nanog mailing list archives

Re: Prefix hijacking by Michael Lindsay via Internap
From: Denis Spirin <noc () link-telecom net>
Date: Wed, 31 Aug 2011 12:56:07 +0200

Hello All,

let me tell you the end of the story of the hijacking of our networks.

So, at the end of July, we found some of our networks were announced
somewhere without our permission. That was the illegal announcement from
Internap. We sent a letter to Internap on August 11th. Internap replied
by forwarding the fake LOA someone had sent from the domain
link-telecom.biz on June 9th. Since then Internap has refused to reply to any
mail from us. Further investigation found link-telecom.biz was our old
domain, which we lost in February, and it was the contact e-mail listed in the RIPE
database. In February our company was on the way to closing; nobody believed
we would survive, so nobody cared about it. Then when things went well, all
people just forgot about the old lost domain, as well as about updating the RIPE
database with new contacts. I understand well why Internap announced our
networks after the first letter from the actual RIPE DB contact email. But I
don't understand why they didn't stop the announcement after the second
(our) letter from the updated actual contact with our explanation of the
situation.

Worst of all, the reverse DNS was delegated to the old lost domain, so the
criminals got the rDNS too.

After the mail we sent to Internap, someone named Michael Lindsay contacted
us and said it is his network! A bit of googling found he is a well-known
hijacker and spammer, so of course we forwarded it to Internap. Without
any reaction at all.

On this list (thank you a lot!!!) I got the advice to mail the uplinks of
Internap, so I did that on August 25th. The first reply was from NTT; they
started an investigation, and on the 29th they filtered the announcements. On
the 29th Cogent replied too, and filtered out the illegal announcement. Those
were all the replies I got.

In parallel, I started to announce not only our networks, but also more
specific prefixes, to our uplink in Moscow. Together with the rDNS
redelegation, this made it impossible for Internap to use our networks (i.e.
to do spamming), so they stopped the illegal activity yesterday. This is
almost done, except for the long work of writing to a lot of mail reputation
and blacklist operators to get our networks delisted.

So, no one is protected from IP network stealing. And no one cares. If
Internap or its uplinks had been more clever and more insistent, we really had
a chance of losing our networks forever. I am definitely sure we need to find
and implement some practice to prevent IP hijacking. I dug into a lot of
things about secure routing, PKI signing and so on; there are no working
solutions now, nor will there be in the near future. But it is possible to
negotiate and arrange a formal (administrative) best practice for resolving
and preventing such issues. Are there any ideas?
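The countermeasure described in the post (announcing more-specific prefixes alongside the hijacked aggregate so that traffic returns to the legitimate origin) rests on longest-prefix match being evaluated before any BGP path attribute. The following is an added illustration, not code from the thread or from any of the networks named in it: a toy routing table with a simplified best-path rule (longest prefix, then shortest AS_PATH), populated with constructed private ASNs and private address space, that shows the forwarding decision before and after the more-specifics are added.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One BGP path as seen from a single vantage point.
    Simplified to prefix, origin AS and AS_PATH length."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    as_path_len: int


def best_route(rib, addr):
    """Route used to forward to addr: longest prefix match first, then the
    shortest AS_PATH as a stand-in for the rest of BGP best-path selection."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in rib if ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.as_path_len))


def origin_for(rib, addr):
    """Origin AS that traffic for addr is actually delivered to, or None if unrouted."""
    route = best_route(rib, addr)
    return None if route is None else route.origin_as


def more_specifics(net, new_prefixlen, origin_as, as_path_len):
    """Split net into equal-size more-specific announcements from one origin."""
    return [Route(sub, origin_as, as_path_len)
            for sub in net.subnets(new_prefix=new_prefixlen)]


# Constructed example data (private ASNs, private address space); not from the thread.
LEGIT_AS = 64512      # the legitimate holder, announcing via its own uplink
HIJACK_AS = 64513     # the unauthorised origin behind the forged LOA
OUR_NET = ipaddress.ip_network("10.64.0.0/22")

# Before: both origins announce the identical /22. From this vantage point the
# unauthorised path is shorter, so it wins best-path and attracts the traffic.
RIB_BEFORE = [
    Route(OUR_NET, LEGIT_AS, as_path_len=4),
    Route(OUR_NET, HIJACK_AS, as_path_len=2),
]

# After: the legitimate holder additionally announces the two covering /23s.
# Longest-prefix match wins before AS_PATH is even compared, so every address
# in the /22 now goes to the legitimate origin although the hijacked /22 is
# still present in the table.
RIB_AFTER = RIB_BEFORE + more_specifics(OUR_NET, 23, LEGIT_AS, as_path_len=4)


def summarize(rib, samples=("10.64.0.1", "10.64.2.200")):
    """Map each sample address to the origin AS it is delivered to."""
    return {addr: origin_for(rib, addr) for addr in samples}


if __name__ == "__main__":
    print("before:", summarize(RIB_BEFORE))   # both addresses -> 64513
    print("after: ", summarize(RIB_AFTER))    # both addresses -> 64512
```

Two caveats for anyone relying on this in practice: most transit networks do not accept IPv4 announcements longer than /24, so the trick only works for blocks that still have room to split, and it only shifts traffic, it does not remove the bogus announcement from the table. The durable fixes are the ones the thread points at: keep registry contact data current so a lapsed domain cannot be reused to pass an LOA check, and push uplinks toward origin validation and prefix filtering so an unauthorised origin is rejected rather than merely outcompeted.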
