned to, under the control of, or providing service to
a known spam operation run by zombies. Please see the ROKSO spam records for
zombies
</quote>

And look at the whois: it shows it's an assignment SWIP'd to a spammer by an
ISP. Yeah, I'm sure that that's a zombie.

inetnum: 193.231.248.0 - 193.231.248.255
netname: SC-PRO-SYS-SRL
descr: SC PRO SYS SRL
descr: Pache Protopopescu 108
descr: sector 2 Bucharest
country: ro
admin-c: SSC100-RIPE
tech-c: SSC100-RIPE
status: ASSIGNED PA
mnt-by: AS3233-MNT
mnt-lower: AS3233-MNT
mnt-routes: WEBONLINE
notify: hostmaster@rnc.ro
changed: hostmaster@rnc.ro 20030410
source: RIPE

inetnum: 193.231.0.0 - 193.231.255.255
netname: RO-RNC-970804
descr: Local Registry for Europanet customers
descr: RO general
country: RO
admin-c: ES16
tech-c: ES16
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS3233-MNT
mnt-routes: AS3233-MNT
changed: GeertJan.deGroot@ripe.net 19941230
changed: hostmaster@ripe.net 19960207
changed: hostmaster@ripe.net 19970804
changed: hostmaster@ripe.net 19990504
changed: hostmaster@ripe.net 19990506
changed: hostmaster@ripe.net 20000303
changed: hostmaster@ripe.net 20000313
changed: hostmaster@ripe.net 20001130
changed: lir-help@ripe.net 20020109
source: RIPE

I'm reasonably sure it is (or was). Two main reasons:

(1) It should have been routing to Romania (AS2614 or AS3233) - it was
    actually routing to or via Denmark (announced by AS16186).
(2) when the situation was pointed out, the route was quickly killed.

Same with 152.143.0.0: belongs to German company Kloeckner Stahl Bremen
but (parts of) it were being announced by Ayayai in Panama.

Teleglobe have stopped that routing - hence a large number of blocks
were suddenly de-announced and 152.143.0.0/16 now seems to be clean.
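
An added example, not part of any poster's message: the origin check described above, run against trimmed copies of the two RIPE objects quoted in this thread. The expected-origin table, every observed announcement other than the AS16186 one, and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Trimmed copies of the two RIPE inetnum objects quoted earlier in the thread.
WHOIS = """\
inetnum: 193.231.248.0 - 193.231.248.255
netname: SC-PRO-SYS-SRL
status: ASSIGNED PA

inetnum: 193.231.0.0 - 193.231.255.255
netname: RO-RNC-970804
status: ALLOCATED PA
"""

# Origins expected per netname. AS2614/AS3233 are the ASNs named in the message
# above; applying them to the parent allocation as well is an assumption.
EXPECTED = {"SC-PRO-SYS-SRL": {2614, 3233}, "RO-RNC-970804": {2614, 3233}}

# Constructed observations (prefix, origin ASN); AS64500 is a documentation ASN.
OBSERVED = [("193.231.248.0/24", 16186), ("193.231.248.0/24", 3233),
            ("193.231.16.0/20", 64500), ("198.51.100.0/24", 64500)]

def parse_inetnums(text):
    """Yield (network, netname) for each blank-line-separated RPSL object."""
    for obj in text.strip().split("\n\n"):
        attrs = dict(line.split(":", 1) for line in obj.splitlines() if ":" in line)
        first, last = (ipaddress.ip_address(a.strip())
                       for a in attrs["inetnum"].split("-"))
        for net in ipaddress.summarize_address_range(first, last):
            yield net, attrs["netname"].strip()

def most_specific(prefix, registry):
    """Return the longest registered (network, netname) covering prefix, or None."""
    net = ipaddress.ip_network(prefix)
    hits = [r for r in registry if net.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def audit(observed, registry, expected):
    """List announcements whose origin is not expected for their registration."""
    findings = []
    for prefix, origin in observed:
        hit = most_specific(prefix, registry)
        if hit is None:
            findings.append((prefix, origin, "no-registration-on-file"))
        elif origin not in expected.get(hit[1], set()):
            findings.append((prefix, origin, "origin-mismatch:" + hit[1]))
    return findings

REGISTRY = list(parse_inetnums(WHOIS))
FINDINGS = audit(OBSERVED, REGISTRY, EXPECTED)
```

A mismatch here is only a prompt to compare the registration history and contact the registrant, since a legitimate holder can change upstreams.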

Roland Verlander wrote:

> The Spamhaus Project
> <quote>
> zombies
> hosting24-7.org / hostingonus.com / iohosting.us / tiethepen.com (zombie?)
>
> 193.231.248.0/24 is listed on the Register Of Known Spam Operations (ROKSO)
> database as being assigned to, under the control of, or providing service to
> a known spam operation run by zombies. Please see the ROKSO spam records for
> zombies
> </quote>

Note the question mark for the zombie. Also note that it states clearly that the spammer is known to run zombies, thus all networks are suspect. Personally, I'm more apt to believe that ssc nabbed the domain under false pretenses from rnc. Not that it matters.

-Jack