
nanog mailing list archives

Re: Ettiquette and rules regarding Hijacked ASN's or IP space?
From: william () elan net
Date: Sun, 8 Jun 2003 21:35:54 -0700 (PDT)


Well as some of you know as of late I've been involved in investigations of 
a number of hijacked ip blocks (about 40 and looking at more) and can tell 
you that for the greater majority of companies (especially for companies that 
had /16s but even for companies that had /24) the records on the internet do 
exist and not just in the whois - these are email messages in newsgroups, 
webpages, passing references, etc. In fact I'm able to trace what happened 
to the original company that had the ip block in 90% of the cases and based on 
that can tell if the company currently using the ip block had any relation
with the original or not - that is the primary criterion to determine if an ip block is 
hijacked. I'll release my findings on this list in a week or two and you'll 
all be able to see this all.

As far as rules being uniformly applied - yes they should be, it's not a 
matter of if the abuse exists from that ip block or not, it's a matter of
somebody using an ip block that they are not authorized to use and is basically theft 
of resources (if that company does not exist their resources should be 
back with ARIN - but this is actually rare, usually some other company 
buys the original and very few companies I've seen just disappeared entirely).

As for ARIN this question I expect would be raised at the next meeting and 
should be properly discussed on their ppml mailing list. I'm not sure how 
much they can or should do and don't want to give my recommendation about 
it right now. What I can tell you is that they are not proactive right 
now - for all the reports they received from me (and this is as I said 
almost 40 reports, the reports were very detailed about which company 
should have the ip block and the case was quite well proved with materials 
from multiple sources) - ARIN has not tried to contact the companies, 
the maximum they did was to restore the original whois records from before the ip block
got hijacked. I do hope that based on what they have seen ARIN will be a 
little more careful about changes to whois and will require more 
documentation before making a change to a particular old record - I personally 
think they should proactively investigate to confirm information similar 
to how I've been doing it before proceeding with changes.

BTW: On the particular case of AS8143 - it was hijacked, but it also appears 
that the original company that had used this AS is not entirely dead, they are 
in the process of restructuring and some of the use for that AS is valid. 
Basically it appears the hijacker took a particular AS they just used for their
announcements of hijacked ip space which were independent of other 
announcements of AS8143 which were ok.

On Mon, 9 Jun 2003, Christopher L. Morrow wrote:



So, with all this lifting the curtains on hijacked ASN's and ipblocks
recently I have a few general questions...

1) Should the rules be uniformly applied?
2) Should these rules be applied even when something 'bad' might happen?
3) How much involvement should ARIN have in enforcing these rules?

Now, by 'rules' I mean:

If you steal something you have to give it back, regardless of who you
are.

So, for an example, if I steal ASN 8143 (already stolen so it's moot) and
I'm 'a good guy', all I want to do is run a network no spam/abuse emanates
from it, should I be subject to the 'witch hunt' that my fellow ASN
stealer who does abuse/spam deals with? The same is asked for hijacked ip
space. If I steal/hijack a large netblock, not from an active org so there
is no 'damage' done, and I don't spam/abuse from it should I be compelled
to return it also? Compelled in the same way that my brother stealer who
spams/abuses is?

I am not advocating one or the other, and to me the rules should apply to
both groups (all thieves treated equally)... I'm just curious as to the
general thought on this subject.

Additionally, how should ARIN go about verifying proper 'ownership' (that
I am still me after all these years of 'inactivity'), how much is enough
research on these issues? I know that at the ISP there is a measure of
trust placed on the customer, and upstream/downstream, when it comes to
ASN's and ip announcements. ARIN is in the same position as near as I can
tell. They have to trust that the community both is trustworthy (to an
extent) and conscientious. If there are bad actors out there that go to
enough trouble they can make ASN's or ip blocks appear to be registered to
themselves. There may be breadcrumbs of evidence if you look hard enough,
perhaps there won't be. How hard should ARIN be looking at these issues
and at specific instances? Should they apply their rules without
prejudice?

Sorry for the late-night not-completely-operational question :) but it
seems as though there is some ambiguity in the current
process/procedure/rules and I'd like to at least start some discussion on
the topic.

Thanks.

--Chris
(chris () uu net)
#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-886-3823 (C)703-338-7319                   ##
#######################################################