nanog mailing list archives
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
From: "Ronald F. Guilmette" <rfg () tristatelogic com>
Date: Wed, 30 Mar 2011 20:26:15 -0700
In message <AANLkTikEmpr3QvVDOrvUgRNZn0CnkoA4vTBta5Q3mBuN () mail gmail com>, you wrote:
This is an old enough "technique" dating back to a few years - re-registering an expired domain that belonged to the ARIN contact, and filling out the ISP paperwork.
FYI - That does not seem to have been what occured in the two particular cases I reported on today. The e-mail contact domain for the two relevant ARIN allocation records seems to still be in use by the chemical company, Hoechst Celanese. So that _really_ begs the question... Why did Circle Internet and (apparently) Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the crook who hijacked these two /16s had the right to use them? % traceroute to 148.163.5.2 (148.163.5.2), 64 hops max, 40 byte packets ... 8 ae-62-62.csw1.SanJose1.Level3.net (4.69.153.18) 42.796 ms ae-82-82.csw3.SanJose1.Level3.net (4.69.153.26) 44.268 ms ae-72-72.csw2.SanJose1.Level3.net (4.69.153.22) 43.296 ms 9 ae-4-90.edge8.SanJose1.Level3.net (4.69.152.212) 44.877 ms ae-3-80.edge8.SanJose1.Level3.net (4.69.152.148) 44.731 ms ae-1-60.edge8.SanJose1.Level3.net (4.69.152.20) 44.426 ms 10 BANDCON.edge8.SanJose1.Level3.net (4.53.30.42) 45.018 ms 45.779 ms 45.043 ms 11 148.163.5.2 (148.163.5.2) 44.820 ms 45.651 ms 44.571 ms In the case of Circle Internet, I feel sure that the check cleared, so they didn't see it as either necessary or useful to inquire further. But the question that I'd most like to get an answer to... and the one that nobody will likely ever get an answer to... is "Did BandCon likewise see that the check which was made out to them cleared, and that thus they didn't see fit to inquire any further?" Separately, Jim Gonzalez raised an interesting and related point... If I were to simply forge the sender address of an e-mail message, send it to Level3, and ask Level3 to route some arbitrary hunk of IP space for me, would Level3 just blindly do it? If so, I may perhaps see if I can have a bit of fun, at their expense, this weekend. I mean what the hay! It's pretty obvious that nobody from law enforcement has any interest in any of this crap, and that random bad actors can perpetrate whatever kinds of frauds they wish on the net with virtual impunity. So why should this hijacking crap only be a spectator's sport? Regards, rfg
Current thread:
- HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ronald F. Guilmette (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Bill Woodcock (Mar 30)
- RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Jim Gonzalez (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ronald F. Guilmette (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Suresh Ramasubramanian (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ronald F. Guilmette (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Brandon Ross (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Suresh Ramasubramanian (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ross Harvey (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Brandon Ross (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Owen DeLong (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Paul Ferguson (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Suresh Ramasubramanian (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Owen DeLong (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Suresh Ramasubramanian (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Christopher Morrow (Mar 31)
- RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Jim Gonzalez (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Bill Woodcock (Mar 30)