157.112.0.0/16 ARIN info updated, AT&T still announcing /16
From the [Hijacked] list:
The ARIN information has been updated to have up-to-date contact info for the original owner, the original owners' ISP is announcing 4 /18s but AT&T is still announcing 157.112.0.0/16. Can whoever's been bugging AT&T to stop announcing it to bug them some more?
abuse@att.net seems to be a dead horse - demands from numerous parties, including the owner of this /16 (the true source of records is JPNIC: whois -h whois.nic.ad.jp "157.112.0.0 /e" , ARIN has not proceeded with 'early registration' transfer of this group of records to JPNIC, it seems) that have been mailed there and to various other @att.net addresses, including their so-called "legal demands center" (that is reportedly hard to reach via email) have been summarily ignored, and we mean "/dev/null'd". AT&T, for lack of presenting any TRO forcing them to keep routing this, appears to willingly conspire with the Empire Towers IP space hijackers while presented with overwhelming evidence that whatever forged documents Empire Towers and Thomas Cowles may have presented to them are indeed that - forged. ARIN zapping the legacy record for this block apparently isn't convincing enough for them to stop announcing this route. The ISP for Systems Clipper Inc. (AS 23720) had started announcing a competing /16 almost 2 weeks ago, but for reasons obvious to nearly all members of this list, that of course wasn't good enough: it's four /18's now, and AT&T should be seeing none of the traffic just about now. If you are peering with AS 7018, a nicely worded email to your peering contacts expressing your concern with AT&T's non-existent cooperation in IP space hijacking cases would be appreciated. Thank you. bye,Kai ps: and this says nothing about the amount and nature of actual abuse that's been reported from this /16 while it originated from AS 7018.
--On Thursday, September 11, 2003 11:52 AM -0400 Kai Schlichting <kai@pac-rim.net> wrote:
From the [Hijacked] list:
The ARIN information has been updated to have up-to-date contact info for the original owner, the original owners' ISP is announcing 4 /18s but AT&T is still announcing 157.112.0.0/16. Can whoever's been bugging AT&T to stop announcing it to bug them some more?
abuse@att.net seems to be a dead horse - demands from numerous parties, including the owner of this /16 (the true source of records is JPNIC: whois -h whois.nic.ad.jp "157.112.0.0 /e" , ARIN has not proceeded with 'early registration' transfer of this group of records to JPNIC, it seems) that have been mailed there and to various other @att.net addresses, including their so-called "legal demands center" (that is reportedly hard to reach via email) have been summarily ignored, and we mean "/dev/null'd".
You might want to check your data. I stopped seeing 157.112.0.0/16 announced via AT&T earlier this week.
On Thu, Sep 11, 2003 at 12:32:58PM -0400, John Payne wrote:
--On Thursday, September 11, 2003 11:52 AM -0400 Kai Schlichting <kai@pac-rim.net> wrote:
From the [Hijacked] list:
The ARIN information has been updated to have up-to-date contact info for the original owner, the original owners' ISP is announcing 4 /18s but AT&T is still announcing 157.112.0.0/16. Can whoever's been bugging AT&T to stop announcing it to bug them some more?
abuse@att.net seems to be a dead horse - demands from numerous parties, including the owner of this /16 (the true source of records is JPNIC: whois -h whois.nic.ad.jp "157.112.0.0 /e" , ARIN has not proceeded with 'early registration' transfer of this group of records to JPNIC, it seems) that have been mailed there and to various other @att.net addresses, including their so-called "legal demands center" (that is reportedly hard to reach via email) have been summarily ignored, and we mean "/dev/null'd".
