AS11296 -- Hijacked?

2010-09-28 Thread Ronald F. Guilmette
Evidence strongly suggests that AS11296 together with all of the IPv4 space it is currently announcing routes for, i.e.: 63.247.160.0/19 199.241.64.0/19 206.226.64.0/24 206.226.65.0/24 206.226.66.0/24 206.226.67.0/24 206.226.68.0/24 206.226.69.0/24 206.226.70.0/24 206.226.71.0/24 206.226.72.0/24

Re: AS11296 -- Hijacked?

2010-09-29 Thread Ronald F. Guilmette
Heath Jones hj1...@gmail.com wrote: Out of curiosity, what led you to this conclusion? A number of factors, actually. Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into

AS10392 -- Hijacked?

2010-09-29 Thread Ronald F. Guilmette
Evidence strongly suggests that AS10392 together with all of the IPv4 space it is currently announcing routes for, i.e.: 192.171.64.0/19 204.137.224.0/19 205.164.0.0/20 205.164.16.0/20 205.164.32.0/20 205.164.48.0/20 have all been hijacked. I will be reporting this formally to ARIN today, via

AS11296 -- Hijacked?

2010-09-29 Thread Ronald F. Guilmette
I confess that I find it somewhat tedious to try to answer all criticisms, individually, on a mailing list when people start ``piling on'', so I hope you'll all forgive me if I just try to do this in one go. First, as regards to the lack of detail and/or specific in my reports, I was

Re: What must one do to avoid Gmail's retarded non-spam filtering?

2010-09-30 Thread Ronald F. Guilmette
In message aanlktikaibkwc3r2ijkhpyhb=i+acyn_ht7jgthth...@mail.gmail.com, Ryan Hayes ryguill...@gmail.com wrote: Can you please not use the word retarded in a pejorative sense? Obviously not a Colbert fan. http://www.huffingtonpost.com/2010/02/09/colbert-sarah-palin-is-a_n_454744.html

Re: AS11296 -- Hijacked?

2010-09-30 Thread Ronald F. Guilmette
I received a nice email from a very polite graduate student just now, who shall remain nameless, and I decided that I wanted to give him the reply below, but also to post this all to NANOG too, so here it is. I hope this may allay some of the concern that has been expressed about me not being

ARIN Fraud Reporting Form ... Don't waste your time

2010-10-01 Thread Ronald F. Guilmette
So ARIN put up on their web site this fancy schmancy web form that allows a person to report fraud relating to ARIN number resources. Here's what the introduction to that page says, exactly as it appears on ARIN's web site: This reporting process is to be used to notify ARIN of suspected

Re: ARIN Fraud Reporting Form ... Don't waste your time

2010-10-01 Thread Ronald F. Guilmette
In message b3543192-fb22-4cdc-84d0-2944ea237...@delong.com, Owen DeLong o...@delong.com wrote: It's not so much a matter of whether ARIN cares or whether ARIN wants to do something about your issue. It's more a matter of whether ARIN is empowered to do anything at all about your issue. That is

Re: ARIN Fraud Reporting Form ... Don't waste your time

2010-10-01 Thread Ronald F. Guilmette
In message 20101001123356.ga10...@vacation.karoshi.com., bmann...@vacation.karoshi.com wrote: On Fri, Oct 01, 2010 at 04:10:12AM -0700, Ronald F. Guilmette wrote: No, it's kind of like asking the DMV whether the car belongs to the thief or to someone else. They keep the records

Re: ARIN Fraud Reporting Form ... Don't waste your time

2010-10-01 Thread Ronald F. Guilmette
In message 608b18db-6e75-4b5e-ba42-d1f69ece4...@arin.net, John Curran wrote: You note the following: They could say, to everyone involved, and to the community as a whole, ``This ain't right. *We* maintain the official allocation records. In most cases, *we* made the allocations, and that

