As some of you have seen from sessions today, hijacking of IPs has been noticed by many. I want to give a report of what the current situation is, as I've been monitoring known hijacked IP ranges and active use of those. The active list is included later in this email and is available online at http://www.completewhois.com/hijacked/hijacked_flist-bgp_routed_asannounced-...

First I want to thank quite a number of companies, both large and smaller, for helping to deal with this problem. By now very few IP blocks are left that were hijacked and are still in active use; in fact 1/2 of the ones left announcing space are victims that were resold the space (particularly in the 146.20.0.0/8 block; I wish they would finally renumber out of these blocks, some of them have had 4 months to do it from the original notice).

New hijacked blocks do not appear to be such a common occurrence by spammers, which makes things easier (but we must still remember what happened before, and all of you must remember to take care of the resources where you may be listed as an admin). If your company is being acquired, make sure that when you leave the company a new administrator is assigned from the new company (if this is not possible, inform ARIN that the IP block will be left without an active administrator and what led to this). Those of you that were administrators for companies no longer in business (even going back up to 10 years), please at some point, if you remember what the IP blocks were, check on what whois currently looks like and who that company's domains are registered to. If you find problems, address them to ARIN or to completewhois for investigation about what happened to the original company.

Now today at the NANOG meeting I was approached by a group of people concerned that there are too many names of network engineers listed on the site.
I have to point out that I make all possible efforts to contact network engineers and have them resolve questionable problems on their own - some just do not answer such emails, but others did, and netblocks with references to those people, no matter if those people may have been involved in hijacking or not, are not mentioned on the site. I would hope that I would not have to approach you in the first place, and considering the recent ARIN announcement http://www.arin.net/announcements/20031014.html (with which, BTW, I do not fully agree - reporting every case to authorities may be going too far - but they may not have any choice, either do it for all or for none), I hope that any of you that may have questionable blocks in current use would on your own stop and return them to the state they were in before in whois, or return them to ARIN, or continue using the blocks and apply to officially transfer them (remember ARIN currently does transfers at no extra charge, this will not last forever!!!).

The group that approached me had specific concerns because while some may have been mentioned on the site as directly involved in hijacking, which I think is appropriate to them, others may have been mentioned indirectly when their whois records were listed under some block's current use section. I want to stress that active use in no way implies any connection to hijacking; it is simply the result of DNS and related whois info on what the active use of the block is and what it has been (i.e. ISP customers, IRC, spam sites, etc.), and having it comes in very useful for correlation between different cases; people previously asked me to include it, in fact. To differentiate this data, I'm willing to put a disclaimer up in each file regarding data listed in the active use section. Please make your suggestions on the best text for this to me privately or on the hijacked mail list when I bring this topic up there.
I also understand that a number of people do not want Google and other search engines to be able to reference their names and other data if it's in the current use section. Please make suggestions on how to best achieve this without stopping Google from searching other sections of the site. Would the solution of separating current use data into separate files in a separate directory and putting a robots.txt file there work? Should I also make sure that people are only able to reference those files when they first looked at the data in the primary data file?

And understand that if I do not hear your concerns, I would not know what may be wrong with the completewhois hijacked section or what is done wrong as far as investigations go. I do answer emails, even if it may take several days sometimes, and have in the past made changes based on what has been suggested.

Now going back to the top of this post, below is the list of actively advertised hijacked blocks (the same program as has been used for bogon advertisements has been used here as well):

142.105.220.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.224.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.228.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.232.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
146.20.36.0/22 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.40.0/21 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.48.0/20 ## AS23131 : STARLAN : Starlan Communications Inc.
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/22 ## AS3638 : GLOBALI : Shaman Exchange, Inc.
146.20.80.0/21 ## AS12277 : TRACON : Tracon Industries
146.20.88.0/22 ## AS12277 : TRACON : Tracon Industries
192.107.49.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
198.182.182.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
199.245.138.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
203.29.33.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
203.29.34.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
203.30.20.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
203.30.26.0/23 ## AS3491 : CAIS-ASN : CAIS Internet
203.55.84.0/22 ## AS3409 : INET-1-AS : Internetworks, Inc.
204.155.240.0/20 ## AS16631 : COGENT-ASN : Cogent Communications

And for comparison, here is what this looked like on Sep 26th when I started active monitoring (I also have manual data from early August, but it would take too long to put it into email. I can say though that there were twice as many hijacked announcements then; things have really changed for good in the last several months as more people and the RIRs themselves became aware of these issues).

139.81.128.0/17 # AS22653 - GlobalCompass
142.105.0.0/21 # AS19800 - Grant County Public Utility
142.105.220.0/22 # AS3908 - Supernet
142.105.224.0/22 # AS3908 - Supernet
142.105.228.0/22 # AS3908 - Supernet
142.105.232.0/22 # AS3908 - Supernet
142.247.0.0/16 # AS577 - bell.ca (Note - this is proper announcement on behalf of MDS)
146.20.36.0/22 # AS20473 - NetTransactions
146.20.40.0/21 # AS20473 - NetTransactions
146.20.48.0/20 # AS23131 - Starlan
146.20.64.0/19 # AS12277 - Tracon
146.20.80.0/22 # AS3638 - Globali
146.20.80.0/21 # AS12277 - Tracon
146.20.88.0/22 # AS12277 - Tracon
150.112.0.0/16 # AS8121 - TCH/Layer42.net
157.112.0.0/16 # AS23720 - FUSIONGOL-AS-AP (Note - this is proper announcement, on behalf of Clipper)
166.88.0.0/16 # AS8121 - TCH/Layer42.net
167.179.0.0/16 # AS4768 - Clear Communications
192.107.49.0/24 # AS30080 - BA Consulting (hijacker used named), routed by AS3568 CW
198.133.167.0/24 # AS8121 - TCH/Layer42
199.245.138.0/24 # AS30080 - BA Consulting
203.4.160.0/24 # AS9826 - ILink.net
203.29.32.0/24 # AS9826 - ILink.Net
203.29.33.0/24 # AS3491 - CAIS
203.30.20.0/24 # AS3491 - CAIS
203.30.26.0/23 # AS3491 - CAIS
204.155.240.0/20 # AS16631 - Cogent
205.235.64.0/24 # AS29698 - Internet America LLC (hijacker named used)
205.235.69.0/24 # AS29698 - Internet America LLC
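
An added example, not part of the original post and not the completewhois monitoring program: one way to compare two such snapshots and see which prefixes were withdrawn, which are still announced, and which are new. It also goes one step beyond the lists by flagging more-specific prefixes whose origin AS differs from a covering prefix in the same snapshot. The function names are hypothetical and the sample data is a handful of entries copied from the two lists above.

```python
import ipaddress
import re

# Matches both list formats in the post, e.g.
#   "146.20.80.0/22 ## AS3638 : GLOBALI : Shaman Exchange, Inc."
#   "146.20.80.0/22 # AS3638 - Globali"
ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+#+\s+AS(\d+)\b")

def parse(snapshot):
    """Return {ip_network: origin ASN} for every well-formed line."""
    routes = {}
    for line in snapshot.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            routes[ipaddress.ip_network(m.group(1))] = int(m.group(2))
    return routes

def compare(old, new):
    """Return (withdrawn, still_announced, newly_seen) prefix lists."""
    return (sorted(old.keys() - new.keys()),
            sorted(old.keys() & new.keys()),
            sorted(new.keys() - old.keys()))

def split_origin_overlaps(routes):
    """More-specifics whose origin AS differs from a covering prefix."""
    return [(sub, routes[sub], sup, routes[sup])
            for sub in routes for sup in routes
            if sub != sup and sub.subnet_of(sup) and routes[sub] != routes[sup]]

# Subset of the Sep 26th list (assumption: a sample, not the full list).
SEP_26 = """\
142.105.0.0/21 # AS19800 - Grant County Public Utility
146.20.64.0/19 # AS12277 - Tracon
146.20.80.0/22 # AS3638 - Globali
146.20.80.0/21 # AS12277 - Tracon
203.29.33.0/24 # AS3491 - CAIS
"""
# Subset of the current list (assumption: a sample, not the full list).
NOW = """\
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/22 ## AS3638 : GLOBALI : Shaman Exchange, Inc.
146.20.80.0/21 ## AS12277 : TRACON : Tracon Industries
198.182.182.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
203.29.33.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
"""

if __name__ == "__main__":
    withdrawn, still, added = compare(parse(SEP_26), parse(NOW))
    print("withdrawn:", *withdrawn)
    print("new:", *added)
    for sub, a, sup, b in split_origin_overlaps(parse(NOW)):
        print(f"{sub} (AS{a}) is inside {sup} (AS{b})")
```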