"chuck" == chuck goolsbee <chucklist@forest.net> writes:
chuck> Of course I have no hard data, other than my client's phone
chuck> call about another phone call, so I can't query based on a
chuck> timestamp to see where this was being announced from. It
chuck> appears to have vanished, and has remained so according to my
chuck> casual glances here and there.

chuck> The netblock in question is:

chuck> 204.89.0.0/21

No announcement for that block has been visible here at any time in the past couple of weeks (specifically, since Oct 13). We might have missed it if it was never announced for more than a few minutes at a time, but it's _much_ more likely that the block was never announced and was merely forged into headers of a spam.

--
Andrew, Supernews
On Mon, Nov 03, 2003 at 09:17:38PM +0000, Andrew - Supernews wrote:
"chuck" == chuck goolsbee <chucklist@forest.net> writes:
chuck> Of course I have no hard data, other than my client's phone
chuck> call about another phone call, so I can't query based on a
chuck> timestamp to see where this was being announced from. It
chuck> appears to have vanished, and has remained so according to my
chuck> casual glances here and there.
chuck> The netblock in question is:
chuck> 204.89.0.0/21
No announcement for that block has been visible here at any time in the past couple of weeks (specifically, since Oct 13). We might have missed it if it was never announced for more than a few minutes at a time, but it's _much_ more likely that the block was never announced and was merely forged into headers of a spam.
Our system reports that neither that prefix, nor any of its more-specifics, has been seen in the global routing tables at any moment since January 1st, 2002. [ http://www.renesys.com ]

----------
James Cowie
Renesys Corporation
cowie at renesys.com
James Cowie wrote:
On Mon, Nov 03, 2003 at 09:17:38PM +0000, Andrew - Supernews wrote:
No announcement for that block has been visible here at any time in the past couple of weeks (specifically, since Oct 13). We might have missed it if it was never announced for more than a few minutes at a time, but it's _much_ more likely that the block was never announced and was merely forged into headers of a spam.
Our system reports that neither that prefix, nor any of its more-specifics, has been seen in the global routing tables at any moment since January 1st, 2002. [ http://www.renesys.com ]
We haven't seen anything from that block in our spamtrap either for at least a week.

The .224/24, on the other hand, is a real sewer.
On Mon, Nov 03, 2003 at 04:47:44PM -0500, Chris Lewis wrote:
[ re: 204.89.0/21...]
No announcement for that block has been visible here at any time in the past couple of weeks (specifically, since Oct 13). We might have missed it if it was never announced for more than a few minutes at a time, but it's _much_ more likely that the block was never announced and was merely forged into headers of a spam.
Our system reports that neither that prefix, nor any of its more-specifics, has been seen in the global routing tables at any moment since January 1st, 2002. [ http://www.renesys.com ]
We haven't seen anything from that block in our spamtrap either for at least a week.
The .224/24, on the other hand, is a real sewer.
Correct. Unfortunately, that's my old block and I wasn't quite ready to hand it back since I'd sort of wanted to announce it again. I've been trying to chase down C&W as the upstream of AS 30080, the jokers who've been pulling this stuff for quite some time with other blocks.

My POC updates to ARIN keep getting rejected, so yes, it looks like an abandoned block with an old netcom.com address.

I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.

--
Ray Wong
rayw@rayw.net
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling "damaged goods" and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets.
Ray Wong rayw@rayw.net
-Hank
On Tue, Nov 04, 2003 at 07:10:27AM +0200, Hank Nussbacher wrote:
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling "damaged goods" and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets.
But the RIRs are not selling any goods; are they not simply selling a directory service? -ron
On Tue, 4 Nov 2003, Ron da Silva wrote:
On Tue, Nov 04, 2003 at 07:10:27AM +0200, Hank Nussbacher wrote:
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling "damaged goods" and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets.
But the RIRs are not selling any goods; are they not simply selling a directory service?
They view themselves as "leasing" out IP address space. Although they never reclaim IP address space that has long since never been announced. But even if it is leasing - if I lease an apartment that has termites and can prove that the owner of the building knew about the termites - then I would probably have a good case to sue.

-Hank
-ron
Hank Nussbacher
HN> Date: Tue, 4 Nov 2003 07:25:12 +0200 (IST)
HN> From: Hank Nussbacher

HN> They view themselves as "leasing" out IP address space.
HN> Although they never reclaim IP address space that has long
HN> since never been announced.

Perhaps if netblocks _were_ reclaimed,

1. Fewer hijackings would happen
2. Admins would be less likely to let IP lists rot.

Right now, it almost seems like the combination of hijackers and public beatings is doing part of the RIRs' jobs for them...

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
No, they do not view themselves as leasing address space. They view themselves as registering it. They are quite clear about this. The term leasing is commonly misapplied by people outside the RIR, but, I have never seen any RIR claim that they are leasing the address space. Certainly not in the financial sense.

What they do say is that as long as they are paid the correct fees for registering the address space, they will not make a duplicate registration for another party. They just register the address space. They do not lease it. They do not claim to own it. They make no claims on the actions of others with regard to the address space. By common consent the majority of the internet regards the RIR registrations as binding effective ownership, but, that is voluntary on the part of each and every network provider.

Owen

--On Tuesday, November 4, 2003 7:25 AM +0200 Hank Nussbacher <hank@att.net.il> wrote:
On Tue, 4 Nov 2003, Ron da Silva wrote:
On Tue, Nov 04, 2003 at 07:10:27AM +0200, Hank Nussbacher wrote:
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling "damaged goods" and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets.
But the RIRs are not selling any goods; are they not simply selling a directory service?
They view themselves as "leasing" out IP address space. Although they never reclaim IP address space that has long since never been announced. But even if it is leasing - if I lease an apartment that has termites and can prove that the owner of the building knew about the termites - then I would probably have a good case to sue.

-Hank
-ron
Hank Nussbacher
-- If it wasn't signed, it probably didn't come from me.
At 12:33 AM 04-11-03 -0800, Owen DeLong wrote:
No, they do not view themselves as leasing address space. They view themselves as registering it. They are quite clear about this. The term leasing is commonly misapplied by people outside the RIR, but, I have never seen any RIR claim that they are leasing the address space. Certainly not in the financial sense.
That is not what RIPE and ARIN state. They specifically use the word "lease".

<http://www.ripe.net/ripencc/mem-services/registration/ipv6/global-ipv6-assign-2001-12-22.html> and <http://www.arin.net/policy/global-ipv6-assign-2001-12-22.txt>

"The global IPv6 policies in this document are based upon the understanding that address space is lease-licensed for use rather than owned. All Internet Registries are expected to manage address space operations correctly in accordance with this principle."

Also: <http://www.ripe.net/ripencc/about/presentations/ir-allocation-procedures/tsld009.html>

Also: http://www.arin.net/library/minutes/ARIN_IX/ppm_doc.html

"In regard to the criteria that "organizations who are granted initial allocations, but after two years no longer satisfy the requirements above, are subject to having their allocations revoked", the following model was proposed for allocations:

- Addresses are "leased", assignments are not permanent"

Many more examples.

-Hank
"lease-licensed" is different from "leased". They are leasing you a license to use the address space and claim it as unique to your organization. If you look at the contract that you sign with the RIR, you will notice that it does not convey ownership or any sort of lease in the commercial lease sense of the word, but, the use of the term in policies is more along the lines of the DHCP lease sense of the word.

Also, notice that all of the policies you quote are WRT IPv6 space and not current IPv4 policies. IPv6 is still regarded as experimental in nature by the RIRs and as such, they have probably not spent a lot of time refining the legalese in the language for their allocation policies.

Owen

--On Tuesday, November 4, 2003 10:44 AM +0200 Hank Nussbacher <hank@att.net.il> wrote:
At 12:33 AM 04-11-03 -0800, Owen DeLong wrote:
No, they do not view themselves as leasing address space. They view themselves as registering it. They are quite clear about this. The term leasing is commonly misapplied by people outside the RIR, but, I have never seen any RIR claim that they are leasing the address space. Certainly not in the financial sense.
That is not what RIPE and ARIN state. They specifically use the word "lease".
<http://www.ripe.net/ripencc/mem-services/registration/ipv6/global-ipv6-assign-2001-12-22.html> and <http://www.arin.net/policy/global-ipv6-assign-2001-12-22.txt>
"The global IPv6 policies in this document are based upon the understanding that address space is lease-licensed for use rather than owned. All Internet Registries are expected to manage address space operations correctly in accordance with this principle."
Also: <http://www.ripe.net/ripencc/about/presentations/ir-allocation-procedures/tsld009.html>
Also: http://www.arin.net/library/minutes/ARIN_IX/ppm_doc.html
"In regard to the criteria that "organizations who are granted initial allocations, but after two years no longer satisfy the requirements above, are subject to having their allocations revoked", the following model was proposed for allocations:
- Addresses are "leased", assignments are not permanent"
Many more examples.
-Hank
-- If it wasn't signed, it probably didn't come from me.
Also while we're on ip hijacking subject as I mentioned there is a new way it has been done where instead of reregistering domains, the actual email account is reused by somebody else and where whois at arin is for the most part left unchanged (making it difficult for arin to do anything). Because these cases are difficult to track the original owners and to prove hijacking or to notice that it happened, it would be nice to stop such activity in the first place.

So it would really be good if somebody from earthlink contacts me and I can then tell them privately what names they need to "lock" as far as what their customers can request for additional emails.

Same applies for other ISPs - if you who work for company that has in the past bought other large ISPs AND where you still allow new or existing customers to get new email accounts at the domains of those old companies (i.e. like earthlink is presumably doing with netcom.com), then let me know domains and I can tell you what not to allow your customers for emails.

--
William Leibzon
Elan Networks
william@elan.net
1. RIRs don't sell address space or make any claim of the merchantability, routability, or functionality of the address space they hand out.
2. RIRs assets do not include the unregistered addresses. They are not transferrable and have no book value.

As such, it would be difficult for an RIR customer to successfully sue. Most likely if they explained the problems to the RIR, they could trade for a less impacted block, but, suing the RIR is unlikely to accomplish much. The RIR after all, only provided a registration service to show in a public database that as far as the particular RIR was concerned, those integers were unique to the network operator in question. They make no claims about the actions of others WRT those addresses, they just promise not to issue them to someone else.

Owen

--On Tuesday, November 4, 2003 7:10 AM +0200 Hank Nussbacher <hank@att.net.il> wrote:
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling "damaged goods" and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets.
Ray Wong rayw@rayw.net
-Hank
-- If it wasn't signed, it probably didn't come from me.
Correct. Unfortunately, that's my old block and I wasn't quite ready to hand it back since I'd sort of wanted to announce it again. I've been trying to chase down C&W as the upstream of AS 30080, the jokers who've been pulling this stuff for quite some time with other blocks.

C&W received quite a number of reports about abuse from AS30080, I'm very surprised they have not reacted yet (in previous cases of hijacked block, C&W acted on par with other large networks).

The two ip blocks 199.245.138.0/24 and 204.89.224.0/24 are actually hijacked in rather unique way by getting old @netcom.com email account forwarded to hijackers (who is presumably a customer of earthlink). Nanog has just seen confirmation from one of these people whose ip block has been hijacked this way, for the other block you can see the data file at http://www.completewhois.com/hijacked/files/199.245.138.0.txt
The 3rd ip block used by as30080 is 192.107.49.0/24 and there ARIN already deleted this block from whois (but AS30080 still announces it).

I'm certain C&W knows about all the issues with those blocks (I actually only emailed them once, but I know others did it quite a bit more than once and c&w person is present at hijacked mail list too). It would really be good if C&W finally take a stand on this and stopped this clearly bad activity from their customer (not to mention that there are uncountable number of unsolicited emails all originating in those blocks, I've received more than two dozen in last months just on couple accounts).

If C&W does not take a stand and at least explain why as30080 is still their customer (public if possible or private to those individuals and organizations looking into this matter), then more active measures may have to be taken that may very well cost C&W a lot more money in legal fees.
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.

You should not be asking somebody to announce this space while whois is not fixed and current and while it's still announced by somebody else. Afterwards, I'm sure you will be able to find somebody to announce the space (as long as original company the ip block has been assigned to is still around and you still represent it).

204.89.224.0/24 has not been on blacklists too long yet (no more than 10 days) and it's not too "contaminated" yet and should be reusable fairly easily once you post on couple appropriate mail lists that real ip block owner is now announcing it.
-- William Leibzon Elan Networks william@elan.net
Ray Wong wrote:
On Mon, Nov 03, 2003 at 04:47:44PM -0500, Chris Lewis wrote:
The .224/24, on the other hand, is a real sewer.
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
As strange as this may seem, I still think there's hope since it's thoroughly covered by existing DNSBLs. A few POCs, and you should be able to get it delisted. Yes, there's local listings such as ours, but the number of local BLs that identify specific blocks in _advance_ of, say, SBL, should be relatively small. And we're quick to delist once we find out.

But _first_, you have to get it disconnected from who's hijacking it now. There's no way you can get it delisted given its _current_ metrics, not a chance.
----- Original Message -----
From: "Chris Lewis" <clewis@nortelnetworks.com>
Cc: <nanog@merit.edu>
Sent: Monday, November 03, 2003 4:47 PM
Subject: Re: Hijacked IP space.
We haven't seen anything from that block in our spamtrap either for at least a week.
The .224/24, on the other hand, is a real sewer.
I can confirm the same thing here. A nice lot of spam to spamtraps from that .224 block, but nothing interesting from the rest.

I also took the liberty of checking the various mail gateways I manage for a few ISPs and nothing from 204.89.0.0/21.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org
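
The lookup Andrew and James Cowie describe in this thread (has a prefix, or any of its more-specifics, been announced since a given date), as an added example that is not part of the original thread or of any participant's system. The prefixes and AS30080 are taken from the messages; the timestamps, the AS64500 row and all function names are constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample of (first seen, announced prefix, origin AS) records.
# Prefixes and AS30080 appear in the thread; every timestamp and the
# 203.0.113.0/24 / AS64500 row are invented so the example runs offline.
ROWS = [
    ("2003-10-24T06:10:00", "204.89.224.0/24", 30080),
    ("2003-10-20T11:45:00", "199.245.138.0/24", 30080),
    ("2003-09-30T02:00:00", "192.107.49.0/24", 30080),
    ("2003-11-01T00:00:00", "203.0.113.0/24", 64500),
]


def to_network(text):
    """Parse a prefix, accepting list shorthand such as 204.89.224/24."""
    addr, _, length = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad omitted trailing octets
    # strict=True rejects prefixes with host bits set (a common typo)
    return ipaddress.ip_network(".".join(octets) + "/" + (length or "32"),
                                strict=True)


def relation(query, seen):
    """How an announced prefix relates to the prefix being investigated."""
    if seen == query:
        return "exact"
    if seen.subnet_of(query):
        return "more-specific"
    if seen.supernet_of(query):
        return "covering"
    return None


def sightings(query_text, rows, since):
    """Announcements at or after `since` that overlap the queried prefix."""
    query = to_network(query_text)
    cutoff = datetime.fromisoformat(since)
    hits = []
    for when, prefix, origin in rows:
        rel = relation(query, to_network(prefix))
        if rel and datetime.fromisoformat(when) >= cutoff:
            hits.append((rel, prefix, origin, when))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    # 204.89.0.0/21 spans 204.89.0.0-204.89.7.255, so the .224/24 is not
    # one of its more-specifics and the two queries answer differently.
    for q in ("204.89.0/21", "204.89.224/24", "204.89.0.0/16"):
        print(q, sightings(q, ROWS, "2003-10-13"))
```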
participants (10): Andrew - Supernews, Brian Bruns, Chris Lewis, E.B. Dreger, Hank Nussbacher, James Cowie, Owen DeLong, Ray Wong, Ron da Silva, william@elan.net