On 4/29/2003 at 3:10 AM, Sean Donelan wrote on NANOG-L:
So which ISPs are confused? Bogons don't spontaneously occur in BGP. Some ASN must originate them, and ASNs must pass them to other ASNs. BGP helpfully includes the ASNs in the path.
What should be done about ASNs which repeatedly announce false or unauthorized routes?
Like: AS 15188 (rogue)? We call them "rogue AS's" around here - AS's that are not to be trusted under any circumstances; any routes announced from them should be blocked or dropped, and complaints about them should be sent to ALL AS upstreams of the 'rogue' at all times, unless the upstream itself is rogue (in which case complaints should also go to all non-rogue upstreams of the rogue upstream, you get the idea).

And to live up to Joe Provo's "Kai's post is not fiction." comment, oh, more true words have not been spoken lately. Here you have it RED HOT, for everyone to see, *in your face*:

I received 2 blank emails to stolen ARIN POCs a few minutes ago, presumably to scan if they are valid: a more primitive method (and one that sets off alarm bells) than required to establish (in-)validity of registered contacts for ARIN objects:

Received: from setsllg (mx110.freshnewideas.net [144.128.130.110])
        by speedus.com (8.9.3p2/8.9.3) with SMTP id LAA23999
        for <STOLEN_POC_FOR_AS15349>; Tue, 29 Apr 2003 11:44:53 -0400 (EDT)
Received-Date: Tue, 29 Apr 2003 11:44:55 -0400 (EDT)
From: Stacie <Beulafxv@24hr-savings.com>
To: <STOLEN_POC_FOR_AS15349>
Subject:
Date: Tue, 29 Apr 2003 10:46:08 -0400
Content-Type: text/plain

Received: from olfrrtg (mx219.freshnewideas.net [144.128.130.219])
        by conti.nu (8.9.3p2/8.9.3) with SMTP id LAA05363
        for <STOLEN_POC_FOR_KHS-ARIN>; Tue, 29 Apr 2003 11:56:53 -0400 (EDT)
Received-Date: Tue, 29 Apr 2003 11:56:53 -0400 (EDT)
X-Mailer-RCPT-To: <STOLEN_POC_FOR_KHS-ARIN>
From: Contessa <Carinaobn@24hr-savings.com>
To: <STOLEN_POC_FOR_KHS-ARIN>
Subject:
Date: Tue, 29 Apr 2003 10:58:03 -0400
Content-Type: text/plain

And this is coming from:

CIDR: 144.128.0.0/16
NameServer: NS1.DSI-NET.NET
NameServer: NS2.DSI-NET.NET
RegDate: 1990-12-13
Updated: 2003-04-27

Freshly updated (2 days ago). And the domain:

Domain name: DSI-NET.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Apr-2003.
Record expires on 19-Apr-2004.
Record Created on 19-Apr-2003.

Brand-spanking new, days before. And Tucows: again and again and again and again (insiders will know what I mean).

Announcing AS is AS 15188:

Routes transiting through or originating from AS 15188:
128.13.0.0/24 from AS: 15188 (upstreams: 12124)
128.13.1.0/24 from AS: 15188 (upstreams: 12124)
128.13.64.0/20 from AS: 15188 (upstreams: 12124)
128.13.96.0/19 from AS: 15188 (upstreams: 12124)
144.128.64.0/20 from AS: 15188 (upstreams: 12124)
144.128.128.0/19 from AS: 15188 (upstreams: 12124)

Woah, that's *TWO* stolen/hijacked /16's now.

Sole upstream: thorn.net (AS 12124) - courtesy CC:'d here, so that no one can say later "you didn't tell them".

http://www.ris.ripe.net shows (using RRC00):
- space in 144.128.0.0/16 first announced on: 2003-04-27
- no routes from AS 15188 from 2003-01-04 until 2003-04-22, when they started announcing out of 128.13.0.0/16

An unused AS that suddenly springs to life? Suspicion: AS is hijacked.

ASNumber: 15188
ASName: DIALI-INTERNETWORK-01
ASHandle: AS15188
Comment:
RegDate: 2000-03-31
Updated: 2000-03-31
TechHandle: BL374-ARIN

This handle however:

RegDate: 2000-03-31
Updated: 2003-04-21
Phone: +1-212-284-0189 (Office)
Email: bob_lowry@ureach.com

Updated the day before, and the email is a drop-box at an email/communications solutions provider; the phone number is an 'all circuits busy' (fast busy). A courtesy copy is going to abuse@ureach.com here.

Too bad ARIN's 'historic' records are not open for public inspection.

A search for "ureach.com +abuse" on Google Groups results in 1,850 hits. Certainly a popular "destination" for people wanting a "front" to hide behind.

We are giving this 9 out of 10 votes for "hijacked AS with no credibility".

But hey, we got more!

A quick Google search for historic records of 128.13.0.0/16 (the SECOND stolen/hijacked /16 this AS is announcing) turns up:
http://www.geocities.com/alias_faq/whois.htm :

NetHandle: NET-128-13-0-0-1
Parent: NET-128-0-0-0-0
NetType: Direct Assignment
NameServer: NIC.DSI.NET
NameServer: NOC.DSI.NET
Comment:
RegDate: 1983-02-24
Updated: 1992-07-17

DSI.net seems to have had new owners for quite a while, but this fits the scheme of using "similarly named" entities pretending to be the original entity owning the ARIN object(s). However, that record also shows:

TechHandle: SM73-ARIN
TechName: Miller, Steve
TechPhone: +1-617-873-3427
TechEmail: twb_help@bbn.com

And SM73-ARIN is now, you guessed it, the POC for both

CIDR: 128.13.0.0/16
RegDate: 1983-02-24
Updated: 2003-04-20

and

CIDR: 144.128.0.0/16
RegDate: 1990-12-13
Updated: 2003-04-27

with the SM73-ARIN handle now being:

Name: Miller, Steve
Handle: SM73-ARIN
Company:
Address: 30 west 32nd st
City: New York
StateProv: NY
PostalCode: 10016
Country: US
Comment:
RegDate: 1992-05-14
Updated: 2003-04-19
Phone: +1-212-431-4321 (Office)
Email: hostmaster@dsi-net.net

bbn.com (Genuity) most certainly wants to find out who twb_help@bbn.com was going to in recent times.

That phone number (212-431-4321) sure looks bogus as well, and the fact that it's ring-no-answer in the middle of the business day in New York certainly shows that it's not an "Office" number. A quick Google search turns up the phone number as the fax number of mouse.org, the "NYC Schools Volunteer Organization".

Everything covered?

That leaves a few more suspects: any and all domain names that follow have been registered in the last few days:

freshnewideas.net aka digitalstore-network.net, with nameservers in the stolen/hijacked space:

NS1.DIGITALSTORE-NETWORK.NET 128.13.0.90
NS2.DIGITALSTORE-NETWORK.NET 128.13.0.92

And that is:

Rita Lee Marketing Inc
901 Parkview Drive
King of Prussia, PA 19406
Lee, Rita funnelcake@rock.com
Lee, Rita gallopinto@rock.com
781.394.5655

(and remember, if it's "optin" by name, you can *really trust them*!)

Courtesy copy to rock.com (free email), to see if they really want to be implicated in a hijacked/stolen network case.

And the two domains: well, HELLO WORLD! Nice to see you! (reg'd 2/7 days ago) And always and again, the favorite registrar of IP space hijackers: Tucows.

Domain name: FRESHNEWIDEAS.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 26-Apr-2003.
Record expires on 26-Apr-2004.
Record Created on 26-Apr-2003.

Domain name: DIGITALSTORE-NETWORK.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2003.
Record expires on 21-Apr-2004.
Record Created on 21-Apr-2003.

And now a little rDNS-scanning:

144.128.129.1 mx1.freshgoods-2urdoorstep.com
  through
144.128.129.254 mx254.freshgoods-2urdoorstep.com

Domain name: FRESHGOODS-2URDOORSTEP.COM
Registrar of Record: TUCOWS, INC.
Record last updated on 26-Apr-2003.
Record expires on 26-Apr-2004.
Record Created on 26-Apr-2003.

And:

144.128.130.1 mx1.freshnewideas.net
  through
144.128.130.254 mx254.freshnewideas.net

And:

144.128.131.1 mx1.hightech-goods.com
  through
144.128.131.254 mx254.hightech-goods.com

Domain name: HIGHTECH-GOODS.COM
Registrar of Record: TUCOWS, INC.
Record last updated on 26-Apr-2003.
Record expires on 26-Apr-2004.
Record Created on 26-Apr-2003.

144.128.65.2 server2.digital-superstore.net

Domain name: DIGITAL-SUPERSTORE.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2003.
Record expires on 21-Apr-2004.
Record Created on 21-Apr-2003.

And now for the 128.13.0.0/16 space:

128.13.0.1 router.dsi-net.net
128.13.0.2 one.dsi-net.net
128.13.0.3 ns1.infinite-hosting.net
128.13.0.4 dnscache.dsi-net.net
128.13.0.5 mail.dsi-net.net
128.13.0.6 ns2.infinite-hosting.net

Domain name: INFINITE-HOSTING.NET
Hartford, Harry admin@infinite-hosting.com
732 Marysville Dr.
Jersey City, NJ 07305
US
201-239-6725
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Apr-2003.
Record expires on 19-Apr-2004.
Record Created on 19-Apr-2003.

"Infinite", eh? Yeah, with 2 /16's under the belt, it certainly feels that way - until sometime later this afternoon, I am sure!

128.13.0.30 ns1.hosted-here.com
128.13.0.32 ns2.hosted-here.com

Domain name: HOSTED-HERE.COM
Gee, there's Lee, Rita funnelcake@rock.com again!
Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2003.
Record expires on 25-Apr-2004.
Record Created on 25-Apr-2003.

There's certainly a party here:

128.13.64.128 mail.infinite-hosting.net
128.13.64.130 mail.hosted-here.com
128.13.64.132 mail.digital-superstore.net
128.13.64.134 mail.digitalstore-network.net

And 2 very lonely hosts:

128.13.96.7 server1.digital-superstore.net
128.13.126.7 test1.digital-superstore.net

Last but not least: the domain used for the From: address of the probing mails: 24hr-savings.com

Domain name: 24HR-SAVINGS.COM
Registrar of Record: TUCOWS, INC.
Record last updated on 10-Apr-2003.
Record expires on 10-Apr-2004.
Record Created on 10-Apr-2003.
NS1.INFINITE-HOSTING.COM 144.2.0.101
NS2.INFINITE-HOSTING.COM 144.2.0.102
Henderson, Dave contact@ultimate-savings.com
Ultimate Savings
1321 Mill Creek Drive
Cincinnati, OH 45221
513-261-1254

This is a bogus address, as far as Mapquest.com and Mapsonus.com are concerned.

This is one very big forged-identity, throwaway-domains fest here.

AS 15188 routes off into Null0 ....
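The investigation above does two things by hand that are worth automating: it pulls the connecting IP out of a Received: header, and it walks a route-table snapshot to find which AS originates the covering prefix and who carries it. The following is an added example (not code from the post or from NANOG) that performs the same trace offline. The route snapshot is constructed in the "prefix | AS path" shape that a bgpdump/RIS text export takes; the prefixes and the 15188-behind-12124 relationship are taken from the post, while the transit ASes in front of 12124 (3356) and the 144.2.0.0/16 line (701, 1) are assumed for illustration and carry no claim about the real 2003 routing table.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed route-table snapshot ("prefix | AS path", as in a bgpdump/RIS
# text export). Prefixes and the 12124 -> 15188 relation come from the post;
# the ASes in front of 12124 and the 144.2.0.0/16 line are assumed.
SNAPSHOT = """\
128.13.0.0/24    | 3356 12124 15188
128.13.1.0/24    | 3356 12124 15188
128.13.64.0/20   | 3356 12124 15188
128.13.96.0/19   | 3356 12124 15188
144.128.64.0/20  | 3356 12124 15188
144.128.128.0/19 | 3356 12124 15188
144.2.0.0/16     | 3356 701 1
"""

# First Received: header from the post, reflowed onto one line.
RECEIVED = ("Received: from setsllg (mx110.freshnewideas.net [144.128.130.110]) "
            "by speedus.com (8.9.3p2/8.9.3) with SMTP id LAA23999")

# ASNs the local policy treats as "rogue": drop their routes, complain upstream.
ROGUE_ASNS = {15188}


def parse_routes(text):
    """Return a list of (network, [asn, ...]) tuples, one per snapshot line."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, path = (part.strip() for part in line.split("|", 1))
        routes.append((ipaddress.ip_network(prefix), [int(a) for a in path.split()]))
    return routes


def by_origin(routes):
    """Map origin AS -> {prefix: set(upstream AS)}.  The upstream is the AS
    right before the origin in the path, which is what the post's
    '(upstreams: 12124)' listing shows."""
    report = defaultdict(lambda: defaultdict(set))
    for net, path in routes:
        entry = report[path[-1]][str(net)]
        if len(path) > 1:
            entry.add(path[-2])
    return report


def longest_match(routes, ip):
    """Longest-prefix match: (prefix, origin AS, upstream AS) or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    covering = [(net, path) for net, path in routes if addr in net]
    if not covering:
        return None
    net, path = max(covering, key=lambda r: r[0].prefixlen)
    return str(net), path[-1], (path[-2] if len(path) > 1 else None)


def received_ip(header):
    """Pull the bracketed literal IP (what the MTA actually saw) out of a
    Received: header; the hostname in front of it is attacker-controlled."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
    return m.group(1) if m else None


def classify(routes, header, rogue=ROGUE_ASNS):
    """Trace a Received: header to its origin AS and label the result."""
    ip = received_ip(header)
    if ip is None:
        return None, None, "no-ip"
    hit = longest_match(routes, ip)
    if hit is None:
        return ip, None, "unrouted"
    return ip, hit, ("rogue-origin" if hit[1] in rogue else "ok")


def covering_routes(routes, block):
    """Every snapshot entry inside `block`, e.g. all announcements carved out of a /16."""
    net = ipaddress.ip_network(block)
    return sorted(str(n) for n, _ in routes if n.subnet_of(net))


if __name__ == "__main__":
    routes = parse_routes(SNAPSHOT)
    for origin, prefixes in by_origin(routes).items():
        for prefix, ups in prefixes.items():
            print(f"{prefix} from AS: {origin} (upstreams: {' '.join(map(str, sorted(ups)))})")
    print(classify(routes, RECEIVED))
    print(covering_routes(routes, "144.128.0.0/16"))
```

Against the constructed snapshot the header resolves to 144.128.130.110, which longest-matches 144.128.128.0/19 originated by AS 15188 behind AS 12124, so the verdict is "rogue-origin"; an address in the assumed 144.2.0.0/16 line comes back "ok". Feeding it a real RIS dump is a matter of replacing SNAPSHOT with the export, and the by_origin report reproduces the "from AS ... (upstreams: ...)" listing the post shows, which is the list of parties a complaint has to reach.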