On 28 Apr 2003 21:55 (UT), "Christopher L. Morrow" <chris@UU.NET> wrote:

| Should any of the ISP community hold any responsibility to help the
| RIR's pull this space back when they are hijacked?

To me, the most important thing is that the ISP/carrier community should ensure that inappropriate route announcements are filtered. "Inappropriate" here means blocks that are either unallocated, or are being used without permission from the user to whom they were originally allocated. The issue of whether the blocks should be allocated (or not) doesn't come into this part of the analysis.

In the case I reported here a few weeks back, I'm glad to be able to announce that all those six blocks are now fully de-announced and the torrent of spam that was flowing from most of them has now stopped. That result couldn't have been achieved without the considerable help and advice I had from participants here, and the Security departments of the carriers that were innocent victims of the deception. So I'd like to thank them all for that help.

(There's obviously a lot of administrative work to do on putting the allocations involved back in order, and handing some of the IP space back, and that's the job in hand right now!)

What has become clear is that this was the tip of the iceberg ... the number of "lost" blocks that are being misused seems to be far greater than anyone expected. Since dealing with the first six, which became eight as a result of their association with two other blocks, two more hijacked Class B's have come to light - one was resolved earlier today.

| I would think ARIN/RIPE/APNIC would like to see ISP's email them
| blocks that are hijacked so they can reclaim them, or put them into
| a holding pen while they attempt to contact the owners... (then
| reclaim if no contacts can be made)

I doubt if ISPs will necessarily be able to do that, as the hijacked blocks were all in use with plausible credentials - mostly obtained by a combination of social engineering, and creating similar domains (or reviving old ones) to "grab" the necessary handles. Only by the very careful comparison of information about the original registrant will the real situation become evident.

In response to the requests I've had, I'm now creating a mailing list for anyone to report IP space that they believe has been hijacked, and the security teams from the major backbones will be welcome to join and take whatever action they see as appropriate when clear evidence is produced - the relevant registry will also be notified and they can, if they wish, review any potentially-problematic cases. Ultimately it's the registries' decision as to whether the current user is the same entity as the user to whom the space was originally assigned (or has the necessary authority to use it, according to each registry's stated policies); the mailing list will simply facilitate sharing the necessary information.

The list will be hijacked at numbering~com and the normal majordomo signup process will be available *shortly* but until then anyone who wants to be added should send mail decodable by carbon lifeforms, to listowner at numbering~com

--
Richard Cox