Re: The in-your-face hijacking example, was: Re: Who is announcing bogons?

[Scott Granados <scott () wworks net>]

When doing a look up at whois.arin.net the data looks correct, phone
numbers listed are correct, and more importantly bills sent to the address
listed get paid.  So since the whois data matches the customer and nobody
else announces the block I don't see the problem.  Clearly someone or
something at Arin has given authority to this block to be used and that
authorized figure has requested service from us.

I'm not sure the mission your on but it seems like a real misuse of time.
This customer isnot advertising someone elses space ie advertising
18.0.0.0 for a goof or to be disrupting services.  The customer has his
name attached to a block which appears in a public database and matches
the records we have internally for the customer.  I checked before
announcing the block and no other announcements existed not eeven from the
same AS at that time.  And this AS is a real AS so far as I can tell paid
for.  Unless I'm missing something obvious <which is possible> I don't see
the problem.


On Wed, 30 Apr 2003, Kai Schlichting wrote:

> On 4/30/2003 at 3:26 AM, Hank Nussbacher  wrote:
>
>
> > At 06:09 AM 30-04-03 +0000, Christopher L. Morrow wrote:
>
> > > That may be true, but what does a provider do when they are presented with
> > > written 'authority to use address space' from a customer? Certianly if the
> > > customer provides 'proper' documentation that the ip space is available
> > > for them to route, and that they have authority from the 'owner' to do
> > > this... what is an ISP to do? Aside from route the blocks?
>
> > A very valid question and one that all too few ISPs handle.  How many ISPs
> > have as part of their implementation/provisioning process an item called
> > "check IP address space against IRRs"?
>
> > I would suggest that written proof of ownership is not enough and that part
> > of the legal framework each ISP has customers complete that it state
> > something to the effect "IP address space and ASNs announced by the
> > customer must be properly registered in one of the online IRRs such as
> > ARIN, RADB, APNIC or RIPE and must reflect the name of the organization
> > placing the request."
>
> > -Hank
>
> It has been brought to my attention that such written/faxed authorization
> letters are outright forged at times. Copy&Paste job on the letterhead,
> an imaginary letterhead for a company that hasn't been in existence for
> years, etc.
>
> In light of the recent hijackings, any customer coming in the door with
> a /16 or with purported IP space located in a /16  that has been recently
> updated, but not routed, should be given the full royal treatment of a
> background check: Pull over and show us your state incorporation certificate
> and your seal...and dare you if the corporation is listed as "inactive"
> with the state, or the incorporation date is past the date the space was
> registered, or you don't have the paperwork showing your legal successorship
> to such corporation.
>
> The fact that a customer owns a domain that includes DNS servers and
> MX's for the registered POCs for a space means nothing (paging Scott
> Granados!). Just have a look at rogue AS 27595 (RegDate: 2003-04-07)
> (atrivo.com) interesting 'ownership' of some of their announced space:
>
>    OrgName:    ISD
>    OrgID:      ISD-1
>    Address:    180 Golf Club Road #118
>    City:       Pleasant Hill
>    StateProv:  CA
>    PostalCode: 94523
>
>    NetRange:   170.208.0.0 - 170.208.255.255
>    CIDR:       170.208.0.0/16
>    NetName:    LANET-1
>    NetHandle:  NET-170-208-0-0-1
>    Parent:     NET-170-0-0-0-0
>    NetType:    Direct Allocation
>    NameServer: MAIL.ATRIVO.COM
>    NameServer: PAVEL.ATRIVO.COM
>    Comment:
>    RegDate:    1995-01-05
>    Updated:    2003-03-04
>
> How many owners of a /16 do you know that use an MBE/UPS Store address
> as their primary place of business?
>
> This is matching the current ARIN POC for the space:
> Name:       Kacperski, Emil
> Handle:     EKA4-ARIN
> Company:    Atrivo
> Address:    180 Golf Club Road #118
> City:       Pleasant Hill
> StateProv:  CA
> PostalCode: 94523
>
> http://kepler.ss.ca.gov/list.html shows no fitting matches for "ISD"
> or "I.S.D." residing anywhere near Pleasanton, nor is there any
> corporation by the name of "Atrivo" in the California Republic.
>
>
> And comparing this record with a historical one shown at:
> http://spews.org/html/S2489.html shows:
>
>      OrgName:    ISD
>      OrgID:      ISD-1
>      Address:    1324 South Ridge Parkway
>      City:       Beverly Hills
>      StateProv:  CA
>      PostalCode: 90210
>      Updated:    2003-01-23
>
>      TechHandle: DS127-ARIN
>      TechName:   Shelley, Dennis
>      TechPhone:  +1-213-246-6565
>      TechEmail:  dshelley58 () netscape net
>
> This is a non-existing address as shown by Yahoo Maps, Mapquest and Mapsonus,
> in other words: pure fiction.
>
> Any other owners of freemail accounts in possession of a free /16 ?
>
> Paging ARIN: who or what is that "ISD" corporation that this /16 was
> originally assigned to, back in 1995 (a year before ARIN was formed)?
>
>
>
> In unrelated news: can someone explain to me the exact meaning of multiple
> AS numbers enclosed in {}'s (or []'s as far as RIS RIPE's display is
> concerned) at the end of the AS path?
>
> *  162.33.64.0/19   207.246.129.6                          0 11608 2914 3356 14390 {22714,27481} i
> *                   4.0.4.90              1080             0 1 701 14390 {22714,27481} i
> *                   203.194.0.5                            0 9942 1 701 14390 {22714,27481} i
> *                   192.205.31.33                          0 7018 3356 14390 {22714,27481} i
> *                   195.66.224.82        31502             0 4513 3356 14390 {22714,27481} i
> *                   216.140.2.59           981             0 6395 3356 14390 {22714,27481} i
>
> I am familiar with announcements with inconsistent AS's, but what exactly does
> the above mean?
>
> bye,Kai