Prefix hijacking by Michael Lindsay via Internap
Hello All,

I was hired by a Russian ISP company to get it back into business. Due to the impact of the financial crisis, the company was almost bankrupt, but then found an investor and has a big wish to live again.

When I tried to announce its networks, upstreams refused to accept it because of Spamhaus listings. But our employer swore there is not and was not any spamming from the company. Spamhaus lists all our networks as spamming zombies. And it IS announced and used now!!! The announcement is from the American-based company Internap (AS12182). I wrote an abuse report to them, but instead of stopping the unauthorized announcements of our networks, I was contacted by a person named 'Michael Lindsay' - he told me he bought our networks from some other people and demanded we retract our abuse reports. Of course, we don't. After a short googling, I found this is a well-known cyber crime person: http://www.spamhaus.org/rokso/listing.lasso?file=818&skip=0, and he did IP hijacking with a fake letter of authorization before: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8686 so our company is not his first victim. Yes, our company "helped" him with the mistake of losing the old domain link-telecom.biz, which he also squatted. This domain was listed as the contact in the RIPE Database.

It is a good topic why these easy-to-forge LOAs are still in use, as RADB/RIPE DB/other routing databases with password access are a common thing. But this is not the main thing. The main thing is why Internap helps the well-known felon commit a crime, and completely ignores our requests? Is there any way to push them to stop doing that immediately? If anybody can - please help...
What's the prefix you claim is hijacked?

/as

On 20 Aug 2011, at 22:05, Denis Spirin wrote:
Right now there are:

46.96.0.0/16
83.223.224.0/19
94.250.128.0/19
94.250.160.0/19
188.164.0.0/24

As I can see in the spam block lists like Spamhaus, all our networks were affected:

83.223.224.0/20
86.59.128.0/17
79.174.128.0/18
94.250.128.0/17
188.164.0.0/16
46.96.0.0/16

2011/8/21 Arturo Servin <arturo.servin@gmail.com>
What's the prefix you claim is hijacked?
/as
These prefixes are originated by AS31733, which seems to be assigned to the same organisation as the ASN, which in turn seems to be you.

I can see AS12182 in the path but not originating the route. So I do not understand what you are claiming.

.as

On 20 Aug 2011, at 23:05, Denis Spirin wrote:
Right now there are: 46.96.0.0/16 83.223.224.0/19 94.250.128.0/19 94.250.160.0/19 188.164.0.0/24
Yes, they are using our ASN 31733 to originate the networks. All the visible paths are through AS12182. Internap was contacted about a week ago, but did nothing.

No, I'm not a venture capitalist, but an IT specialist.

I am too sleepy, so I replied to Adrian directly while I wanted to post to the list.

2011/8/21 Arturo Servin <aservin@lacnic.net>
These prefixes are originated by AS31733, which seems to be assigned to the same organisation as the ASN, which in turn seems to be you.
I can see AS12182 in the path but not originating the route. So I do not understand what you are claiming.
On 21 Aug 2011, at 00:28, Denis Spirin wrote:
Yes, they are using our ASN 31733 to originate networks. All the visible paths are through AS12182. Internap was contacted about a week ago, but did nothing.
Which seems to be the right decision, because the whois data backs it up.
No, I'm not a venture capitalist, but IT specialist.
I am too sleepy, so replied to Adrian directly while wanted to post in the list.
If you are claiming rights over these prefixes, I suggest you contact RIPE NCC.

/as
On Aug 20, 2011, at 6:01 PM, Arturo Servin wrote:
If you are claiming rights over these prefixes, I suggest you contact RIPE NCC.
And that will do what exactly?

Back when I worked at an RIR, a prefix was "misplaced". I contacted the (country monopoly PTT) ISP and told them the prefix had been removed from APNIC's database and should not be routed. Their response was "We have a contract with the customer for connectivity. We do not have a contract with you." and I was encouraged to get the customer to voluntarily withdraw the prefix.

If BGPSEC+RPKI were deployed, there might be something active the RIRs could do. However, this has its own implications regarding centralized control of the routing system (as discussed, ironically enough, in the RIPE region). And this is going to get much more 'interesting' as the IPv4 free pool exhausts and the market moves from black to grey or white. Fun times ahead.

Regards,
-drc
I completely agree... the real issue here is the system is flawed and RIPE/ARIN/APNIC etc have zero actual authority over actual routing. Yet another reason they aren't worth the money we flush down the toilet for them to do absolutely nothing.

--Tammy

----- Original Message -----
From: "David Conrad" <drc@virtualized.org>
To: "Arturo Servin" <arturo.servin@gmail.com>
Cc: nanog@nanog.org
Sent: Saturday, August 20, 2011 11:25:51 PM
Subject: Re: Prefix hijacking by Michael Lindsay via Internap
On Aug 20, 2011, at 10:29 PM, Tammy A. Wisdom wrote:
I completely agree... the real issue here is the system is flawed and RIPE/ARIN/APNIC etc have zero actual authority over actual routing. Yet another reason they aren't worth the money we flush down the toilet for them to do absolutely nothing. --Tammy
That's not a flaw.
On Aug 20, 2011, at 10:29 PM, Tammy A. Wisdom wrote:
I completely agree... the real issue here is the system is flawed and RIPE/ARIN/APNIC etc have zero actual authority over actual routing. Yet another reason they aren't worth the money we flush down the toilet for them to do absolutely nothing. --Tammy
The system is this way BY DESIGN, and any other method would concentrate power which would be detrimental to the internet and counter to its open/consensus driven nature.

Whenever power or authority has been concentrated or centralized on the internet, the altruistic objective has almost always been distorted or corrupted to serve for-profit/commercial interests instead of community interests. The domain name system and ICANN is the perfect, iconic example of why we should never have a single entity with ACTUAL authority over routing.

The RIRs' job is to provide unique registrations, nothing else. And registry fees are for recovering costs necessary to provide the service and to maintain addressing policy.

Just like the IETF's job is to provide RFCs. But the IETF has no authority to go around to mailservers running certain software, and force them to be turned off for non-compliance with the RFC.

_Enforcement_ of RIR allocations is by network operators refusing to originate or propagate announcements by organizations unauthorized by the registered resource holder. So IANA/ARIN/RIPE/APNIC/etc _do_ have an effect on routing policy, it's just an indirect effect that depends on the operator community recognizing them as the IP address registry.

--
-JH
Jimmy,

On Aug 21, 2011, at 8:15 AM, Jimmy Hess wrote:
The system is this way BY DESIGN, and any other method would concentrate power which would be detrimental to the internet and counter to its open/consensus driven nature.
See recent discussions in RIPEland regarding BGPSEC+RPKI regarding policy 2008-08.
The RIRs' job is to provide unique registrations, nothing else. And registry fees are for recovering costs necessary to provide the service and to maintain addressing policy.
Googling "<RIR> budget 2011" gives (all in US$, using today's Euro and Aus$ conversion rates):

AfriNIC: 2011 Expenses: $2,832,614 (http://www.afrinic.org/corporate/Budget2011.pdf)
APNIC: 2011 Expenses: $14,815,906 (http://meetings.apnic.net/__data/assets/pdf_file/0005/31478/treasurers_repor...)
ARIN: 2011 Expenses: $16,412,160 (https://www.arin.net/about_us/corp_docs/budget.html)
RIPE: 2011 Expenses: $26,313,894 (http://www.ripe.net/ripe/docs/ripe-507, using today's exchange rate)

Can't seem to find a 2011 (or anything more recent than 2005) budget for LACNIC.

BTW, since you made passing reference to them and just FYA:

ICANN: Expenses: $61,164,000 (http://www.icann.org/en/financials/adopted-opplan-budget-fy12-09aug11-en.pdf)

So if LACNIC's budget is more than $790K, the RIRs combined budget for "providing unique registrations, nothing else" for IP addresses will be more than ICANN's budget for coordinating all unique Internet identifiers including addresses, IETF protocol parameters, and domains (and "promoting competition" in the latter) and dealing with a much larger community (at least as measured by meeting attendance).
_Enforcement_ of RIR allocations is by network operators refusing to originate or propagate announcements by organizations unauthorized by the registered resource holder.
Very true. Of course, defining "registered resource holder" and finding that information will likely get a bit more complicated in the future...

Regards,
-drc
RIPE/ARIN/APNIC etc have zero actual authority over actual routing.
That is not a flaw in the system, it is a fundamental precept of it. Their function (In Curran's words: "as the community has defined it") is as a registry of allocation data, not as some kind of authoritative regional route super-reflector.
Yet another reason they aren't worth the money we flush down the toilet for them to do absolutely nothing.
It seems obvious to me that an internet without -some- kind of addressing registry will not function. So you're being hyperbolic. Hyperbole weakens any argument - it reveals that the proponent is not rationally considering the issue.

I suspect you are completely aware that the RIRs perform real functions, and that your real objection is that they don't operate at some arbitrary level of efficiency, or perform some additional role that you've predefined (but not shared in your argument). Without a shared definition, it is impossible to have a constructive conversation (and I am assuming that you are on NANOG to be constructive, rather than to troll operators).

John Curran appears to be completely open to constructive suggestions, so if you have real and substantive input, why not contribute your intellect to the problem and talk to him? Every organization has things they could be doing better, but as in physics, it often requires some new outside force to make it happen.

Nathan Eisenberg
On Sun, Aug 21, 2011 at 05:26:46PM +0000, Nathan Eisenberg said:
John Curran appears to be completely open to constructive suggestions, so if you have real and substantive input, why not contribute your intellect to the problem and talk to him? Every organization has things they could be doing better, but as in physics, it often requires some new outside force to make it happen.

Well written. That said, what is the de jure response when a prefix is hijacked? Does anyone have a 'best practices' guide? I am sure some of the most effective vs legal practices are not in fact concomitant.

/kc
--
Ken Chase - ken@heavycomputing.ca skype:kenchase23 +1 416 897 6284 Toronto Canada
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
On Sun, 21 Aug 2011, Ken Chase wrote:
That said, what is the de jure response when a prefix is hijacked? Does anyone have a 'best practices' guide? I am sure some of the most effective vs legal practices are not in fact concomitant.
It doesn't hurt to complain/announce about it here and various other NOGs. Spamhaus, SORBS, and possibly other DNSBLs might, if they buy the case, decide to list the space until the dispute is resolved, especially if it's being used for spamming operations. But resolution is going to have to come from communications between the "owner", the relevant RIR, and the transit provider(s) (or possibly their transit providers) providing service to the hijacker. The RIRs can't stop anyone from announcing routes...but I suspect any legitimate NSP when approached by ARIN, RIPE, APNIC, etc. and told that routes they're propagating for a customer are hijacked, will accede to the opinion of the RIR.

----------------------------------------------------------------------
Jon Lewis, MCP :)         | I route
Senior Network Engineer   | therefore you are
Atlantic Net              |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
What I understand is that he is claiming that the registration of this prefix was hijacked from him. But honestly I do not know what the problem is. Anyhow, it won't be solved here.

Regards,
/as

On 21 Aug 2011, at 02:25, David Conrad wrote:
Hi Denis,

If Portnap doesn't / won't assist in this matter, you can send an abuse message to both Tinet and NTT and have them reject the prefixes on their ingress port.

They will probably only do that in case you have your AS record and route objects correctly documented and can actually provide the proof they require to do so.

Regards,
Erik
Hi Erik,

The RIPE DB shows clearly that Internap has NO permission to route our networks as the direct uplink. Am I wrong?

2011/8/21 Erik Bais <ebais@a2b-internet.com>
Your claim Denis Spirin really-stinks!

./randy

--- On Sat, 8/20/11, Arturo Servin <arturo.servin@gmail.com> wrote:
From: Arturo Servin <arturo.servin@gmail.com>
Subject: Re: Prefix hijacking by Michael Lindsay via Internap
To: "Denis Spirin" <noc@link-telecom.net>
Cc: nanog@nanog.org
Date: Saturday, August 20, 2011, 6:39 PM
What's the prefix you claim is hijacked?
/as
On Saturday 20 August 2011 18:05, Denis Spirin wrote:
Hello All,
I was hired by the Russian ISP company to get it back to the business. Due to impact of the financial crisis, the company was almost bankrupt, but then found the investor and have a big wish to life again. ...
Received: from mail-qy0-f177.google.com ([209.85.216.177]) by mailman.nanog.org with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <noc@link-telecom.net>) id 1QuwTJ-000AP1-FT for nanog@nanog.org; Sat, 20 Aug 2011 20:05:05 -0500
Received: by qyk2 with SMTP id 2so1654839qyk.15 for <nanog@nanog.org>; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.247.15 with SMTP id ma15mr447953qcb.1.1313888704629; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
Received: by 10.229.95.15 with HTTP; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
X-Originating-IP: [192.251.226.206]

Non-authoritative answer:
206.226.251.192.in-addr.arpa canonical name = rev-206.blutmagie.de.
rev-206.blutmagie.de name = anonymizer2.blutmagie.de.

Non-authoritative answer:
Name: anonymizer2.blutmagie.de
Address: 192.251.226.206

Resolving anonymizer2.blutmagie.de... 192.251.226.206, 2a02:3010:100:1::1:6de8
Connecting to anonymizer2.blutmagie.de|192.251.226.206|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4939 (4.8K) [text/html]
Saving to: `index.html'

index.html:
================
This is a Tor Exit Router

Most likely you are accessing this website because you had some issue with the traffic coming from this IP. This router is part of the Tor Anonymity Network, which is dedicated to providing privacy to people who need it most: average computer users. This router IP should be generating no other traffic, unless it has been compromised.
...
================

Hmmmm, interesting......

Adrian
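Tracing where a message was actually submitted from, as Adrian does above with the Received chain and X-Originating-IP, is a routine abuse-desk check before anyone acts on a hijacking claim. The following is an added example and not code from the thread: it parses a header block constructed from the lines Adrian quoted, returns the Received "from" hops in transit order and the originating address, and asks whether that address lies inside the prefixes Denis listed earlier (a sanity check this example adds, not a verdict either way). All function and constant names are this example's own.

```python
"""Added example: extract the submission source of an e-mail from its
Received chain and X-Originating-IP header, and compare it with a set of
claimed prefixes. Not code from the NANOG thread; sample data is constructed."""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample: the Received chain quoted in the thread, re-folded
# into ordinary header lines (body omitted).
RAW_MESSAGE = """\
Received: from mail-qy0-f177.google.com ([209.85.216.177])
\tby mailman.nanog.org with esmtp (Exim 4.76 (FreeBSD))
\t(envelope-from <noc@link-telecom.net>)
\tid 1QuwTJ-000AP1-FT
\tfor nanog@nanog.org; Sat, 20 Aug 2011 20:05:05 -0500
Received: by qyk2 with SMTP id 2so1654839qyk.15
\tfor <nanog@nanog.org>; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.247.15 with SMTP id ma15mr447953qcb.1.1313888704629;
\tSat, 20 Aug 2011 18:05:04 -0700 (PDT)
Received: by 10.229.95.15 with HTTP; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
X-Originating-IP: [192.251.226.206]
From: noc@link-telecom.net
To: nanog@nanog.org
Subject: Prefix hijacking by Michael Lindsay via Internap

(body omitted)
"""

# The prefixes the sender claims in the thread; used only as a sanity check.
CLAIMED_PREFIXES = [ip_network(p) for p in (
    "83.223.224.0/20", "86.59.128.0/17", "79.174.128.0/18",
    "94.250.128.0/17", "188.164.0.0/16", "46.96.0.0/16",
)]

# "from <host> (... [<ip>])" as most MTAs write it; "by <host>" follows it.
FROM_RE = re.compile(r"\bfrom\s+(?P<host>\S+)\s+\(.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)


def received_hops(raw: str) -> List[Dict[str, str]]:
    """Return the 'from' hops of the Received chain in transit order
    (earliest hop first). Hops without a 'from' clause (webmail and
    internal relays here) carry no peer address and are skipped."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # headers are prepended
        flat = " ".join(value.split())                     # unfold the header
        m = FROM_RE.search(flat)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group("ip")))
        except ValueError:
            continue                                       # not a literal address
        by = BY_RE.search(flat)
        hops.append({"host": m.group("host"), "ip": ip,
                     "by": by.group("by") if by else ""})
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """Prefer the provider's X-Originating-IP (set by webmail front ends
    from the client connection); fall back to the earliest 'from' hop."""
    msg = message_from_string(raw)
    hdr = msg.get("X-Originating-IP")
    if hdr:
        try:
            return str(ip_address(hdr.strip().strip("[]")))
        except ValueError:
            pass
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def sent_from_claimed_space(ip: str, prefixes=CLAIMED_PREFIXES) -> bool:
    """Does the submission address fall inside the networks the sender
    says are theirs? A 'no' proves nothing by itself; it is a flag."""
    addr = ip_address(ip)
    return any(addr.version == p.version and addr in p for p in prefixes)


if __name__ == "__main__":
    src = originating_ip(RAW_MESSAGE)
    print("submission source:", src)
    print("relay hops:", received_hops(RAW_MESSAGE))
    print("inside claimed prefixes:", sent_from_claimed_space(src))
```

The reverse lookup and fetch that Adrian ran against the resulting address are left to the analyst; the example stops at the point where the header evidence ends, which is the point at which it is still trustworthy (Received lines added by your own MTA are reliable, earlier ones only as far as you trust the relays that wrote them).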
Just as interesting is that those prefixes are certainly on spamhaus.

This should turn out very interesting indeed - maybe RIPE NCC should just reclaim those prefixes till their ownership is resolved. If ever.

On Sun, Aug 21, 2011 at 7:43 AM, Adrian <choprboy@dakotacom.net> wrote:
Hmmmm, interesting......
-- Suresh Ramasubramanian (ops.lists@gmail.com)
RIPE NCC staff is already doing its investigation.

And RIPE NCC can't stop the routing at all.

2011/8/21 Suresh Ramasubramanian <ops.lists@gmail.com>
Just as interesting is that those prefixes are certainly on spamhaus.
This should turn out very interesting indeed - maybe RIPE NCC should just reclaim those prefixes till their ownership is resolved. If ever.
You could ask that they withdraw the prefixes and see if that works?

On Sun, Aug 21, 2011 at 8:45 AM, Denis Spirin <noc@link-telecom.net> wrote:
RIPE NCC staff is already doing its investigation.
And RIPE NCC can't stop the routing at all.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
RIPE NCC can't withdraw any prefixes. They can do de-registration. In this case it will not lead to a withdrawal, as it is announced without any regard for the RIPE Database, like the Routing Registry. So it will change from a hijacked company prefix to a hijacked unused prefix, with the same result - mass spamming from it.

2011/8/21 Suresh Ramasubramanian <ops.lists@gmail.com>
You could ask that they withdraw the prefixes and see if that works?
Get that changed first eh? It just might prove that you own those prefixes.

On Sun, Aug 21, 2011 at 9:02 AM, Denis Spirin <noc@link-telecom.net> wrote:
RIPE NCC can't withdraw any prefixes. They can do de-registration. In this case it will not lead to a withdrawal, as it is announced without any regard for the RIPE Database, like the Routing Registry. So it will change from a hijacked company prefix to a hijacked unused prefix, with the same result - mass spamming from it.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sat, Aug 20, 2011 at 11:18 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
You could ask that they withdraw the prefixes and see if that works?
whois 46.96.0.0

inetnum: 46.96.0.0 - 46.96.39.255
netname: LINKTEL-MAN-ETHERNET-EXTENSION
Updated: 2011-03-15
*************
e-mail: noc@link-telecom.net

whois link-telecom.net

Domain Name: LINK-TELECOM.NET
Creation Date: 16-aug-2011
*************

Would YOU filter announcements from YOUR customer based solely on an email request from noc@link-telecom.net?

The Spamhaus reports appear credible, as does the RIPE registration issue with those prefixes. If I was InterNAP, I think I'd challenge my customer about them. Start of business Monday morning.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
I did ask him to try it and see if it works .. when it doesn't work, that'd be the next act in this little dog and pony show.

On Sun, Aug 21, 2011 at 9:11 AM, William Herrin <bill@herrin.us> wrote:
The Spamhaus reports appear credible, as does the RIPE registration issue with those prefixes. If I was InterNAP, I think I'd challenge my customer about them. Start of business Monday morning.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Saturday 20 August 2011 19:49, Suresh Ramasubramanian wrote:
Just as interesting is that those prefixes are certainly on spamhaus.
This should turn out very interesting indeed - maybe RIPE NCC should just reclaim those prefixes till their ownership is resolved. If ever.
On Sun, Aug 21, 2011 at 7:43 AM, Adrian <choprboy@dakotacom.net> wrote:
Hmmmm, interesting......
He contacted me privately and stated he always uses Tor. I explained how that lends even less credibility than a questionable/forged transfer authority in business discussions... He claims he will be posting from his office Monday morning.

The good credibility: There does appear to be a Denis Spirin in ?the Ukraine? who is an IT consultant. There is also a Denis Spirin who appears to be a director at a Russian venture capitalist... unknown if they have any connection.

The bad credibility: Posting thru Tor via GMail. The "link-telecom.net" domain appears to have no services or presence other than an MX record to GMail. The same "noc@link-telecom.net" address he controls is also the registered contact on all the IP blocks in Spamhaus and allegedly hijacked... why not just contact Internap directly?

Adrian
Hello Adrian,

I tried to reply to the list from the office without the TOR you don't like, and got this:

<nanog@nanog.org>: host mailman.nanog.org[204.93.212.138] said: 550-rejected because 86.59.128.2 is in a black list at zen.spamhaus.org 550 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL116130 (in reply to RCPT TO command)

So I have to continue to use TOR when writing to NANOG.

P.S. The abuse department of Telia rejected my list for the same reason, which surprised me a lot.

2011/8/21 Adrian <choprboy@dakotacom.net>
Hi Denis,

Convenient as it may be to use a LIR and their historically provided prefixes, have you thought about starting with a clean slate? If the company was close to bankrupt, one can only assume that it didn't require a couple of /16's and a couple of /19's ... Didn't you get ANY questions from RIPE in that regard when you discussed the topic with them? The reason why those prefixes were provided isn't valid anymore, and if you are restarting the business even a /21 should be enough ... Even in Russia it will take some time to get the customers back, especially if they have been offline for some time. (If they were not offline, the prefixes wouldn't have been hijacked, correct? ...)

Next to this all, none of the prefixes that I currently see under the stated AS have a route-object in the RIPE db, and the AS object AS31733 hasn't been updated since 2008, as none of the AS's listed there are current / active upstreams / peers.

From where I stand it doesn't surprise me that your upstreams don't want to advertise it, and if they would, don't be surprised if some networks filter your prefixes regardless of whether you are listed on a shady list on Spamhaus.

Regards,
Erik Bais
On Sun, Aug 21, 2011 at 3:27 AM, Erik Bais <ebais@a2b-internet.com> wrote:
Convenient as it may be to use a LIR and their historic provided prefixes, have you thought about starting with a clean slate ?
It's probably better for the network community if he _doesn't_ let an apparently known hijack continue; maybe any address hijacker(s) involved will learn a lesson and stop. In the long run it's probably not the most convenient action; the hijack has probably 'tainted' the reputation of the addresses, as in the Spamhaus listing[?]

The most responsible action would be to try to put a stop to any hijack/unofficial use of the existing prefix, and after the new network requirements are determined, return any portion of the assigned addresses that is no longer immediately justified under the current network design.

If info is correctly fixed in WHOIS, then send each of the AS/upstream AS contacts from the announcement a letter from the administrative / tech contact to request that they stop propagating such and such errant announcement from the prefix, as long as rogue announcements continue.... If it continues to be a problem, find the upstreams' upstreams, until you are sending letters to Tier1 operators.

Regards,
--
-JH
Hi All, I looked up Internap here http://www.robtex.com/as/as31733.html#graph on the 24th of August and found Internap announced our networks to Telia, Cogent, NTT, Glbx and Tinet. I wrote to all of them. The first reply was from Tinet. They even had the time and the wish to call me by phone. They said they had stopped the criminal route and started an investigation with Internap. Then there was a short reply from NTT saying they had asked Internap for comments, and silence after it. Telia, Cogent (which in some cases is very brave about not routing networks that are in Spamhaus lists, but somehow not in this case) and GLBX have not replied at all. Now I see in the picture above there are new direct announces to Savvis, ATT and Sprint. I know well this criminal only needs to be reachable from AOL, where they do their spamming. And it can be not only via Tier1. As Internap doesn't reply to our mails, and spreads the direct announcement to avoid possible Tier1 filtering, I now believe Internap itself is involved in this crime and is doing such things with open eyes and with the acquiescence of the Tier1's. You don't care? So look at this. Now there are a lot of networks that can be considered lost and unused. And only a few of them, like us, will be back in business. It's easy to do hijacking without any interaction with actually working networks. Things are changing. One year later, there will be almost no free or unused IPv4 networks. If nothing changes, such criminals will hijack YOUR working networks. Because it will still be possible, it will still go scot-free, and nobody will still care. It is enough to hijack a part of your network, like a more specific prefix, for only a few days to do mass spamming; this makes your network completely dirty and probably unusable in future. So why not? I well understand there are no technical means to prevent hijacks. But there can be some administrative good practice to stop it.
The penalty for that, and for assistance in that, may make the criminal think twice before doing a hijack, or better, make it not profitable at all. The step forward can be following the routing registry databases like the RIPE DB, at least for such controversial cases. But Internap ignores it, as well as their uplinks.
2011/8/21 Jimmy Hess <mysidia@gmail.com>
If it continues to be a problem, find the upstreams' upstreams, until you are sending letters to Tier1 operators.
Regards,
-- -JH
Hello All, let me tell you the end of the story with the hijacking of our networks. So, at the end of July, we found some of our networks were announced somewhere without our permission. That was the illegal announce from Internap. We sent a letter to Internap on August 11th. Internap replied with a forward of the fake LOA someone had sent from the domain link-telecom.biz on June 9th. Then Internap refused to reply to any mail from us until now. Further investigation found link-telecom.biz was our old domain, which we lost in February, and it was the contact e-mail listed in the RIPE database. In February our company was on the way to closing, nobody believed we would survive, so nobody cared about it. Then when things went well, everybody just forgot about the old lost domain, as well as about updating the RIPE database with new contacts. I understand well why Internap announced our networks after the first letter from the actual RIPE DB contact email. But I don't understand why they didn't stop the announcement after the second (our) letter from the updated actual contact with our explanation of the situation. Worse than that, the reverse DNS was delegated to the old lost domain, so the criminal got the rDNS too. After the mail we sent to Internap, someone named Michael Lindsay contacted us and said it is his network! A bit of googling found he is a well-known hijacker and spammer, so of course we forwarded it to Internap. Without any reaction at all. In this list (thank you a lot!!!) I got the advice to mail the uplinks of Internap, so I did it on August 25th. The first reply was from NTT; they started an investigation, and on the 29th they filtered the announces. On the 29th Cogent replied too, and filtered out the illegal announce. These were all the replies I got. In parallel, I started to announce not only our networks, but more specific prefixes, to our uplink in Moscow. Together with the rDNS redelegation, this made it impossible for Internap to use our networks (i.e. to do spamming), so they stopped the illegal activity yesterday. This is almost done, except for the long work of writing to a lot of mail reputation and blacklist operators to get our networks delisted. So, no one is protected from IP network stealing. And no one cares. If Internap or its uplinks had been more clever and more insistent, we really would have had a chance to lose our networks forever. I am definitely sure we need to find and implement some practice to prevent IP hijacking. I dug into a lot of things about secure routing, PKI signing and so on; there are no working solutions now, and there will not be in the near future. But it is possible to negotiate and arrange a formal (administrative) best practice for resolving and preventing such issues. Are there any ideas?
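The counter-measure described in the post above (announcing more-specific prefixes from the legitimate uplink) works because of longest-prefix match, which every router applies before any BGP tie-breaker such as AS-path length. The same mechanism is what makes the partial hijack warned about earlier in the thread effective against a victim. The following is an added example, not code from any poster; the prefixes (documentation space) and ASNs (private range) are constructed and are not the ones discussed in the thread.

```python
"""Longest-prefix match over a constructed routing table.

Added example, not code from the thread. All prefixes and ASNs are constructed
(RFC 5737 documentation space and private ASNs), not the ones in the thread.
"""
import ipaddress

# Constructed roles: AS64512 announces prefixes it does not hold,
# AS64513 is the legitimate holder of 203.0.113.0/24.
HIJACK_ASN = 64512
LEGIT_ASN = 64513


def rib_from(entries):
    """Build a RIB as (network, origin ASN) pairs from string prefixes."""
    return [(ipaddress.ip_network(p), asn) for p, asn in entries]


def best_route(rib, dst):
    """Return the (prefix, origin) entry with the longest prefix covering dst,
    or None if nothing covers it. Longest-prefix match is decided before any
    BGP attribute is compared, so a more specific always beats an aggregate."""
    addr = ipaddress.ip_address(dst)
    candidates = [(pfx, asn) for pfx, asn in rib if addr in pfx]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)


def origin_for(rib, dst):
    """Convenience wrapper: the origin ASN that traffic to dst would reach."""
    entry = best_route(rib, dst)
    return entry[1] if entry else None


# Scenario 1: only the unauthorised aggregate is in the table.
HIJACKED_ONLY = rib_from([("203.0.113.0/24", HIJACK_ASN)])

# Scenario 2: the holder also announces both halves, as in the post above.
WITH_MORE_SPECIFICS = rib_from([
    ("203.0.113.0/24", HIJACK_ASN),
    ("203.0.113.0/25", LEGIT_ASN),
    ("203.0.113.128/25", LEGIT_ASN),
])

# Scenario 3: the reverse case the thread warns about: a single more specific
# announced by someone else out of a legitimately announced aggregate.
PARTIAL_HIJACK = rib_from([
    ("203.0.113.0/24", LEGIT_ASN),
    ("203.0.113.64/26", HIJACK_ASN),
])

if __name__ == "__main__":
    for name, rib in [("hijacked only", HIJACKED_ONLY),
                      ("with more specifics", WITH_MORE_SPECIFICS),
                      ("partial hijack", PARTIAL_HIJACK)]:
        print(name, {d: origin_for(rib, d)
                     for d in ("203.0.113.10", "203.0.113.70", "203.0.113.200")})
```

One caveat for the defender: most operators reject prefixes longer than /24 in the global table, so splitting a /24 as in this constructed table would not propagate; the technique is useful for aggregates larger than /24, such as the /16 and /19 blocks mentioned in the thread. It also only buys time, since the same more-specific game is open to the other side, and it does nothing about reputation damage already done.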
On Wed, Aug 31, 2011 at 12:56 PM, Denis Spirin <noc@link-telecom.net> wrote: (snip)
So, no one is protected from IP network stealing. And no one cares. If Internap or its uplinks had been more clever and more insistent, we really would have had a chance to lose our networks forever.
Denis, I think you handled it pretty well from your end.
I am definitely sure we need to find and implement some practice to prevent IP hijacking. I dug into a lot of things about secure routing, PKI signing and so on; there are no working solutions now, and there will not be in the near future.
As has been referred to in this thread a few times already, there's been a long recent discussion on BGPSEC+RPKI in RIPE's address-policy working group. Because big red "remove-it" buttons inevitably lead to things like http://www.guardian.co.uk/world/2011/aug/30/pakistan-bans-encryption-softwar... : "Recently the regulator made it impossible for Pakistanis to access the website of Rolling Stone magazine, after it published an article on the high proportion of the national budget in Pakistan that goes on its military."
But it is possible to negotiate and arrange a formal (administrative) best practice for resolving and preventing such issues. Are there any ideas?
I offer: Keep records, talk to people, keep domain names. Network with people, use GPG (perhaps even put the fingerprint on your business card?), and so on. With the latest incarnation of the utter failure of the CA trust model/design for websites, there seems to be renewed energy in providing alternative ways to model (distributed) trust. It looks to me like we're moving more and more towards a multi-source based trust system ( http://perspectives-project.org/ , http://convergence.io/ ). I guess something similar will happen with BGP data (it's suggested to be one of several metrics in convergence), or they may just end up being pretty much the same system. *This* is the general path forward for a robust future Internet... Best regards, Martin
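The thread's requests for "secure routing, PKI signing" and the pointer to the BGPSEC+RPKI discussion come down to one concrete check: does the announced prefix and its origin AS match what the address holder has cryptographically attested? The function below is an added illustration of RPKI Route Origin Validation as later formalised in RFC 6811; it is not code from any poster or from any RPKI project, and the ROAs, prefixes (documentation space) and ASNs (private range) are constructed. It also shows the "notfound" outcome, which is where an address block with no route object or ROA sits: a router has nothing to compare against, so it can neither accept nor reject the announcement on its own, and the decision falls back to paper LOAs like the forged one in this story.

```python
"""Route Origin Validation (RFC 6811 algorithm) over a constructed ROA set.

Added example illustrating the BGPSEC/RPKI discussion in this thread; not code
from any poster or RPKI implementation. Prefixes and ASNs are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` allows `asn` to
    originate it and any more specific down to `max_length`."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


def validate_origin(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    A ROA covers the announcement when the announced prefix lies inside the
    ROA prefix. No covering ROA -> notfound (the holder has attested nothing).
    A covering ROA with the same ASN and max_length >= announced length
    -> valid. Covering ROAs exist but none matches -> invalid."""
    pfx = ipaddress.ip_network(prefix)
    covering = [r for r in roas if pfx.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and pfx.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def apply_policy(announcements, roas, drop_invalid=True):
    """Filter (prefix, origin) announcements the way a router doing ROV would:
    drop invalids (if enabled), keep valid and notfound. Returns the kept
    announcements together with their validation state."""
    kept = []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        if state == "invalid" and drop_invalid:
            continue
        kept.append((prefix, origin, state))
    return kept


# Constructed data. AS64513 holds 203.0.113.0/24 and permits splitting it
# down to /25; AS64512 is an unauthorised origin. 198.51.100.0/24 has no ROA.
HOLDER_ASN = 64513
OTHER_ASN = 64512
ROAS = [roa("203.0.113.0/24", 25, HOLDER_ASN)]

ANNOUNCEMENTS = [
    ("203.0.113.0/24", HOLDER_ASN),   # legitimate aggregate
    ("203.0.113.0/24", OTHER_ASN),    # aggregate from the wrong origin
    ("203.0.113.0/25", HOLDER_ASN),   # holder's more specific, within maxLength
    ("203.0.113.64/26", OTHER_ASN),   # partial hijack via a more specific
    ("203.0.113.64/26", HOLDER_ASN),  # too specific even for the holder
    ("198.51.100.0/24", OTHER_ASN),   # no ROA at all: nothing to check against
]

if __name__ == "__main__":
    for prefix, origin, state in apply_policy(ANNOUNCEMENTS, ROAS, drop_invalid=False):
        print(f"{prefix:<18} AS{origin}  {state}")
```

Two design points worth noting. First, the result is only as good as the ROA the holder publishes: with no ROA everything is "notfound" and a router will carry the route, which is why the thread's advice to keep registry data current applies just as much to RPKI. Second, a maxLength set wider than what the holder actually announces leaves room for an unauthorised more specific that still validates, so the ROA should cover only the lengths the holder really originates.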