Re: ARIN Fraud Reporting Form ... Don't waste your time

2010-10-01 Thread Ronald F. Guilmette
In message 67ef8ee2-8b1e-45f9-892e-9e6b88adb...@arin.net, John Curran jcur...@arin.net wrote: Resources being used by actual defunct organizations we will reclaim if reported. Well, fortunately, Joytel and some of their fellow travelers have just recently gone 'round and identified a whole

Re: ARIN Fraud Reporting Form ... Don't waste your time

2010-10-01 Thread Ronald F. Guilmette
In message 5a6d953473350c4b9995546afe9939ee0a52b...@rwc-ex1.corp.seven.com, George Bonser gbon...@seven.com wrote: So ARIN is in the process of verifying their contacts database. Organizations with an unreachable contact might be a good place to plant a dig here sign. Fyi -- They (ARIN)

Re: ARIN Fraud Reporting Form ... (Resource listings yes, resource routing no)

2010-10-01 Thread Ronald F. Guilmette
John, Let me thank you yet again for devoting your personal time (on a Friday night no less) to responding to my concerns. I may not always agree with you, but I appreciate the effort, and the consideration. In message 4db05053-fcd4-4459-b226-991435e90...@arin.net, John Curran

AS14202 - 'jacked routes... Whoa! This is just getting silly now!

2010-10-02 Thread Ronald F. Guilmette
Somebody else on another mailing list I'm on actually found the following new 'jacking incident. Count 'em... one hundred and eighty three (183) separate jacked blocks. I can't take any credit. I wanted to include, in this posting, the name of the guy who actually found this stuff, and give

NEVERMIND! (was: ARIN Fraud Reporting Form ... )

2010-10-03 Thread Ronald F. Guilmette
In message 17104.1285997...@tristatelogic.com, I wrote: If you can put an annotation into a whois records for a POC, saying explicitly that you can't get ahold of this person, then it would seem to me to be a rather trivial matter of programming to transplant a very similar sort of annotation

Re: NEVERMIND! (was: ARIN Fraud Reporting Form ... )

2010-10-03 Thread Ronald F. Guilmette
In message 3070d3c0-513d-4cb9-8ec2-eb22ca52a...@arin.net, John Curran jcur...@arin.net wrote: On Oct 3, 2010, at 3:51 AM, Ronald F. Guilmette wrote: Comment:The information for this network has been reported to Comment:be invalid. ARIN has attempted to obtain updated data

Re: NEVERMIND! (was: ARIN Fraud Reporting Form ... )

2010-10-03 Thread Ronald F. Guilmette
In message c62f9bea-a1c0-449f-8a3f-585f51caa...@arin.net, John Curran jcur...@arin.net wrote: On Oct 3, 2010, at 5:15 AM, Ronald F. Guilmette wrote: Is that a Yes, ARIN will begin immediately putting these annotations into all of the AS and IP records associated with POCs we already know

Re: NEVERMIND! (was: ARIN Fraud Reporting Form ... )

2010-10-03 Thread Ronald F. Guilmette
In message 2fb9deb1-95b5-4a26-8723-35f157f98...@arin.net, John Curran jcur...@arin.net wrote: There is no problem with also marking resource records which have no valid POC's (even if not specifically stated by policy). It is an operational question not a resource policy question, and we

New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Ronald F. Guilmette
[[ Note: There are three more apparently hijacked blocks that are related to the 75 specific blocks I am reporting on herein. I'll be reporting on those other three blocks later on, but right now I just want to keep it simple and report on just the ones relating to directnet.net. ]]

Re: New hijacking - Done via via good old-fashioned Identity Theft

2010-10-06 Thread Ronald F. Guilmette
In message aanlkti=rh=kxm6ksk1gkyfu=nh4oazw=c+66meo5h...@mail.gmail.com, Heath Jones hj1...@gmail.com wrote: Certainly, fine folks at Reliance Globalcom Services, Inc. could tell us who is paying them to connect these hijacked blocks to their network, but I rather doubt that they are

