Re: AS11296 -- Hijacked?
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Fri Oct 1 16:33:09 2010
From: John Curran jcur...@arin.net
To: George Bonser gbon...@seven.com
Date: Fri, 1 Oct 2010 17:32:47 -0400
Subject: Re: AS11296 -- Hijacked?
Cc: nanog@nanog.org nanog@nanog.org

> George - Full agreement; the next step is defining a deterministic process for identifying these specific resources which are hijacked,

That _seems_ fairly simple -- can you trace a 'continuity of ownership' from the party that they were -originally- allocated to to the party presently using them? If yes, legitimate; if no, hijacked.

With most States' corporation records on-line, tracing corporate continuity is fairly straightforward. As long as you recognize that a corporation 'abandoned', 'dissolved' (or similar) in one state is *NOT* the 'parent' of a same-/similarly-named corporation established in another state. And that documents surfacing 'long after' a resource-holder has 'disappeared', purporting to show a transfer of those resources 'at the time of disappearance', are highly suspect, and really require confirmation from someone who can be -independently- verified as part of the 'old' organization at the time of the transfer.

This isn't rocket science, it's straightforward corporate forensics, and the establishment of provenance, or the equivalent of an 'abstract of title' for real-estate.

Somebody, either IANA, or the RIRs, _should_ have been keeping track of what prefixes are announced, and _by_whom_, as a minimal check on utilization when an existing AS submits a request for additional space. A netblock (meaning an entire allocation, not just some sub-set thereof) that's been 'missing' for an extended period, and then shows up in a geographically distant locale, is 'suspicious' to start with. All the more so if it was multi-homed, and now has only a single upstream.
Re: AS11296 -- Hijacked?
On Oct 2, 2010, at 4:03 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:

> That _seems_ fairly simple -- can you trace a 'continuity of ownership' from the party that they were -originally- allocated to to the party presently using them? If yes, legitimate; if no, hijacked.
>
> With most States' corporation records on-line, tracing corporate continuity is fairly straightforward. As long as you recognize that a corporation 'abandoned', 'dissolved' (or similar) in one state is *NOT* the 'parent' of a same-/similarly-named corporation established in another state. And that documents surfacing 'long after' a resource-holder has 'disappeared', purporting to show a transfer of those resources 'at the time of disappearance', are highly suspect, and really require confirmation from someone who can be -independently- verified as part of the 'old' organization at the time of the transfer.

Robert -

You are matching nearly verbatim from ARIN's actual procedures for recognizing a transfer via merger or acquisition. The problem is compounded because often the parties appear years later, don't have access to the legal documentation of the merger, and there is no corporate surviving entity to contact. Many parties abandon these transfers mid-process, leaving us to wonder whether they were exactly as claimed but simply lacking needed documentation, or whether they were optimistic attempts to hijack.

/John

John Curran
President and CEO
ARIN
Re: AS11296 -- Hijacked?
On Sat, Oct 2, 2010 at 4:03 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
> That _seems_ fairly simple [...] it's straightforward corporate forensics, and the establishment of provenance, or the equivalent of an 'abstract of title' for real-estate.

Hi Robert,

It may seem simple but it only seems that way. The legacy registrants (pre-ARIN registrants) in particular were not necessarily legal entities. Like trademarks with a TM instead of a Circle-R, they were nothing more than unverified names asserted by the individuals requesting IP addresses. In some cases they were obviously corporations but in many others there are only ambiguous forensics to examine.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: AS11296 -- Hijacked?
On Oct 1, 2010, at 7:00:51 PM, Owen DeLong wrote:

> On Oct 1, 2010, at 2:31 PM, George Bonser wrote:
>
>>> -Original Message-
>>> From: wher...@gmail.com Herrin
>>> Sent: Friday, October 01, 2010 2:27 PM
>>> To: George Bonser
>>> Cc: Christopher Morrow; nanog@nanog.org
>>> Subject: Re: AS11296 -- Hijacked?
>>>
>>> Death by IP address?
>>>
>>> -Bill
>>
>> Quite possible if one is using it to distribute a virus.
>>
>> RE: Spanair flight JK-5022
>> http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
>
> http://aircrewbuzz.com/2008/10/officials-release-preliminary-report-on.html
>
> A more recent Interim report:
> http://www.fomento.es/NR/rdonlyres/AADDBF93-690C-4186-983C-8D897F09EAA5/75736/2008_032_A_INTERINO_01_ENG.pdf
>
> The crew apparently skipped the step where they were supposed to deploy the slats/flaps prior to takeoff. Additionally, the warning system on the aircraft which should have alerted the crew to the failure to extend the flaps/slats also failed to sound. A computer virus may have had a small contribution to the failure to detect the warning system failure in the maintenance process, but it did not cause the accident. The accident is clearly the result of pilot error, specifically the failure to properly configure the aircraft for takeoff and failure to take remedial action upon activation of the stall warning system during the initial climb.

There's more to the story than that. There was a problem with a sensor -- the heater for it was running when the plane was on the ground, which it shouldn't do. The mechanic couldn't reproduce the problem; since there was no icing likely and the heater was only needed if there was icing, the pilot flipped the breaker to disable it. (The virus-infected computer was the one that should have been used to log two previous reports of that same heater problem, but no one even tried entering the reports until after the crash, so the virus wasn't at all the problem.)

Because of the distractions -- the return to the gate, the co-pilot making a call to cancel dinner plans, a third person in the cockpit -- the pilots indeed forgot to set the flaps, and just breezed through the checklist item (which they did recite) rather than actually paying attention to it. However... the accident investigators learned that in almost all previous instances, worldwide, of that heater problem, the cause was a failed relay in the "I'm on the ground" circuit. That same relay was used to activate the Takeoff Configuration Warning System -- which didn't alert the pilots to the flaps problem because the relay failed again after the plane left the gate for the second time. In other words, a crucial safety system had a single point of failure -- and that failure also contributed to the distraction that led to the pre-takeoff pilot error.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: AS11296 -- Hijacked?
On Sat, Oct 2, 2010 at 3:41 PM, John Curran jcur...@arin.net wrote:
> On Oct 2, 2010, at 4:03 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
>
> Robert -
>
> You are matching nearly verbatim from ARIN's actual procedures for recognizing a transfer via merger or acquisition. The problem is compounded because often the parties appear years later, don't have access to the legal documentation of the merger, and there is no corporate surviving entity to contact. Many parties abandon these transfers mid-process, leaving us to wonder whether they were exactly as claimed but simply lacking needed documentation, or whether they were optimistic attempts to hijack.
>
> /John

Hm.. just a thought... if an org doesn't have and is unable to obtain any good written documentation at all, from even the public record, then aren't they (as far as the operator community should be concerned) not the same registrant, or authorized?

Where would a person be if they were trying to claim the right to a certain piece of land, and someone else (an opportunist/scammer) also claimed ownership using papers they had created, but the 'rightful' owner had neither a deed, nor a transfer agreement, proof of their use of that land, nor other certified document, and the local authority did not have any record of a transfer from the now defunct original owner?

---

So, I wonder why only ARIN itself is singled out.. Have other RIRs found something much better to do with fraud reports? This matters, because scammers can concentrate on whichever IP blocks are easiest to hijack. If ARIN somehow creates a hostile environment for scammers, they can concentrate on APNIC/RIPE/AfriNIC/LACNIC-administered IP ranges instead.

Assume scammers don't care or need to be undetected for long at all; they just need to stay off 'hijacked IP lists' for a very brief time, perhaps a week, until they are blacklisted by major RBLs for spamming, stop using the range, find a new one, under a new manufactured identity, lather, rinse,

Even with excellent RIR detection and reclaiming of defunct ranges, the most capable anti-scammer mechanisms may still be independent Bogon lists and RBLs.

Watch the global visibility of prefixes, and detect when part of a completely unannounced RIR-assigned prefix starts being announced, or when an entire RIR prefix stops being announced for more than a couple of days or so, and it doesn't fall into the category of 'newly registered prefix'. Those should be additional triggers for defunct contact detection / additional verification, and anti-fraud detection by RIRs and others.

Because address ranges can become defunct at any time, something really should be watching for a previously defunct range re-appearing from a different AS or from a completely different place net-wise.

--
-J
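The triggers Hess lists above, together with Bonomi's earlier point that a block which went 'missing' and came back from a different place, or was multi-homed and now has a single upstream, deserves a second look, can be turned into a small monitoring check. The following is an added example and not code from the thread or from any RIR; it runs over constructed daily origin observations (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs) against a constructed allocation list, and reports which prefixes would merit a verification step and why. The helper names, the `gap_days` threshold and all data are assumptions made for the example.

```python
"""
Added example (not from the NANOG thread): flag the announcement patterns
Bonomi and Hess describe as triggers for verifying a resource holder.
All registry data, ASNs and BGP observations are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    """One day's view of a prefix: its origin AS and the upstream ASes seen."""
    day: date
    prefix: str
    origin_as: int
    upstreams: frozenset


def daily(prefix, origin_as, upstreams, start, end):
    """Build one Observation per day for a stable announcement (helper)."""
    obs, day = [], start
    while day <= end:
        obs.append(Observation(day, prefix, origin_as, frozenset(upstreams)))
        day += timedelta(days=1)
    return obs


def find_triggers(history, allocations, registered_asns, today, gap_days=3):
    """Return {prefix: [reasons]} for announcements worth a verification step.

    Triggers: first announcement of any part of a never-routed allocation;
    a prefix re-appearing after more than gap_days unannounced; re-appearing
    with a different origin AS; previously multi-homed, now a single upstream;
    origin AS absent from the registry; an entire allocation gone dark.
    """
    history = [o for o in history if o.day <= today]  # no peeking at the future
    allocs = {ip_network(p): org for p, org in allocations.items()}
    by_prefix = defaultdict(list)
    for ob in sorted(history, key=lambda o: o.day):
        by_prefix[ob.prefix].append(ob)

    def covering(prefix):
        net = ip_network(prefix)
        return next((a for a in allocs if net.subnet_of(a)), None)

    def inside(alloc):
        return [o for o in history if ip_network(o.prefix).subnet_of(alloc)]

    triggers = defaultdict(list)
    for ob in (o for o in history if o.day == today):
        reasons = []
        alloc = covering(ob.prefix)
        if alloc is None:
            reasons.append("no covering allocation in the registry")
        elif not any(o.day < today for o in inside(alloc)):
            reasons.append(f"first announcement of any part of {alloc} ({allocs[alloc]})")
        earlier = [o for o in by_prefix[ob.prefix] if o.day < today]
        if earlier:
            last = earlier[-1]
            gap = (today - last.day).days
            if gap > gap_days:
                reasons.append(f"re-appeared after {gap} days unannounced")
            if last.origin_as != ob.origin_as:
                reasons.append(f"origin changed AS{last.origin_as} -> AS{ob.origin_as}")
            if len(last.upstreams) >= 2 and len(ob.upstreams) == 1:
                reasons.append("was multi-homed, now a single upstream")
        if ob.origin_as not in registered_asns:
            reasons.append(f"origin AS{ob.origin_as} not found in the registry")
        if reasons:
            triggers[ob.prefix].extend(reasons)

    for alloc, org in allocs.items():  # whole allocations that stopped being announced
        seen = inside(alloc)
        if seen:
            dark = (today - max(o.day for o in seen)).days
            if dark > gap_days:
                triggers[str(alloc)].append(f"entire allocation ({org}) unannounced for {dark} days")
    return dict(triggers)


# Constructed registry data: allocations and the ASNs the registry knows.
ALLOCATIONS = {
    "192.0.2.0/24": "Example Legacy Co (record untouched since 1996)",
    "198.51.100.0/24": "Example Dormant Inc (never routed)",
    "203.0.113.0/24": "Example Hosting LLC",
}
REGISTERED_ASNS = {64496, 64497, 64498}
TODAY = date(2010, 10, 2)

# Constructed observations for September 2010 up to TODAY.
HISTORY = (
    # multi-homed via AS64497+AS64498 until Sept 10, dark, then back today
    # from an ASN the registry does not know, behind a single upstream
    daily("192.0.2.0/24", 64496, {64497, 64498}, date(2010, 9, 1), date(2010, 9, 10))
    + [Observation(TODAY, "192.0.2.0/24", 64500, frozenset({64499}))]
    # half of a never-routed allocation appears today
    + [Observation(TODAY, "198.51.100.0/25", 64497, frozenset({64498}))]
    # announced steadily, then silent since Sept 28
    + daily("203.0.113.0/24", 64498, {64497}, date(2010, 9, 1), date(2010, 9, 28))
)

TRIGGERS = find_triggers(HISTORY, ALLOCATIONS, REGISTERED_ASNS, TODAY)

if __name__ == "__main__":
    for prefix, reasons in TRIGGERS.items():
        print(prefix)
        for reason in reasons:
            print("   -", reason)
```

A real deployment would feed `HISTORY` from a route collector's daily RIB dumps and `ALLOCATIONS` from the RIRs' published delegation files; the point of the example is that every trigger is a cheap comparison against what was routed before, which is exactly the record Bonomi says somebody should have been keeping.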
Re: AS11296 -- Hijacked? (ARIN region hijacking)
On Oct 2, 2010, at 7:59 PM, James Hess wrote:
> So, I wonder why only ARIN itself is singled out.. Have other RIRs found something much better to do with fraud reports? This matters, because scammers can concentrate on whichever IP blocks are easiest to hijack.

The reason: approximately 15000 legacy address blocks which ARIN became the successor registry for at its formation, many of which hadn't been updated since they were allocated. In the other regions, there are significantly fewer early allocations where the holders haven't also been involved on an ongoing basis in the combined registry/operator forum in the region. Two particular quirks of this region are that the registry is not combined with the operator forum, and many of the assignments from the earliest days of the Internet are in this region, made with minimal documentation, and were often forgotten or never put into publicly routed use...

Ergo, when a party appears and says that they'd like to update the contacts on their WHOIS record, and we see an organization which exists back to the original allocation, it is fairly straightforward to make it happen and know that we're not facilitating a hijacking. For this reason, legacy holders are allowed to change anything except the organization name without requiring documentation.

It gets more challenging when you instead have a different organization name XYX, which states it is the rightful holder of NET-ABC123 because it acquired JKL company which in theory had earlier bought the right piece of company ABC which is now defunct but never updated any of its IP records post business deal, and no one from ABC or JKL can be found and the public records may indeed show that JKL bought some part of ABC but most assuredly don't say anything about networks or AS#'s... Circumstances such as the aforementioned are regretfully the rule, not the exception.

(As an aside, I'll note that we do also look at the historical routing of the address block, since that provides some insight which often can corroborate an otherwise weak documentary record.)

Now, we really want folks to come in and update their records, but when it comes to updating the actual organization name for an address block, we either need to hold the line on legal/commercial documents (which reduces hijacking but almost sends some legitimate but underdocumented legacy folks away) or we can simply have folks attest to their view of reality and update the records accordingly (which will get us much more current Whois records, but with current not necessarily implying any more accurate records...)

This is *your* (the collective your) WHOIS database, and ARIN will administer it per any policy which is adopted by the community.

/John

John Curran
President and CEO
ARIN

P.S. I will note that we fully have the potential to recreate this problem in IPv6 if we're not careful, and establishing some very clear record keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to be very important if we ever hope to determine the party using a given IPv6 block in just a few short years...
RE: AS11296 -- Hijacked? (ARIN region hijacking)
> This is *your* (the collective your) WHOIS database, and ARIN will administer it per any policy which is adopted by the community.
>
> /John
>
> John Curran
> President and CEO
> ARIN
>
> P.S. I will note that we fully have the potential to recreate this problem in IPv6 if we're not careful, and establishing some very clear record keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to be very important if we ever hope to determine the party using a given IPv6 block in just a few short years...

So then the question is, what can we as a community (note that is not ARIN specific) do that makes it more difficult for someone to fraudulently announce number resources they aren't really entitled to? On the reactive side, we could have more people actively searching for such abuse. What can be done on the proactive side to make it more difficult to do it in the first place?
RE: AS11296 -- Hijacked?
> -Original Message-
> From: Ronald F. Guilmette [mailto:r...@tristatelogic.com]
> Sent: Thursday, September 30, 2010 10:48 PM
> To: nanog@nanog.org
> Subject: Re: AS11296 -- Hijacked?
>
> 63.247.172.3 ns1.tooplacedomain10tht.info
> 63.247.172.4 ns2.tooplacedomain10tht.info
> 63.247.181.3 ns1.steadyvolumebandw57.info
> 63.247.181.4 ns2.steadyvolumebandw57.info
> 63.247.185.19 ns1.magnumfourcompkriel.info
> 63.247.185.20 ns2.magnumfourcompkriel.info
> ...

I would take more of an Occam's razor approach. If you have an AS that is supposedly an ISP in North Carolina or Ohio or wherever and first of all have only one way into their network (are they an ISP or are they simply reselling someone else's service?) and none of that connectivity traces back to their region of operation, and particularly where their name has been bought by or merged with someone else and that someone else is not announcing their AS and address blocks, then that is certainly cause for suspicion.

Hijacking of defunct resources is probably a widespread activity. Finding the hijacked resources of companies that liquidated in fairly public fashion is probably easier than finding resources for a company that has been laundered through several mergers over several years where the current company doesn't even realize that they own the resources of a company bought by a company they bought because of personnel turnover involved with layoffs and such.

To the general population of this list: Have you worked for a company that has liquidated? Are those Internet resource registrations still in whois? Maybe you should inform ARIN so those resources can be reclaimed. I did that when I noticed that a company I once worked for that evaporated still had resources in the database. That is just ASKING for someone to announce those resources and nobody is probably going to blink an eye because the upstreams rarely check to see if the entity they are talking to is actually authorized to announce that space. You tell them the ASN and net blocks, the two jibe, upstream says OK.

How much address space is being wasted in this way?

G
Re: AS11296 -- Hijacked?
On 1 October 2010 06:47, Ronald F. Guilmette r...@tristatelogic.com wrote:
> I hope this may allay some of the concern that has been expressed about me not being more forthcoming about the details of this case.

Cheers Ron for coming forth with your reasoning, it is appreciated. Your bit of trust in me/us has gone a long way, and it's good to understand your motivation and how you came to your conclusions.

I'm actually quite surprised that you have found so much spam coming out of the US! I would have thought less developed countries, where it's easy to obtain unregulated connections with little legal repercussion, would be more popular. Then again, I personally have not done a lot of research in the field.

Good luck with your endeavour.

Heath
Re: AS11296 -- Hijacked?
On Thu, Sep 30, 2010 at 11:34:16PM -0700, George Bonser wrote:
> Hijacking of defunct resources is probably a widespread activity.

It is. A number of individuals and entities have been involved in tracking these over the years, and I've seen enough to figure out that it's common because it's relatively easy, it's likely to be undetected, it's likely to be ignored if detected, there are no significant penalties, and even if it all goes south: it's easy to start over and do it again.

> How much address space is being wasted in this way?

A lot. Moreover, large chunks of address space are being wasted in this way:

1. Spammer sets up dummy front web-hosting/ISP company.
1a. (optional) Spammer sets up second-level dummy front.
2. Spammer gets ARIN et al. to allocate a /20 or a /17 or whatever.
3. Spammer uses spammer-friendly registrar to purchase throwaway domains in bulk. (Sometimes the registrar IS the spammer. Cost-effective.)
4. Spammer populates the allocation with throwaway domains and commences snowshoe spamming.
4a. (optional) Spamming facilitates drive-by downloads, malware injection, browser exploits, phishing, and other attacks.
5. Anti-spam resources notice this and blacklist the allocation. So do large numbers of individual network/system/mail admins.
6. Return to step 1.

It's instructive to consider who profits from each of these steps.

A quick check of my (local, incomplete, barely scratch-the-surface) list of such things includes (and I've left out smaller and larger blocks, thus this is pretty much a snapshot of the middle of the curve):

/16's: 25
/17's: 20
/18's: 47
/19's: 73
/20's: 99
/21's: 88
/22's: 105
/23's: 198
/24's: 3245

for a total of about 6.6 million IP addresses. My guess is that this is likely a few percent, at best, of the real total: it just happens to be the set that brought itself to my attention by being sufficiently annoying to local resources. So I wouldn't be at all surprised to find that the real total is in the 100M ballpark.

So I've concluded that there really isn't an IPv4 address space shortage. Spammers have absolutely no problem getting allocation after allocation after allocation, turning each one into scorched earth and moving on. ARIN et al. certainly have no interest in stopping them, and ICANN only cares about registrar profits, so there's no help coming from either of those.

---rsk
Re: AS11296 -- Hijacked?
On Fri, Oct 1, 2010 at 1:47 AM, Ronald F. Guilmette r...@tristatelogic.com wrote:
> Oh yea, and the snail mail addresses given in the WHOIS records for the domains will usually/often be traceable to UPS Store rental P.O. boxes... those are standard spammer favorites, because... as they well know... us spamfighters can't find out who really controls any one of those boxes without a subpoena... unlike USPS boxes, for instance. (All this is quite well known in the dank sleazy spammer underground already, so I'm not hardly giving away any secrets here.)
>
> And in a similar vein, the contact phone numbers given in the whois records will quite typically be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers. No, the spammers are _not_ trying to save you money when you want to call them up to bitch to them about the fact that they sent you 8,372 spams in a row. Nope, again, they use the toll-free numbers for a very specific purpose, which is again to make it more difficult for anyone trying to track them down to find their actual physical location. Non-toll-free numbers are typically associated with a specific geographic vicinity (although even that is being substantially eroded by number portability). But the toll free numbers are truly and always utterly geographically anonymous. So spammers use them a lot, primarily in domain whois records.
>
> So here you are. You've got this s**t load of highly ``fishy'' name servers, and they are all planted firmly into IP space that (a) appears to have been allocated to a reputable name brand company... such as Seiko, in this case... *and* (b) the block in question, based on the RegDate: and Updated: fields of the block's ARIN whois record, apparently hasn't been touched for years... maybe even a decade or more... thus implying that the former owners of the block either have abandoned it years ago, or else they themselves went belly up and ceased to exist, probably during the Great Dot Com Crash of 2000.
>
> Add it all up and what does it spell?
>
> No, not heartburn... Hijack.

Ron,

Let's try that without the diatribe:

I saw spam domains pop up associated with 199.241.95.253. 199.241.64.0/19 appears to be a defunct registration reannounced to the Internet two weeks ago by AS11296 -- an unregistered AS number. A large quantity of spam domains popped up with the other addresses recently announced by AS11296 as well. Accordingly, I suspect that as we've seen many times before and all clearly understand, AS11296 and the addresses it advertises have been hijacked by a spammer.

There. Now, would that have been so hard? Your friend was right. We don't want a lengthy elaboration. Just a simple, concise explanation of why you believe your claim to be true. As for your secretive and ingenious detection, get over yourself. We've seen this before. More than once.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: AS11296 -- Hijacked?
On Fri, Oct 1, 2010 at 8:00 AM, Rich Kulawiec r...@gsp.org wrote:
> A quick check of my (local, incomplete, barely scratch-the-surface) list of such things includes (and I've left out smaller and larger blocks, thus this is pretty much a snapshot of the middle of the curve):
>
> /16's: 25
> /17's: 20
> /18's: 47
> /19's: 73
> /20's: 99
> /21's: 88
> /22's: 105
> /23's: 198
> /24's: 3245
>
> for a total of about 6.6 million IP addresses. My guess is that this is likely a few percent, at best, of the real total: it just happens

this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
Re: AS11296 -- Hijacked?
On Oct 1, 2010, at 8:00 AM, Rich Kulawiec wrote:
> Spammers have absolutely no problem getting allocation after allocation after allocation, turning each one into scorched earth and moving on.

Materially correct, despite the fact that we look into the company registrations, principal parties involved, and mailing addresses at the time of a new request. It is simply too easy to create a complete illusion of a valid organization.

> ARIN et al. certainly have no interest in stopping them,

Hmm... An interesting assumption, and one that is quite incorrect.

Rich - How do you suggest dealing with this problem? If you can suggest a straightforward way of vetting a new organization which the community will support, I'll happily have it implemented asap.

/John

John Curran
President and CEO
ARIN
RE: AS11296 -- Hijacked?
> -Original Message-
> From: Christopher Morrow
> Sent: Friday, October 01, 2010 7:46 AM
> To: Rich Kulawiec
> Cc: nanog@nanog.org
> Subject: Re: AS11296 -- Hijacked?
>
> this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...

Which is sort of like saying:

Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner
Police: That is less than the Army goes through in 3 months ... *click*

While true, it is orthogonal to the point being made, which is if you collect those resources and issue them to legitimate operators, those are some 6.6 million unique host addresses that cannot be used for various nefarious activities.
Re: AS11296 -- Hijacked?
On Fri, Oct 1, 2010 at 5:12 PM, George Bonser gbon...@seven.com wrote:
>> this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
>
> Which is sort of like saying:
>
> Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner
> Police: That is less than the Army goes through in 3 months ... *click*

Death by IP address?

-Bill

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
RE: AS11296 -- Hijacked?
> -Original Message-
> From: wher...@gmail.com Herrin
> Sent: Friday, October 01, 2010 2:27 PM
> To: George Bonser
> Cc: Christopher Morrow; nanog@nanog.org
> Subject: Re: AS11296 -- Hijacked?
>
> Death by IP address?
>
> -Bill

Quite possible if one is using it to distribute a virus.

RE: Spanair flight JK-5022
http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
Re: AS11296 -- Hijacked?
George -

Full agreement; the next step is defining a deterministic process for identifying these specific resources which are hijacked, and then making a policy for ARIN to act. We have a duty of stewardship, so addressing this problem is a priority if the community directs us to do so via policy.

/John

On Oct 1, 2010, at 5:12 PM, George Bonser gbon...@seven.com wrote:
>> -Original Message-
>> From: Christopher Morrow
>> Sent: Friday, October 01, 2010 7:46 AM
>> To: Rich Kulawiec
>> Cc: nanog@nanog.org
>> Subject: Re: AS11296 -- Hijacked?
>>
>> this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
>
> Which is sort of like saying:
>
> Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner
> Police: That is less than the Army goes through in 3 months ... *click*
>
> While true, it is orthogonal to the point being made, which is if you collect those resources and issue them to legitimate operators, those are some 6.6 million unique host addresses that cannot be used for various nefarious activities.
RE: AS11296 -- Hijacked?
Try this link instead:

http://tinyurl.com/2cngbx6

> -Original Message-
> From: George Bonser [mailto:gbon...@seven.com]
> Sent: Friday, October 01, 2010 2:32 PM
> To: William Herrin
> Cc: nanog@nanog.org
> Subject: RE: AS11296 -- Hijacked?
>
>> -Original Message-
>> From: wher...@gmail.com Herrin
>> Sent: Friday, October 01, 2010 2:27 PM
>> To: George Bonser
>> Cc: Christopher Morrow; nanog@nanog.org
>> Subject: Re: AS11296 -- Hijacked?
>>
>> Death by IP address?
>>
>> -Bill
>
> Quite possible if one is using it to distribute a virus.
>
> RE: Spanair flight JK-5022
> http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
Re: AS11296 -- Hijacked?
On Fri, Oct 1, 2010 at 5:31 PM, George Bonser gbon...@seven.com wrote:
> Quite possible if one is using it to distribute a virus.
>
> RE: Spanair flight JK-5022
> http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash

Hi George,

That's been debunked.

http://www.zdnet.com/blog/bott/fact-check-malware-did-not-bring-down-a-passenger-jet/2354?tag=nl.e550

    A computer at the airline's maintenance headquarters [...] was infected with some sort of malware. [...] That same computer is used to record incident reports submitted by mechanics and is programmed to raise an alarm if the same problem occurs three times on the same aircraft. On the day of the crash, the plane returned to the gate after the crew noticed a problem. The mechanics at the airport identified the issue and cleared the plane for takeoff. They apparently didn't know that this was the third report of a similar problem in a two-day period.

    But even if the headquarters office had maintained its PC perfectly, the plane would still have taken off. The mechanics were still entering their report at the time of the crash.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: AS11296 -- Hijacked?
On 10/1/2010 17:12, George Bonser wrote:
> Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner
> Police: That is less than the Army goes through in 3 months ... *click*

You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to.

--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net
RE: AS11296 -- Hijacked?
> -Original Message-
> From: wher...@gmail.com On Behalf Of William Herrin
> Sent: Friday, October 01, 2010 2:50 PM
> To: George Bonser
> Cc: nanog@nanog.org
> Subject: Re: AS11296 -- Hijacked?
>
> On Fri, Oct 1, 2010 at 5:31 PM, George Bonser wrote:
>> Quite possible if one is using it to distribute a virus.
>>
>> RE: Spanair flight JK-5022
>> http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
>
> Hi George,
>
> That's been debunked.

Good. Ok, now shall we move on to Stuxnet which now seems to be infiltrating China. We don't know yet if that will cause any problems or not.

The idea that there are fairly significant amounts of address space that could be used for practically anything at any time is probably a bigger issue in 2010 than it was in 1995 simply because we have more infrastructure that is either directly or indirectly exposed to it. Malware distributed on the internet finding its way onto a laptop and from there a thumb drive and from there to a computer used for medical purposes or at a chemical plant is a more plausible scenario these days. Why make it EASY to distribute such things?

Why do you seem to be defending the idea that it is somehow good to have lots of unaccounted for address space out there? Do you use it for something?

G
RE: AS11296 -- Hijacked?
>> Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner
>> Police: That is less than the Army goes through in 3 months ... *click*
>
> You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to.

Why are we diverting the topic from 'draft a proposal to empower ARIN to deal with these sorts of problems' to 'arguing with meaningless analogies that do nothing except make the author feel good'?

This is an operations list, not a debate team.

Nathan
Re: AS11296 -- Hijacked?
Bryan Fields wrote:
> On 10/1/2010 17:12, George Bonser wrote:
>> Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner
>> Police: That is less than the Army goes through in 3 months ... *click*
>
> You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to.

Here's an incident where the local authorities didn't know what to do about a possibly very worrisome incident at SJC (San Jose International Airport):

http://forums.mercurynews.com/topic/two-men-armed-with-assault-weapons-barely-cause-a-stir-at-mineta-san-jose-international-airpor

The problem is that people don't *think* - they just follow orders, follow their training. No one had thought about or trained for this type of incident. Fortunately, in this case, the people were not terrorists.

Meanwhile, TSA confiscates bottles of shampoo and water.

jc
Re: AS11296 -- Hijacked?
On Oct 1, 2010, at 2:31 PM, George Bonser wrote: -Original Message- From: wher...@gmail.com Herrin Sent: Friday, October 01, 2010 2:27 PM To: George Bonser Cc: Christopher Morrow; nanog@nanog.org Subject: Re: AS11296 -- Hijacked? Death by IP address? -Bill Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022 http://www.monstersandcritics.com/news/europe/news/article_1578877.php/C omputer-viruses-may-have-contributed-to-Spanish-2008-plane-crash http://aircrewbuzz.com/2008/10/officials-release-preliminary-report-on.html A more recent Interim report: http://www.fomento.es/NR/rdonlyres/AADDBF93-690C-4186-983C-8D897F09EAA5/75736/2008_032_A_INTERINO_01_ENG.pdf The crew apparently skipped the step where they were supposed to deploy the slats/flaps prior to takeoff. Additionally, the warning system on the aircraft which should have alerted the crew to the failure to extend the flaps/slats also failed to sound. A computer virus may have had a small contribution to the failure to detect the warning system failure in the maintenance process, but, it did not cause the accident. The accident is clearly the result of pilot error, specifically the failure to properly configure the aircraft for takeoff and failure to take remedial action upon activation of the stall warning system during the initial climb. Owen (who is also a pilot with a commercial rating)
Re: AS11296 -- Hijacked?
On Fri, Oct 1, 2010 at 5:12 PM, George Bonser gbon...@seven.com wrote: -Original Message- From: Christopher Morrow this is still less than a /8, which lasts ~3 months in ARIN region and less if you could across RIR's... Which is sort of like saying: no, the point is/was that the number of addresses isn't likely the really important point you don't care about reclaiming addresses because of the size of the allocations. you care to reclaim because of improper use/abuse and/or theft of the resource. Nathan is correct though, propose some policy text that the community can get behind? probably also do that on ppml -Chris -chris
Re: AS11296 -- Hijacked?
On Oct 1, 2010, at 3:48 PM, JC Dill wrote: Bryan Fields wrote: On 10/1/2010 17:12, George Bonser wrote: Citizen: Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner Police: That is less than the Army goes through in 3 months ... *click* You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to. Here's an incident where the local authorities didn't know what to do about a possibly very worrisome incident at SJC (San Jose International Airport): http://forums.mercurynews.com/topic/two-men-armed-with-assault-weapons-barely-cause-a-stir-at-mineta-san-jose-international-airpor The problem is that people don't *think* - they just follow orders, follow their training. No one had thought about or trained for this type of incident. Fortunately, in this case, the people were not terrorists. Meanwhile, TSA confiscates bottles of shampoo and water. jc Having now read that article, it really strikes me as much ado about nothing. The men were not concealing the lawfully carried weapons. They were carrying the weapons in a lawful manner. I suspect that all of their permits were in order. They did not shoot anyone. No animals were harmed in the making of this farce. Turns out they were legitimate armed guards from US DoE on legitimate business. Frankly, I'd be much more worried about the safety of whatever was in that man's luggage being on the flight than about the guards carrying assault rifles in the non-secure area of the airport. Heck, we let SJPD carry guns in that area, why shouldn't the general public? Owen
RE: AS11296 -- Hijacked?
Try this one on for size: http://tinyurl.com/2aoqpmk Sent from my somethingorother. -Original Message- From: On Behalf Of William Herrin Sent: Friday, October 01, 2010 2:50 PM To: George Bonser Cc: nanog@nanog.org Subject: Re: AS11296 -- Hijacked? Stuff about ip bullets or something ...
Re: AS11296 -- Hijacked?
I received a nice email from a very polite graduate student just now, who shall remain nameless, and I decided that I wanted to give him the reply below, but also to post this all to NANOG too, so here it is. I hope this may allay some of the concern that has been expressed about me not being more forthcoming about the details of this case. (And if anybody gives me a hard time about being ``off topic'' then I'm going to give him or her a knuckle sandwich, because I was specifically asked... indeed badgered... to provide more explanation of, and more justification for my earlier posting, as the record in the archives of this list will clearly show.)

The friendly graduate student wrote: I've been quietly following NANOG's little flamewar over this. I'm interested in what techniques you used to arrive at your conclusion regarding AS11296. Unfortunately for me, I'm not a network op. Instead, I am a PhD student interested in all matters inter-domain. I hope you feel this is enough to make me a worthy recipient.

No, actually, it isn't. If I google you can I be _sure_ that you're not playing for the other team? Probably not. But the good news is that I have decided to be a bit less cagey generally, and specifically in my public comments about these things anyway, and to give out more confirming data bits anyway. And I'll be sending this letter on to the NANOG list soon, with your name redacted, of course.

What follows below is information that could be gleaned (if you know how) from whois.internic.net. It's all public info. I just rearrange it and print it out in a nice pretty way. (Of course knowing where to look within the vast IPv4 address space is also quite helpful, but I'm not going to get in to that.)

The bottom line here is that if you get the whois records for the domains associated with the name servers in the list attached at the end, you'll see that they are all going to be ``fishy'' in some way, e.g. ``cloaked'' (aka ``privacy protected''), or else registered to some mystery fly-by-night company that may or may not actually exist, or at any rate, the domains will all be registered to something sort-of stealthy... something which is intended to make the spammer behind all this a bit harder to find. Oh yea, and the snail mail addresses given in the WHOIS records for the domains will usually/often be traceable to UPS Store rental P.O. boxes... those are standard spammer favorites, because...as they well know... us spamfighters can't find out who really controls any one of those boxes without a subpoena... unlike USPS boxes, for instance. (All this is quite well known in the dank sleazy spammer underground already, so I'm not hardly giving away any secrets here.)

And in a similar vein, the contact phone numbers given in the whois records will quite typically be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers. No, the spammers are _not_ trying to save you money when you want to call them up to bitch to them about the fact that they sent you 8,372 spams in a row. Nope, again, they use the toll-free numbers for a very specific purpose, which is again to make it more difficult for anyone trying to track them down to find their actual physical location. Non-tollfree numbers are typically associated with a specific geographic vicinity (although even that is being substantially eroded by number portability). But the toll free numbers are truly and always utterly geographically anonymous. So spammers use them a lot, primarily in domain whois records.

So here you are. You've got this s**t load of highly ``fishy'' name servers, and they are all planted firmly into IP space that (a) appears to have been allocated to a reputable name brand company... such as Seiko, in this case... *and* (b) the block in question, based on the RegDate: and Updated: fields of the block's ARIN whois record, apparently hasn't been touched for years... maybe even a decade or more... thus implying that the former owners of the block either have abandoned it years ago, or else they themselves went belly up and ceased to exist, probably during the Great Dot Com Crash of 2000. Add it all up and what does it spell? No, not heartburn... Hijack.

See, there actually isn't any big mystery about any of this, except the part about how I came to focus on this particular set of IP blocks and/or the particular AS that was announcing routes to them. And about that part, I have nothing to say, except to tell these spammers (who are probably listening) what I always say... that spamming is THE most public of all crimes. If you really think that you can hide and be totally invisible, even while you blast MILLIONS of total strangers with your advertising, then you need to up your lithium, because the dosage you're on now clearly isn't doing the job.

Oh, and one other small thing... Even though the spammers try to hide themselves, often times, they really don't try THAT hard, probably because most folks don't care enough to
Re: AS11296 -- Hijacked?
Heath Jones hj1...@gmail.com wrote: Out of curiosity, what led you to this conclusion? A number of factors, actually. Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into detail on this case, as anything I might say as regards to how I detected this would just allow future hijackers to evade me that much more effectively. So I'm sorry to be giving you a non-answer, but actually, I think that's best for now. In any case, further discussion of this particular case now appears to be moot. As of now, it appears that AS11296 is no longer announcing any routes at all, so I'm assuming that Nishant Ramachandran (Xeex/AS27524) and/or whoever else may have been involved in this has now been adequately spanked. (And my personal thanks go out to whoever did that.) Regards, rfg P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail. Too much spam from there, and far too little action to correct the abundant problem(s). (Can you spell E-V-I-L?) Also blocked here: Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just too big to care. They don't need me, and I sure as hell don't need them.) I guess you don't have a real mail server of your own that you can use. For that, you have my sympathies.
Re: AS11296 -- Hijacked?
WOW full of yourself much. Many of us use gmail and others to manage the load of mail we receive from various lists. I doubt anyone needs your sympathies. Good luck getting assistance from the list in the future, but I doubt you need it, you seem to be able to do everything on your own. -jim On Wed, Sep 29, 2010 at 8:22 AM, Ronald F. Guilmette r...@tristatelogic.com wrote: Heath Jones hj1...@gmail.com wrote: Out of curiosity, what led you to this conclusion? A number of factors, actually. Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into detail on this case, as anything I might say as regards to how I detected this would just allow future hijackers to evade me that much more effectively. So I'm sorry to be giving you a non-answer, but actually, I think that's best for now. In any case, further discussion of this particular case now appears to be moot. As of now, it appears that AS11296 is no longer announcing any routes at all, so I'm assuming that Nishant Ramachandran (Xeex/AS27524) and/or whoever else may have been involved in this has now been adequately spanked. (And my personal thanks go out to whoever did that.) Regards, rfg P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail. Too much spam from there, and far too little action to correct the abundant problem(s). (Can you spell E-V-I-L?) Also blocked here: Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just too big to care. They don't need me, and I sure as hell don't need them.) I guess you don't have a real mail server of your own that you can use. For that, you have my sympathies.
Re: AS11296 -- Hijacked?
Out of curiosity, what led you to this conclusion? A number of factors, actually. Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into detail on this case, as anything I might say as regards to how I detected this would just allow future hijackers to evade me that much more effectively. So I'm sorry to be giving you a non-answer, but actually, I think that's best for now. Let me reword... What is stopping someone coming on the list, making a claim like you have in an attempt to actually cause a DOS attack, by having some clumsy network engineers starting to block traffic in reaction to your post? I'm sure that you've done your investigation (don't get me wrong) and you might well be right in your assertions; nevertheless evidence is pretty much needed for a claim like that! In any case, further discussion of this particular case now appears to be moot. Ok, but back to my point - what is the evidence and how are people to trust what you're saying? P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail. Too much spam from there, and far too little action to correct the abundant problem(s). (Can you spell E-V-I-L?) Also blocked here: Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just too big to care. They don't need me, and I sure as hell don't need them.) Let me get this right.. You use your own mail server and have problems filtering spam. I use gmail and don't have that problem. I guess you don't have a real mail server of your own that you can use. For that, you have my sympathies. The only time I have problems is when I try and send an email to some muppet that has blocked gmail, hotmail, god knows what else. Perhaps you should do yourself a favour, turn off your mail server and open up a gmail/hotmail account like the rest of the population.
Re: AS11296 -- Hijacked?
On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote: WOW full of yourself much. Many of us use gmail and others to manage the load of mail we receive from various lists. I doubt anyone needs your sympathies. Good luck getting assistance from the list in the future, but I doubt you need it, you seem to be able to do everything on your own. Ron is one of the most senior anti-spam people on this planet, and has long since demonstrated not only serious clue, but formidable research and analysis skills. You may safely trust that if he's made the decision to post a message like the referenced one in a public forum that he's done his homework. As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense. So I think a better response would be to skip the snark and instead reconsider the decision to use a freemail provider for professional (outbound [1]) communications. ---rsk [1] Using one as a sink for mailing list traffic isn't an entirely bad idea; I do some of that myself. Those which provide POP/IMAP service make it relatively easy to do so -- although one should accept that they're, in general, not high-quality mail services, and that incoming mailing list traffic may variously be denied, lost, misclassified or otherwise not handled as expected.
Re: AS11296 -- Hijacked?
I have no issue with Ron's level of clue or his personal choice to block whichever domain, or blocks of IP space he wishes. That's one of the true beauties of the internet, we can all do as we see fit with our little corner of it. But it goes the same with who we choose to help or which mail systems we choose to use. Ron chose to set the tone, in his last email, I'll choose not to offer assistance in the future unless it relates to my bits of the internet. No real issue here. -jim Sent from my BlackBerry device on the Rogers Wireless Network -Original Message- From: Rich Kulawiec r...@gsp.org Date: Wed, 29 Sep 2010 08:25:20 To: nanog@nanog.org Subject: Re: AS11296 -- Hijacked? On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote: WOW full of yourself much. Many of us use gmail and others to manage the load of mail we receive from various lists. I doubt anyone needs your sympathies. Good luck getting assistance from the list in the future, but I doubt you need it, you seem to be able to do everything on your own. Ron is one of the most senior anti-spam people on this planet, and has long since demonstrated not only serious clue, but formidable research and analysis skills. You may safely trust that if he's made the decision to post a message like the referenced one in a public forum that he's done his homework. As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense. So I think a better response would be to skip the snark and instead reconsider the decision to use a freemail provider for professional (outbound [1]) communications.
---rsk [1] Using one as a sink for mailing list traffic isn't an entirely bad idea; I do some of that myself. Those which provide POP/IMAP service make it relatively easy to do so -- although one should accept that they're, in general, not high-quality mail services, and that incoming mailing list traffic may variously be denied, lost, misclassified or otherwise not handled as expected.
Re: AS11296 -- Hijacked?
As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense. So I think a better response would be to skip the snark and instead reconsider the decision to use a freemail provider for professional (outbound [1]) communications. They are also prolific and habitual sources of people who might want to use email.. By your measure (and everyone that blocks these services), when is it appropriate to have a gmail/hotmail account? Are you saying that the general population are all doing it wrong and that we should all change? Or am I missing your point entirely?
Re: AS11296 -- Hijacked?
Rich Kulawiec wrote (on Wed, Sep 29, 2010 at 08:25:20AM -0400): On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote: As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense. And, even if it *is* unreasonable, well, his network, his rules, right? I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet. Might not be a good idea for a high volume mail server with clients, but if it's your network, go for it. -- _ Nachman Yaakov Ziskind, FSPA, LLM aw...@ziskind.us Attorney and Counselor-at-Law http://ziskind.us Economic Group Pension Services http://egps.com Actuaries and Employee Benefit Consultants
Re: AS11296 -- Hijacked?
On 9/29/2010 12:26 PM, N. Yaakov Ziskind wrote: I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet. might not be a good idea for a high volume mail server with clients, but if it's your network, go for it. Sadly this method would on average block 97% spam, 3% ham, and statistically be highly effective.
RE: AS11296 -- Hijacked?
-Original Message- From: Heath Jones Sent: Wednesday, September 29, 2010 5:16 AM To: Ronald F. Guilmette Cc: nanog@nanog.org Subject: Re: AS11296 -- Hijacked? Let me reword... What is stopping someone coming on the list, making a claim like you have in an attempt to actually cause a DOS attack, by having some clumsy network engineers starting to block traffic in reaction to your post? There would be several filters for this. Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference. Is the AS assigned to a company that is known to be defunct? That would be another flag. Why would a company that no longer exists have its ASN active and its IPs sending traffic? This would be particularly interesting if the carrier handling the traffic is not a carrier known to have a relationship with that AS in the past. So a pattern of ... AS works for many years, disappears for some period of time, company goes defunct, and some period of time later the AS appears on a completely different carrier without any reassignment from the registrar. Bottom line, there is more to it than someone just popping up on a list saying something. g
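The two sets of indicators raised in this thread, Ron's whois red flags (privacy-protected registrants, toll-free contact numbers, mailbox-rental addresses, a block whose RegDate/Updated fields have not moved in years) and George's routing pattern (an AS that goes quiet, then reappears behind a different carrier), can be written down as a repeatable checklist. The Python below is an added example, not code from any poster or from ARIN; the whois records, the prefix, the ASNs (private-use range) and the route observations are all constructed, and the marker strings and thresholds (five idle years, a 365-day silence) are assumptions chosen for illustration. In practice the inputs would come from RDAP/whois output and a route-collector archive.

```python
from __future__ import annotations

import re
from datetime import date

# Thresholds and marker strings are assumptions chosen for this example.
TOLL_FREE_PREFIXES = {"800", "888", "877", "866"}   # 1-8xx toll-free ranges
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard")
MAILBOX_MARKERS = ("ups store", "pmb ", "mail boxes etc")
STALE_YEARS = 5      # block record untouched this long counts as stale
GAP_DAYS = 365       # origin silent this long, then back, counts as a gap


def is_toll_free(phone: str) -> bool:
    """True for a North American toll-free number (800/888/877/866)."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return len(digits) == 10 and digits[:3] in TOLL_FREE_PREFIXES


def domain_flags(rec: dict) -> list[str]:
    """Red flags in one name-server domain's whois record.
    `rec` is a constructed dict with registrant/phone/address keys,
    not the output of any real whois client."""
    flags = []
    if any(m in rec.get("registrant", "").lower() for m in PRIVACY_MARKERS):
        flags.append("privacy-protected registrant")
    if is_toll_free(rec.get("phone", "")):
        flags.append("toll-free contact number")
    if any(m in rec.get("address", "").lower() for m in MAILBOX_MARKERS):
        flags.append("mailbox-rental address")
    return flags


def block_flags(block: dict, today: date) -> list[str]:
    """Stale RegDate/Updated on the block's own registry record."""
    last_touched = max(block["reg_date"], block["updated"])
    idle_days = (today - last_touched).days
    if idle_days > STALE_YEARS * 365:
        return [f"block record untouched for {idle_days // 365} years"]
    return []


def routing_flags(history: list[tuple[date, int, int]]) -> list[str]:
    """Detect an origin that goes silent and returns behind a new upstream.
    `history` holds (observation date, origin ASN, upstream ASN) tuples,
    the shape one would distil from a route-collector archive; here
    constructed."""
    flags = []
    ordered = sorted(history)
    for (d0, _, up0), (d1, _, up1) in zip(ordered, ordered[1:]):
        gap = (d1 - d0).days
        if gap > GAP_DAYS:
            msg = f"origin silent {gap} days then reappeared"
            if up1 != up0:
                msg += f" behind a different upstream (AS{up0} -> AS{up1})"
            flags.append(msg)
    return flags


def assess(block: dict, ns_domains: dict, history: list, today: date):
    """Combine the three checks into one report plus a total flag count."""
    report = {
        "block": block_flags(block, today),
        "routing": routing_flags(history),
        "domains": {name: domain_flags(rec) for name, rec in ns_domains.items()},
    }
    total = (len(report["block"]) + len(report["routing"])
             + sum(len(f) for f in report["domains"].values()))
    return total, report


# Constructed sample data: RFC 5737 prefix, private-use ASNs, fake records.
SAMPLE_BLOCK = {"prefix": "192.0.2.0/24",
                "reg_date": date(1996, 3, 14), "updated": date(1999, 8, 2)}
SAMPLE_DOMAINS = {
    "ns1.example.net": {"registrant": "Domains By Proxy, LLC",
                        "phone": "+1-866-555-0100",
                        "address": "123 Main St, Anytown"},
    "ns2.example.org": {"registrant": "Fly By Night Media Inc",
                        "phone": "+1-415-555-0199",
                        "address": "2000 Market St PMB 417, Somewhere CA"},
}
SAMPLE_HISTORY = [
    (date(2001, 5, 1), 64500, 64510),
    (date(2001, 11, 20), 64500, 64510),
    (date(2002, 3, 3), 64500, 64510),
    (date(2010, 9, 1), 64500, 64520),   # back after years, new upstream
]

if __name__ == "__main__":
    total, report = assess(SAMPLE_BLOCK, SAMPLE_DOMAINS, SAMPLE_HISTORY,
                           date(2010, 9, 29))
    print(f"{SAMPLE_BLOCK['prefix']}: {total} hijack indicators")
    for section, flags in report.items():
        print(f"  {section}: {flags}")
```

None of these flags is proof on its own; a privacy-protected domain or a toll-free number is ordinary for plenty of legitimate registrants. The point of the checklist is that the flags are independently verifiable by anyone reading a notification, which is exactly what the rest of this thread is asking for.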
Re: AS11296 -- Hijacked?
Bottom line, there is more to it than someone just popping up on a list saying something. If you have the time to go and investigate all of that yourself, it's good to know you've thought about the metrics you would use. Sometimes, people do this thing called 'referencing'. It's basically where you list your sources of information and associated evidence that led you to your conclusion :) My question is a pretty simple one Out of curiosity, what led you to this conclusion?, because there were no references.. Apparently he has super-duper top secret methods that he doesn't want to share. That's fine - I won't waste my time with it anymore.
RE: AS11296 -- Hijacked?
There would be several filters for this. Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference. Is the AS assigned to a company that is known to be defunct? That would be another flag. Why would a company that no longer exists have its ASN active and its IPs sending traffic? This would be particularly interesting if the carrier handling the traffic is not a carrier known to have a relationship with that AS in the past. So a pattern of ... AS works for many years, disappears for some period of time, company goes defunct, and some period of time later the AS appears on a completely different carrier without any reassignment from the registrar. Agree, and those are all good filters (except for the perilously fallacious appeal to authority). But none of these claims were made, and that's the source of this extended discussion. If those claims had been made, then this entire discussion could have been circumvented - and those that care could independently validate the claims. There is a LOT of danger to blindly blackholing networks simply because a trusted email address posts on a netops list. In my experience, netops people (NANOG'ers being an especially good example) tend to be largely logical, rational, skeptical beings. So in a nutshell: if the post had included what you're suggesting, we could at least go out and go: oh, yes, he's right - that AS belongs to a dead company, and is coming from a very different carrier than it did when it was operating AND his email address has a history of posting reliable information of a similar nature AND his message is validly PGP signed so that we can trust that the owner of the email address sent the message AND his email is written in a way that recognizes that clued, skeptical individuals are going to carefully analyze it THEN I would expect a very different set of responses from the list. 
But an email that says I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways is going to consistently be roundfiled. Nathan
Re: AS11296 -- Hijacked?
On Wed, Sep 29, 2010 at 8:25 AM, Rich Kulawiec r...@gsp.org wrote: On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote: WOW full of yourself much. Many of us use gmail and others to manage the load of mail we received from various lists. I doubt we anyone needs your sympathies, Ron is one of the most senior anti-spam people on this planet, and has long since demonstrated not only serious clue, but formidable research and analysis skills. Yet he has so much trouble programming his mail filter to differentiate between legitimate and spam email coming out of Google that he feels the need to block all email from Google. Are we to question his skill? Or just his judgment? If Ron's as smart as you say then he's smart enough to take some famous advice: A decent respect to the opinions of mankind requires that they should declare the causes. If it's good enough for creating a country, it's good enough for a lesser call to action -- like filtering an AS and its netblocks. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
RE: AS11296 -- Hijacked?
-Original Message- From: Nathan Eisenberg Sent: Wednesday, September 29, 2010 11:32 AM To: nanog@nanog.org Subject: RE: AS11296 -- Hijacked? from the list. But an email that says I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways is going to consistently be roundfiled. Nathan Maybe you didn't recognize the original poster, but I did, and I would take what he had to say at least seriously enough to have a look. His followup mail, while not giving people the information they wanted (as if it really matters) did mention that the upstream appears to have cut them off. That is a pretty good indication that *something* was going on there. I don't believe it is anyone's job here to conform to the expectations of anyone else aside from general list etiquette and some level of sanity. He put the information out, it is up to the reader in how they weight it. I don't understand your continued banging on the issue. All he did was put information out there. He doesn't need to meet your criteria, you are free to apply that as you will in the privacy of your own cubicle. G
RE: AS11296 -- Hijacked?
-Original Message- From: George Bonser [mailto:gbon...@seven.com] Sent: Wednesday, September 29, 2010 10:44 AM To: Heath Jones; Ronald F. Guilmette Cc: nanog@nanog.org Subject: RE: AS11296 -- Hijacked? Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference. Going to his website... looks like Joe Blow... Googling his name/email/domain, still nothing that would lead me to believe he is network savvy. So coming from Joe Blow network Dude... he too is just Joe Blow. Just a little perspective for you from the bottom of the pile. ~J
RE: AS11296 -- Hijacked?
Maybe you didn't recognize the original poster, but I did, and I would take what he had to say at least seriously enough to have a look. His followup mail, while not giving people the information they wanted (as if it really matters) did mention that the upstream appears to have cut them off. That is a pretty good indication that *something* was going on there. I don't believe it is anyone's job here to conform to the expectations of anyone else aside from general list etiquette and some level of sanity. He put the information out, it is up to the reader in how they weight it. I don't understand your continued banging on the issue. All he did was put information out there. He doesn't need to meet your criteria, you are free to apply that as you will in the privacy of your own cubicle. George, Again - appealing to personal authority is a fallacy. It carries no logical weight who the poster is, and has no place in a decision making process of such magnitude. No one has to conform to any standard, and I don't think I suggested otherwise. What I did suggest is what would be required in such an email to convince me personally to take any action. The very point of posting a hijacking notification is to convince people to take action, so it's only reasonable to make such a notification as thorough and supported as possible. And it is in the best interests of the process to review communications issues afterwards - if the OP is genuinely interested in helping the internet by letting us know when an AS has been hijacked, then he should certainly appreciate any feedback on how to make those notifications more effective. I'm also not sure what you mean by 'continued banging on the issue'. This is my first email in this thread... Nathan
Re: AS11296 -- Hijacked?
On Wed, Sep 29, 2010 at 9:26 AM, N. Yaakov Ziskind aw...@ziskind.us wrote: And, even if it *is* unreasonable, well, his network, his rules, right? I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet. might not be a good idea for a high volume mail server with clients, but if it's your network, go for it. Except that this thread started with a recommendation to block an entire AS, containing a reasonable number of networks. Recommendations such as that are only as credible as the source they are coming from, and knowing that the person making the request also believes that blocking all mail from gmail.com is a valid anti-spam technique probably results in a different credibility level than one might otherwise have. Scott.
RE: AS11296 -- Hijacked?
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Wed Sep 29 13:59:15 2010 From: Justin Horstman justin.horst...@gorillanation.com To: 'George Bonser' gbon...@seven.com, Heath Jones hj1...@gmail.com, Ronald F. Guilmette r...@tristatelogic.com Date: Wed, 29 Sep 2010 11:53:27 -0700 Subject: RE: AS11296 -- Hijacked? Cc: nanog@nanog.org nanog@nanog.org -Original Message- From: George Bonser [mailto:gbon...@seven.com] Sent: Wednesday, September 29, 2010 10:44 AM To: Heath Jones; Ronald F. Guilmette Cc: nanog@nanog.org Subject: RE: AS11296 -- Hijacked? Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference. Going to his website... looks like Joe Blow... Googling his name/email/domain, still nothing that would lead me to believe he is network savvy. So coming from Joe Blow network Dude... he too is just Joe Blow. Just a little perspective for you from the bottom of the pile.

At least some of us -- who have been on the net for multiple decades -- know who the OP is. He's kept a low profile for a number of years, but he was very active in the early days of the anti-spam wars. Anyone actively involved in anti-spam activities in the days when promiscuous mail relays were common, (and Sun was still shipping 'sendmail 8.6.4') will likely recognize the name. They may have to think for a while, due to the time involved, but he was very well known in those days. 'Notorious' would be considered by some to be an accurate description. Absolutely top-notch technical skills, but a bit of a loose cannon in implementing things _he_ decided were 'for the good of the community'. 'Active' techniques, not just passive ones.

*IF* he was accurate in his assessment, and it is my personal opinion that it is *highly*likely* that there _was_ some sort of 'funny business' involved, whether or not his identification was 100% accurate (and, based on personal experience again, I regard it as probable that he was =entirely= correct in his assessment), *THEN* the odds are quite good that one or more of the parties involved is a subscriber to this list. Considered in _that_ light, it would be simply 'stupid' -- which Ron is _not_ -- to tip them off as to where they screwed up, and what gave them away.
Re: AS11296 -- Hijacked?
Date: Wed, 29 Sep 2010 13:06:31 -0700 Subject: Re: AS11296 -- Hijacked? From: Scott Howard sc...@doc.net.au On Wed, Sep 29, 2010 at 9:26 AM, N. Yaakov Ziskind aw...@ziskind.us wrote: Recommendations such as that are only as credible as the source they are coming from, and knowing that the person making the request also believes that blocking all mail from gmail.com is a valid anti-spam technique probably results in a different credibility level than one might otherwise have. I have to ask one question -- who are _you_ to judge what is 'valid' for *HIS* situation? He's not running a 'provider' network, with any responsibility to others; it's his personal environment. On _my_ personal servers, I block *LARGE* swaths of the world -- because I _do_ get significant amounts of spam from those locales, and have *zero* expectation of any 'legitimate' mail therefrom. The service denial messages _do_ provide info on how to get past the blocks. I can state with authority that in close to a million messages so rejected, -not-a-single-one- has been from someone with a serious interest in communicating with me. The web page with the explanatory data has not had so much as a single hit in over 8 years. Now, on systems I manage for others, I do things very differently, according to -their- needs. The rationale for such decisions is straightforward, and easy to understand. It's called the 'cost-benefit' ratio. _How_much_ work does it take to let that 'rare' piece of 'useful' mail through from a source that generates almost exclusively spam, and _is_ getting that occasional piece of mail 'worth the effort'? Ron has decided 'not', with regard to gmail. To argue that decision, _you_ would have to know how much 'valid' traffic he can reasonably expect to get from gmail, and the amount of effort it would take in his existing environment to accomplish that end.
Re: AS11296 -- Hijacked?
Robert, I don't think you quite get it. Don't worry, you don't seem to be alone. The point here is simple. If someone posts making a recommendation for every AS to filter some prefixes, not providing any references by default, it's not helpful. When questioned about the rationale, if said person then declines to provide evidence, the picture starts to form. It is relatively easy to detect spam; it is easy to have enough honeypot filters matching corresponding BGP lookups to find out path information. Immediately you have a technique which - regardless of the lists a spammer reads - will catch spammers. By working as a community, the accuracy and speed of detection increases. By sharing information, things improve. The problem is certainly not detection!! (in contrast to the claimed need to hide detection methods) Posting to a list like this telling everyone to block traffic might be in some people's eyes ok, but there are a few problems:
1) No peer review. The data has not been checked, the prefixes might be incorrect. The methods might be completely wrong - who knows! This is certainly the #1 issue.
2) Length of time to implement. Most serious ASs would do sanity checking and even possibly a change window or at least a signoff.
3) Post-advertisement removal. What process do ASs have in place to check and remove these rules? More sanity checking and another change.
4) The comment about ARIN, as if to imply that they are supposed to somehow 'police' the internet. This shows a complete lack of understanding of the architecture of the internet.
5) A person who blocks gmail for their own - non customer affecting - mail server cannot be in a position to advise of real - customer affecting - changes, and shows a recklessness towards ad hoc blocking of anything.
As a hypothetical situation, say a new customer pops up on a network with a prefix and origin that haven't been seen before. This customer badly configured their mail server; it's an open relay. Spammers, being smart, watch new BGP advertisements knowing that this might be the case. Some kind sir sees the spam coming from the open relay and posts on here, telling everyone to block it, thus completely killing the new customer network before it's even got off the ground properly. By the time it has come around, half the ISPs are blocking it and they are completely screwed all because of 1 mistake and someone not having their information peer reviewed and no action to notify or help out the ISP. Posting ASs' prefixes for people to block without any questioning is just plain stupid and not the way to handle it. If the goal is to get rid of spam, then why not put brains together and come up with a much better system. IETF? Independent working group? I can think of a number of ideas as I am typing this that could be beneficial. I am happy of course to share with anyone interested. Sure, people can post pretty much what they want and people can choose to use or ignore, but we are a bit past that argument now. There has been (to use your method) *zero* technical reasons supporting the argument of blocking these prefixes. If you know of one, please voice it. ps. I have also received posts offline about the support for blocking gmail / hotmail / whatever. I can appreciate that it is your own personal infrastructure, you have your reasons, and if it works for you then good. I certainly wouldn't do it for my customers, otherwise they would constantly call. Phone spam :)
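Heath's point about matching honeypot hits against BGP lookups, as an added example that is not part of the original thread: the BGP table snapshot and honeypot log below are constructed (documentation prefixes and private-use ASNs, not real routes), and a longest-prefix match attributes each spam source to the prefix, origin ASN and AS_PATH it was routed under, so that the evidence behind a proposed block is something others can check rather than a bare prefix list.

```python
import ipaddress
from collections import defaultdict

# Constructed BGP table snapshot: prefix -> AS_PATH (last element is the
# origin AS). Values are made up for this example; they are not real routes.
BGP_TABLE = {
    "192.0.2.0/24": [64500, 64510, 64520],
    "192.0.2.128/25": [64500, 64530],      # more-specific, different origin
    "198.51.100.0/24": [64500, 64510, 64540],
    "203.0.113.0/24": [64500, 64550],
}

# Constructed honeypot log: timestamp, sender IP, honeypot verdict.
HONEYPOT_LOG = """\
2010-09-28T20:49:12Z 192.0.2.7 spam
2010-09-28T20:50:02Z 192.0.2.200 spam
2010-09-28T20:51:44Z 192.0.2.201 spam
2010-09-28T20:53:10Z 198.51.100.9 spam
2010-09-28T20:54:30Z 203.0.113.77 ham
2010-09-28T20:55:01Z 192.0.2.202 spam
2010-09-28T20:55:59Z 10.1.2.3 spam
"""


def build_table(table=BGP_TABLE):
    """Parse the prefix strings once so lookups can compare networks."""
    return [(ipaddress.ip_network(p), path) for p, path in table.items()]


def lookup(nets, ip):
    """Longest-prefix match: return (network, as_path) or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, path in nets:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best


def summarise(log_text=HONEYPOT_LOG, table=BGP_TABLE):
    """Count spam hits per origin ASN, recording prefixes and paths seen.

    Returns (per_asn, unrouted): per_asn maps origin ASN -> dict with the
    spam count, covering prefixes and AS_PATHs; unrouted lists sources that
    matched no prefix at all (worth a second look, as Heath's open-relay
    hypothetical suggests, before anyone is asked to block anything).
    """
    nets = build_table(table)
    per_asn = defaultdict(lambda: {"spam": 0, "prefixes": set(), "paths": set()})
    unrouted = []
    for line in log_text.splitlines():
        _ts, ip, verdict = line.split()
        if verdict != "spam":
            continue
        hit = lookup(nets, ip)
        if hit is None:
            unrouted.append(ip)
            continue
        net, path = hit
        rec = per_asn[path[-1]]
        rec["spam"] += 1
        rec["prefixes"].add(str(net))
        rec["paths"].add(tuple(path))
    return dict(per_asn), unrouted
```

Note that the three hits inside 192.0.2.128/25 are attributed to its own origin (AS64530), not to the covering /24's origin, which is exactly the distinction a reviewer needs before a whole /24 is blocked.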
Re: AS11296 -- Hijacked?
Isn't this what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/ List bad ASNs after proper investigation? It then depends if you trust Team Cymru or not, like you would trust or not Spamhaus... - Original Message - From: Heath Jones hj1...@gmail.com To: Robert Bonomi bon...@mail.r-bonomi.com Cc: nanog@nanog.org Sent: Wednesday, 29 September, 2010 4:38:12 PM Subject: Re: AS11296 -- Hijacked?
Reputation Services [WAS: Re: AS11296 -- Hijacked?]
On Wed, Sep 29, 2010 at 5:04 PM, Franck Martin fra...@genius.com wrote: Isn't this what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/ List bad ASNs after proper investigation? It then depends if you trust Team Cymru or not, like you would trust or not Spamhaus... Of course all policy should be local -- each organization can make their own determination whose DNSBL, reputation service, or filter list to employ. $.02, - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Re: AS11296 -- Hijacked?
Isn't this what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/ I just had a very quick look at that site and it seems at first glance to just be providing information on unallocated prefixes/ASs. They are prefixes/ASs that spammers can and do use, but if you have a look at the CIDR report or potaroo then you will see that an ISP who filters based on that will cause some issues (allocation records are not always up to date). List bad ASNs after proper investigation? Not really, just based on registry information as far as I can see. For instance, if a known and stable AS suddenly started originating spam, it doesn't look like that would appear on the site. It then depends if you trust Team Cymru or not, like you would trust or not Spamhaus... Trust will always be the issue. Peer review and communication is one way of building trust.
Re: AS11296 -- Hijacked?
Then you have: http://www.uceprotect.net/en/rblcheck.php which has a level to identify IPs belonging to an ASN which has been reported as spewing spam... The only issue here is that this site has listed whole countries... Yes, some countries are behind one ASN only... - Original Message - From: Heath Jones hj1...@gmail.com To: Franck Martin fra...@genius.com Cc: nanog@nanog.org Sent: Wednesday, 29 September, 2010 5:22:02 PM Subject: Re: AS11296 -- Hijacked?
Re: AS11296 -- Hijacked?
Out of curiosity, what led you to this conclusion? Evidence strongly suggests that AS11296 together with all of the IPv4 space it is currently announcing routes for, i.e.: have all been hijacked. I will be reporting this formally to ARIN today, via their helpful fraud reporting web form.
Re: AS11296 -- Hijacked?
He blocked google mail? WTF? -- Forwarded message -- From: Mail Delivery Subsystem mailer-dae...@googlemail.com Date: 28 September 2010 20:49 Subject: Delivery Status Notification (Failure) To: hj1...@gmail.com Delivery to the following recipient failed permanently: r...@tristatelogic.com Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.7.1 mail-qy0-f176.google.com[209.85.216.176]: Client host rejected: Domain google.com BLACKLISTED - Use http://www.tristatelogic.com/contact.html (state 14). - Original message - MIME-Version: 1.0 Received: by 10.224.62.217 with SMTP id y25mr308053qah.193.1285703359508; Tue, 28 Sep 2010 12:49:19 -0700 (PDT) Received: by 10.229.226.204 with HTTP; Tue, 28 Sep 2010 12:49:12 -0700 (PDT) In-Reply-To: 63619.1285701...@tristatelogic.com References: 63619.1285701...@tristatelogic.com Date: Tue, 28 Sep 2010 20:49:12 +0100 Message-ID: aanlkti=qx7cx4f3y_az803wdpmkmtc_hzzpsmdqs1...@mail.gmail.com Subject: Re: AS11296 -- Hijacked? From: Heath Jones hj1...@gmail.com To: Ronald F. Guilmette r...@tristatelogic.com Cc: nanog@nanog.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Out of curiosity, what led you to this conclusion? Evidence strongly suggests that AS11296 together with all of the IPv4 space it is currently announcing routes for, i.e.: have all been hijacked. I will be reporting this formally to ARIN today, via their helpful fraud reporting web form.
Re: AS11296 -- Hijacked?
Now that's some paranoia ;) -Original Message- From: Heath Jones hj1...@gmail.com Sent: Tuesday, September 28, 2010 4:05pm To: nanog@nanog.org Subject: Re: AS11296 -- Hijacked?