nanog mailing list archives

Re: Ongoing ASN and IP Space Hijacks: Update (TimeWarner/Level3/Tiscali)
From: "Ronald F. Guilmette" <rfg () tristatelogic com>
Date: Mon, 25 Apr 2011 16:43:34 -0700


In message <AEA8602C-29BD-4585-A723-8A62E71DC0A8 () virtualized org>, 
David Conrad <drc () virtualized org> wrote:

> Simple question:  Does anybody give a damn?

I suspect a lot of folks do, however giving a damn and having the
ability to do anything about it may not coincide.

Do you or your company connect to Level3, TimeWarner, or Tiscali?

For those that do, maybe this is an opportunity to make your opinions
regarding the apparently ongoing support of these companies to hijacked
ASNs and IP blocks known.

> Where can people go to gain more understanding of the methodologies you
> use to establish probable hijacks?

Find?  Or establish?

As regards to finding them in the first place, my methodology involves
specialized tools I've invented and constructed, and these employ methods
that are currently maintained as trade secrets for obvious reasons.

Verifying the status of a given block or ASN as being a probable hijack
involves simply looking at the publicly available evidence, and checking
for a number of factors.  Among these are (in no particular order):

    *)  Was the block or ASN first allocated prior to the 1997 formation of
        ARIN?  (If so, then it is a "legacy" resource, and these are the
        ones most frequently hijacked by far.)

    *)  Does the company or other legal entity to which the block or ASN was
        allocated still even exist?  (Google is your friend.)

    *)  Has the relevant WHOIS record been altered recently, in particular
        the contact information (name, phone, e-mail) ?  If so, that alone
        is somewhat suspicious, but especially so if the current e-mail
        contact address for the relevant number resource is in a domain
        which itself was only registered (or re-registered) recently.

    *)  Is it possible to still make contact with the legal entity to which
        the number resource was allocated via the phone number given in the 
        relevant WHOIS record?  (Only meaningful if the relevant WHOIS record
        has NOT been recently altered.)

    *)  Is it possible to still make contact with the legal entity to which
        the number resource was allocated via the e-mail address given in the 
        relevant WHOIS record?  (Only meaningful if the relevant WHOIS record
        has NOT been recently altered.)

    *)  Does the block (or the blocks routed by the ASN in question) contain
        a lot of self-evident snowshoe spamming domains, e.g. domains with
        nonsense names, or with no web sites, or with no mail servers, or
        all created relatively recently, perhaps all via the same single
        registrar?  (In the cases I look at, sometimes all of these factors
        are present.)

    *)  In the case of an IP block, does the company that's routing the block
        have a prior track record of being involved in hijacking incidents?

    *)  In the case of an ASN that is providing routing to one or more
        suspicious blocks, does the ASN in question have only a single
        upstream, as per www.robtex.com?

    *)  In the case of an ASN that is providing routing to one or more
        suspicious blocks, does the ASN in question have only a single
        upstream, as per www.robtex.com, AND does that single upstream
        have a prior track record of being involved in hijacking incidents?


Regards,
rfg
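The checklist above, turned into a triage function as an added example; this is not the author's code (he describes his tools as trade secrets). The `Resource` fields, the 180-day window for "recently", the ARIN start date used as the legacy cutoff, and the sample record are all assumptions or constructed values, not facts from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Both thresholds are assumptions, not numbers from the post.
ARIN_START = date(1997, 12, 22)   # allocations before this count as "legacy"
RECENT = timedelta(days=180)      # how recent counts as "recently"

@dataclass
class Resource:
    """What an analyst pulled from WHOIS, robtex, phone/e-mail checks."""
    allocated: date                  # original allocation date of the block/ASN
    whois_modified: date             # last change to the WHOIS record
    contact_domain_registered: date  # registration date of the contact e-mail domain
    org_exists: bool                 # does the allocated-to entity still exist?
    phone_reachable: bool            # did the WHOIS phone number reach that entity?
    email_reachable: bool            # did the WHOIS e-mail reach that entity?
    snowshoe_domains: bool           # nonsense names, no web/MX, same recent registrar
    router_prior_incidents: bool     # routing org previously tied to hijacks
    upstream_count: int              # upstreams of the routing ASN (per robtex)
    upstream_prior_incidents: bool   # its single upstream previously tied to hijacks

def hijack_indicators(r: Resource, today: date) -> list[str]:
    """Walk the checklist; return the factors pointing to a probable hijack."""
    hits = []
    if r.allocated < ARIN_START:
        hits.append("legacy")
    if not r.org_exists:
        hits.append("org-defunct")
    if today - r.whois_modified <= RECENT:
        hits.append("whois-recently-altered")
        if today - r.contact_domain_registered <= RECENT:
            hits.append("contact-domain-recent")
    else:  # contact checks only mean something when WHOIS was NOT altered
        if not r.phone_reachable:
            hits.append("phone-unreachable")
        if not r.email_reachable:
            hits.append("email-unreachable")
    if r.snowshoe_domains:
        hits.append("snowshoe-domains")
    if r.router_prior_incidents:
        hits.append("router-prior-incidents")
    if r.upstream_count == 1:
        hits.append("single-upstream")
        if r.upstream_prior_incidents:
            hits.append("single-upstream-prior-incidents")
    return hits

# Constructed case (made-up values): legacy block, WHOIS just rewritten, single upstream with prior incidents.
SAMPLE = Resource(date(1992, 3, 4), date(2011, 3, 1), date(2011, 2, 20), False,
                  False, False, True, False, 1, True)
```

Calling `hijack_indicators(SAMPLE, date(2011, 4, 25))` returns seven of the listed factors; note that the phone and e-mail checks are skipped for that record because its WHOIS was altered recently, exactly the caveat the post attaches to them.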

