Ongoing ASN and IP Space Hijacks: Update (TimeWarner/Level3/Tiscali)

Eleven days ago, I reported here the following highly probable hijacks:

AS8143
AS29987
AS11756
AS47024
AS27906

198.23.32.0/20 - NET-198-23-32-0-1
198.57.64.0/20 - NET-198-57-64-0-1
199.88.32.0/20 - NET-199-88-32-0-1
199.192.16.0/20 - NET-199-192-16-0-1
199.196.192.0/19 - NET-199-196-192-0-1
200.107.216.0/21 - GT-AGSA1-LACNIC
204.147.240.0/20 - NET-204-147-240-0-1
207.22.224.0/19 - (NET-207-22-192-0-1

Routing to a few of the above IP blocks has now been terminated, however
at present I find that several of them are still very much alive and well,
in particular:

199.88.32.0/20 - NET-199-88-32-0-1
199.196.192.0/19 - NET-199-196-192-0-1
200.107.216.0/21 - GT-AGSA1-LACNIC
204.147.240.0/20 - NET-204-147-240-0-1

As I previously mentioned, these are being used by high-end snowshoe spamming
operations.

Simple question: Does anybody give a damn?

Regards,
rfg

P.S. Routing for the still-live hijacked blocks is as follows:

199.88.32.0/20 hijacked via AS29987 (hijacked ASN) via AS3257 (tiscali.net)

199.196.192.0/19 hijacked via AS8143 (hijacked ASN) via AS19844 (gorack.com)
      via AS4323/TimeWarner & AS3356/Level3

200.107.216.0/21 hijacked via AS8143 (hijacked ASN) via AS19844 (gorack.com)
      via AS4323/TimeWarner & AS3356/Level3

204.147.240.0/20 hijacked via AS47024 (hijacked ASN) via AS3257 (tiscali.net)
  
P.P.S. As I also mentioned previously, GoRack seems to have some non-trivial
connection to another South Florida company, Joytel Wireless, which itself
was caught red-handed performing a sizable number of rather brazen IP block
hijackings back in October:

   http://mailman.nanog.org/pipermail/nanog/2010-October/025997.html

Given that Joytel/GoRack are clearly not at all bashful about what they
are up to, it seems to me that it is incumbent upon TimeWarner and Level3
to take some action here. Otherwise, these hijackings are obviously just
going to go on and on and on.

As for Tiscali, and its obvious part in all this... well... if anyone is
aware of any conscious entity @ Tiscali who might actually give a damn about
anything other than short-term profits, please do let me know. The people
I've talked to, and the evidence above, all indicate that Tiscali is, quite
simply, ready, willing, and able to whore itself out to just about anybody.

Ron,

In message <AEA8602C-29BD-4585-A723-8A62E71DC0A8@virtualized.org>,

Simple question: Does anybody give a damn?

I suspect a lot of folks do, however giving a damn and having the
ability to do anything about it may not coincide.

Do you or your company connect to Level3, TimeWarner, or Tiscali?

For those that do, maybe this is an opportunity to make your opinions
regarding the apparently ongoing support of these companies to hijacked
ASNs and IP blocks known.

Where can people go to gain more understanding of the methodologies you
use to establish probable hijacks?

Find? Or establish?

As regards to finding them in the first place, my methodology involves
specialized tools I've invented and constructed, and these employ methods
that are currently maintained as trade secrets for obvious reasons.

Verifying the status of a given block or ASN as being a probable hijack
involves simply looking at the publicly available evidence, and checking
for a number of factors. Among these are (in no particular order):

    *) Was the block or ASN first allocated prior to the 1997 formation of
       ARIN? (If so, then it is a "legacy" resource, and these are the
       ones most frequently hijacked by far.)

    *) Does the company or other legal entity to which the block or ASN was
       allocated still even exist? (Google is your friend.)

    *) Has the relevant WHOIS record been altered recently, in particular
       the contact information (name, phone, e-mail)? If so, that alone
       is somewhat suspicious, but especially so if the current e-mail
       contact address for the relevant number resource is in a domain
       which itself was only registered (or re-registered) recently.

    *) Is it possible to still make contact with the legal entity to which
       the number resource was allocated via the phone number given in the
       relevant WHOIS record? (Only meaningful if the relevant WHOIS record
       has NOT been recently altered.)

    *) Is it possible to still make contact with the legal entity to which
       the number resource was allocated via the e-mail address given in the
       relevant WHOIS record? (Only meaningful if the relevant WHOIS record
       has NOT been recently altered.)

    *) Does the block (or the blocks routed by the ASN in question) contain
       a lot of self-evident snowshoe spamming domains, e.g. domains with
       nonsense names, or with no web sites, or with no mail servers, or
       all created relatively recently, perhaps all via the same single
       registrar? (In the cases I look at, sometimes all of these factors
       are present.)

    *) In the case of an IP block, does the company that's routing the block
       have a prior track record of being involved in hijacking incidents?

    *) In the case of an ASN that is providing routing to one or more
       suspicious blocks, does the ASN in question have only a single
       upstream, as per www.robtex.com?

    *) In the case of an ASN that is providing routing to one or more
       suspicious blocks, does the ASN in question have only a single
       upstream, as per www.robtex.com, AND does that single upstream
       have a prior track record of being involved in hijacking incidents?

Regards,
rfg
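
[Added example, not part of the thread and not the poster's tooling: a small Python triage helper that applies the checklist factors above that reduce to dates and lists, including the rule that contact attempts only count against an unaltered WHOIS record. The record layout, the one-year meaning of "recently", the exact ARIN cutoff day and the sample values are assumptions made for illustration.]

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ARIN_FORMED = date(1997, 12, 22)  # the message says only "1997"; exact day assumed
RECENT = timedelta(days=365)      # "recently" is not quantified in the message; assumed

@dataclass
class Resource:                   # hypothetical record, filled in by hand from WHOIS/routing data
    name: str
    allocated: date
    whois_updated: date
    contact_domain_registered: date
    holder_exists: bool
    phone_answers: Optional[bool]  # None = not tried
    email_answers: Optional[bool]  # None = not tried
    upstreams: list = field(default_factory=list)

def hijack_indicators(r, today, prior_offenders=frozenset()):
    """Return the checklist factors that fire for one block or ASN."""
    hits = []
    if r.allocated < ARIN_FORMED:
        hits.append("legacy")
    if not r.holder_exists:
        hits.append("holder-defunct")
    if today - r.whois_updated <= RECENT:
        hits.append("whois-altered")
        if today - r.contact_domain_registered <= RECENT:
            hits.append("contact-domain-new")
    else:
        # Contact attempts only mean something against an unaltered record.
        if r.phone_answers is False:
            hits.append("phone-dead")
        if r.email_answers is False:
            hits.append("email-dead")
    if len(r.upstreams) == 1:
        hits.append("single-upstream")
        if r.upstreams[0] in prior_offenders:
            hits.append("upstream-prior-record")
    return hits

# Constructed sample values (documentation-range ASNs), not from any real WHOIS record.
TODAY = date(2011, 4, 1)
ALTERED = Resource("AS64500", date(1993, 5, 1), date(2011, 2, 20),
                   date(2011, 1, 15), False, False, None, ["AS64501"])
UNALTERED = Resource("AS64502", date(1995, 3, 1), date(2004, 6, 1),
                     date(2000, 1, 1), True, False, None, ["AS64510", "AS64511"])

if __name__ == "__main__":
    for rec in (ALTERED, UNALTERED):
        print(rec.name, hijack_indicators(rec, TODAY, {"AS64501"}))
```

The snowshoe-domain factor and the routing company's own track record are left to manual review, since they need judgment about content rather than dates.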