RE: Hijacking of address blocks assigned to Trafalgar House Group, London UK

Maybe they should do everyone a favor and return the hijacked blocks to
ARIN.... I mean hell, does anyone really think that they have 6 /16's worth
of machines directly accessible via the 'net? Obviously if they have been
hijacked and the admins had the time to post here about it, it's not the end
of the world for them...

Just a little something to fuel a Sunday flamewar :)

-Dave

> Maybe they should do everyone a favor and return the hijacked blocks
> to ARIN.... I mean hell, does anyone really think that they have
> 6 /16's worth of machines directly accessible via the 'net?

Maybe so indeed. We've been asked to help clear up the mess, and to my
mind it's far more important to limit the damage to the rest of the net
from the hard-to-trace abuse and the other evils that were the reason
why the blocks were hijacked in the first place, than to deal with the
consequential admin issues. But those issues *will* be addressed.

So that's why we first gave you all an update on what was happening,
while I try to reach the security teams at the networks that are still
allowing the bogus announcements to go out. Sprint responded quickly,
and thanks to those of you here who mailed me better contact details,
I was able to reach Telia who filtered their announcements promptly.

Some networks however are proving rather more difficult to "reach"!

Once we've shut the abuse down, we'll be sure to brief Aker Kvaerner's
management on all the issues involved and, from what I've seen so far,
I'm completely satisfied that they will then "do the right thing".

> Obviously if they have been hijacked and the admins had the time
> to post here about it, it's not the end of the world for them...

Aker Kvaerner were until last week unaware that the company they had
acquired had ever had any allocations from ARIN. We've been asked to
clear up the mess, and to that extent only we are the "admins". When
one of the hijackers lost their connection, and was immediately able
to get a new connection from another provider, we realised just how
important it was to ensure that network operators were generally made
aware of what was going on: firstly so that they didn't inadvertently
allow anyone else to announce anything in those netblocks, and also so
that any network could, if they wished, keep traffic from those
netblocks off their systems.

At our request ARIN have now deleted all contact handles from those
blocks, so that further identity-spoofing should be more difficult.

That's pronounced "RIPE" in European, that language they speak over there.

                                -Bill

No way. These were indeed ARIN blocks - if you check the list which
I originally posted you will see that they are registered with ARIN.

Possibly the date the original allocation was made may be significant?

Richard Cox wrote:

> Maybe they should do everyone a favor and return the hijacked blocks
> to ARIN.... I mean hell, does anyone really think that they have
> 6 /16's worth of machines directly accessible via the 'net?

> Maybe so indeed. We've been asked to help clear up the mess, and to my
> mind it's far more important to limit the damage to the rest of the net
> from the hard-to-trace abuse and the other evils that were the reason
> why the blocks were hijacked in the first place, than to deal with the
> consequential admin issues. But those issues *will* be addressed.

If it is possible to get the old whois of those blocks from around ~8
months ago from ARIN it will be much easier to find out how they were
hijacked.

> So that's why we first gave you all an update on what was happening,
> while I try to reach the security teams at the networks that are still
> allowing the bogus announcements to go out. Sprint responded quickly,
> and thanks to those of you here who mailed me better contact details,
> I was able to reach Telia who filtered their announcements promptly.

There are still some active routes - the block hijacker is leasing out
SWIP'd chunks of 144.176.0.0/16 to spammers who have to find their own
routing.

One of the SWIP'd chunks of it, owned by a spammer, that is being announced is
144.176.209.0/24 (Empire Towers, routed to Sprint in the USA).

> Some networks however are proving rather more difficult to "reach"!
>
> Once we've shut the abuse down, we'll be sure to brief Aker Kvaerner's
> management on all the issues involved and, from what I've seen so far,
> I'm completely satisfied that they will then "do the right thing".

> Obviously if they have been hijacked and the admins had the time
> to post here about it, it's not the end of the world for them...

> Aker Kvaerner were until last week unaware that the company they had
> acquired had ever had any allocations from ARIN. We've been asked to
> clear up the mess, and to that extent only we are the "admins". When
> one of the hijackers lost their connection, and was immediately able
> to get a new connection from another provider, we realised just how
> important it was to ensure that network operators were generally made
> aware of what was going on: firstly so that they didn't inadvertently
> allow anyone else to announce anything in those netblocks, and also so
> that any network could, if they wished, keep traffic from those
> netblocks off their systems.
>
> At our request ARIN have now deleted all contact handles from those
> blocks, so that further identity-spoofing should be more difficult.

There are still a lot of SWIPs made to spammers out of those blocks w/
contact handles such as 144.176.208.0/20.
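As an added example (not from any poster in this thread): a small check an operator could run over a looking-glass dump to spot routes that sit inside, or cover, the hijacked 144.176.0.0/16 named above, plus the matching source-address test for keeping traffic from those netblocks off a system. The route lines and AS numbers below are constructed; the other five /16s are not listed on this page, so the block list is left for the reader to extend.

```python
import ipaddress

# The one hijacked block quoted in the thread. The remaining five /16s are
# not given on this page; add them from the original posting.
HIJACKED_BLOCKS = [ipaddress.ip_network("144.176.0.0/16")]

# Constructed sample of "prefix AS-path" lines, as a looking glass might show.
# AS numbers come from the documentation range (64496-64511) and are invented.
SAMPLE_ROUTES = """
144.176.209.0/24 64496 64497   # SWIP'd /24 inside the hijacked /16
144.176.0.0/16   64498         # the whole block announced by someone
144.0.0.0/8      64499         # covering aggregate that would also attract traffic
144.177.0.0/16   64500         # adjacent block, not hijacked
10.0.0.0/8       64501         # unrelated
"""

def parse_routes(text):
    """Return [(network, origin_as)] from 'prefix AS-path' lines; '#' starts a comment."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        routes.append((ipaddress.ip_network(fields[0], strict=False), int(fields[-1])))
    return routes

def overlapping_routes(routes, hijacked=HIJACKED_BLOCKS):
    """Return [(prefix, origin_as, kind)] for routes overlapping a hijacked block.
    kind is 'inside' for the block or a more-specific, 'covering' for an aggregate."""
    hits = []
    for net, origin in routes:
        for block in hijacked:
            if net.version != block.version:      # subnet_of() rejects mixed families
                continue
            if net.subnet_of(block):
                hits.append((str(net), origin, "inside"))
                break
            if block.subnet_of(net):
                hits.append((str(net), origin, "covering"))
                break
    return hits

def from_hijacked_block(addr, hijacked=HIJACKED_BLOCKS):
    """True if a source address (e.g. from a mail or firewall log) lies in a hijacked block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in hijacked)

if __name__ == "__main__":
    for prefix, origin, kind in overlapping_routes(parse_routes(SAMPLE_ROUTES)):
        print(f"{kind:9} {prefix:18} origin AS{origin}")
```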

ARIN was the Registry of Last Resort for legacy allocations, yes, but that
responsibility has been divided between the RIRs based on locality of the
registrant, now.

                                -Bill

Bill Woodcock wrote:

> No way. These were indeed ARIN blocks - if you check the list which
> I originally posted you will see that they are registered with ARIN.
> Possibly the date the original allocation was made may be significant?

> ARIN was the Registry of Last Resort for legacy allocations, yes, but that
> responsibility has been divided between the RIRs based on locality of the
> registrant, now.

No, it hasn't, yet. ARIN is currently moving the legacy allocations to the
appropriate RIR for the regions, but that process is done /8-at-a-time & the
/8s that the Trafalgar House Group /16s are in have not been transferred
yet.

Okay, okay, you've done your homework, I haven't. :)

                                -Bill