Chris Grundemann cgrundemann at gmail.com
Thu May 1 15:26:21 EDT 2008

On Thu, May 1, 2008 at 12:15 PM, tabris <tabris at tabris.net> wrote:
> Chris Grundemann wrote:
>  > What is the most efficient manner of tracking this type of squatting /
>  > hijacking?
>  > Is there a method efficient enough to make it realistically plausible
>  > to keep a running list?
>  > Is there an organization equipped to maintain such a list?
>  >
>  I believe there is one that already tries to, albeit they don't seem to
>  list this particular prefix (maybe b/c it's not technically invalid).
>  http://www.cymru.com/BGP/incon_asn_list.html
I think (anyone please feel free to correct me) that the Team Cymru
BGP Inconsistent Origin ASN List is based on a given prefix being
announced from multiple AS' at the same time.  Not based on who
/should/ be announcing it.  So it is a good tool for identifying some
hijacking but only in cases where the "real" holder is still
advertising that space.  In a situation like the one that allegedly
exists with 134.17/16; the proper holder is not advertising the space
and thus that method does not reveal anything (because there is only
one origin AS advertised for that block).

Bogon lists block space that should not be advertised at all.  Lists
like the one from Team Cymru help identify potential hijackings of
advertised space.  The gap is in blocks that are assigned (not bogon)
but not advertised (by the proper holder / assignee).  That is the
area where my questions are focused.
> > If there are good answers to these questions then we could leverage
>  > such a routing blacklist against those who would operate on any
>  > current or future IP black market.  I think this would be very
>  > beneficial to the community as a whole because as you note, most of
>  > the people who would use IP space inappropriately are using it for
>  > something inappropriate.
>  >
>  > ~Chris

Chris Grundemann

More information about the ARIN-PPML mailing list