I must have missed the thread on this, but is there a good summary available of exactly _how_ these netblocks are getting hijacked? Are they taking advantage of sloppy redistribution configurations, 0wning routers, spoofing OSPF updates, taking advantage of default static routes, or is there something more complicated at work? Are these attacks actually generating bogons, or are they isolated to ASNs they have at one point been legitimately announced by, and forgotten?

I can think up many more interesting applications for these kinds of ghost-nets than spamming, all of which are quite, if you'll pardon the pun, haunting.

--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
"chuck goolsbee" <chucklist@forest.net> 11/03/03 03:56pm >>>
All,

Sorry to interrupt any off-topic rambles, but I had a client call last week who had just had some telephone abuse heaped on them by somebody accusing them of spamming.

It turns out our client had a netblock assigned to them back in the mid-90s. They used to put on networking trade shows, and used the space for making show networks. They haven't put on a networking trade show (with a public network) since about 1997. Of course, to complicate the matter, the sole contact listed in whois no longer works there.

I informed our client how to remove their name from the whois record and relinquish the netblock back to ARIN, which I hope they are doing now. I also have (at the suggestion of some research through the nanog archives) submitted the netblock to the completewhois site. [I have no interest in commenting on the current inane OT nanog thread about that subject, so don't even try me.]

Mr. Thomas' cymru.com service was offline when I tried to contact it last week (he replied via email about an outage... sorry to hear... coffee will get there eventually. Order put to the roaster today. - hang in there.)

Of course I have no hard data, other than my client's phone call about another phone call, so I can't query based on a timestamp to see where this was being announced from. It appears to have vanished, and has remained so according to my casual glances here and there.

The netblock in question is: 204.89.0.0/21

So, my question is: Other than the above, and mentioning it here, is there anything else *I* can do to assist my client? Especially since I am not at all directly related to this netblock in any way. Additionally, it would not hurt to know if anyone here *does* know when or where the announcement came from.

The client in question are good folks, and I hate to see their reputation tainted by the actions of others.

Thanks,

--chuck goolsbee, digital.forest
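A small defender-side check for the situation described above, written as an added example (it is not part of this thread and not anyone's tool): given a route table dump in bgpdump -m one-line format, list every announcement that overlaps 204.89.0.0/21 and whose origin AS is not one the holder expects. The sample dump lines, peers, timestamps and ASNs below are constructed (private-range ASNs), and the holder has not announced the block since 1997, so the expected-origin set is empty and any hit is worth checking with the upstream or a looking glass.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in bgpdump -m style: one routing-table entry per line.
# Fields: type|unix_time|B|peer_ip|peer_as|prefix|as_path|origin_attr|...
# Peers, times and ASNs are made up for illustration; the last entry is
# an unrelated prefix that must not be reported.
SAMPLE_DUMP = """\
TABLE_DUMP2|1067880000|B|198.32.162.100|6447|204.89.0.0/21|6447 3356 64500|IGP|198.32.162.100|0|0||NAG||
TABLE_DUMP2|1067880000|B|198.32.162.100|6447|204.89.0.0/16|6447 1239 64501|IGP|198.32.162.100|0|0||NAG||
TABLE_DUMP2|1067880000|B|198.32.162.100|6447|204.89.4.0/22|6447 7018 {64502,64503}|IGP|198.32.162.100|0|0||NAG||
TABLE_DUMP2|1067880000|B|198.32.162.100|6447|10.0.0.0/8|6447 64504|IGP|198.32.162.100|0|0||NAG||
"""


def parse_entry(line):
    """Split one bgpdump -m line into (utc_timestamp, prefix, origin_as), or None."""
    fields = line.split("|")
    if len(fields) < 7 or fields[2] != "B":
        return None
    ts = datetime.fromtimestamp(int(fields[1]), tz=timezone.utc)
    prefix = ipaddress.ip_network(fields[5], strict=False)
    path = fields[6].split()
    if not path:
        return None
    # The rightmost path element is the origin; an AS_SET origin such as
    # {64502,64503} is kept as the comma-separated member list.
    origin = path[-1].strip("{}")
    return ts, prefix, origin


def find_unexpected_announcements(dump_text, target, expected_origins=frozenset()):
    """Return (timestamp, prefix, origin_as) for every entry that overlaps `target`
    (exact, more-specific or covering aggregate) with an origin not in expected_origins."""
    target_net = ipaddress.ip_network(target)
    hits = []
    for line in dump_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, prefix, origin = entry
        if prefix.overlaps(target_net) and origin not in expected_origins:
            hits.append((ts.isoformat(), str(prefix), origin))
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_announcements(SAMPLE_DUMP, "204.89.0.0/21"):
        print(*hit)
```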