AS6517 - Reliance Globalcom -- routing three more hijacked blocks

2010-10-06 Thread Ronald F. Guilmette
Has anybody ever succeeded at sending any e-mail to the ab...@relianceglobalcom.com address? It doesn't seem to work for me. I just get undeliverable bounces. I'd like to, you know, at least inform them about all of these hijacked routes that _they_ are announcing, but I guess I need to do that

AS22558 - Routing apparently hijacked space

2010-10-12 Thread Ronald F. Guilmette
I can't take credit for finding this one. Somebody else on another mailing list I'm on actually found it. AS22558 itself _does not_ appear to be hijacked. Rather this is a relatively new (2009) AS, but the AS itself is very odd indeed. Its contact phone number isn't working, it apparently

HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-30 Thread Ronald F. Guilmette
I just stumbled onto this one the other day. Apparently, Spamhaus has known about this one for THREE MONTHS already: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL98308 It's being routed by AS11730, aka Circle Internet LTD, a known spammer-friendly provider that I have come across many

Notice: Fradulent RIPE ASNs

2013-01-14 Thread Ronald F. Guilmette
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a

Re: Notice: Fradulent RIPE ASNs

2013-01-15 Thread Ronald F. Guilmette
In message calgc3c7n0hy80qlbcq8tzrvguavsvrceneyaykomuuy58p3...@mail.gmail.com, Eugeniu Patrascu eu...@imacandi.net wrote: Jump.ro is a very active LIR and domain registry on the Romanian market and is selling ASNs to whomever is interested... I do see that JUMP.RO is ``very active''. I do not

Re: Notice: Fradulent RIPE ASNs

2013-01-15 Thread Ronald F. Guilmette
In message calklf0-g2ni7tz5touzi9ss_vwxobl7baedubmro1tpcsjd...@mail.gmail.com Alex Brooks askoorb+na...@gmail.com you wrote: I notice that you have been cross posting this message (though not responding on list to replies), for example to the RIPE NCC Anti-Abuse Working Group

Re: Notice: Fradulent RIPE ASNs

2013-01-16 Thread Ronald F. Guilmette
In message a5dad1a3-9cc9-4560-93bd-85f9e9128...@steffann.nl, Sander Steffann san...@steffann.nl wrote: Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken... I think that you mistake formalized centralized action for action

Re: Notice: Fradulent RIPE ASNs

2013-01-16 Thread Ronald F. Guilmette
In message cap-gugvs-kcyosknns+v8r1gdkbpmkuufm1engqvhqh0pr0...@mail.gmail.com William Herrin b...@herrin.us wrote: What is your goal here? Primarily to inform. Forewarned is forearmed. Wouldn't you agree? Is there some action that any particular NANOG participant should take based on your

Spam Book Author Implicated in Second IP Block Controversy

2008-06-17 Thread Ronald F. Guilmette
ARIN, NASA, and the United States Air Force would probably prefer it if people didn't read this: http://www.47-usc-230c2.org/chapter3.html

HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette
As I already mentioned, 159.223.0.0/16, which is actually registered to the Hoechst Celanese Corporation, has quite obviously been hijacked and is being used abused by snowshoe spammers as we speak. And Spamhaus, at least, has known about this for more than three months already. What Spamhaus

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette
In message be8c4985-f955-4868-8145-146e57bbf...@pch.net, Bill Woodcock wo...@pch.net wrote: On Mar 30, 2011, at 1:58 PM, Ronald F. Guilmette wrote: As I already mentioned, 159.223.0.0/16, which is actually registered = to the Hoechst Celanese Corporation, has quite obviously been hijacked

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette
In message 002201cbef24$c1b61d70$45225850$@com, you wrote: I don't believe any one monitors this system and I would imagine if no one complains about this company advertising hijacked routes to level 3 then it would be quite easy to advertise a network that has been abandon(sic). At this point,

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Ronald F. Guilmette
In message aanlktikempr3qvvdorvugrnzn0cnkoa4vtbta5q3m...@mail.gmail.com, you wrote: This is an old enough technique dating back to a few years - re-registering an expired domain that belonged to the ARIN contact, and filling out the ISP paperwork. FYI - That does not seem to have been what

