[Nlnog] Cyberangels?

Niels Bakker niels.bakker at ams-ix.net
Fri Apr 25 00:28:28 UTC 2003


On donderdag, apr 24, 2003, at 16:08 Europe/Amsterdam, nomad wrote:

> Ik hoorde iets over AS hijacking en valsheid in geschrifte enzo. Ook de
> contact gegevens in de verschillende whois dingen waren niet juist  
> destijds.
> Met de scans erbij wat ik personelijk opvat als 'onfatsoenelijk' heb ik
> besloten ze her en der te filteren.

Er was laatst wat op NANOG over... andermans netblocks announcen is  
natuurlijk een enorme no-go.  Ik geloof dat de types achter Telia  
inderdaad Bevelander waren (natuurlijk simpel te controleren via RIPE's  
RIS Project), en ook dat Telia na de posting adequaat gereageerd heeft.

Dit is niet de eerste club die zich "cyberangels" noemt - ergens in  
1995 ofzo was er een clubje religieuze idioten die achter beheerders  
van IRC-netwerken en dergelijke aangingen.

Als deze mensen zich MAPS noemen is dat op z'n minst verwarrend met  
(voorheen) maps.vix.com / MAPS, LLC; ze zouden beter moeten weten.

Regards,
--  
Niels Bakker                                        Tel: +31 205 141 717
Amsterdam Internet Exchange                      Mobile: +31 651 902 772
http://www.ams-ix.net/                   E-mail: Niels.Bakker at ams-ix.net

----- Forwarded message
From: Richard Cox <Richard at mandarin.com>
Date: don apr 10, 2003  03:06:35 Europe/Amsterdam
To: nanog at merit.edu
Subject: Hijacking of address blocks assigned to Trafalgar House Group,  
London UK
Reply-To: richard at mandarin.com


Hello!

I've been asked to draw the attention of Network administrators to the
recent hijacking of various large blocks of ARIN IP-space: particularly
six /16 blocks allocated to the London-based Trafalgar House Group.

Trafalgar House Group (THG):
Trafalgar House Group TRAF  (NET-144-176-0-0-1) 144.176.0.0/16
Trafalgar House Group THIN1 (NET-144-177-0-0-1) 144.177.0.0/16
Trafalgar House Group THIN3 (NET-144-179-0-0-1) 144.179.0.0/16
Trafalgar House Group THIN4 (NET-144-180-0-0-1) 144.180.0.0/16
Trafalgar House Group THIN5 (NET-144-181-0-0-1) 144.181.0.0/16
Trafalgar House Group THIN2 (NET-158-181-0-0-1) 158.181.0.0/16

I'm sure I don't need to remind people here why this is bad - a zombie
block that can be announced and de-announced at an abuser's whim makes
it far more difficult to trace the source of spam or the destination of
responses: particularly where fraud and password-phishing has occurred.

The company originally known as Trafalgar House is now part of Aker
Kvaerner, headquartered in Norway, who have already set in train the
processes to recover the ARIN and other handles associated with their
Internet assets.  Information about the original change of ownership
is available, if anyone wants further confirmation or background, at
http://www.brookes.ac.uk/other/conmark/IJCM/issue_02/010201.html and
http://www.kvaerner.com/group/investor_relations/reports/1996/3q/ 
Default.asp?

I could give a lot more details but do not want to bore those of you
who have, inevitably, "heard it all before".  I'm not claiming this
is new - or any sort of special case.  I'm posting this solely as a
heads-up to help any admins who may have been asked to accept forged
credentials authorising the announcement of the above blocks, and at
the same time to ask for help from anyone who may have already been
approached in similar terms.  But if anyone does want more background
they're welcome to mail me via the security account @ my domain.

At the time of writing THIN5 is being announced via Level3 in Boston,
and THIN2, plus two other hijacked blocks not owned by Aker Kvaerner
(137.171.0.0/16 and 170.67.0.0/16) are being announced via Telia in
Amsterdam.  Sadly we have had difficulty reaching the right people at
Telia, so if anyone from Telia is here, we'd be real pleased to hear
from you.

ARIN is now aware that handles ST58-ARIN and AMS87-ARIN are completely
bogus, as is also the statement on the WHOIS for ST58-ARIN, that:

     "This company Is currently contracted by trafalgar House to
      provide network management services.  Further information
      will be made avaiblible to request" (sic);

If, therefore, any of you are asked to let through BGP announcements
of any of the above blocks, or if you have been asked anything like
this in the recent past - we ask you not to pass those announcements,
but to get in touch with us urgently, taking care to preserve any
documents that may have been sent to you to support that request: as
these may be needed for prosecution and possible civil litigation
against the perpetrators.

Any valid authority for the use of these blocks would come directly
from either Aker Kvaerner in Norway, or Equant (on their behalf).
It certainly would NOT claim to be from Trafalgar House Group at any
address because that Group is no longer trading under that identity.
However I'm told that there are no plans to deploy those blocks in
the immediate future, or until this incident has been cleared up.

Thanks!

-- 
Richard Cox
Mandarin Technology Ltd, Penarth, UK




More information about the NLNOG mailing list