Looking to buy IPv4 addresses from class C swamp
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
If you have arpas for sale get in touch.
Bill
Study Business at USQ's Australian Graduate School of Business. http://www.usq.edu.au/faculty/business/usqagsb/
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
Have you tried APNIC?
If you have arpas for sale get in touch.
Bill
Study Business at USQ's Australian Graduate School of Business. http://www.usq.edu.au/faculty/business/usqagsb/
Thus spake <bmanning@karoshi.com>
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
Have you tried APNIC?
Out of the frying pan, into the fire. A significant number of endpoints block all APNIC /8's due to spam. Perhaps RIPE?
S
Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
On Mon, 28 Apr 2003, Stephen Sprunk wrote:
Out of the frying pan, into the fire. A significant number of endpoints block all APNIC /8's due to spam. Perhaps RIPE?
RIPE won't let you transfer IP-space without filling in a new IP request, so I don't think that is the way out.
--
Mikael Abrahamsson email: swmike@swm.pp.se
On Monday, Apr 28, 2003, at 12:10 Canada/Eastern, Stephen Sprunk wrote:
Thus spake <bmanning@karoshi.com>
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
Have you tried APNIC?
Out of the frying pan, into the fire. A significant number of endpoints block all APNIC /8's due to spam. Perhaps RIPE?
I've heard of a few US government network operators who have attempted to block "chinanet" by refusing all traffic from 202/7, but I certainly haven't noticed widespread problems sending mail from addresses within 202/8 and 203/8 (although I have done no systematic testing).
What is a "significant number"? Is this really a widespread problem, or is it just an enduring myth?
Joe
On 4/28/2003 at 9:32 AM, billmojo@australia.edu wrote:
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
<sarcasm on>
Why settle for a few /24's, when you can have the whole enchilada for pennies on the dollar!
http://spamhaus.org/sbl/listings.lasso?isp=arin
Like many of our convicted felons^W^Wfriends in the criminal trespassing^Wemail business, the new strategy to help yourself to a few /16's without stupid questions being asked is now:
- scan the routing tables for /16-size holes in space that has been assigned in the timeframe 1989 through 1995.
- determine if said "hole" is registered with any relevant address space registry (ARIN,RIPE,APNIC, but LACNIC need not apply), and the space is not routed.
- determine if all registered POCs for the space are dead by way of the domains having expired
- spend less than $10 to re-register the "missing" domains, using the original contact details (and persons) still listed in the IP space registration.
- eventually change the POCs for the address space to your liking
- voila. substantially more IP space than you wanted in the first place.
- slice & dice, and sell the space in /20 chunks to those highest-bidding Florida state-prison buddies of yours, many of which have found new ways of making a living without tipping the hands of their parole officers (in way too obvious ways). Gee, don't you love Florida: all you can expect there for, say: a cocaine trafficking charge is parole after 14 months served out of your 3-year-sentence. And carrying drivers licenses is optional, the same seems to be true for gun permits.
- find yourself some nice, conspiring providers like AS 6453, 14551, 6939 or 10910 who will find nothing (or hardly anything, given the lack of abuse complaints implicating the space) wrong by you (for example) announcing IP space belonging to a German steel mill from some god-forgotten swamp in Panama. Like: that steel mill must have moved, yeah.
</sarcasm>
Makes you wonder how some providers' (paging AS 10910!) business due diligence process works: they do a credit check, pull the D&B report, they confirm the service address (occasionally with a visit by a sales person), but then fail to notice that the prefix filter installed for the customer has a few /16's and more /19's from a few other /16's in it, where the address space registration bears no resemblance with reality, following the pattern in the point list above, and has little if any legitimacy that you and I could possibly see.
I am sure you can figure out the likely operational impact resulting from appearance of hijacked/stolen IP space just about now. AS 16506 is routing VPN tunnel endpoints for Al-Qaeda, you said? you surely must be joking, or it's a really bad rumor not reflecting reality, Sir...
bye,Kai
While it's certainly wrong to steal IPs like this, some of the blame must go to the RIRs. They should be repo-ing this space. I realize they engage in much handwringing over their "lack of authority", but authority to route address space is, for all intents and purposes, given by those who actually do the routing. Furthermore, ARIN has a large warchest for defending against legal challenges.
ARIN needs to repo any space that has been advertised for a reasonable length of time, and reissue it.
- Dan
On Mon, 28 Apr 2003, Kai Schlichting wrote:
On 4/28/2003 at 9:32 AM, billmojo@australia.edu wrote:
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
<sarcasm on>
Why settle for a few /24's, when you can have the whole enchilada for pennies on the dollar!
http://spamhaus.org/sbl/listings.lasso?isp=arin
Like many of our convicted felons^W^Wfriends in the criminal trespassing^Wemail business, the new strategy to help yourself to a few /16's without stupid questions being asked is now:
- scan the routing tables for /16-size holes in space that has been assigned in the timeframe 1989 through 1995.
- determine if said "hole" is registered with any relevant address space registry (ARIN,RIPE,APNIC, but LACNIC need not apply), and the space is not routed.
- determine if all registered POCs for the space are dead by way of the domains having expired
- spend less than $10 to re-register the "missing" domains, using the original contact details (and persons) still listed in the IP space registration.
- eventually change the POCs for the address space to your liking
- voila. substantially more IP space than you wanted in the first place.
- slice & dice, and sell the space in /20 chunks to those highest-bidding Florida state-prison buddies of yours, many of which have found new ways of making a living without tipping the hands of their parole officers (in way too obvious ways). Gee, don't you love Florida: all you can expect there for, say: a cocaine trafficking charge is parole after 14 months served out of your 3-year-sentence. And carrying drivers licenses is optional, the same seems to be true for gun permits.
- find yourself some nice, conspiring providers like AS 6453, 14551, 6939 or 10910 who will find nothing (or hardly anything, given the lack of abuse complaints implicating the space) wrong by you (for example) announcing IP space belonging to a German steel mill from some god-forgotten swamp in Panama. Like: that steel mill must have moved, yeah.
</sarcasm>
Makes you wonder how some providers' (paging AS 10910!) business due diligence process works: they do a credit check, pull the D&B report, they confirm the service address (occasionally with a visit by a sales person), but then fail to notice that the prefix filter installed for the customer has a few /16's and more /19's from a few other /16's in it, where the address space registration bears no resemblance with reality, following the pattern in the point list above, and has little if any legitimacy that you and I could possibly see.
I am sure you can figure out the likely operational impact resulting from appearance of hijacked/stolen IP space just about now. AS 16506 is routing VPN tunnel endpoints for Al-Qaeda, you said? you surely must be joking, or it's a really bad rumor not reflecting reality, Sir...
bye,Kai
On Mon, 28 Apr 2003, Daniel Golding wrote:
While it's certainly wrong to steal IPs like this, some of the blame must go to the RIRs. They should be repo-ing this space. I realize they engage in much handwringing over their "lack of authority", but authority to route address space is, for all intents and purposes, given by those who actually do the routing. Furthermore, ARIN has a large warchest for defending against legal challenges.
ARIN needs to repo any space that has been advertised for a reasonable length of time, and reissue it.
Should any of the ISP community hold any responsibility to help the RIR's pull this space back when they are hijacked? I would think ARIN/RIPE/APNIC would like to see ISP's email them blocks that are hijacked so they can reclaim them, or put them into a holding pen while they attempt to contact the owners... (then reclaim if no contacts can be made)
-Chris
On 28 Apr 2003 21:55 (UT), "Christopher L. Morrow" <chris@UU.NET> wrote:
| Should any of the ISP community hold any responsibility to help the
| RIR's pull this space back when they are hijacked?
To me, the most important thing is that the ISP/carrier community should ensure that inappropriate route announcements are filtered. "Inappropriate" here means blocks that are either unallocated, or are being used without permission from the user to whom they were originally allocated. The issue of whether the blocks should be allocated (or not) doesn't come into this part of the analysis.
In the case I reported here a few weeks back, I'm glad to be able to announce that all those six blocks are now fully de-announced and the torrent of spam that was flowing from most of them has now stopped. That result couldn't have been achieved without the considerable help and advice I had from participants here, and the Security departments of the carriers that were innocent victims of the deception. So I'd like to thank them all for that help. (There's obviously a lot of administrative work to do on putting the allocations involved back in order, and handing some of the IP space back, and that's the job in hand right now!)
What has become clear is that this was the tip of the iceberg ... the number of "lost" blocks that are being misused seems to be far greater than anyone expected. Since dealing with the first six, which became eight as a result of their association with two other blocks, two more hijacked Class B's have come to light - one was resolved earlier today.
| I would think ARIN/RIPE/APNIC would like to see ISP's email them
| blocks that are hijacked so they can reclaim them, or put them into
| a holding pen while they attempt to contact the owners... (then
| reclaim if no contacts can be made)
I doubt if ISPs will necessarily be able to do that, as the hijacked blocks were all in use with plausible credentials - mostly obtained by a combination of social engineering, and creating similar domains (or reviving old ones) to "grab" the necessary handles. Only by the very careful comparison of information about the original registrant will the real situation become evident.
In response to the requests I've had, I'm now creating a mailing list for anyone to report IP space that they believe has been hijacked, and the security teams from the major backbones will be welcome to join and take whatever action they see as appropriate when clear evidence is produced - the relevant registry will also be notified and they can, if they wish, review any potentially-problematic cases.
Ultimately it's the registries' decision as to whether the current user is the same entity as the user to whom the space was originally assigned (or has the necessary authority to use it, according to each registry's stated policies); the mailing list will simply facilitate sharing the necessary information.
The list will be hijacked at numbering~com and the normal majordomo signup process will be available *shortly* but until then anyone who wants to be added should send mail decodable by carbon lifeforms, to listowner at numbering~com
--
Richard Cox
On Mon, Apr 28, 2003 at 09:54:59PM +0000, Christopher L. Morrow wrote:
On Mon, 28 Apr 2003, Daniel Golding wrote:
While it's certainly wrong to steal IPs like this, some of the blame must go to the RIRs. They should be repo-ing this space. I realize [snip]
Should any of the ISP community hold any responsibility to help the RIR's pull this space back when they are hijacked? I would think
You presume that no-one is doing that (hint: many of us are), and that any action is taken (if so, none is visible). Kai's post is not fiction.
Guess what? A lot (not all) squatters get caught quite nicely in those "evil" prefix length filters. If you HAVE an allocation and for some reason just announce deaggregates, to a third party you look *just* like the black hats. How does this help your reachability while you're grazing on the commons? Think about that for a second before the knee jerks up.
Cheers,
Joe
--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
On Mon, 28 Apr 2003, Joe Provo wrote:
On Mon, Apr 28, 2003 at 09:54:59PM +0000, Christopher L. Morrow wrote:
On Mon, 28 Apr 2003, Daniel Golding wrote:
While it's certainly wrong to steal IPs like this, some of the blame must go to the RIRs. They should be repo-ing this space. I realize [snip]
Should any of the ISP community hold any responsibility to help the RIR's pull this space back when they are hijacked? I would think
You presume that no-one is doing that (hint: many of us are), and that any action is taken (if so, none is visible).
I'm sorry, but to clarify my question I wasn't presuming any such thing. I was just asking if the RIRs expected ISP's to inform them when a clearly hijacked address block was found and quashed.
Hmm, that WOULD presume the RIR had a method to handle that notification I suppose.
-Chris
On Mon, Apr 28, 2003 at 11:23:42PM +0000, Christopher L. Morrow wrote:
I'm sorry, but to clarify my question I wasn't presuming any such thing. I was just asking if the RIRs expected ISP's to inform them when a clearly hijacked address block was found and quashed.
Hmm, that WOULD presume the RIR had a method to handle that notification I suppose.
Email would work, but the more pressing issue is how the RIR is to respond to that notification. RIRs don't have the resources to revoke allocations/assignments for cause other than non-payment (which necessarily excludes pre-RIR allocs). Additionally, RIRs have no mechanism to enforce revocations.
There has been reasonable discussion on possible policy changes to address these concerns; however, no consensus has been achieved to effect change (yet). I would encourage folks to join the ppml@arin.net public policy list for ARIN (and/or similar activities for other RIRs) should you have some specific suggestions to this end.
Presently, the ONLY mechanism that the RIRs have to revoke/filter/influence the global routing table is the routing policies employed by the RIRs' constituents. The folks on this list (NANOG) are able to block abuse/squatters/rogue users. Can the RIRs help with additional information in database objects? Such as additional status information, accuracy of contact data, etc? Your specific input is more than welcomed (but please redirect to ppml).
-ron
/ARIN AC
Thus spake "Daniel Golding" <dgold@FDFNet.Net>
ARIN needs to repo any space that has [not] been advertised for a reasonable length of time, and reissue it.
So you're claiming that ARIN should revoke any allocations, including those made before it came into existence, simply because the addresses aren't in the global tables?
If that's the position of the community, that's a drastic change from assertions made in the IETF WGs and may affect address allocation guidelines and even some protocol work.
S
Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
Current ISPs are having so much trouble trying to get a small /20 for existing customers that they should start revoking addresses from companies not using them. Lots of major companies with /8 and /16 are using a /20 worth of addresses.
I think there should be some kind of guideline that is more up to date with today's reality and if revoking is the only good way to do so, let's do it.
-chris
On Mon, 28 Apr 2003, Stephen Sprunk wrote:
Thus spake "Daniel Golding" <dgold@FDFNet.Net>
ARIN needs to repo any space that has [not] been advertised for a reasonable length of time, and reissue it.
So you're claiming that ARIN should revoke any allocations, including those made before it came into existence, simply because the addresses aren't in the global tables?
If that's the position of the community, that's a drastic change from assertions made in the IETF WGs and may affect address allocation guidelines and even some protocol work.
S
Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
Stephen,
Assertions made in the IETF are not necessarily correct or proper. The past few years have led to a rash of bankruptcies in the technology sector, which has led to substantial unrouted space. In any case, a "use it or lose it" rule is completely in accord with the spirit of the issuance guidelines - you are only supposed to ask for what you can use, and you should return what you don't use.
However, the assumption that folks are altruistic is basically false. There is no reward for returning IP space, therefore folks will not do it. IRRs, as the proper administrative authority should step in.
I also understand that there is some kind of mental "red line" concerning the IP space that was issued before ARIN came into existence, for some folks. There needs to be a consensus amongst ICANN/IANA/ISI/IETF that the IRRs should have full authority for both current and legacy space.
- Dan
On Mon, 28 Apr 2003, Stephen Sprunk wrote:
Thus spake "Daniel Golding" <dgold@FDFNet.Net>
ARIN needs to repo any space that has [not] been advertised for a reasonable length of time, and reissue it.
So you're claiming that ARIN should revoke any allocations, including those made before it came into existence, simply because the addresses aren't in the global tables?
If that's the position of the community, that's a drastic change from assertions made in the IETF WGs and may affect address allocation guidelines and even some protocol work.
S
Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
[Note: I am not suggesting that anyone should do anything that is described here]
Kai Schlichting wrote:
On 4/28/2003 at 9:32 AM, billmojo@australia.edu wrote:
Our client wants to purchase a number of IPv4 addresses. Yes we know ARIN allocates them but many people have had problems routing the new addresses and we don't have the time for those sort of problems.
<sarcasm on>
Why settle for a few /24's, when you can have the whole enchilada for pennies on the dollar!
Don't believe the listing of hijacked netblocks @ Spamhaus, it's maintained by someone who doesn't seem to know the difference between spammer-hijacked netblocks & netblocks assigned by ISPs to their users.
Like many of our convicted felons^W^Wfriends in the criminal trespassing^Wemail business, the new strategy to help yourself to a few /16's without stupid questions being asked is now:
- scan the routing tables for /16-size holes in space that has been assigned in the timeframe 1989 through 1995.
For APNIC, only look in 203/10 and look for /24-ish ones registered in 1993-early 1997.
- determine if said "hole" is registered with any relevant address space registry (ARIN,RIPE,APNIC, but LACNIC need not apply), and the space is not routed.
- determine if all registered POCs for the space are dead by way of the domains having expired
- spend less than $10 to re-register the "missing" domains, using the original contact details (and persons) still listed in the IP space registration.
Or, if it has no email address you can just register a domain for the original owner with the same contact information that's in the current IP whois and mail ARIN from that in the original owner's name.
- find yourself some nice, conspiring providers like AS 6453, 14551, 6939 or 10910
Or Qwest (AS209).
</sarcasm>
I am sure you can figure out the likely operational impact resulting from appearance of hijacked/stolen IP space just about now. AS 16506 is routing VPN tunnel endpoints for Al-Qaeda, you said? you surely must be joking, or it's a really bad rumor not reflecting reality, Sir...
AS16506 has its only feeds from Teleglobe & UUNET.
Roland Verlander on NANOG wrote:
Don't believe the listing of hijacked netblocks @ Spamhaus, it's maintained by someone who doesn't seem to know the difference between spammer-hijacked netblocks & netblocks assigned by ISPs to their users.
Actually, Spamhaus is very good at detecting zombies. The link provided is not strictly hijacked networks, though. In all cases, Spamhaus tends to side on a "questionable" zombie, as sometimes it's difficult to tell if a network was truly hijacked. As known spamhausen do hijack more networks and demonstrate a track record, it does lead to more easily detecting when a network or AS has been hijacked. In all cases, the list is about spam, not netblock hijacks.
-Jack
Jack Bates wrote:
Actually, Spamhaus is very good at detecting zombies.
Wrong.
The link provided is not strictly hijacked networks, though.
I know that. Here is one example of how good they are in detecting zombies:
http://spamhaus.org/SBL/sbl.lasso?query=SBL7583
<quote>
zombies hosting24-7.org / hostingonus.com / iohosting.us / tiethepen.com (zombie?)
193.231.248.0/24 is listed on the Register Of Known Spam Operations (ROKSO) database as being assigned to, under the control of, or providing service to a known spam operation run by zombies. Please see the ROKSO spam records for zombies
</quote>
And look at the whois: it shows it's an assignment SWIP'd to a spammer by an ISP. Yeah, I'm sure that that's a zombie.
inetnum: 193.231.248.0 - 193.231.248.255
netname: SC-PRO-SYS-SRL
descr: SC PRO SYS SRL
descr: Pache Protopopescu 108
descr: sector 2 Bucharest
country: ro
admin-c: SSC100-RIPE
tech-c: SSC100-RIPE
status: ASSIGNED PA
mnt-by: AS3233-MNT
mnt-lower: AS3233-MNT
mnt-routes: WEBONLINE
notify: hostmaster@rnc.ro
changed: hostmaster@rnc.ro 20030410
source: RIPE

inetnum: 193.231.0.0 - 193.231.255.255
netname: RO-RNC-970804
descr: Local Registry for Europanet customers
descr: RO general
country: RO
admin-c: ES16
tech-c: ES16
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS3233-MNT
mnt-routes: AS3233-MNT
changed: GeertJan.deGroot@ripe.net 19941230
changed: hostmaster@ripe.net 19960207
changed: hostmaster@ripe.net 19970804
changed: hostmaster@ripe.net 19990504
changed: hostmaster@ripe.net 19990506
changed: hostmaster@ripe.net 20000303
changed: hostmaster@ripe.net 20000313
changed: hostmaster@ripe.net 20001130
changed: lir-help@ripe.net 20020109
source: RIPE
On 30 Apr 2003 02:23 UTC, "Roland Verlander" <rolyv@bigpond.com> wrote:
| And look at the whois: it shows it's an assignment SWIP'd to a spammer
| by an ISP. Yeah, I'm sure that that's a zombie.
I'm reasonably sure it is (or was). Two main reasons:
(1) It should have been routing to Romania (AS2614 or AS3233) - it was actually routing to or via Denmark (announced by AS16186).
(2) when the situation was pointed out, the route was quickly killed.
Same with 152.143.0.0: belongs to German company Kloeckner Stahl Bremen but (parts of) it were being announced by Ayayai in Panama. Teleglobe have stopped that routing - hence a large number of blocks were suddenly de-announced and 152.143.0.0/16 now seems to be clean.
--
Richard Cox
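The comparison made in the message above (registered holder and expected origin AS against the AS actually announcing the prefix), sketched as an added example that is not part of the original thread. The registry snapshot and the announcement list are constructed: the 193.231.x.x values and AS2614/AS3233/AS16186 are taken from the messages above, while AS64500-AS64511 and 198.51.100.0/24 are documentation placeholders because the thread gives no AS numbers for 152.143.0.0/16.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegistryRecord:
    network: ipaddress.IPv4Network
    holder: str
    expected_origins: frozenset  # AS numbers the holder is expected to use


@dataclass(frozen=True)
class Finding:
    prefix: str
    origin: int
    verdict: str            # "ok", "origin-mismatch" or "no-registration"
    holder: Optional[str]
    deaggregated: bool      # announced more specifically than registered


def rec(cidr, holder, *asns):
    return RegistryRecord(ipaddress.ip_network(cidr), holder, frozenset(asns))


# Constructed registry snapshot (assumption: built offline from whois data).
REGISTRY = [
    rec("193.231.0.0/16", "RO-RNC-970804", 2614, 3233),
    rec("193.231.248.0/24", "SC-PRO-SYS-SRL", 2614, 3233),
    rec("152.143.0.0/16", "Kloeckner Stahl Bremen", 64500),  # placeholder ASN
]

# Constructed view of a routing table: (prefix, origin AS).
OBSERVED = [
    ("193.231.0.0/16", 3233),     # matches the registry
    ("193.231.248.0/24", 16186),  # origin reported in the thread
    ("152.143.64.0/20", 64511),   # placeholder origin, piece of a /16
    ("198.51.100.0/24", 64501),   # no registration in the snapshot
]


def covering_record(prefix, registry):
    """Return the most specific registry record that contains prefix."""
    candidates = [r for r in registry if prefix.subnet_of(r.network)]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def check_announcement(cidr, origin, registry=REGISTRY):
    prefix = ipaddress.ip_network(cidr)
    record = covering_record(prefix, registry)
    if record is None:
        return Finding(cidr, origin, "no-registration", None, False)
    verdict = "ok" if origin in record.expected_origins else "origin-mismatch"
    deagg = prefix.prefixlen > record.network.prefixlen
    return Finding(cidr, origin, verdict, record.holder, deagg)


def audit(announcements, registry=REGISTRY):
    """Return only the announcements that need a human to look at them."""
    findings = (check_announcement(c, a, registry) for c, a in announcements)
    return [f for f in findings if f.verdict != "ok"]


if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print(finding)
```

A mismatch is a prompt to compare the registration history with the original registrant, not proof of hijacking; the deaggregated flag marks announcements that, as noted earlier in the thread, look the same to a third party whether or not the announcer holds the allocation.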
Roland Verlander wrote:
http://spamhaus.org/SBL/sbl.lasso?query=SBL7583 <quote> zombies hosting24-7.org / hostingonus.com / iohosting.us / tiethepen.com (zombie?)
193.231.248.0/24 is listed on the Register Of Known Spam Operations (ROKSO) database as being assigned to, under the control of, or providing service to a known spam operation run by zombies. Please see the ROKSO spam records for zombies </quote>
Note the question mark for the zombie. Also note that it states clearly that the spammer is known to run zombies, thus all networks are suspect. Personally, I'm more apt to believe that ssc nabbed the domain under false pretenses from rnc. Not that it matters.
-Jack
participants (14)
- Bill Mojo
- bmanning@karoshi.com
- Christian Malo
- Christopher L. Morrow
- Daniel Golding
- Jack Bates
- Joe Abley
- Joe Provo
- Kai Schlichting
- Mikael Abrahamsson
- Richard Cox
- Roland Verlander
- Ron da Silva
- Stephen Sprunk