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Ronald F. Guilmette
In message Pine.OSX.4.64.1103310053260.312@cevin-2.local, Brandon Ross br...@pobox.com wrote: On Wed, 30 Mar 2011, Ross Harvey wrote: Wait a second, I'm pretty sure that in most contexts, a signature or letterhead means not so much this is real because it's so obviously genuine, but rather:

Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Ronald F. Guilmette
In message b2506b41-ad1f-4fb0-9d8e-c0a54e44b...@delong.com, Owen DeLong o...@delong.com wrote: Cleaning up the routing {is not what ARIN does or thinks it should do}, true. However, this sounds like there are two issues... 1. Routing -- Would be nice if the advertising provider(s) stopped

Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Ronald F. Guilmette
In message AANLkTikMqBx=cu5autr7addyn7u7wbeoww2qa9wdz...@mail.gmail.com, rr rook...@gmail.com wrote: For the record, Integra Telecom did have LOA for said netblock. Needless to say LOA was forged on company letterhead with appropriate signatures. Once brought to our attention we attempted to

Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-03-31 Thread Ronald F. Guilmette
In message aanlktinvlqefvykc91d8p-n9zvdgr5prxreyptuim...@mail.gmail.com, rr rook...@gmail.com wrote: Hmm, thought it was a NANOG prerequisite to be able to do a google search. Should be pretty easy to find this info with that tool in your handbag. Which info is that, exactly? Your title at

Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-04-01 Thread Ronald F. Guilmette
In message AF24AE2D4A4D334FB9B667985E2AE763997FE7@mail1-sea.office.spectrumnet .us, John van Oppen jvanop...@spectrumnet.us wrote: Why does it matter what his position is? Well, if he was, you know, just the janitor or something, then I think that we could all safely assume that his opinions

New hijacks, and lots of them

2011-04-14 Thread Ronald F. Guilmette
One particular large and well-distributed snowshoe spamming operation became the subject of my special scrutiny recently. After seeing all of the various apparently hijacked IP blocks that this particular snowshoe spamming operation seemed to be relying upon for much of its IP space, it

Re: New hijacks, and lots of them

2011-04-15 Thread Ronald F. Guilmette
In message 5824.1302780...@tristatelogic.com, I wrote: http://www.47-usc-230c2.org/20110414-snowshoe-1.txt http://www.47-usc-230c2.org/20110414-snowshoe-2.txt My apologies to anyone and everyone who tried to get at these files. It seems that my provider may perhaps have recently developed

Ongoing ASN and IP Space Hijacks: Update (TimeWarner/Level3/Tiscali)

2011-04-25 Thread Ronald F. Guilmette
Eleven days ago, I reported here the following highly probable hijacks: AS8143 AS29987 AS11756 AS47024 AS27906 198.23.32.0/20 - NET-198-23-32-0-1 198.57.64.0/20 - NET-198-57-64-0-1 199.88.32.0/20 - NET-199-88-32-0-1 199.192.16.0/20 - NET-199-192-16-0-1 199.196.192.0/19 - NET-199-196-192-0-1

Re: Ongoing ASN and IP Space Hijacks: Update (TimeWarner/Level3/Tiscali)

2011-04-25 Thread Ronald F. Guilmette
In message aea8602c-29bd-4585-a723-8a62e71dc...@virtualized.org, David Conrad d...@virtualized.org wrote: Simple question: Does anybody give a damn? I suspect a lot of folks do, however giving a damn and having the ability to do anything about it may not coincide. Do you or your company

HIJACKED: AS18466, courtesy of Global Crossing (AS3549)

2011-05-20 Thread Ronald F. Guilmette
Abundant evidence indicates that AS18466, allocated by LACNIC, has been hijacked. All of the routes currently announced by this AS, i.e.: 170.25.0.0/19 170.25.32.0/19 170.25.160.0/19 170.25.192.0/19 are currently routing IP blocks, also allocated by LACNIC, which have also

