On Sun, 11 May 2003 22:26:46 -0700 (PDT), william@elan.net wrote:
| In any case, this calls for active blocking of this /16 from anybody
| who does not want to provide services to spammers and ip hijackers.
| As for XO and Internap, (I'm sure somebody is here from these
| companies) - take notice and get rid of this customer!!!
Since clearing up the "Trafalgar House" hijacks, several people have written me pointing out an even larger number of probably-hijacked blocks that they think should be investigated. I've researched what I can, and drawn the attention of ARIN, and the relevant upstreams, to BGP announcements that research suggests may be inappropriate.
What I have avoided doing is reporting all the gory details here, except where there was some specific relevance in doing so.
I agree with this, but I could not go any further on the South African block; I needed help from somebody local to find out what company the block should belong to now. But on my own I also did research on two other blocks hijacked by "Naronda/Publicom Gang" and announced through AS8143 - 162.73.0.0/16 and 134.33.0.0/16. Owners of both of the blocks have been definitely identified (a lot more certain there than for the 160.116.0.0/16 block) and I've sent reports to these companies and to ARIN. Based on this and other information, XO yesterday stopped announcements from AS8143 on their network. Only Internap remains, but I've been completely unsuccessful in getting ANY response from their abuse team. As such I've focused on Internap's upstreams - Verio and Global Crossing. Verio is more responsive and has already received all necessary information and will probably shut down their announcements after reviewing that. Global Crossing's security team still has not responded back to me, though; I'm however still hopeful that by tomorrow both Verio and Global Crossing will shut down the hijacked block announcements through their networks.
I have, as promised, set up the mailing list - hijacked@numbering.com for reports and evaluation of likely incidents of IP block hijacking, and if the outcome of any evaluation is that hijacking is confirmed, the details can be sent to the upstreams and ARIN for consideration. I would hope that ARIN and the major networks will want to join that list and follow the discussions there anyway.
Great, I'll work with others on that list now. And if anybody is interested in seeing details on findings on who the blocks hijacked by Naronda/Publicom Gang belong to, I'll post information on that mailing list shortly.
That list is now open; initial requests have been added manually, and anyone else who wishes to join will need to send the usual incantation to majordomo@numbering.com and then respond to the email challenge.
To avoid misunderstanding can I say very clearly that the "hijacked" list will not be discussing any aspect of ARIN's (or indeed any other registries') procedure or policies: such matters are more appropriate to the individual policy fora of each registry/community.
At Matthew Sullivan's kind suggestion, a DNS-BL of confirmed hijacked IP blocks is now live and available as a separate specific zone within the SORBS project; details at http://www.dnsbl.sorbs.net
Networks can therefore prevent abuse from hijacked netblocks by using SORBS' DNSBL.
Richard Cox