[[ Note: There are three more apparently hijacked blocks that are related to the 75 specific blocks I am reporting on herein. I'll be reporting on those other three blocks later on, but right now I just want to keep it simple and report on just the ones relating to directnet.net. ]]
So anyway, presented below, as Rod Serling would have said, "... for your approval..." you will find a collection of 75 separate IP blocks, all of which appear to have been hijacked in one big gulp. One /21, plus seventy four /24s.

This case was done, quite neatly, the good old fashioned way.... apparently by trivial identity theft. (And I should say that no fault whatsoever accrues in any way to ARIN in this case. They were not even involved in the slightest, since all of the relevant WHOIS records have remained utterly unchanged throughout this entire hijacking.)

The identity theft:

A company that was responsible for one /21 block and 74 separate /24 blocks (all of the latter of which had been originally allocated for various U.S. elementary schools, middle schools, and high schools) apparently went out of business. In due time, the company's domain name (directnet.net) came up for sale. It was purchased for $4,000, sometime between May 31, 2010 and June 13, 2010:

http://www.dnjournal.com/archive/domainsales/2010/20100623.htm

Subsequently, the domain name was transferred to an anonymizing registrar in the Cayman Islands.

Sometime before or after that purchase, whoever had purchased the directnet.net domain convinced the fine folks at Reliance Globalcom Services, Inc., (AS6517) to announce routes to 100% of this rather cleverly hijacked IP space. (See complete IP block list attached below.)

Sometime after that, the IP blocks in question began to fill up with snowshoe name servers and snowshoe spam domains.

The entire set of relevant ARIN WHOIS records for the hijacked IP blocks, along with the new WHOIS record for the newly re-registered directnet.net domain, and also a listing of the snowshoe domains and name servers that have been created in, or moved into these hijacked IP blocks are all available here:

http://www.47-usc-230c2.org/hijacked-schools/

Although it is impossible to be absolutely certain who engineered this clever hijacking, some of the evidence available to me at this time suggests that a particular company listed on Spamhaus' ROKSO list may possibly have either had a hand in engineering the hijacking, or else may possibly have benefitted from it, after the fact, i.e. obtaining IP space which they could then sub-lease to their space-hungry customers.

Certainly, fine folks at Reliance Globalcom Services, Inc. could tell us who is paying them to connect these hijacked blocks to their network, but I rather doubt that they are actually going to come clean and do that.

Regards,
rfg

Hijacked blocks:
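
A defensive check suggested by the case above, as an added example that is not part of the original post: it flags address blocks whose WHOIS contact e-mail domain was registered later than the block's WHOIS record was last updated, which is the pattern left behind when a lapsed domain is bought by someone else while the registry records stay unchanged. All prefixes, domain names, dates and field names below are constructed, and the check assumes each block's contact address sits at the organisation's own domain.

```python
from datetime import date
import ipaddress

# Constructed sample data (documentation prefixes and .example domains).
BLOCKS = [
    {"cidr": "192.0.2.0/24", "poc_email": "noc@old-isp.example",
     "whois_updated": date(2001, 3, 14)},
    {"cidr": "198.51.100.0/24", "poc_email": "NOC@Old-ISP.example",
     "whois_updated": date(2002, 7, 1)},
    {"cidr": "203.0.113.0/24", "poc_email": "hostmaster@live-org.example",
     "whois_updated": date(2009, 11, 2)},
]
# Hypothetical domain registration data, keyed by lower-case domain name.
DOMAINS = {
    "old-isp.example": {"created": date(2010, 6, 10), "privacy_proxy": True},
    "live-org.example": {"created": date(1998, 2, 20), "privacy_proxy": False},
}

def stale_contact_findings(blocks, domains):
    """Return (network, contact_domain, reason) for blocks whose contact
    domain can no longer be assumed to belong to the original registrant."""
    findings = []
    for block in blocks:
        net = ipaddress.ip_network(block["cidr"])
        domain = block["poc_email"].rsplit("@", 1)[1].lower()
        info = domains.get(domain)
        if info is None:
            # Domain not registered at all: anyone could buy it.
            findings.append((net, domain, "contact domain is unregistered"))
        elif info["created"] > block["whois_updated"]:
            # Domain registration is newer than the last WHOIS change,
            # so the record predates the current domain holder.
            reason = "contact domain registered after last WHOIS update"
            if info["privacy_proxy"]:
                reason += " (registrant hidden behind privacy service)"
            findings.append((net, domain, reason))
    return findings

def addresses_at_risk(findings):
    """Total number of addresses covered by the flagged blocks."""
    return sum(net.num_addresses for net, _, _ in findings)

if __name__ == "__main__":
    results = stale_contact_findings(BLOCKS, DOMAINS)
    for net, domain, reason in results:
        print(f"{net}  {domain}  {reason}")
    print("addresses at risk:", addresses_at_risk(results))
```
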