Hijacking machine: ASAS201640 / AS200002

2014-10-31 Thread Ronald F. Guilmette
I don't routinely follow this list, so I'm not sure how much of this is common knowledge already, but... http://blogs.cisco.com/security/talos/help-my-ip-address-has-been-hijacked/ Current route announcements for AS201640: 36.0.56.0/21 probable hijack - China 41.92.206.0/23 probable

Re: Hijacking machine: ASAS201640 / AS200002

2014-10-31 Thread Ronald F. Guilmette
In message 54542174.30...@ghostnet.de, Armin Kneip a...@ghostnet.de wrote: http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640 http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=22 or http://www.cidr-report.org/cgi-bin/as-report?as=AS201640view=2.0

Hijack factory: AS201640 -- MEGA - SPRED LTD / Michael A. Persaud

2014-11-05 Thread Ronald F. Guilmette
I already posted about this rogue AS days ago, but nothing has really changed much, since then, with respect to its hijacking of IP space. Well, at least Brian Krebs was kind enough to write about it: http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/ (Please note that

Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-18 Thread Ronald F. Guilmette
In message cappyguwcb-r3ozythm+ywtapgdtyon+j3l6t+n0a7eaf6_c...@mail.gmail.com Cryptographrix cryptograph...@gmail.com wrote: If you watch her testimony in front of Congress,... I did, actually. And it pissed me off so much that I started the petition (to get her fired). I encourage everybody

Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-17 Thread Ronald F. Guilmette
In message CAOxD=zU=i2umedlixoonqyw-3cf9rdff4en+kjg_sdcwdip...@mail.gmail.com Tyler Mills tylermi...@gmail.com wrote: This is the government... you have to put on your bizarro-economics and bizarro-ethics glasses for the State to make sense. It does not operate like a market. Failure results

Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-18 Thread Ronald F. Guilmette
Harry Hoffman hhoffman at ip-solutions.net wrote: I think it would be great if you were to include some source links in your petition/email so that folks unaware of the specifics can educate themselves in a non-partisan and factual manner. Well, as regards to the petition itself, I can't

OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-17 Thread Ronald F. Guilmette
My apologies in advance to any here who might feel that this is off topic... I don't personally believe that it is. Frankly, I don't know of that many mailing lists where the subscribers are likely to care as much about network security (and/or the lack thereof) as the membership of this list

Malware/ransomware current live distribution points

2016-06-30 Thread Ronald F. Guilmette
The various domains and IP address listed in the following file are, as we speak, acting as distribution/infection points for some sort of Javascript malware which is almost certainly a flavor of ransomware. ** FAIR WARNING *** Please use exceptional caution when browsing to any of the domains

AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

2016-10-05 Thread Ronald F. Guilmette
My analysis: Serious and apparently long-lived bogosity, with a clear history of substantial spamming activity. But you be the judge. Looks to me like an unregistered RIPE AS announcing a route to a /20 worth of unregistered RIPE IPv4 space. And this didn't exactly crop up just yesterday.

Re: AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

2016-10-06 Thread Ronald F. Guilmette
In message <20161006163137.uvcnzodrve6to...@cisco.com>, Joseph Karpenko wrote: >> >> P.S. This crap appears to be brought to us courtesy of AS29632, >> NetAssist, LLC: >> >> http://new.netassist.ua/ >> > >assuming accuracy of records, etc... ;-) Right. And that

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <89795.1477520...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu wrote: >> Given that, and given that "OpenWRT and kin" often provide the end-user >> with readily accessible dials and knobs via which the user can force the >> device to *exceed* legal/FCC limits on power output, I

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58112f9f.6060...@vaxination.ca>, Jean-Francois Mezei wrote: >A camera showing the baby in 4K resolution along with sounds of him >crying on dolby surround to the mother who is at work would likely >saturate upload just as much as the virus sending DNS

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >- End users need to have ways to easily see what's going on over their >local networks, to see botnet-like activity and DDoS participation (among >other things) in a more

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026205800.7188d57b2...@rock.dv.isc.org>, Mark Andrews wrote: >Actually things have changed a lot in a positive direction. >... >* Microsoft, Apple, Linux and *BSD issue regular fixes for their > products and users do install them. At the risk of repeating a

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58111bd4.80...@vaxination.ca>, Jean-Francois Mezei wrote: >My smart TV not only hasn't gotten updates in years, but Sharp has >stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere). A little more than 2 years ago, I bought a

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112601.ga17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Problems I think consumer safety legislation can solve: > >* SSH and Telnet were enabled, but there was no notification in the UI > that they were enabled and no way to turn them off.

