North American Network Operators Group


Hijacked IP blocks

  • From: william
  • Date: Tue Oct 21 00:42:14 2003

As some of you have seen from sessions today, hijacking of IPs has been 
noticed by many. I want to give a report of what the current situation is as 
I've been monitoring known hijacked IP ranges and active use of those.
The active list is included later in this email and is available online at

First I want to thank quite a number of companies both large and smaller 
for helping to deal with this problem. By now very few ip blocks are left 
that were hijacked and are still in active use, in fact 1/2 of the ones 
left announcing space are victims that were resold the space (particularly
in block; I wish they would finally renumber out of these 
blocks, some of them have had 4 months to do it from original notice). 

New hijacked blocks do not appear to be such a common occurrence by 
spammers which makes things easier (but we must still remember what 
happened before and all of you must remember to take care of the resources 
where you may be listed as an admin for. If your company is being acquired 
- make sure when you leave the company a new administrator is assigned from 
the new company (if this is not possible, inform ARIN that the ip block will be left 
without an active administrator and what led to this). Those of you that were 
administrators for companies no longer in business (even going back up to 
10 years), please at some point, if you remember what the ip blocks were, check on 
what whois currently looks like and who that company's domains are 
registered to. If you find problems, address them to ARIN or to completewhois
for investigation about what happened to the original company.

Now today at the NANOG meeting I was approached by a group of people concerned 
that there are too many names of network engineers listed on the site. I 
have to point out that I make all possible efforts to contact network engineers
and have them resolve questionable problems on their own - some just do 
not answer such emails, but others did and netblocks with references to 
those people no matter if those people may have been involved in hijacking
or not are not mentioned on the site. I would hope that I would not have 
to approach you in the first place and considering recent ARIN announcement (with which BTW I do not 
fully agree with - reporting every case to authorities may be going too 
far - but they may not have any choice, either do it for all or for none)
So I hope that any of you that may have questionable blocks in current 
use would on your own stop and return them to the state they were before in 
whois or return them to ARIN or continue using the blocks and apply to
officially transfer them (remember ARIN currently does transfers at no 
extra charge, this will not last forever!!!).

The group that approached me had specific concerns because while some may
have been mentioned on site as directly involved in hijacking, which I 
think is appropriate to them; others may have been mentioned indirectly 
when their whois records were listed under some blocks current use 
section. I want to stress out that active use in no way implies any 
connection to hijacking, it is simply result of dns and related whois
info on what active use of the block and what it has been (i.e. isp 
customers, irc, spam sites, etc) and having it comes very useful for 
correlation between different cases and people previously asked me to 
include it in fact. To differentiate about this data, I'm willing to 
put a disclaimer up in each file regarding data listed in active use 
section. Please make your suggestions on the best text for this to me 
privately or on hijacked mail list when I bring this topic up there. I 
also understand that a number of people do not want google and other search 
engines to be able to reference their names and other data if it's in the 
current use section. Please make suggestions on how to best achieve this 
without stopping google from searching other sections of the site. Would 
the solution of separating current use data into separate files in a separate
directory and putting a robots.txt file there work? Should I also make sure 
that people are only able to reference those files when they first looked 
at the data in primary data file?

And understand that if I do not hear your concerns, I would not know what 
may be wrong with the completewhois hijacked section or what is done wrong 
as far as investigations go. I do answer emails even if it may take several 
days sometimes and have in the past made changes based on what has been 

Now going back to the top of this post, below is the list of actively 
advertised hijacked blocks (same program as has been used for bogon 
advertisements has been used here as well):

## AS3908 : SUPERNETASBLK : SuperNet, Inc.
## AS3908 : SUPERNETASBLK : SuperNet, Inc.
## AS3908 : SUPERNETASBLK : SuperNet, Inc.
## AS3908 : SUPERNETASBLK : SuperNet, Inc.
## AS20473 : NETTRANS : NetTransactions, LLC
## AS20473 : NETTRANS : NetTransactions, LLC
## AS23131 : STARLAN : Starlan Communications Inc.
## AS12277 : TRACON : Tracon Industries
## AS3638 : GLOBALI : Shaman Exchange, Inc.
## AS12277 : TRACON : Tracon Industries
## AS12277 : TRACON : Tracon Industries
## AS30080 : BA-CONSULTING : BA Consulting
## AS16631 : COGENT-ASN : Cogent Communications
## AS30080 : BA-CONSULTING : BA Consulting
## AS3491 : CAIS-ASN : CAIS Internet
## AS16631 : COGENT-ASN : Cogent Communications
## AS3491 : CAIS-ASN : CAIS Internet
## AS3491 : CAIS-ASN : CAIS Internet
## AS3409 : INET-1-AS : Internetworks, Inc.
## AS16631 : COGENT-ASN : Cogent Communications

And for comparison here is what this looked like on Sep 26th when I 
started active monitoring (I also have manual data from early August, but 
it would take too long to put it into email. I can say though, that there 
were twice as many hijacked announcements then, things have really 
changed for good in the last several months as more people and RIRs 
themselves became aware of these issues).

# AS22653 - GlobalCompass
# AS19800 - Grant County Public Utility
# AS3908 - Supernet
# AS3908 - Supernet
# AS3908 - Supernet
# AS3908 - Supernet
# AS577 - 
(Note - this is proper announcement on behalf of MDS)
# AS20473 - NetTransactions
# AS20473 - NetTransactions
# AS23131 - Starlan
# AS12277 - Tracon
# AS3638 - Globali
# AS12277 - Tracon
# AS12277 - Tracon
# AS8121 - TCH/
# AS23720 - FUSIONGOL-AS-AP
(Note - this is proper announcement, on behalf of Clipper)
# AS8121 - TCH/
# AS4768 - Clear Communications
# AS30080 - BA Consulting (hijacker used named),
		  routed by AS3568 CW
# AS8121 - TCH/Layer42
# AS30080 - BA Consulting
# AS9826 - 
# AS9826 - ILink.Net
# AS3491 - CAIS
# AS3491 - CAIS
# AS3491 - CAIS
# AS16631 - Cogent
# AS29698 - Internet America LLC (hijacker named used)
# AS29698 - Internet America LLC