Prefix hijacking by Michael Lindsay via Internap
Hello All,

I was hired by a Russian ISP company to get it back into business. Due to the impact of the financial crisis, the company was almost bankrupt, but then it found an investor and has a great wish to live again.

When I tried to announce its networks, upstreams refused to accept them because of Spamhaus listings. But our employer swore there is not and was not any spamming from the company. Spamhaus lists all our networks as spamming zombies. And they ARE announced and used now!!! The announcement is from the American-based company Internap (AS12182). I wrote an abuse report to them, but instead of stopping the unauthorized announcements of our networks, I was contacted by a person named 'Michael Lindsay' - he told me he bought our networks from some other people and demanded we take back our abuse reports. Of course, we did not. After a short googling, I found this is a well-known cybercriminal: http://www.spamhaus.org/rokso/listing.lasso?file=818&skip=0, and he did IP hijacking with a fake letter of authorization before: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8686, so our company is not his first victim. Yes, our company "helped" him with the mistake of losing the old domain link-telecom.biz, which he also squatted. This domain was listed as a contact in the RIPE Database.

It is a good topic why these easy-to-forge LOAs are still in use, when RADB/RIPE DB/other routing databases with password access are a common thing. But this is not the main thing. The main thing is why Internap helps a well-known felon commit a crime, and completely ignores our requests? Is there any way to push them to stop doing that immediately? If anybody can - please help...
Re: Prefix hijacking by Michael Lindsay via Internap
Right now there are:
46.96.0.0/16
83.223.224.0/19
94.250.128.0/19
94.250.160.0/19
188.164.0.0/24

As I can see in the spam block lists like Spamhaus, all our networks were affected:
83.223.224.0/20
86.59.128.0/17
79.174.128.0/18
94.250.128.0/17
188.164.0.0/16
46.96.0.0/16

2011/8/21 Arturo Servin:
> What's the prefix you claim is hijacked?
>
> /as
>
> On 20 Aug 2011, at 22:05, Denis Spirin wrote:
>
> > Hello All,
> >
> > I was hired by a Russian ISP company to get it back into business. Due
> > to the impact of the financial crisis, the company was almost bankrupt, but then
> > it found an investor and has a great wish to live again.
> >
> > When I tried to announce its networks, upstreams refused to accept them
> > because of Spamhaus listings. But our employer swore there is not and was
> > not any spamming from the company. Spamhaus lists all our networks as
> > spamming zombies. And they ARE announced and used now!!! The announcement is from
> > the American-based company Internap (AS12182). I wrote an abuse report to them,
> > but instead of stopping the unauthorized announcements of our networks, I was contacted
> > by a person named 'Michael Lindsay' - he told me he bought our networks from
> > some other people and demanded we take back our abuse reports. Of course, we
> > did not. After a short googling, I found this is a well-known cybercriminal:
> > http://www.spamhaus.org/rokso/listing.lasso?file=818&skip=0, and he
> > did IP hijacking with a fake letter of authorization before:
> > http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8686, so our company
> > is not his first victim. Yes, our company "helped" him with the mistake
> > of losing the old domain link-telecom.biz, which he also squatted. This domain was
> > listed as a contact in the RIPE Database.
> >
> > It is a good topic why these easy-to-forge LOAs are still in use, when
> > RADB/RIPE DB/other routing databases with password access are a common
> > thing. But this is not the main thing. The main thing is why Internap helps
> > a well-known felon commit a crime, and completely ignores
> > our requests? Is there any way to push them to stop doing that immediately?
> > If anybody can - please help...
Re: Prefix hijacking by Michael Lindsay via Internap
RIPE NCC staff is already doing its investigation.

And RIPE NCC can't stop the routing at all.

2011/8/21 Suresh Ramasubramanian:
> Just as interesting is that those prefixes are certainly on spamhaus.
>
> This should turn out very interesting indeed - maybe RIPE NCC should
> just reclaim those prefixes till their ownership is resolved. If ever.
>
> On Sun, Aug 21, 2011 at 7:43 AM, Adrian wrote:
> >
> > H, interesting..
> >
>
> --
> Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Prefix hijacking by Michael Lindsay via Internap
Yes, they are using our ASN 31733 to originate the networks. All the visible paths are through AS12182. Internap was contacted about a week ago, but did nothing.

No, I'm not a venture capitalist, but an IT specialist.

I am too sleepy, so I replied to Adrian directly when I wanted to post to the list.

2011/8/21 Arturo Servin:
>
> These prefixes are originated by AS31733, which seems to be assigned to the
> same organisation as the ASN, which in turn seems to be you.
>
> I can see AS12182 in the path but not originating the route. So I do not
> understand what you are claiming.
>
> .as
>
> On 20 Aug 2011, at 23:05, Denis Spirin wrote:
>
> Right now there are:
> 46.96.0.0/16
> 83.223.224.0/19
> 94.250.128.0/19
> 94.250.160.0/19
> 188.164.0.0/24
Re: Prefix hijacking by Michael Lindsay via Internap
RIPE NCC can't withdraw any prefixes. They can do de-registration. In this case it will not lead to a withdrawal, as it is announced without any honor to the RIPE Database, like the Routing Registry. So it will be changed from a hijacked company prefix to a hijacked unused prefix, with the same result - mass spamming from it.

2011/8/21 Suresh Ramasubramanian:
> You could ask that they withdraw the prefixes and see if that works?
>
> On Sun, Aug 21, 2011 at 8:45 AM, Denis Spirin wrote:
> > RIPE NCC staff is already doing its investigation.
> >
> > And RIPE NCC can't stop the routing at all.
> >
>
> --
> Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Prefix hijacking by Michael Lindsay via Internap
Hi Erik,

The RIPE DB shows clearly that Internap has NO permission to route our networks as the direct uplink. Am I wrong?

2011/8/21 Erik Bais:
> Hi Denis,
>
> If Internap doesn't / won't assist in this matter, you can send an abuse
> message to both Tinet and NTT and have them reject the prefixes on their
> ingress port.
>
> They will probably only do that in case you have your AS record and route
> objects correctly documented and can actually provide the proof they require
> to do so.
>
> Regards,
> Erik
Fwd: Prefix hijacking by Michael Lindsay via Internap
Of course, we have fewer customers than we had a year ago. Not zero in any case. Some parts of the network were rented to other ISPs and will be returned. Some were NATed after the upstream shut down BGP. How many IPs we need now we will discuss with RIPE NCC, if they will. First, we have to shut down the hijackers, don't we?

2011/8/21 Erik Bais:
> Hi Denis,
>
> Convenient as it may be to use a LIR and their historic provided prefixes,
> have you thought about starting with a clean slate?
>
> If the company was close to bankrupt and one can only assume that it didn't
> require a couple /16's and a couple /19's ...
> Didn't you get ANY questions from RIPE in that regard when you discussed the
> topic with them? The reason why those prefixes were provided isn't valid
> anymore and if you are restarting the business even a /21 should be enough ...
>
> Even in Russia it will take some time to get the customers back, especially
> if they have been offline for some time. (If they were not offline, the
> prefixes wouldn't have been hijacked, correct? ...)
>
> Next to this all, none of the prefixes that I currently see under the stated
> AS have a route-object in the RIPE db and the AS object AS31733 hasn't been
> updated since 2008, as none of the listed AS's there are current / active
> upstreams / peers.
>
> From where I stand it doesn't surprise me that your upstreams don't want to
> advertise it and if they would, don't be surprised if some networks filter
> your prefixes regardless of whether you are listed on a shady list on Spamhaus.
>
> Regards,
> Erik Bais
Fwd: Prefix hijacking by Michael Lindsay via Internap
Where do you see the permission of Internap to transit our AS31733?

aut-num:        AS31733
as-name:        LINKTEL-AS
descr:          Link Telecom PJSC
org:            ORG-LTP1-RIPE
import:         from AS8342 accept ANY
import:         from AS12695 accept ANY
import:         from AS44109 accept ANY
export:         to AS8342 announce AS31733
export:         to AS12695 announce AS31733
export:         to AS44109 announce AS31733
admin-c:        LN1688-RIPE
tech-c:         LN1688-RIPE
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         MNT-LINKTEL
mnt-routes:     MNT-LINKTEL
changed:        n...@link-telecom.biz 20080917
changed:        hostmas...@ripe.net 20110414
source:         RIPE

AS8342, AS12695, AS44109 can. AS12182 - can't.

We are already in touch with RIPE NCC and Internap. But the networks continue to be hijacked. That is the reason I wrote to this list.

2011/8/21 Arturo Servin:
>
> On 21 Aug 2011, at 00:28, Denis Spirin wrote:
>
> > Yes, they are using our ASN 31733 to originate the networks. All the visible
> > paths are through AS12182. Internap was contacted about a week ago, but did
> > nothing.
>
> Which seems to be the right decision because the whois data backed it up.
>
> > No, I'm not a venture capitalist, but an IT specialist.
> >
> > I am too sleepy, so I replied to Adrian directly when I wanted to post to the
> > list.
>
> If you are claiming rights over these prefixes I suggest you contact RIPE NCC.
>
> /as
>
> > 2011/8/21 Arturo Servin:
> >
> >> These prefixes are originated by AS31733, which seems to be assigned to the
> >> same organisation as the ASN, which in turn seems to be you.
> >>
> >> I can see AS12182 in the path but not originating the route. So I do not
> >> understand what you are claiming.
> >>
> >> .as
> >>
> >> On 20 Aug 2011, at 23:05, Denis Spirin wrote:
> >>
> >> Right now there are:
> >> 46.96.0.0/16
> >> 83.223.224.0/19
> >> 94.250.128.0/19
> >> 94.250.160.0/19
> >> 188.164.0.0/24
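The check being made by eye in the message above, as an added example (not code from the thread or from any operator named in it): parse the export: lines of the AS31733 aut-num object and compare them against the AS sitting next to the origin in observed AS paths. The sample paths are constructed; AS64496 to AS64500 are documentation ASNs standing in for collector peers and an unrelated origin.

```python
import re

# Constructed sample input: the policy lines of the AS31733 aut-num object
# quoted in the thread (the attributes that this check needs).
AUT_NUM_AS31733 = """\
aut-num:    AS31733
import:     from AS8342 accept ANY
import:     from AS12695 accept ANY
import:     from AS44109 accept ANY
export:     to AS8342 announce AS31733
export:     to AS12695 announce AS31733
export:     to AS44109 announce AS31733
"""

AUT_NUM_RE = re.compile(r"^aut-num:\s+AS(\d+)\s*$", re.I)
EXPORT_RE = re.compile(r"^export:\s+to\s+AS(\d+)\s+announce\s+", re.I)

def declared_upstreams(rpsl: str) -> dict[int, set[int]]:
    """Origin ASN -> neighbour ASNs its export: lines say it announces to."""
    origin = None
    declared: dict[int, set[int]] = {}
    for raw in rpsl.splitlines():
        line = raw.strip()
        if m := AUT_NUM_RE.match(line):
            origin = int(m.group(1))
            declared.setdefault(origin, set())
        elif (m := EXPORT_RE.match(line)) and origin is not None:
            declared[origin].add(int(m.group(1)))
    return declared

def classify_path(as_path: list[int], declared: dict[int, set[int]]) -> str:
    """Verdict for one observed AS path (collector side first, origin last).
    An undeclared neighbour is a reason to investigate, not proof of a hijack:
    IRR objects go stale, as this thread shows, so read it with the object dates."""
    origin = as_path[-1]
    if origin not in declared:
        return "origin-not-in-irr"
    if len(as_path) == 1:
        return "no-transit"
    neighbour = as_path[-2]
    return "ok" if neighbour in declared[origin] else f"undeclared-transit:AS{neighbour}"

def undeclared_transits(paths: list[list[int]], declared: dict[int, set[int]]) -> set[int]:
    """Neighbour ASNs seen next to an origin that has no export: line for them."""
    return {p[-2] for p in paths if classify_path(p, declared).startswith("undeclared")}

# Constructed observed paths: AS64496-AS64500 are documentation ASNs standing in
# for collector peers and an unrelated origin; AS12182 and AS8342 are from the thread.
SAMPLE_PATHS = [[64496, 12182, 31733], [64497, 8342, 31733], [64496, 64498, 64500]]

if __name__ == "__main__":
    policy = declared_upstreams(AUT_NUM_AS31733)
    for path in SAMPLE_PATHS:
        print(" ".join(f"AS{n}" for n in path), "->", classify_path(path, policy))
```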
Re: Prefix hijacking by Michael Lindsay via Internap
Hello Adrian,

I tried to reply to the list from the office without the TOR you don't like, and got this:

: host mailman.nanog.org[204.93.212.138] said: 550-rejected because 86.59.128.2 is in a black list at zen.spamhaus.org
550 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL116130 (in reply to RCPT TO command)

So I have to continue to use TOR when writing to NANOG.

P.S. The abuse department of Telia rejected my list for the same reason, which surprised me a lot.

2011/8/21 Adrian:
> On Saturday 20 August 2011 18:05, Denis Spirin wrote:
> > Hello All,
> >
> > I was hired by a Russian ISP company to get it back into business. Due
> > to the impact of the financial crisis, the company was almost bankrupt, but
> > then it found an investor and has a great wish to live again.
> ...
>
> Received: from mail-qy0-f177.google.com ([209.85.216.177])
> by mailman.nanog.org with esmtp (Exim 4.76 (FreeBSD))
> (envelope-from ) id 1QuwTJ-000AP1-FT
> for nanog@nanog.org; Sat, 20 Aug 2011 20:05:05 -0500
> Received: by qyk2 with SMTP id 2so1654839qyk.15
> for ; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
> MIME-Version: 1.0
> Received: by 10.229.247.15 with SMTP id ma15mr447953qcb.1.1313888704629; Sat,
> 20 Aug 2011 18:05:04 -0700 (PDT)
> Received: by 10.229.95.15 with HTTP; Sat, 20 Aug 2011 18:05:04 -0700 (PDT)
> X-Originating-IP: [192.251.226.206]
>
>
> Non-authoritative answer:
> 206.226.251.192.in-addr.arpa    canonical name = rev-206.blutmagie.de.
> rev-206.blutmagie.de    name = anonymizer2.blutmagie.de.
>
> Non-authoritative answer:
> Name: anonymizer2.blutmagie.de
> Address: 192.251.226.206
>
> Resolving anonymizer2.blutmagie.de... 192.251.226.206, 2a02:3010:100:1::1:6de8
> Connecting to anonymizer2.blutmagie.de|192.251.226.206|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 4939 (4.8K) [text/html]
> Saving to: `index.html'
>
> index.html:
>
> This is a Tor Exit Router
>
> Most likely you are accessing this website because you had some issue with the
> traffic coming from this IP. This router is part of the Tor Anonymity
> Network, which is dedicated to providing privacy to people who need it most:
> average computer users. This router IP should be generating no other traffic,
> unless it has been compromised.
> ...
>
> H, interesting..
>
> Adrian
Re: Prefix hijacking by Michael Lindsay via Internap
Hi All,

I looked up Internap here http://www.robtex.com/as/as31733.html#graph on the 24th of August and found Internap announced our networks to Telia, Cogent, NTT, Glbx and Tinet. I wrote to all of them. The first reply was from Tinet. They even had the time and wish to call me by phone. They said they stopped the crime route and started an investigation with Internap. Then there was a short reply from NTT saying they asked Internap for comments, and silence after it. Telia, Cogent (which is very brave in some cases in not routing networks that are in Spamhaus lists, but not in this case somehow) and GLBX had not replied at all.

Now I see in the picture above there are new direct announcements to Savvis, ATT and Sprint. I know well these criminals only need to be reachable from AOL to do spamming. And it can be not only via Tier1. As Internap doesn't reply to our mails, and spreads the direct announcement to avoid possible Tier1 filtering, I now believe Internap itself is involved in this crime and doing such things with open eyes and with the acquiescence of the Tier1's.

You don't care? So look at this. Now there are a lot of networks that can be considered lost and unused. And only a few of them like us will be back in business. It's easy to do hijacking without any interaction with actually working networks. Things are changing. One year later, there will be almost no free or unused IPv4 networks. If nothing changes, such criminals will hijack YOUR working networks. Because it will still be possible, it will still be scot-free, and nobody will still care. It is enough to hijack a part of your network, like a more specific prefix, for only a few days to do mass spamming; this makes your network completely dirty and probably unusable in future. So why not?

I understand well there are no technical means to prevent hijacks. But there can be some administrative good practice to stop it. The penalty for that and for assistance in that may make the criminals think twice before doing a hijack, or better make it not profitable at all. The step forward can be following the routing registry databases like RIPE DB, at least for those controversial cases. But Internap ignores it, as well as their uplinks.

2011/8/21 Jimmy Hess:
> If it continues to be a problem, find the upstreams' upstreams,
> until you are sending letters to Tier1 operators.
>
> Regards,
>
> --
> -JH
Re: Prefix hijacking by Michael Lindsay via Internap
Hello All,

Let me tell you the end of the story of the hijacking of our networks.

So, at the end of July, we found some of our networks were announced somewhere without our permission. That was the illegal announcement from Internap. We sent a letter to Internap on August 11th. Internap replied with a forward of the fake LOA someone sent from the domain link-telecom.biz on June 9th. Then Internap refused to reply to any mail from us until now.

Further investigation found link-telecom.biz was our old domain, which we lost in February, and it was the contact e-mail listed in the RIPE database. In February our company was on the way to closing, nobody believed we would survive, so nobody cared about it. Then when things went well, all people just forgot about the old lost domain, as well as about updating the RIPE database with new contacts. I understand well why Internap announced our networks after the first letter from the actual RIPE DB contact email. But I don't understand why they didn't stop the announcement after the second (our) letter from the updated actual contact with our explanation of that situation. Worst of all, the reverse DNS was delegated to the old lost domain, so the criminals got the rDNS too.

After the mail we sent to Internap, someone named Michael Lindsay contacted us and said it is his network! A bit of googling found he is a well-known hijacker and spammer, so we forwarded it to Internap of course. Without any reaction at all.

In this list (thank you a lot!!!) I got the advice to mail the uplinks of Internap, so I did it on August 25th. The first reply was from NTT, they started an investigation, and on the 29th they filtered the announcements. On the 29th Cogent replied too, and filtered out the illegal announcement. Those were all the replies I got. In parallel, I started to announce not only our networks, but more specific prefixes to our uplink in Moscow. Together with rDNS redelegation, this made it impossible for Internap to use our networks (i.e. to do spamming), so they stopped the illegal activity yesterday. This is almost done, except for the long work of writing to a lot of mail reputation and blacklist operators to get our networks delisted.

So, no one is protected from IP network stealing. And no one cares. If Internap or its uplinks were more clever and more insistent - we really had a chance to lose our networks forever. I am definitely sure we need to find and implement some practice to prevent IP hijacking. I dug into a lot of things about secure routing, PKI signing and so on - there are no working solutions now, and there will not be in the near future. But it is possible to negotiate and arrange a formal (administrative) best practice for resolving and preventing such issues. Are there any ideas?
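The two prefix-length effects described in this thread, as an added example (not code from the thread): announcing more-specifics from the legitimate uplink to win longest-prefix match over a hijacked covering prefix, and the reverse case from the earlier message, where a hijacked more-specific of a working /16 wins for that slice. The prefixes are the thread's; the "legit"/"hijacker" labels, the /24 floor and the destination addresses are constructed.

```python
import ipaddress

# A route here is (prefix, label); the label stands in for origin and path so the
# example can show which announcement wins for a destination. Constructed data.
Route = tuple[str, str]

def more_specifics(prefix: str, new_len: int) -> list[str]:
    """Split a prefix into its covering more-specifics of length new_len.
    Most networks drop IPv4 prefixes longer than /24, so /24 is taken as the floor."""
    net = ipaddress.ip_network(prefix)
    if new_len <= net.prefixlen or new_len > 24:
        raise ValueError(f"cannot split {prefix} into /{new_len}")
    return [str(sub) for sub in net.subnets(new_prefix=new_len)]

def best_route(dest: str, rib: list[Route]) -> str:
    """Longest-prefix match over rib. Returns 'contested' when two labels tie on
    length, because equal-length announcements are left to BGP path selection."""
    addr = ipaddress.ip_address(dest)
    best_len, labels = -1, set()
    for prefix, label in rib:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, labels = net.prefixlen, {label}
        elif net.prefixlen == best_len:
            labels.add(label)
    if not labels:
        return "unreachable"
    return labels.pop() if len(labels) == 1 else "contested"

# Scenario 1 (the mitigation used in the thread): the hijacker announces the
# covering /16, the holder answers with /17 more-specifics via its own uplink.
HIJACKED = [("46.96.0.0/16", "hijacker")]
RECOVERED = HIJACKED + [(p, "legit") for p in more_specifics("46.96.0.0/16", 17)]

# Scenario 2 (the threat raised earlier in the thread): a /24 slice of a working
# /16 is hijacked; longest match hands that slice to the hijacker, not the holder.
SLICED = [("188.164.0.0/16", "legit"), ("188.164.0.0/24", "hijacker")]

if __name__ == "__main__":
    print(best_route("46.96.200.1", HIJACKED))    # hijacker
    print(best_route("46.96.200.1", RECOVERED))   # legit
    print(best_route("188.164.0.10", SLICED))     # hijacker
    print(best_route("188.164.9.10", SLICED))     # legit
```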