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112940.gb17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Actually, they encourage you to trade {your old iPhone} in... >... >If your device is too old for that program, they will still take >it for free and recycle it in an environmentally friendly

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <1477558411.730528...@apps.rackspace.com>, "t...@pelican.org" wrote: >...I back up to the cloud... Yes, I confess that this reasonable use case had not occurred to me, and yes, it utterly negates what I was saying. (I myself am the paranoid type, so I -do not-

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027084939.5bdf457d0...@rock.dv.isc.org>, Mark Andrews wrote: >Well the last update for the 3GS was iOS 6.1.6 in Feb 2014. Bingo! Less than a year and a half after they stopped selling it, they effectively stopped supporting it.

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027204258.cd18057d5...@rock.dv.isc.org>, Mark Andrews wrote: >> The problem is, as I have said, this device is now the Apple equivalent >> of Windows XP. There could be a horrendous collection of a dozen or >> more known critical security bugs in the thing by

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >Fixing the current wave of 'IoT' devices and phones and Tv's etc is only >putting a bandaid on a broken arm. It gives the illusion of progress... >Until we accept that it's

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette
In message <5814696f.3060...@foobar.org>, Nick Hilliard <n...@foobar.org> wrote: >Ronald F. Guilmette wrote: >> I always start with whatever whois.iana.org has to >> say. And it says that that 103.0.0.0/8 belongs to APNIC, so of course, >> I only looked at what

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette
In message <58146e84.3030...@foobar.org>, Nick Hilliard wrote: >> P.S. I may be wrong about this, but it has come to my attention that >> many, most, or all of the WHOIS records reflecting allocations made by >> the AFRINIC RIR are utterly devoid of either (a) information

Death of WHOIS, Film at 11

2016-10-29 Thread Ronald F. Guilmette
In message <58150673.5090...@foobar.org>, Nick Hilliard wrote: >David Conrad already pointed out that this problem has been solved using >RDAP which supports referrals. Try installing the nicinfo command from: > >https://github.com/arineng/nicinfo > >At a guess, I'd say

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161029180730.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >You don't build or hire a botnet on Mirai's scale with pocket change. Proof please? Sorry, but I am compelled to call B.S. on the above statement. This is a really important point that I, Krebs, and

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette
In message <5815013f.2080...@foobar.org>, Nick Hilliard wrote: >> But my overall point remains. If there were ever to be an election where >> we were all asked who we wanted to see become the once and future Routing >> Police, the RIRs would not be my own personal first

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161030044342.ga18...@thyrsus.com>, "Eric S. Raymond" <e...@thyrsus.com> wrote: >Ronald F. Guilmette <r...@tristatelogic.com>: >> Two kids with a modest amount of knowledge >> and a lot of time on their hands can do

Re: Here we go again.

2016-11-09 Thread Ronald F. Guilmette
In message <1624203180.33527.1478724998723.javamail.zim...@baylink.com>, "Jay R. Ashworth" wrote: >The list is not the proper forum for a debate on this topic, and I'm not >trying to start one. > >But ask yourself *now* what happens if you get these kinds of orders, so >that

Re: Spitballing IoT Security

2016-11-07 Thread Ronald F. Guilmette
In message <20161108035148.2904b5970...@rock.dv.isc.org>, Mark Andrews wrote: >* Deploying regulation in one country means that it is less likely > to be a source of bad traffic. Manufactures are lazy. With > sensible regulation in single country everyone else benefits as >

Seeking Google reverse DNS delegation contact

2016-11-10 Thread Ronald F. Guilmette
Does anyone here happen to know who at Google I should be talking to if I want to ask a question about their reverse DNS services? I'd just like to ask someone there why anyone at Google thought that it would be a Good Idea for Google to provide reverse DNS services for the 204.8.136.0/21 IP

AS30186 - Squatted or not? You be the judge.

