North American Network Operators Group

Re[2]: Get as much IP space as you ever dreamed of, was: Re: Looking to buy IPv4 addresses from class C swamp

  • From: Richard Cox
  • Date: Mon Apr 28 19:01:11 2003

On 28 Apr 2003 21:55 (UT), "Christopher L. Morrow" <[email protected]> wrote:

| Should any of the ISP community hold any responsibility to help the
| RIR's pull this space back when they are hijacked?

To me, the most important thing is that the ISP/carrier community
should ensure that inappropriate route announcements are filtered.
"Inappropriate" here means blocks that are either unallocated, or
are being used without permission from the user to whom they were
originally allocated.  The issue of whether the blocks should be
allocated (or not) doesn't come into this part of the analysis.

In the case I reported here a few weeks back, I'm glad to be able to
announce that all those six blocks are now fully de-announced and the
torrent of spam that was flowing from most of them has now stopped.
That result couldn't have been achieved without the considerable help
and advice I had from participants here, and the Security departments
of the carriers that were innocent victims of the deception.

So I'd like to thank them all for that help.

(There's obviously a lot of administrative work to do on putting the
allocations involved back in order, and handing some of the IP space
back, and that's the job in hand right now!)

What has become clear is that this was the tip of the iceberg ... the
number of "lost" blocks that are being misused seems to be far greater
than anyone expected.  Since dealing with the first six, which became
eight as a result of their association with two other blocks, two more
hijacked Class B's have come to light - one was resolved earlier today.

| I would think ARIN/RIPE/APNIC would like to see ISP's email them
| blocks that are hijacked so they can reclaim them, or put them into
| a holding pen while they attempt to contact the owners... (then
| reclaim if no contacts can be made)

I doubt if ISPs will necessarily be able to do that, as the hijacked
blocks were all in use with plausible credentials - mostly obtained
by a combination of social engineering, and creating similar domains
(or reviving old ones) to "grab" the necessary handles.  Only by the
very careful comparison of information about the original registrant
will the real situation become evident.

In response to the requests I've had, I'm now creating a mailing list
for anyone to report IP space that they believe has been hijacked, and
the security teams from the major backbones will be welcome to join
and take whatever action they see as appropriate when clear evidence
is produced - the relevant registry will also be notified and they
can, if they wish, review any potentially-problematic cases.

Ultimately it's the registries' decision as to whether the current user
is the same entity as the user to whom the space was originally assigned
(or has the necessary authority to use it, according to each registry's
stated policies); the mailing list will simply facilitate sharing the
necessary information.

The list will be hijacked at numbering~com and the normal majordomo
signup process will be available *shortly* but until then anyone who
wants to be added should send mail decodable by carbon lifeforms, to
listowner at numbering~com

-- 
Richard Cox