North American Network Operators Group


Fwd: [LN20080729.4147] RE: AS 28551

  • From: Marshall Eubanks
  • Date: Fri Aug 01 09:06:20 2008

I think that 161.164.248.0/21 and AS 28551 may be hijacked.

To summarize

AS 28551 is announcing 161.164.248.0/21

28551 is assigned to LACNIC but has not been assigned to an end user.
161.164.248.0/21 is assigned to WalMart
161.164.248.0/21 is currently routed through AS35681 - VINDAVA-AS - which is in Bucharest, Romania


I think that this is a bogon.

Regards
Marshall

P.S. I have asked WalMart about this, and received no response.


Begin forwarded message:


From: Lucas Graciano <[email protected]>
Date: July 31, 2008 1:10:25 PM EDT
To: Marshall Eubanks <[email protected]>
Cc: LACNIC Hostmaster <[email protected]>
Subject: Re: [LN20080729.4147] RE: AS 28551

Dear Sir,

This AS number is under administration by NIC.MX, but is a resource
that is not allocated yet!

Regards,

Hostmaster // Registration Service
========================================================

L A C N I C                            http://lacnic.net
Latin American and Caribbean Internet Addresses Registry
========================================================


On Tue, Jul 29, 2008 at 04:59:02AM -0400, Marshall Eubanks wrote:
Hello;

I contacted LACNIC (read below) to see if they actually did register AS
28551.


My question remains : Is there a reason for this ASN not to be in the
LACNIC whois, or is this a rogue ASN ?

Regards
Marshall Eubanks


On Jul 29, 2008, at 3:14 AM, Network Abuse wrote:



** This is an automatic message. **
** Please carefully read the information below. **

You have contacted LACNIC due to some abuse activity (spam, hacking, etc),
from an IP address allocated or assigned by LACNIC.

LACNIC is an RIR (Regional Internet Registry) for Latin America and
the Caribbean region. What that means is that LACNIC is responsible for
the IP address space and ASN allocation/assignment in this region.

As mentioned, the IP address in question was allocated by LACNIC to
some other organization or ISP in the region. So the abuse activity
originated in that organization's network, not in LACNIC.

You should query our whois database to get information about the
source of this abuse activity and the appropriate network contact.

LACNIC's whois is available at:
http://lacnic.net/cgi-bin/lacnic/whois

or via the command line:
whois -h whois.lacnic.net [IP ADDRESS]

Important Note:

----------------------------------------------------------------------
Addresses allocated to "Comite Gestor da Internet no Brasil" are those
allocated to the Brazilian NIR (Registro BR), and in this case you
might want to query their Whois database:
http://registro.br/cgi-bin/nicbr/whois
whois -h whois.nic.br [IP ADDRESS]
---------------------------------------------------------------------

Please note that LACNIC has no authority to investigate spam, hacking
or any other kind of network abuse activity committed by other
organizations. Nor can we punish other organizations' users.


More details are available at: http://lacnic.net/abuse

If this information did not help you, please reply to this message at
[email protected] and keep the subject line.

Regards,
LACNIC Hostmaster






----------Original Message

Hello;

AS 28551 is in an ASN block assigned to LACNIC and is showing up in my
BGP tables, but a whois returns a blank :


[[email protected] mcast]$ lacnic_whois 28551
[lacnic.net]

% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net


% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-07-29 03:13:17 (BRT -03:00)

% No match for "AS28551"

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Is there a reason for this, or is this a rogue ASN ?

Regards
Marshall Eubanks
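
The check made by hand in this thread (an origin AS with no registry record announcing a prefix registered to someone else), as an added example that is not part of the original messages. The function names, the AS path "35681 28551", the reply text for AS35681 and the reserved-ASN check are assumptions made for illustration; the whois replies are embedded so it runs offline.

```python
import ipaddress
import re

# Constructed whois replies: 28551 is reduced from the "No match" output quoted
# in the thread; the 35681 record is a made-up "registered" reply for contrast.
WHOIS_REPLIES = {
    28551: '% Joint Whois - whois.lacnic.net\n% No match for "AS28551"\n',
    35681: "aut-num: AS35681\nas-name: VINDAVA-AS\n",
}
# Prefix holder as stated in the thread; a real check would query the registry.
HOLDERS = {ipaddress.ip_network("161.164.248.0/21"): "WalMart"}
# Reserved or private 16-bit ASNs (AS 0, AS_TRANS, documentation, private use).
RESERVED = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534), (65535, 65535)]

def asn_unregistered(whois_text, asn):
    """True when the registry reply carries a 'No match' line for this ASN."""
    return re.search(rf'^%\s*No match for "AS{asn}"', whois_text, re.M) is not None

def origin_as(as_path):
    """Rightmost AS of the path; None if empty or ending in an AS_SET ({...})."""
    hops = as_path.split()
    if not hops or hops[-1].startswith("{"):
        return None
    return int(hops[-1])

def audit_route(prefix, as_path, whois=WHOIS_REPLIES, holders=HOLDERS):
    """Return the findings for one BGP table entry (empty list = nothing odd)."""
    net, findings = ipaddress.ip_network(prefix), []
    origin = origin_as(as_path)
    if origin is None:
        return ["origin is empty or an AS_SET; cannot attribute"]
    if any(lo <= origin <= hi for lo, hi in RESERVED):
        findings.append(f"AS{origin} is reserved/private")
    elif origin not in whois:
        findings.append(f"AS{origin}: no whois reply on file")
    elif asn_unregistered(whois[origin], origin):
        findings.append(f"AS{origin} has no registry record")
    # Name the registered holder only when the origin already looks wrong.
    holder = next((h for p, h in holders.items()
                   if p.version == net.version and net.subnet_of(p)), None)
    if findings and holder:
        findings.append(f"{net} is registered to {holder}: confirm the origin with them")
    return findings

if __name__ == "__main__":
    # Constructed table entry: the thread's prefix, seen via AS35681, origin AS28551.
    for line in audit_route("161.164.248.0/21", "35681 28551"):
        print(line)
```

In practice the `whois` mapping would be filled from live registry queries for each origin AS seen in the table.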