2016-11-10 Thread Ronald F. Guilmette
I kinda messed up the last time I posted something here about possible IP address block squatting, so I'm not going to make any definitive assertions regarding conclusion this time. I'm just going to lay out the facts and let all of you good folks decide for yourselves. AS30186 is registered to

NEVERMIND! (was: Seeking Google reverse DNS delegation contact)

2016-11-10 Thread Ronald F. Guilmette
My profuse apologies to everyone. It seems that Google is not in fact involved in any way with providing reverse DNS for the 204.8.136.0/21 IP address block. I was deceived into believing it was by some unusual trickery on the part of the spammer-controlled name servers ns1.saversagreeable.com

AS37135, AS6560, AS32714, AS14029 - Squatted or not? You be the judge.

2016-11-11 Thread Ronald F. Guilmette
At least one person has now asserted to me in private email that my suggestion that AS30186 was being squatted on was in fact accurate. Thus, I now feel confident enough to provide here the rest of the story which goes along with that. In a nutshell, AS30186 and also two other ASNs, together

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <26b01962-9b09-11cb-0ac8-89cf3e0a5...@nuclearfallout.net>, John Weekes wrote: >... I've recorded >about 2.4 million IP addresses involved in the last two months (a number >that is higher than the number of actual devices, since most seem to >have dynamic

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <874m43qsk2@mid.deneb.enyo.de>, Florian Weimer wrote: >Not that the underlying threat will go away until we find a way to >clean up almost all of the compromised devices (and without breaking >the Internet along the way, forever). The Internet *is* already

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <580bf49c.5090...@vaxination.ca>, Jean-Francois Mezei wrote: >10s of millons of IP addresses. Is it realistic to have 10s of millions >of infected devices ? Or is that the dense smoke that points to IP >spoofing ? I haven't read the latest

Re: FW: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <580bf91d.9060...@vaxination.ca>, Jean-Francois Mezei wrote: >Problem is that many of these gadgets want to be internet connected so >mother at work can check on her kids at home... Ah, technology! Just think what certain people could have accomplished

Route It Or Lose It

2016-10-17 Thread Ronald F. Guilmette
What a friendly, helpful place the modern Internet is! Like the forest floor, it's an ecosystem where things don't go to waste. If you happen to inadvertently leave your shiny /18 IPv4 block lying around, don't worry. It won't be long before some helpful Bulgarian, Romanian, Ukrainian or Russian

Re: Dyn DDoS this AM?

2016-10-24 Thread Ronald F. Guilmette
In message

Re: Death of the Internet, Film at 11

2016-10-25 Thread Ronald F. Guilmette
In message <4FBAFC2ECF5D6244BA4A26C1C94A1E270D579C1CD9@exchange>, Emille Blanc wrote: >I can recall at least a half-dozen scenarios where the customer actually >takes up the problem with the manufacturer. In each of those cases, and >they're effectively told to

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message , Jared Mauch wrote: >Top posting to provide some clarity: That's funny. Personally, I have always felt that top posting -destroys- clarity. But as Chaplin Tapman said in Catch-22 "I'm not here to judge

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message <580f19bf.2070...@vaxination.ca>, Jean-Francois Mezei wrote: >One way around this is for the pet feeder to initiate outbound >connection to a central server, and have the pet onwer connect to that >server to ask the server to send command to his pet

Death of the Internet, Film at 11

2016-10-21 Thread Ronald F. Guilmette
VICTOR LASZLO: If we stop fighting our enemies, the world will die. RICK BLAINE: Well, what of it? It will be out of its misery. -- From the movie "Casablanca" (1942) Sorry, but some days I just can't help thinking to myself "Oh well, as much fun as

Re: Death of the Internet, Film at 11

2016-10-21 Thread Ronald F. Guilmette
Laszlo Hanyecz wrote: >What does BCP38 have to do with this? You're right. That's not specifically related to *this* attack. Nobody needs to spoof anything when you've got a zillion fire hoses just lying around where any 13 year old can command them from the TRS 80 in his mom's basement.

