RE: Hijacking of address blocks assigned to Trafalgar House Group , London UK
Maybe they should do everyone a favor and return the hijacked blocks to ARIN.... I mean hell, does anyone really think that they have 6 /16's worth of machines directly accessible via the 'net?

Obviously if they have been hijacked and the admins had the time to post here about it, it's not the end of the world for them...

Just a little something to fuel a Sunday flamewar :-)

-Dave

-----Original Message-----
From: bdragon@gweep.net [mailto:bdragon@gweep.net]
Sent: Saturday, April 12, 2003 7:19 PM
To: richard@mandarin.com
Cc: nanog@merit.edu
Subject: Re: Hijacking of address blocks assigned to Trafalgar House Group, London UK
Hello!
I've been asked to draw the attention of Network administrators to the recent hijacking of various large blocks of ARIN IP-space: particularly six /16 blocks allocated to the London-based Trafalgar House Group.
Trafalgar House Group (THG):

Trafalgar House Group TRAF  (NET-144-176-0-0-1) 144.176.0.0/16
Trafalgar House Group THIN1 (NET-144-177-0-0-1) 144.177.0.0/16
Trafalgar House Group THIN3 (NET-144-179-0-0-1) 144.179.0.0/16
Trafalgar House Group THIN4 (NET-144-180-0-0-1) 144.180.0.0/16
Trafalgar House Group THIN5 (NET-144-181-0-0-1) 144.181.0.0/16
Trafalgar House Group THIN2 (NET-158-181-0-0-1) 158.181.0.0/16
An example of why allocation boundary based prefix-filters are a good thing.
On 13 Apr 2003 15:11 UTC, David Temkin <temkin@sig.com> wrote:
| Maybe they should do everyone a favor and return the hijacked blocks
| to ARIN.... I mean hell, does anyone really think that they have
| 6 /16's worth of machines directly accessible via the 'net?

Maybe so indeed. We've been asked to help clear up the mess, and to my mind it's far more important to limit the damage to the rest of the net from the hard-to-trace abuse and the other evils that were the reason why the blocks were hijacked in the first place, than to deal with the consequential admin issues. But those issues *will* be addressed.

So that's why we first gave you all an update on what was happening, while I try to reach the security teams at the networks that are still allowing the bogus announcements to go out. Sprint responded quickly, and thanks to those of you here who mailed me better contact details, I was able to reach Telia who filtered their announcements promptly. Some networks however are proving rather more difficult to "reach"!

Once we've shut the abuse down, we'll be sure to brief Aker Kvaerner's management on all the issues involved and, from what I've seen so far, I'm completely satisfied that they will then "do the right thing".

| Obviously if they have been hijacked and the admins had the time
| to post here about it, it's not the end of the world for them...

Aker Kvaerner were until last week unaware that the company they had acquired had ever had any allocations from ARIN. We've been asked to clear up the mess, and to that extent only we are the "admins".

When one of the hijackers lost their connection, and was immediately able to get a new connection from another provider, we realised just how important it was to ensure that network operators were generally made aware of what was going on: firstly so that they didn't inadvertently allow anyone else to announce anything in those netblocks, and also so that any network could, if they wished, keep traffic from those netblocks off their systems.

At our request ARIN have now deleted all contact handles from those blocks, so that further identity-spoofing should be more difficult.

--
Richard Cox
Mandarin Technology Ltd, Penarth, UK
> On 13 Apr 2003 15:11 UTC, David Temkin <temkin@sig.com> wrote:
> Maybe they should do everyone a favor and return the hijacked blocks
> to ARIN.

That's pronounced "RIPE" in European, that language they speak over there.

-Bill
On Sun, 13 Apr 2003 16:26:36 -0700 (PDT), Bill Woodcock <woody@pch.net> wrote:
|> On 13 Apr 2003 15:11 UTC, David Temkin <temkin@sig.com> wrote:
|> Maybe they should do everyone a favor and return the hijacked blocks
|> to ARIN.
|
| That's pronounced "RIPE" in European, that language they speak over there.

No way. These were indeed ARIN blocks - if you check the list which I originally posted you will see that they are registered with ARIN. Possibly the date the original allocation was made may be significant?

--
Richard Cox
Mandarin Technology Ltd, Penarth, UK
On Mon, 14 Apr 2003, Richard Cox wrote:
> No way. These were indeed ARIN blocks - if you check the list which
> I originally posted you will see that they are registered with ARIN.
> Possibly the date the original allocation was made may be significant?

ARIN was the Registry of Last Resort for legacy allocations, yes, but that responsibility has been divided between the RIRs based on locality of the registrant, now.

-Bill
Bill Woodcock wrote:

> On Mon, 14 Apr 2003, Richard Cox wrote:
> > No way. These were indeed ARIN blocks - if you check the list which
> > I originally posted you will see that they are registered with ARIN.
> > Possibly the date the original allocation was made may be significant?
>
> ARIN was the Registry of Last Resort for legacy allocations, yes, but that responsibility has been divided between the RIRs based on locality of the registrant, now.

No, it hasn't, yet. ARIN is currently moving the legacy allocations to the appropriate RIR for the regions, but that process is done /8-at-a-time & the /8s that the Trafalgar House Group /16s are in have not been transferred yet.
On Mon, 14 Apr 2003, Roland Verlander wrote:
> > ARIN was the Registry of Last Resort for legacy allocations, yes, but that
> > responsibility has been divided between the RIRs based on locality of the
> > registrant, now.
>
> No, it hasn't, yet. ARIN is currently moving the legacy allocations to the
> appropriate RIR for the regions, but that process is done /8-at-a-time & the
> /8s that the Trafalgar House Group /16s are in have not been transferred
> yet.

Okay, okay, you've done your homework, I haven't. :-)

-Bill
Richard Cox wrote:

> On 13 Apr 2003 15:11 UTC, David Temkin <temkin@sig.com> wrote:
> | Maybe they should do everyone a favor and return the hijacked blocks
> | to ARIN.... I mean hell, does anyone really think that they have
> | 6 /16's worth of machines directly accessible via the 'net?
>
> Maybe so indeed. We've been asked to help clear up the mess, and to my mind it's far more important to limit the damage to the rest of the net from the hard-to-trace abuse and the other evils that were the reason why the blocks were hijacked in the first place, than to deal with the consequential admin issues. But those issues *will* be addressed.

If it is possible to get the old whois of those blocks from around ~8 months ago from ARIN it will be much easier to find out how they were hijacked.

> So that's why we first gave you all an update on what was happening, while I try to reach the security teams at the networks that are still allowing the bogus announcements to go out. Sprint responded quickly, and thanks to those of you here who mailed me better contact details, I was able to reach Telia who filtered their announcements promptly.

There are still some active routes - the block hijacker is leasing out SWIP'd chunks of 144.176.0.0/16 to spammers who have to find their own routing. One of the SWIP'd chunks of it owned by a spammer that is being announced is 144.176.209.0/24 (Empire Towers, routed to Sprint in the USA).

> Some networks however are proving rather more difficult to "reach"!
>
> Once we've shut the abuse down, we'll be sure to brief Aker Kvaerner's management on all the issues involved and, from what I've seen so far, I'm completely satisfied that they will then "do the right thing".
>
> | Obviously if they have been hijacked and the admins had the time
> | to post here about it, it's not the end of the world for them...
>
> Aker Kvaerner were until last week unaware that the company they had acquired had ever had any allocations from ARIN. We've been asked to clear up the mess, and to that extent only we are the "admins". When one of the hijackers lost their connection, and was immediately able to get a new connection from another provider, we realised just how important it was to ensure that network operators were generally made aware of what was going on: firstly so that they didn't inadvertently allow anyone else to announce anything in those netblocks, and also so that any network could, if they wished, keep traffic from those netblocks off their systems.
>
> At our request ARIN have now deleted all contact handles from those blocks, so that further identity-spoofing should be more difficult.

There are still a lot of SWIPs made to spammers out of those blocks w/ contact handles such as 144.176.208.0/20.
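Added example, not from any of the participants in this thread: a small allocation-boundary prefix check of the kind bdragon's remark at the top of the thread refers to, run against the SWIP'd more-specifics named in the last message. The allocation list is the six THG /16s quoted from ARIN earlier in the thread; the received announcements are a constructed sample in which only 144.176.209.0/24 and 144.176.208.0/20 come from the thread and the rest are stand-ins. The function names `classify` and `audit` and the verdict strings are my own; a production filter would of course carry every allocation the operator accepts, not six.

```python
import ipaddress
from typing import Iterable, Mapping

# Registered allocation boundaries, taken from the THG list quoted earlier
# in the thread. Only these six are loaded; the point is the mechanism.
ALLOCATIONS = [ipaddress.ip_network(p) for p in (
    "144.176.0.0/16", "144.177.0.0/16", "144.179.0.0/16",
    "144.180.0.0/16", "144.181.0.0/16", "158.181.0.0/16",
)]

# Blocks an operator has chosen to refuse outright, i.e. Richard Cox's
# "keep traffic from those netblocks off their systems" option. Here that
# is the same six /16s.
HIJACKED = list(ALLOCATIONS)


def classify(prefix: str, allocations: Iterable[ipaddress.IPv4Network],
             blocked: Iterable[ipaddress.IPv4Network] = ()) -> str:
    """Decide what to do with one received prefix.

    Verdicts (names are this example's own):
      accept                exactly matches a registered allocation
      reject-hijacked       falls inside a block the operator refuses
      reject-more-specific  a sub-prefix carved out of an allocation
                            (the SWIP'd /20 and /24 from the thread)
      reject-less-specific  a covering aggregate nobody was allocated
      unknown               not inside any allocation we know about
    """
    net = ipaddress.ip_network(prefix, strict=True)
    for b in blocked:
        if net.version == b.version and net.subnet_of(b):
            return "reject-hijacked"
    for alloc in allocations:
        if net.version != alloc.version:
            continue
        if net == alloc:
            return "accept"
        if net.subnet_of(alloc):
            return "reject-more-specific"
        if alloc.subnet_of(net):
            return "reject-less-specific"
    return "unknown"


def audit(announcements: Iterable[str], allocations, blocked=()) -> Mapping[str, str]:
    """Run classify() over a batch of received prefixes."""
    return {p: classify(p, allocations, blocked) for p in announcements}


if __name__ == "__main__":
    # Constructed sample of received announcements. The /24 and /20 are the
    # SWIP'd chunks named in the thread; the /15 is a made-up covering
    # aggregate; 192.0.2.0/24 is the RFC 5737 documentation prefix standing
    # in for an unrelated route.
    received = [
        "144.176.0.0/16",
        "144.176.209.0/24",
        "144.176.208.0/20",
        "144.176.0.0/15",
        "192.0.2.0/24",
    ]
    print("allocation-boundary filter only:")
    for p, verdict in audit(received, ALLOCATIONS).items():
        print(f"  {p:<18} {verdict}")
    print("with the hijacked /16s refused outright:")
    for p, verdict in audit(received, ALLOCATIONS, HIJACKED).items():
        print(f"  {p:<18} {verdict}")
```

The first pass shows why boundary filtering alone already stops the leased-out /24 and /20 without any knowledge of the hijack: they are longer than the registered /16 and so never match it exactly. The second pass shows the stricter stance a network can take once it has been told the /16s themselves are hijacked, where even the exact allocation is refused.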