I think that 161.164.248.0/21 and AS 28551 may be hijacked.

To summarize:

AS 28551 is announcing 161.164.248.0/21
28551 is assigned to LANIC but has not been assigned to an end user.
161.164.248.0/21 is assigned to WalMart
161.164.248.0/21 is currently routed through AS35681 - VINDAVA-AS - which is in Bucharest, Romania

I think that this is a bogon.

Regards
Marshall

P.S. I have asked WalMart about this, and received no response.

Begin forwarded message:
From: Lucas Graciano <hostmaster@lacnic.net>
Date: July 31, 2008 1:10:25 PM EDT
To: Marshall Eubanks <tme@multicasttech.com>
Cc: LACNIC Hostmaster <hostmaster@lacnic.net>
Subject: Re: [LN20080729.4147] RE: AS 28551
Dear Sir,
This AS number is under administration by NIC.MX, but is a resource that is not allocated yet!
Regards,
Hostmaster // Registration Service
========================================================
L A C N I C http://lacnic.net
Latin American and Caribbean Internet Addresses Registry
========================================================
On Tue, Jul 29, 2008 at 04:59:02AM -0400, Marshall Eubanks wrote:
Hello;
I contacted LANIC (read below) to see if they actually did register AS 28551.
My question remains : Is there a reason for this ASN not to be in the LACNIC whois, or is this a rogue ASN ?
Regards Marshall Eubanks
On Jul 29, 2008, at 3:14 AM, Network Abuse wrote:
** This is an automatic message. **
** Please carefully read the information below. **
You have contacted LACNIC due to some abuse activity (spam, hacking, etc), from an IP address allocated or assigned by LACNIC.
LACNIC is an RIR (Regional Internet Registry) for Latin America and the Caribbean region. What that means is that LACNIC is responsible for the IP address space and ASN allocation/assignment in this region.
As mentioned, the IP address in question was allocated by LACNIC to some other organization or ISP in the region. So the abuse activity originated in that organization's network, not in LACNIC.
You should query our whois database to get information about the source of this abuse activity and the appropriate network contact.
LACNIC's whois is available at: http://lacnic.net/cgi-bin/lacnic/whois
or via the command line: whois -h whois.lacnic.net [IP ADDRESS]
Important Note:
----------------------------------------------------------------------
Addresses allocated to "Comite Gestor da Internet no Brasil" are those allocated to the Brazilian NIR (Registro BR), and in this case you might want to query their Whois database:
http://registro.br/cgi-bin/nicbr/whois
whois -h whois.nic.br [IP ADDRESS]
---------------------------------------------------------------------
Please note that LACNIC has no authority to investigate spam, hacking or any other kind of network abuse activity committed by other organizations. Nor can we punish other organizations' users.
More details are available at: http://lacnic.net/abuse
If this information did not help you, please reply to this message at hostmaster@lacnic.net and keep the subject line.
Regards, LACNIC Hostmaster
----------Original Header
From tme@multicasttech.com Tue Jul 29 04:14:07 2008
Return-Path: <tme@multicasttech.com>
X-Original-To: whois-contact@lacnic.net
Delivered-To: whois-contact@lacnic.net
Received: from localhost (localhost [127.0.0.1])
    by mail.lacnic.net (Postfix) with ESMTP id C6A23B9C3
    for <whois-contact@lacnic.net>; Tue, 29 Jul 2008 04:14:07 -0300 (BRT)
X-Virus-Scanned: amavisd-new at lacnic.net
X-Spam-Score: -2.407
X-Spam-Level:
X-Spam-Status: No, score=-2.407 tagged_above=-99 required=4 tests=[AWL=0.192, BAYES_00=-2.599]
Received: from mail.lacnic.net ([127.0.0.1])
    by localhost (mail.lacnic.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 7B1tNXyA0p7h for <whois-contact@lacnic.net>;
    Tue, 29 Jul 2008 04:14:05 -0300 (BRT)
X-Greylist: delayed 3599 seconds by postgrey-1.27 at mail.lacnic.net; Tue, 29 Jul 2008 04:14:04 BRT
Received: from multicasttech.com (lennon.multicasttech.com [63.105.122.7])
    by mail.lacnic.net (Postfix) with ESMTP id DB5F5B9C0
    for <whois-contact@lacnic.net>; Tue, 29 Jul 2008 04:14:04 -0300 (BRT)
Received: from [63.105.122.7] (account marshall_eubanks HELO [IPv6:::1])
    by multicasttech.com (CommuniGate Pro SMTP 3.4.8) with ESMTP-TLS id 12277392
    for whois-contact@lacnic.net; Tue, 29 Jul 2008 02:14:04 -0400
Message-Id: <DBB7E3A2-E4AB-4A43-8362-720FBDE289CC@multicasttech.com>
From: Marshall Eubanks <tme@multicasttech.com>
To: whois-contact@lacnic.net
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v926)
Subject: AS 28551
Date: Tue, 29 Jul 2008 02:14:03 -0400
X-Mailer: Apple Mail (2.926)
----------Original Message

Hello;

AS 28551 is in an ASN block assigned to LACNIC and is showing up in my BGP tables, but a whois returns a blank :
[tme@lennon mcast]$ lacnic_whois 28551
[lacnic.net]

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-07-29 03:13:17 (BRT -03:00)

% No match for "AS28551"

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
Is there a reason for this, or is this a rogue ASN ?
Regards Marshall Eubanks
On 08-08-01 at 15:05, Marshall Eubanks wrote:
I think that 161.164.248.0/21 and AS 28551 may be hijacked.
traceroute to 161.164.248.1 (161.164.248.1), 64 hops max, 40 byte packets
<snip>
7 tengige0-3-0-3.auvtr1.Aubervilliers.opentransit.net (193.251.241.253) 78.728 ms 79.154 ms 79.548 ms
8 tengige0-3-0-1.ffttr1.FrankfurtAmMain.opentransit.net (193.251.241.254) 85.894 ms 86.476 ms 86.701 ms
9 64.208.110.229 (64.208.110.229) 86.312 ms 87.509 ms 87.463 ms
10 Alestra-S-De-R-L-De-CV-San-Pedro-Garza.so-0-2-0.ar1.MEX1.gblx.net (208.48.33.78) 266.280 ms Alestra-S-De-R-L-De-CV-Lago-Zurich.so-0-2-2.ar1.MEX1.gblx.net (64.215.25.70) 262.566 ms Alestra-S-De-R-L-De-CV-San-Pedro-Garza.so-1-1-0.ar1.MEX1.gblx.net (208.48.238.98) 473.559 ms
11 host-201-151-29-61.block.alestra.net.mx (201.151.29.61) 260.021 ms 433.502 ms 259.899 ms
12 host-201-151-29-42.block.alestra.net.mx (201.151.29.42) 661.863 ms 256.985 ms 434.032 ms
13 * * *

As well AS paths shown from route-views.ip.att.net end with AS11172 (alestra) then AS28551.

Perhaps Walmart is providing Internet access for its maquiladoras? ;)

Cheers,
-w
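
The check made in this thread (an origin ASN that shows up in BGP while the registry whois answers "No match") can be automated. The following is an added Python example, not part of the original messages; the route table, the second whois record, AS64496, AS64500, AS64511 and the function names are constructed for illustration.

```python
import re

# Constructed sample data. The "No match" text copies the LACNIC whois output
# quoted in the thread; AS64496/AS64500/AS64511 are documentation values.
WHOIS_RESPONSES = {
    28551: '% Joint Whois - whois.lacnic.net\n\n% No match for "AS28551"\n',
    64500: "% constructed record\naut-num: AS64500\nowner: Example Net\n",
}
# (prefix, AS path) pairs as they would appear in a BGP table. The path for
# 161.164.248.0/21 ends in AS11172 then AS28551, as reported in the thread.
ROUTES = [
    ("161.164.248.0/21", [64496, 11172, 28551]),
    ("192.0.2.0/24", [64496, 64500]),
    ("198.51.100.0/24", [64496, 64511]),  # no whois answer collected
]

NO_MATCH = re.compile(r'^%\s*No match for "AS(\d+)"', re.MULTILINE)

def registry_status(asn, whois_text):
    """Classify one whois answer as 'registered', 'unregistered' or 'unknown'."""
    if whois_text is None:
        return "unknown"          # lookup failed or was never made
    m = NO_MATCH.search(whois_text)
    if m and int(m.group(1)) == asn:
        return "unregistered"     # registry explicitly has no record
    # Any non-blank line that is not a '%' comment counts as record data.
    has_record = any(l.strip() and not l.startswith("%")
                     for l in whois_text.splitlines())
    return "registered" if has_record else "unknown"

def audit_origins(routes, whois_responses):
    """Return (prefix, origin ASN, upstream ASN, status) for each route."""
    findings = []
    for prefix, path in routes:
        origin = path[-1]                          # last ASN originates the prefix
        upstream = path[-2] if len(path) > 1 else None
        status = registry_status(origin, whois_responses.get(origin))
        findings.append((prefix, origin, upstream, status))
    return findings

if __name__ == "__main__":
    for prefix, origin, upstream, status in audit_origins(ROUTES, WHOIS_RESPONSES):
        flag = "  <-- investigate" if status == "unregistered" else ""
        print(f"{prefix} origin AS{origin} via AS{upstream}: {status}{flag}")
```

A missing or comment-only whois answer is reported as "unknown" rather than "unregistered", so a failed lookup is not mistaken for a registry statement that the ASN has no record.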