Spitballing IoT Security

2016-10-24 Thread Ronald F. Guilmette
In message <e364fcea-7105-b3b9-63a9-7d22ab835...@nuclearfallout.net>, John Weekes <j...@nuclearfallout.net> wrote: >On 10/23/2016 4:19 PM, Ronald F. Guilmette wrote: jw>>> ... The ISPs behind those IP addresses have jw>>> received notifications via email.

Re: NEVERMIND! (was: Seeking Google reverse DNS delegation

2016-11-14 Thread Ronald F. Guilmette
In message <7077df16-64ae-822d-8ce0-ba44129e2...@gmx.com>, Large Hadron Collider wrote: >> And that includes the bogus info you put into your WHOIS records too! >> Seriously, I give you credit for at least picking out a valid random >> street address, somewhere

Paging Olav van Doorn, Jan Willem Meijer, and Rutger Bevaart

2016-11-17 Thread Ronald F. Guilmette
If anybody can give me an email for any of these principals of Xconnect42, Inc. (Netherlands) aka AS260, I'd appreciate it. I tried to reach somebody (anybody) at their company via the address I found online for the company but never got any response. That was a week

Re: NEVERMIND! (was: Seeking Google reverse DNS delegation

2016-11-13 Thread Ronald F. Guilmette
In message <20161114004152.ga27...@panix.com>, Brett Frankenberger wrote: >On Sun, Nov 13, 2016 at 03:57:19PM -0800, Christopher Morrow wrote: >> So... actually someone did tell arin to aim these at >> ns1/2google.com... >> I'll go ask arin to 'fix the glitch'. > >For

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
In message Doug Clements wrote: >How does one get ARIN to register resources to come up with this result? > >https://whois.arin.net/rest/nets;q=103.11.67.105 > >The /16 is APNIC but there are 2 subnets

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
In message <5813dacd.3000...@foobar.org>, Nick Hilliard <n...@foobar.org> wrote: >Ronald F. Guilmette wrote: >> Will never happen. The RiRs have been crystal clear, and also utterly >> consistent... "Not our job man! We am not the Internetz Police." &g

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
In message <20161028220510.gf14...@sizone.org>, Ken Chase <m...@sizone.org> wrote: >On Fri, Oct 28, 2016 at 02:40:23PM -0700, Ronald F. Guilmette said: > >I'm going to call these turkeys right now and just ask them, point > >blank, what the bleep they think they're

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026123043.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >There is, however, a chokepoint we have more hope of getting decent software >deployed to. I refer to home and small-business routers. OpenWRT and kin >are already minor but significant players here.

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026120634.ga20...@gsp.org>, Rich Kulawiec <r...@gsp.org> wrote: >On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote: >>2) Second, once elected I will decree that in future all new IoT devices, >> and also all updates t

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
In message <5813e03e.6060...@foobar.org>, Mark Andrews wrote: >Mark Andrews wrote: >> It's not the RIR's job. They already provide the framework for >> ISP's to do the job of policing route announcements themselves. >> ISP's just need to use that framework. > >Ron thinks

Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
I just got a spam from 103.11.67.105. The containing /24 appears to be unallocated APNIC space. RIPE tools seem to say that AS18450 has been routing this block since around May 23rd. I see this kind of stuff almost every day now, it seems. And you know, there are days when I really do start

Re: Avalanche botnet takedown

2016-12-09 Thread Ronald F. Guilmette
In message <20161201201124.982f2...@m0086238.ppops.net>, sur...@mauigateway.com wrote: >In message <20161201124527.9be45...@m0087798.ppops.net>, >sur...@mauigateway.com wrote: > >>What is your suggestion to keep the sky from falling? > >My full answer, if fully elaborated, would bore you and
