In message <4fcb73bf-224f-e011-f310-522193c86667@efes.iucc.ac.il>, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
Just as an observer to your long resource theft postings:
- Do you attempt to contact directly the organization or person who has had their resource taken over?
To the extent that I can spare the time, and to the extent that I am able to do so, (which is often limited by time zone differences) yes, I do.
- Do they care or are they apathetic?
Before answering let me clarify first the two different classes of problems that I've most often been looking at. Everybody including myself has in the past used the term "hijack" but I'm going to try to stop doing that, in future, and instead use the more precise terms "squatting" and "theft", where "theft" involves a case where the relevant WHOIS records have been materially "fiddled" by the usurper.

In both cases, the usurpers generally aim, first and foremost, for the low hanging fruit, which is to say legacy blocks that were abandoned years and years ago, sometimes even decades ago, back when IP addresses had zero monetizable value.

When contacted, victims in these cases are typically at first utterly perplexed, and when I explain to them that I am trying to give them back stuff that they already own, and which in some cases is worth considerable money on the open market, they *do* look a gift horse in the mouth, and they assume, quite reasonably I think, given the current way of the world, that *I* am trying to run some kind of elaborate scam on them. It takes a lot of talking on my part to convince them that no, I'm actually just a good samaritan, and that no, I am -not- going to be asking them to first send any sort of "release fee" via Western Union or Bitcoin or WebMoney before they can have their own blocks back.

Even after they have been convinced that this ain't a scam and that they do own the stuff I say they own, most are often entirely lackadaisical about getting off their butts and then working with the relevant RIRs to get their own stuff back. Even when I try to get them fired up by telling them that "cybercriminals" have stolen their blocks, and the fact that evil that is being done under their names may negatively affect THEIR public reputations, it's still like watching paint dry, for me anyway. Clearly, nobody but me has any sense of urgency about these things at all.
- If the resource owner is nowhere to be found, why should we as a community care?
I'm so glad you asked. Before answering I should first note that it is actually quite rare when a sufficient amount of research on my part fails to turn up a relevant "successor or assign" which would, by rights, be the modern day entity with a legitimate claim on the asset. So the "nowhere to be found" case is by far the exception, rather than the rule.

Regardless, in -either- the case where no heir can be found -or- in the case where the rightful heir is either just too dumb or just too lazy to take the minimal steps necessary to reclaim the property (and/or before this has occurred) the community should care because the kind of people who either steal or squat on IPv4 blocks are, almost without exception, not the kind of people who anybody sane wants to be accepting packets from, let alone peering with. There is, in my opinion and experience, a high degree of correlation between skulduggery with respect to -obtaining- (illicitly) IPv4 address blocks and using those addresses in a manner which is not at all conducive to the general welfare of the Internet or its users.
Report it on some webpage and call it "Internet Resources stolen", document every incident as you do via email, send a copy to the appropriate RIR and upstream ISP allowing the hijack in question to show that you did the appropriate effort and we can then move on.
I can and will stop posting here, and go off and blog about this stuff instead, if the consensus is that I'm utterly off-topic or utterly uninteresting and useless. But a few folks have told me they find this stuff interesting, and it has operational significance, I think. So for now, at least, I'd like to continue to share here.

As regards to reporting to RIRs or upstreams, what makes you think that either of those would care one whit? The RIRs are not the Internet Police, or so I am told. They don't configure routers. Upstreams are, in my experience, utterly intransigent and unresponsive, especially in the absence of public exposure of the self-evident problem(s).... like the time I tried to get Telecom Italia to get off their asses and do something... anything... about their criminal mass squatting customer. It wasn't until much later on, after WhiteOps and Google had exposed the massive click fraud operation that was behind all that, that Telecom Italia saw fit to lift even a single finger to actually DO anything at all. And the last time I looked, Telecom Italia was *still* peering with the exact same crooked ASN, even though most or all of the people who were identified, by LE, as being behind it are nowadays facing numerous federal criminal charges here in the U.S.

Please remember also that there are two separate classes of problems involved here, i.e. mere "squatting" and separately, "theft", where some clever crook has managed to get in and actually fiddle with one or more RIR-maintained WHOIS records. I very explicitly -do not- want to just report this latter class of incidents exclusively and only to the RIRs themselves.
Some of these cases raise quite serious questions about the operation of and oversight of various RIRs, and I feel very strongly that those questions deserve to be kicked around in public, and not just between myself and the relevant RIRs, some of whom, at least, may have more than a little incentive to just sweep these things entirely under the carpet.

I apologize for being vague and non-specific. For now, I need to be. Later I will be providing further clarity to all I have said above.

Regards,
rfg