-----Original Message----- From: Ronald F. Guilmette [mailto:rfg@tristatelogic.com] Sent: Thursday, September 30, 2010 10:48 PM To: nanog@nanog.org Subject: Re: AS11296 -- Hijacked? ================================================================ 63.247.172.3 ns1.tooplacedomain10tht.info 63.247.172.4 ns2.tooplacedomain10tht.info 63.247.181.3 ns1.steadyvolumebandw57.info 63.247.181.4 ns2.steadyvolumebandw57.info 63.247.185.19 ns1.magnumfourcompkriel.info 63.247.185.20 ns2.magnumfourcompkriel.info
... I would take more of an Occam's razor approach. If you have an AS that is supposedly an ISP in North Carolina or Ohio or wherever and first of all have only one way into their network (are they an ISP or are they simply reselling someone else's service?) and none of that connectivity traces back to their region of operation, and particularly where their name has been bought by or merged with someone else and that someone else is not announcing their AS and address blocks, then that is certainly cause for suspicion. "Hijacking" of defunct resources is probably a widespread activity. Finding the hijacked resources of companies that liquidated in fairly public fashion is probably easier than finding resources for a company that has been "laundered" through several mergers over several years where the current company doesn't even realize that they "own" the resources of a company bought by a company they bought because of personnel turnover involved with layoffs and such. To the general population of this list: Have you worked for a company that has liquidated? Are those Internet resource registrations still in whois? Maybe you should inform ARIN so those resources can be reclaimed. I did that when I noticed that a company I once worked for that evaporated still had resources in the database. That is just ASKING for someone to announce those resources and nobody is probably going to blink an eye because the upstreams rarely check to see if the entity they are talking to are actually authorized to announce that space. You tell them the ASN and net blocks, the two jibe, upstream says OK. How much address space is being wasted in this way? G