nanog mailing list archives

Re[2]: Another possibly hijacked block - 160.116.0.0/16


From: william () elan net
Date: Tue, 13 May 2003 18:59:47 -0700 (PDT)


On Sun, 11 May 2003 22:26:46 -0700 (PDT), william () elan net wrote:
| In any case, this calls for active blocking of this /16 from anybody
| who does not want to provide services to spammers and ip hijackers.
| As for XO and Internap, (I'm sure somebody is here from these
| companies) - take notice and get rid of this customer!!!

Since clearing up the "Trafalgar House" hijacks, several people have
written me pointing out an even larger number of probably-hijacked
blocks that they think should be investigated.  I've researched what
I can, and drawn the attention of ARIN, and the relevant upstreams,
to BGP announcements that research suggests may be inappropriate.

What I have avoided doing is reporting all the gory details here,
except where there was some specific relevance in doing so.

  I agree with this, but I could not go any further on the South African 
block, needed help from somebody local to find out what company the block 
should belong now. But on my own I also did research on two other blocks 
hijacked by "Naronda/Publicom Gang" and announced through AS8143 - 
162.73.0.0/16 and 134.33.0.0/16. Owners of both of the blocks have been 
definitely identified (a lot more certain there than for 160.116.0.0/16 
block) and I've sent reports to these companies and to ARIN. 

  Based on these and other information, XO yesterday has stopped announcement
from AS8143 on their network. Only Internap remains, but I've been completely
unsuccessful on getting ANY response from their abuse team. As such I've 
focused on Internap upstreams - Verio and Global Crossing. Verio is more 
responsive and has already received all necessary information and will 
probably shut down their announcements after reviewing that, Global Crossing
security team still has not responded back to me though, I'm however still
hopeful that by tomorrow both Verio and Global Crossing will shut down
the hijacked block announcements through their networks.
 
I have, as promised, set up the mailing list - hijacked () numbering com
for reports and evaluation of likely incidents of IP block hijacking,
and if the outcome of any evaluation is that hijacking is confirmed,
the details can be sent to the upstreams and ARIN for consideration.
I would hope that ARIN and the major networks will want to join that
list and follow the discussions there anyway.

Great, I'll work with others on that list now.
And if anybody is interested in seeing details on findings on who the 
blocks hijacked by Naronda/Publicom Gang belong to, I'll post information
on that mailing list shortly.

That list is now open; initial requests have been added manually, and
anyone else who wishes to join will need to send the usual incantation
to majordomo () numbering com and then respond to the email challenge.

To avoid misunderstanding can I say very clearly that the "hijacked"
list will not be discussing any aspect of ARIN's (or indeed any other
registries') procedure or policies: such matters are more appropriate
to the individual policy fora of each registry/community.

At Matthew Sullivan's kind suggestion, a DNS-BL of confirmed hijacked
IP blocks is now live and available as a separate specific zone within
the SORBS project; details at http://www.dnsbl.sorbs.net  Networks can
therefore prevent abuse from hijacked netblocks by using SORBS' DNSBL.

Richard Cox


