North American Network Operators Group
Re: The in-your-face hijacking example, was: Re: Who is announcing bogons?
[summary. - What started as a posting of an example for widespread wrongful, if not criminal conduct involving hijacking of IP space is now progressing into particulars of that example that most certainly don't concern network operations at large, rather than the general issue of stolen/hijacked/embezzled IP allocations in use by rogue parties for rogue purposes. This I fear will be with us for some considerable time to come. Please restrain your follow-up postings to the NANOG list bearing this in mind.]

On 4/30/2003 at 12:46 PM, Scott Granados <[email protected]> wrote:

> When doing a look up at whois.arin.net the data looks correct, phone
> numbers listed are correct, and more importantly bills sent to the address
> listed get paid. So since the whois data matches the customer and nobody
> else announces the block I don't see the problem. Clearly someone or

Clearly you don't see the problem. Or won't.

> something at Arin has given authority to this block to be used and that
> authorized figure has requested service from us.

ARIN has done no such thing, as I have documented with meticulous detail. ARIN assigns IP space to organizations, not individuals owning the POC, and such POCs are not authorized to act on their own and make use of such assignment for another organization on their own whim.

I call on ARIN to immediately suspend the assignment of 22.214.171.124/16 based on the probable cause I and others have delivered that make it likely, if not certain, that the ARIN principles of assignment have been violated in this case. Do I need to mention "Trafalgar House Group"?

> I'm not sure the mission you're on but it seems like a real misuse of time.
> This customer is not advertising someone else's space ie advertising
> 126.96.36.199 for a goof or to be disrupting services.

See "188.8.131.52/3" below to avoid me having to repeat my own arguments. I think you are quite sure about my mission about now. Some examples have to be made to deter others.
On 4/30/2003 at 6:20 PM, Scott Granados <[email protected]> wrote:

> Exactly, and I'm not sure what the whole reason for this thread is with
> the exception of I do understand if the space is previously announced. If

You are questioning the purpose of this discussion re: your direct customer's use of illicit/stolen/hijacked IP space, unless the space was 'previously used', while the purpose is, as you have certainly noticed, that the allocated space's registration is by nearly all stretches of imagination illicit, fraudulent or both?

Gee, let's see: I will start to announce 184.108.40.206/3 starting NOW, because: well, it's not used, and I have somehow gained control over "iana.org": what is the big deal anyway, you say?

> the requirements for arin are met and if arin makes the appropriate
> changes to the whois records isn't that enough?

And you have been presented with bona fide probable cause that such changes that were made BY YOUR CUSTOMER (unless you want to blame the automatic form processors at ARIN for not paying attention, as I am quite sure that no humans there were involved until now) were made in bad faith and while deceiving ARIN about matters of identity regarding that allocation?

> Obviously, making announcements can be more complex than that ie a customer
> has company A ip space but buys service from company B so they wish to
> announce a's IPs through B. If swip or rwhois data matches again this
> should be ok assuming someone referred to as a contact makes the request.

Not if you are presented with an unusual request, such as authorization for the announcement of an entire /16 that had its contact details changed days before - in that case, one can reasonably expect a whole different level of scrutiny than for say: a /20 that has up-to-date contact info yet has not been updated in 2-3 years. ARIN does have a listed phone number, you know.
On 4/30/2003 at 6:42 PM, Scott Granados <[email protected]> wrote:

> In point of fact a credit check was done including the contacting of three
> trade references and some other searches,

Care to share the name of the corporation and D&B number of that business you ran this check against, presuming it was the sought-after "OrgName: ISD"?

On 4/30/2003 at 7:50 PM, Scott Granados <[email protected]> wrote:

> I'd say our official position is that I'm not sure:).
> I'm just unclear on this whole thing so forgive me, [...]
> [.............]
> I'm just unclear and not certain that anything improper has happened yet.

I am not clear. And there is no bridge.

And you are probably unclear about THIS as well:

On 4/30/2003 at 6:56 PM, Kevin Brott <[email protected]> wrote on SPAM-L:

> Date: Wed, 30 Apr 2003 15:56:50 -0700
> Subject: Re: BLOCK: wworks.net/AS26346, update SPEWS S2489
>
> At 02:17 PM 4/30/2003, Little Punk wrote:
>> And the beat goes on: 220.127.116.11/16 sliced, diced and meshed by Kai over
>> on the NANOG list.
>
> All routes to/from the parts of that block under wworks.net are
> currently suppressed at our edge routers. This was prompted by having our
> senior firewall admin discover through some clever logfile correlations
> that they were the source of daily vigorous open-proxy scans across
> portions (if not the entirety) of all of our registered netblocks.
> Notices to wworks.net only resulted in claimed null-routes, whereupon the
> IP of the source shifted at the next expected scan-time.
> Our engineering staff is currently working on a more 'permanent' fix.
>
> === Today's Fortune ===
> He who hesitates is last.

(the fortune has an eerie significance here, I think)

And following up on that, I have personal email in my Inbox that has a few similar things to say about you and your downstream Atrivo to that effect, Scott.
I think your credibility with me is reaching a very deep low very fast, and the fact that abuse.net is listing no less than 3 of your upstreams as contacts for complaints relating to wworks.net is a very big hint that some people out there are not very satisfied with your handling of abuse issues, with some of these issues being pointed out to you by other people in this thread. It makes me think that it will become necessary to address abuse issues involving IP space announced with your AS in the AS path directly with ASes 11608, 8121, 293, 6517, 6939 instead of you. Not that the latter 2 would care to address such issues one bit.

On 4/30/2003 at 8:04 PM, Scott Granados <s[email protected]> wrote:

> [...] So sincerely I'm not sure what the problem is.
> Now someone mentioned that LAnet owned the block. If LAnet calls me up
> or sends me proper proof its their block I'd pull the announcement. Else,
> if someone here convinces me that its improper, I'll pull the announcement,

<sarcasm mode on>
"gee kid! you can't continue to hit up stores and gas stations like that! If I catch you the next time, there'll be SERIOUS consequences! Now, move along!" *pat-on-back*
</sarcasm>

That reminds me of UUnet and Teleglobe's treatment of rogue AS 16506 (ayayai.com/eveloz.com/SPEWS S1348) recently, when confronted with the unlikely possibility that a german steel mill had moved to the swamps of Panama (18.104.22.168/16). Teleglobe filtered the announcement after other people's intervention (but after ignoring 2 complaints pointing out the obvious from me) or made AS 16505 stop it with a "friendly warning", while UUnet outright denied being responsible, or AS 16506 being their customer to begin with (at least that's what the official email correspondence would make any reader believe); then went on with business as usual.

[ Nice going, UUnet.
Are your managers and VPs-of-something-or-other drawing matches over who will take the blame and go to prison for housing relay- and proxy-raping spamware sites ("burglary tools") in violation of the new Virginia spam law, and defending such hosting up to VP level for 2-3 years? (see www.spamhaus.org, there was a reference to that a while ago)]

> but on the surface I do think he's on ok Ground. I actually asked Emil to
> join the list and discussion on this I'm assuming its on topic.

Oh, didn't we look forward to that.

On 5/1/2003 at 1:42 AM, [email protected] wrote:

[reformatted to 78 columns - which some folks here will appreciate]

> Let's see if we can clarify this once and for all. ISD owner was a good
> friend of mine and helped me when I ran a computer store.

Good friends/individuals do not have /16's allocated to them. Big institutions have /16's. Such institutions are decidedly too busy and not in the business of helping other people run their computer stores.

> Without him I couldn't run the store and over the years I have repaid him
> for his contributions.

So nice!

> A few years ago I closed the computer store and started Atrivo.

Do you pay taxes in California, Emil? Is your business incorporated? If it's not incorporated, have you filed a D/B/A "Atrivo" with the state? (With apologies to Hank and Barry: http://www.nanog.org/mtg-0302/ppt/hank.pdf) "Pull over and show us your state incorporation certificate and business seal!"

> After discussing our expansion plans to Rob, I came to find out that he did
> possess a /16 which his now defunct company wasn't using anymore.

So his name is "Rob", hmm? Rob who? Care to name the defunct corporation, its corporate officers and provide us with the obvious link through http://kepler.ss.ca.gov/list.html ? ARIN will be most interested to hear that Rob believes he owns a /16. Is Rob the legal receiver of assets of his defunct corporation?
(never mind that allocated space is not a tangible asset that can be owned by ARIN's understanding).

But if we follow Richard Cox's posted lead:

http://euclid.math.brandeis.edu/turtschi/whois/netb22.html

dated Sept 19, 1999, containing the then-registrant of this /16:

22.214.171.124 ISD NET-LANET-1
9150 E. Imperial Hwy.
Downey, CA 90242

which leads us directly to:

http://www.google.com/url?sa=U&start=10&q=http://ops.co.la.ca.us/scripts/BrdLtExtnd4Cntrcts.9.23.02%2520for%2520WEB.pdf&e=912

dated Sept 19, 2002:

"5. ISD-Downey Data Processing Center 9150 East Imperial Highway, Downey 90242"

Leading me to believe that this /16 is allocated to Los Angeles County's data processing center, and not "Rob". How telling: points 2. through 4. in the document describe "District Attorney" facilities - an entity I took the liberty of Cc:'ing on this mail.

Why don't you turn yourself in for this great stunt at this point, Emil? I am sure that'll avoid unnecessary time spent in Lompoc or at the Pelican Bay State penitentiary.

> From that point I found out what it would take from Arin to have us use
> the space. We followed all the steps that Arin had told us to do.

I am sure that ARIN will make any emails regarding this available for scrutiny by a trusted party and the LA County DA's office.

> We of course wanted to update contact information to reflect the new change
> and so we can respond to any issues that may arrive running an ISP.

I am wondering what we will get if someone faxes the UPS Store and demands to see what you list as your corporate HQ on the paperwork when you opened that PO BOX. You ARE using the box for commercial purposes and in public, after all, which is enough to satisfy the disclosure requirements under Postal CMRA regulations.

> All our providers and vendors know us as a respectable company.
As long as the bills get paid on time, they will hardly if ever have a problem with the ongoing abuse from your netblock and the /16 that I continue to say is hijacked, for lack of further evidence beyond the information we have, and which evidence is establishing probable cause for that statement.

> There is nothing wrong that we have done and all this witch hunting is
> unjust and unfair. Might I mention that Spews, SpamHaus or anyone that has

Ugh, oh. The words "Witch hunt" and "SPEWS, Spamhaus" were uttered in the same breath. History will repeat itself.

> made these claims has not even attempted to give me a call.

You run an 'ISP' and expect to deal with such an affair without email, given the complexity of the affair?

On 5/1/2003 at 2:28 AM, Dan Hollis wrote and summed this up:

> Maybe because they expect your email to actually work, and don't
> care to spend money calling you long distance?
> You have got porno spammers in these netblocks scanning for open
> relays and relay raping innocent third parties.

read: repeat 'business' as far as abuse is concerned, and I think I have heard the word "null-route" once too many times by now. Null-route is not customer "termination and sanctions". Especially not when the source of abuse is going elsewhere in your space within a short period of time.

> I have even tried to make arrangements to meet up at the colo and to
> show anyone that we are for real. Of course this has been always declined.

No one here wants proof that you operate equipment in a datacenter. We already knew that.

> Well I don't know how much this will help, since it seems that no matter
> what I offer or do is just not enough. Maybe I have to give my DNA just to
> prove who I am?

Oh, we will reasonably believe that you exist and are a real person. Just like Nick Geyer. What we want is proof beyond a reasonable doubt that you didn't deceive ARIN or violate ARIN allocation rules in taking over that /16.
And that proof can't come from you at this point, for obvious lack of credibility, given the allegations and probable cause.

> Atrivo - Web Innovation
> Emil Kacperski
> Phone: 925-550-3947
> E-mail: [email protected]
> ICQ: 23531098

The unincorporated corporation operating out of a UPS Store, armed with a PacBell cell phone and an ICQ account, and proud POC of a /16. Are you implying that 1372 North Main Street, Ste #205, Walnut Creek, CA 94596, 925-627-2000 is no longer your business address/number?

And last but not least:

On 5/1/2003 at 2:20 AM, Scott Granados <[email protected]> wrote:

> I would also like to state on Emil's behalf [...]
> Emil has on many occasions restarted machines or helped with server
> work in the colos we occupy together

We see. I think that cooperation will be the subject of further questioning.

> I'll also publicly offer here to assist Emil in obtaining a direct
> allocation which would be entirely new if he wishes that may put this matter
> to bed as well.

I don't think the state allows routed Internet connections to where Emil might be heading next, so he might not be needing it. And if you are indeed sharing facilities like that, why did he need his own ASN?

> I'm quite certain that this has gone way way off topic however so I'll stop
> here and hopefully we can get back to more operational discussions.

"How to set up your route-prefix filters to drop all routes received with a specific AS present in the AS path" - but that wouldn't teach anyone here anything new.

Current routes for the /16:

126.96.36.199/19   16631 27595
188.8.131.52/24    16631
184.108.40.206/24  16631 (was 6939 26346 27595 earlier today)
220.127.116.11/24  16631 (was 6939 26346 27595 earlier today)
18.104.22.168/24   16631
22.214.171.124/24  11608 26346
126.96.36.199/32   11608 26346 (how does 11608 leak that into the Oregon-IX?)

(Scott said: "Can't have one on 188.8.131.52 I null routed it some time ago as it was a compromised machine." Gee.
So has anyone recorded this route, and if yes: when?)

184.108.40.206/24  11608 26346

Moved 2 /24's to Cogent in a hurry? And obviously, filtering 220.127.116.11/24 and 18.104.22.168/24 to world (except AS 27595 peering, with no-export set) would have been a grand idea for wworks.net (26346), but whaddaya know.

bye,
Kai
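Two points in the message above lend themselves to working code: the reply to the 6:20 PM mail (an announcement request for an entire /16 whose registry contact details changed days earlier deserves a different level of scrutiny than a stale but consistent /20, and a matching POC is not the same as a matching organization), and the closing remark about route-prefix filters that drop every route carrying a given AS in the AS path, together with the /32 leak in the route listing. The script below is an added example and is not code from the NANOG thread or from any party named in it. The whois-style record, the request, the thresholds (LARGE_PREFIX_MAXLEN, RECENT_CHANGE_DAYS, MAX_ACCEPTED_PREFIXLEN) and the route listing are all constructed for the example; the AS numbers in the listing are the ones the thread mentions, the prefixes are RFC 1918 space standing in for the block under discussion, and no output format of a real router or of ARIN whois is being reproduced.

```python
"""Two checks an upstream can run on a customer's prefix announcement.

Added example, not code from the NANOG thread. Everything below (record
layout, request fields, thresholds, route listing) is constructed.
"""
import ipaddress
from datetime import date

# Thresholds are assumptions for this example, not ARIN or NANOG policy.
LARGE_PREFIX_MAXLEN = 18      # /16 .. /18 count as a "large" block
RECENT_CHANGE_DAYS = 30       # registry record touched within 30 days is "fresh"
MAX_ACCEPTED_PREFIXLEN = 24   # anything longer is dropped at the edge


def request_scrutiny(request, whois_rec, today):
    """Return the reasons an announcement request must be verified out of
    band (registry phone number, the registrant organization itself) rather
    than by matching names in whois against the customer's paperwork.

    request:   {"prefix", "customer_org", "requested_by"}
    whois_rec: {"org_name", "tech_poc", "updated"}  (constructed, ARIN-like)
    Dates are ISO strings so the check is easy to drive from a ticket system.
    """
    reasons = []
    net = ipaddress.ip_network(request["prefix"], strict=False)
    if net.prefixlen <= LARGE_PREFIX_MAXLEN:
        reasons.append(f"large block (/{net.prefixlen})")
    age_days = (date.fromisoformat(today) - date.fromisoformat(whois_rec["updated"])).days
    if age_days <= RECENT_CHANGE_DAYS:
        reasons.append(f"registry record changed {age_days} day(s) ago")
    # Space is assigned to the organization, not to whoever holds the POC:
    # a matching POC with a different OrgName is exactly the thread's scenario.
    if whois_rec["org_name"].casefold() != request["customer_org"].casefold():
        reasons.append("OrgName in registry differs from the customer")
    if whois_rec["tech_poc"].casefold() != request["requested_by"].casefold():
        reasons.append("requester is not the registered POC")
    return reasons


def parse_route_listing(text):
    """Parse constructed 'prefix  as1 as2 ...' lines into (network, as_path)."""
    routes = []
    for line in text.strip().splitlines():
        prefix, *path = line.split()
        routes.append((ipaddress.ip_network(prefix, strict=False),
                       tuple(int(asn) for asn in path)))
    return routes


def as_path_contains(as_path, asn):
    """Same effect as an IOS-style as-path regex '_<asn>_': the AS appears
    anywhere in the path, whether as originator or as transit."""
    return asn in as_path


def filter_routes(routes, deny_asns, max_prefixlen=MAX_ACCEPTED_PREFIXLEN):
    """Split received routes into accepted ones and (route, reason) drops."""
    accepted, dropped = [], []
    for net, path in routes:
        hit = [asn for asn in deny_asns if as_path_contains(path, asn)]
        if hit:
            dropped.append(((net, path), f"AS {hit[0]} in path"))
        elif net.prefixlen > max_prefixlen:
            dropped.append(((net, path), f"/{net.prefixlen} longer than /{max_prefixlen}"))
        else:
            accepted.append((net, path))
    return accepted, dropped


# Constructed listing in the shape of the one at the end of the message
# (RFC 1918 prefixes; AS numbers as named in the thread).
ROUTE_LISTING = """
10.0.0.0/19   16631 27595
10.0.32.0/24  16631
10.0.48.0/24  6939 26346 27595
10.0.64.0/24  11608 26346
10.0.65.1/32  11608
"""

if __name__ == "__main__":
    # Hypothetical request: a /16, registry record changed five days ago,
    # POC matches the requester but the OrgName is a different organization.
    request = {"prefix": "10.0.0.0/16", "customer_org": "Example Hosting",
               "requested_by": "R. Example"}
    whois = {"org_name": "Example County Data Center", "tech_poc": "R. Example",
             "updated": "2003-04-25"}
    for reason in request_scrutiny(request, whois, "2003-04-30"):
        print("verify out of band:", reason)
    accepted, dropped = filter_routes(parse_route_listing(ROUTE_LISTING), {26346})
    for (net, path), why in dropped:
        print("drop", net, path, "-", why)
    print("accepted:", [str(net) for net, _ in accepted])
```

The scrutiny function deliberately reports every reason rather than a single verdict, so that a /20 with a stale but consistent record comes back empty while the thread's case (large block, fresh record, organization mismatch) comes back with three reasons even though the POC check passes. The route filter treats the AS-path match and the prefix-length limit as independent drop conditions, which is the same order an edge router applies them in: a route with the denied AS in its path never reaches the length check.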