North American Network Operators Group

Re: Re[2]: Hijacking of address blocks assigned to Trafalgar House Group, London UK
Richard Cox wrote:
> On 13 Apr 2003 15:11 UTC, David Temkin <[email protected]> wrote:
>
> | Maybe they should do everyone a favor and return the hijacked blocks
> | to ARIN.... I mean hell, does anyone really think that they have
> | 6 /16's worth of machines directly accessible via the 'net?
>
> Maybe so indeed. We've been asked to help clear up the mess, and to my
> mind it's far more important to limit the damage to the rest of the net
> from the hard-to-trace abuse and the other evils that were the reason
> why the blocks were hijacked in the first place, than to deal with the
> consequential admin issues. But those issues *will* be addressed.

If it is possible to get the old whois of those blocks from around ~8 months ago from ARIN it will be much easier to find out how they were hijacked.

> So that's why we first gave you all an update on what was happening,
> while I try to reach the security teams at the networks that are still
> allowing the bogus announcements to go out. Sprint responded quickly,
> and thanks to those of you here who mailed me better contact details,
> I was able to reach Telia who filtered their announcements promptly.

There are still some active routes - the block hijacker is leasing out SWIP'd chunks of 144.176.0.0/16 to spammers who have to find their own routing. One of the SWIP'd chunks of it owned by a spammer that is being announced is 144.176.209.0/24 (Empire Towers, routed to Sprint in the USA).

> Some networks however are proving rather more difficult to "reach"!
>
> Once we've shut the abuse down, we'll be sure to brief Aker Kvaerner's
> management on all the issues involved and, from what I've seen so far,
> I'm completely satisfied that they will then "do the right thing".
>
> | Obviously if they have been hijacked and the admins had the time
> | to post here about it, it's not the end of the world for them...
>
> Aker Kvaerner were until last week unaware that the company they had
> acquired had ever had any allocations from ARIN. We've been asked to
> clear up the mess, and to that extent only we are the "admins". When
> one of the hijackers lost their connection, and was immediately able
> to get a new connection from another provider, we realised just how
> important it was to ensure that network operators were generally made
> aware of what was going on: firstly so that they didn't inadvertently
> allow anyone else to announce anything in those netblocks, and also so
> that any network could, if they wished, keep traffic from those
> netblocks off their systems.
>
> At our request ARIN have now deleted all contact handles from those
> blocks, so that further identity-spoofing should be more difficult.

There are still a lot of SWIPs made to spammers out of those blocks w/ contact handles such as 144.176.208.0/20.