nanog mailing list archives
Re: Prefix hijacking by Michael Lindsay via Internap
From: Denis Spirin <noc () link-telecom net>
Date: Wed, 31 Aug 2011 12:56:07 +0200
Hello All, let me tell you the end of the story of the hijacking of our networks.

So, at the end of July, we found that some of our networks were being announced somewhere without our permission. That was the illegal announcement from Internap. We sent a letter to Internap on August 11th. Internap replied by forwarding the fake LOA someone had sent from the domain link-telecom.biz on June 9th. Then Internap refused to reply to any mail from us until now.

Further investigation found that link-telecom.biz was our old domain, which we lost in February, and it was the contact e-mail listed in the RIPE database. In February our company was on the way to closing; nobody believed we would survive, so nobody cared about it. Then, when things went well, everybody just forgot about the old lost domain, as well as about updating the RIPE database with new contacts. I understand well why Internap announced our networks after the first letter from the then-current RIPE DB contact e-mail. But I don't understand why they didn't stop the announcement after the second (our) letter from the updated, actual contact with our explanation of the situation. Worst of all, the reverse DNS was delegated to the old lost domain, so the criminals got the rDNS too.

After the mail we sent to Internap, someone named Michael Lindsay contacted us and said it is his network! A bit of googling found he is a well-known hijacker and spammer, so of course we forwarded that to Internap. Without any reaction at all.

In this list (thank you a lot!!!) I got the advice to mail the uplinks of Internap, so I did that on August 25th. The first reply was from NTT; they started an investigation, and on the 29th they filtered the announcements. On the 29th Cogent replied too, and filtered out the illegal announcement. Those were all the replies I got. In parallel, I started to announce not only our networks but also more specific prefixes to our uplink in Moscow. Together with the rDNS redelegation, this made it impossible for Internap to use our networks (i.e. to do spamming), so they stopped the illegal activity yesterday. This is almost done, except for the long work of writing to a lot of mail reputation and blacklist operators to get our networks delisted.

So, no one is protected from IP network stealing. And no one cares. If Internap or its uplinks had been more clever and more insistent, we really had a chance of losing our networks forever. I am definitely sure we need to find and implement some practice for preventing IP hijacking. I dug into a lot of things about secure routing, PKI signing and so on: there are no working solutions now, and there will not be in the near future. But it is possible to negotiate and arrange a formal (administrative) best practice for resolving and preventing such issues. Are there any ideas?
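Two mechanisms in this thread decide whether a hijacked announcement actually attracts traffic: longest-prefix match (the more-specific prefixes the author announced from Moscow beat the hijacker's covering /24) and route-origin validation against signed ROAs (the "PKI signing" the author looked into). The following Python script is an added example, not code from the original post or from any operator named in it; it models a router's decision over a constructed routing table using documentation address space (192.0.2.0/24) and private ASNs (64500 as the legitimate origin, 64510 as the hijacker), and implements the RFC 6811 valid / invalid / not-found classification in a few lines so the two effects can be compared.

```python
"""Longest-prefix match vs. route-origin validation (constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: prefix, max allowed length, authorized ASN."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """One BGP announcement as a router sees it: prefix and origin ASN."""
    prefix: ipaddress.IPv4Network
    origin_asn: int


def validate_origin(route: Route, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.

    A route is covered by a ROA when its prefix lies inside the ROA prefix.
    It is valid when some covering ROA names the same origin ASN and the
    route is no more specific than that ROA's max length; covered but not
    matched means invalid; no covering ROA at all means not-found.
    """
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == route.origin_asn and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def best_route(dst: str, routes: Iterable[Route],
               roas: Iterable[Roa] = (), drop_invalid: bool = False) -> Optional[Route]:
    """Pick the route a router would use for dst.

    Only longest-prefix match is modelled; between equal-length prefixes
    max() keeps the first one listed, standing in for the path-attribute
    tie-break a real router would apply. With drop_invalid=True, routes
    classified 'invalid' by ROV are excluded before the comparison.
    """
    addr = ipaddress.ip_address(dst)
    candidates: List[Route] = []
    for r in routes:
        if addr not in r.prefix:
            continue
        if drop_invalid and validate_origin(r, list(roas)) == "invalid":
            continue
        candidates.append(r)
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed scenario: the legitimate holder (AS64500) has a ROA for its /24
# allowing announcements down to /25; AS64510 announces the same /24 without
# authorization, as in the incident described in the thread.
LEGIT_AS, HIJACK_AS = 64500, 64510
ROAS = [Roa(net("192.0.2.0/24"), 25, LEGIT_AS)]
HIJACK_24 = Route(net("192.0.2.0/24"), HIJACK_AS)
LEGIT_24 = Route(net("192.0.2.0/24"), LEGIT_AS)
LEGIT_25S = [Route(net("192.0.2.0/25"), LEGIT_AS),
             Route(net("192.0.2.128/25"), LEGIT_AS)]


def demo() -> dict:
    """Return which origin wins for one address under each countermeasure."""
    host = "192.0.2.200"
    return {
        # Same-length prefixes, no ROV: the hijack listed first wins the tie.
        "no_countermeasure": best_route(host, [HIJACK_24, LEGIT_24]).origin_asn,
        # More-specifics from the legitimate origin win on prefix length alone.
        "more_specifics": best_route(host, [HIJACK_24] + LEGIT_25S).origin_asn,
        # ROV drops the unauthorized /24 even without more-specifics.
        "rov_drop_invalid": best_route(host, [HIJACK_24, LEGIT_24],
                                       ROAS, drop_invalid=True).origin_asn,
    }


if __name__ == "__main__":
    for r in [HIJACK_24, LEGIT_24, *LEGIT_25S]:
        print(r.prefix, "AS%d" % r.origin_asn, validate_origin(r, ROAS))
    print(demo())
```

Both countermeasures have a cost the script makes visible: announcing /25s works only as long as peers accept prefixes that long, and ROV only helps on networks whose routers actually drop invalids, which is why a ROA with a tight max length (here 25) matters, since a ROA allowing /32 would let a hijacker's more-specific validate as well.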