You might want to check your data. I stopped seeing 157.112.0.0/16 announced via AT&T earlier this week.
route-views.oregon-ix.net>sh ip bgp 157.112.0.0/16 | i 7018 5056 7018 3277 3267 3343 2603 3356 7018 11608 6461 7018 3356 7018 4513 7018 7018 1668 7018 852 3561 7018 6939 6461 7018 6395 7018 6395 7018 1299 7018 286 209 7018 5056 7018 3277 3267 3343 2603 3356 7018 11608 6461 7018 3356 7018 4513 7018 7018 1668 7018 852 3561 7018 6939 6461 7018 6395 7018 6395 7018 1299 7018 286 209 7018 [....more of the same] -- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
On Thu, 11 Sep 2003 16:32 UTC John Payne <john@sackheads.org> wrote: | I stopped seeing 157.112.0.0/16 announced via AT&T earlier this week. So did many people. That route came back again soon afterwards. I have received an assurance directly from senior AT&T management that the route has - in the last few minutes - been removed with prejudice. It will not be returning. We will now be working with AT&T management to help them to identify exactly and how where their internal processes failed on this issue. Way back on Thu, 10 Apr 2003 01:06 UTC I wrote: | I've been asked to draw the attention of Network administrators to the | recent hijacking of various large blocks of ARIN IP-space: particularly | six /16 blocks allocated to the London-based Trafalgar House Group. | | Trafalgar House Group (THG): | Trafalgar House Group TRAF (NET-144-176-0-0-1) 144.176.0.0/16 | Trafalgar House Group THIN1 (NET-144-177-0-0-1) 144.177.0.0/16 | Trafalgar House Group THIN3 (NET-144-179-0-0-1) 144.179.0.0/16 | Trafalgar House Group THIN4 (NET-144-180-0-0-1) 144.180.0.0/16 | Trafalgar House Group THIN5 (NET-144-181-0-0-1) 144.181.0.0/16 | Trafalgar House Group THIN2 (NET-158-181-0-0-1) 158.181.0.0/16 The other good news is that all those blocks have now been either returned to Aker Kvaerner Group (successors-in-title to Trafalgar House Group) or returned to ARIN for reuse, as appropriate. Any filters you routing people may have put in place to prevent abuse from those blocks can be - and, please, SHOULD be, removed as soon as practicable. The DNSBL entries for them at Spamhaus and SORBS have already been removed. Anyone wanting more information is welcome to join the "Hijacked" list (mailto:majordomo@numbering.com?subject="subscribe hijacked") which is where we discuss and resolve the Hijacking incidents as they occur. Most network operators are now represented there, and as a result we have been able to resolve most of the hijacking incidents within a very short time of their coming to notice. -- Richard Cox (Listowner, Hijacked List) Mandarin Technology Ltd, Wales \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Contribute to the SpamCon Legal Fund!! http://www.spamcon.org/legalfund/
Richard Cox wrote:
The other good news is that all those blocks have now been either returned to Aker Kvaerner Group (successors-in-title to Trafalgar House Group) or returned to ARIN for reuse, as appropriate. Any filters you routing people may have put in place to prevent abuse from those blocks can be - and, please, SHOULD be, removed as soon as practicable. The DNSBL entries for them at Spamhaus and SORBS have already been removed.
As a FYI, that class B appears to have gone totally silent on the spamming front on the 9th of Sept or thereabouts. We were getting ~40 attempts per day from it. If anybody needs samples, contact me - quickly. We only retain it for about two weeks. Spams all referencing www.dnt.opt.listaudit.biz (resolves to 141.152.34.207, apparently Verizon, also blacklisted as being part of Empire Towers) It's still listed on SPEWS. I killed our manual blacklisting.
On Thu, 11 Sep 2003, Kai Schlichting wrote:
AT&T, for lack of presenting any TRO forcing them to keep routing this, appears to willingly conspire with the Empire Towers IP space hijackers while presented with overwhelming evidence that whatever forged documents Empire Towers and Thomas Cowles may have presented to them are indeed that - forged.
Has anyone reported this to the FBI yet, along with a complaint that AT&T is a willing participant in the hijacking? -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
participants (6)
-
Chris Lewis -
Dan Hollis -
John Payne -
Kai Schlichting -
Richard Cox -
william+nanog@hq.dreamhost.com