(Yes, this is a long one.)
Something that popped up from time to time in my travels in the ISP world was the concept of "rorting" transit. This was sometimes done deliberately, sometimes done by accident, and sometimes caused by your upstream.
Here's something which popped up as a feature of the internet routing: hop-by-hop routing decisions.
For those who don't know; here's how IP routing works.
Two hosts A and B are directly connected (say, by ethernet.) These hosts are on the same network and thus "know" by virtue of their IP and netmask configuration that they can speak directly.
Now consider hosts A and C. A and C are not on the same network - so how do they talk to each other? The simplest way is a default route: the route which is taken when a host tries talking to another host it isn't connected to. Call this R.
So A connects to R and has it as a default route. C connects to R (on a different network to A) and has it as a default route. A and C can now talk to either other - through R.
But here's the interesting bit: when A wishes to talk to C, it doesn't decide on the whole path to get to C! It checks its routing table, finds R is the intermediate step, and hands the packet to R hoping R knows how to get to C.
This is hop-by-hop routing as implemented by IP (for the most part; there are other ways but they're almost always used for testing or hacking): each device has a routing table which lists the next hop for the "internet". Each step in the way makes a decision where to hand the packet to: hoping that its making a "good" choice and getting it closer to its destination.
(Now; for those who think "Adrian doesn't know shit! etc etc"; I know about the old and new technologies to get around some of the hop-by-hop limitations: mostly including using a smarter L2 network so one doesn't need to run everything through large core routers. I know how QoS is implemented on networks; I know about traffic engineering. I'm talking 1997 here - when ATM and Frame Relay ruled the roost; Cisco were bringing out their SONET cards to allow people to bypass the massive costs incurred of running ATM everywhere; etc. So if you complain: bite me.)
Australia had a rather unique setup: AUNIC (ie, Geoff Huston) allocated IP space out of 18.104.22.168/10 to Australian networks. Initially they were to Australian internet customers - since "Australian Internet" was "hooked up to Telecom". This didn't last forever; the space was allocated "portable" and so if you decided to leave Telstra for a competitor (Connect.Com; Access One) you could happily take your IP space with you. Eventually the "best practice" CIDR stuff popped up and AUNIC stopped allocating chunks of IP space from this network range, now known as a "swamp" range. Why is this bad? Because routers at the time had limited CPU and memory to store the "global" routing table; if every part of the IPv4 space were announced as /24 (256 IP) blocks the routing table would be huge! So IP space started being allocated out in chunks of /19 (and later /20) to ISPs; but plenty of people still had validly allocated 22.214.171.124/10 address space.
So ISPs had this validly-allocated 126.96.36.199/10 address space; sometimes in chunks as small as /24. They could announce it via BGP to the rest of the internet: and, as I said before, every device on the internet sent packets destined to their IP space by giving it to the "next-hop" hoping in good faith it would pass it closer to the destination.
Here comes the first bit: what happened if ISPs refused to listen to such small announcements? Some ISPs, spurred on by such reaggregation-luminaries as Randy Bush, had BGP prefix filters effectively filtering out the smaller announcements. (Randy eventually updated his filters to allow /24 announcements in the "swamp" areas like 188.8.131.52/10 - but not every network admin updated their filters often!) Where would the packets go!
So the next bit about IP transit: almost no-one runs their networks without a "default". That is; if you didn't know where the packet was meant to go you'd have a 'last resort', generally the guy you were buying transit off. You'd pass the packet to 'im, hoping he'd get it closer to the destination (and hopefully bypass any filtered announcements.)
And the next bit: Telstra "owned" 184.108.40.206/10 - remember how they initially allocated space to their "clients" but allowed it to be portable? So Telstra announced 220.127.116.11/10. This meant that if some backbone internet network in the US had filtered out the swamp announcements - or hadn't heard them for some reason - they'd still "hear" 18.104.22.168/10 and thus pass the packets closer to Telstra. Who, luckily for us, peered in the US. This had a nice side-effect: it meant that traffic destined for Australian IPs was pushed towards the couple of peering points the Australian internet providers peered at - IIRC this included PAIX and .. grr, something else on the West Coast of the US. Hopefully the packets would get "closer" to these peering points and then hit a network which actually listened to the smaller "swamp" announcements: and the packets flowed correctly to their destination.
"Aha!" the astute reader says. "What if the packets made it to Telstra, what happened?" And now, ladies and gentlemen, the problem begins. Yes, telstra would receive the packet. Telstra listened to the swamp announcements; but what then?
The short answer: people used this to "nick" transit from Telstra.
(As I said; it wasn't stealing; it was just a side-effect of the 22.214.171.124/10 supernet advertisement and effects on peering.)
By using transit from another provider (connect.com, Access One) who had a Telstra link. I have no idea whether said links were peering or transit link; but its not important (except for traffic costs!) You could twiddle your BGP announcements in such a way that the traffic could come into Australia via Telstra; then hop over this link to your ISP; then be delivered to you. You'd get Telstra-quality traffic - but at the cheaper price from the ISP.
(No, I never did this; I only came across it after the smart guys in charge of those network closed the holes.)
A side-effect of this? Australian routes sometimes didn't work if you tried using them outside of Australia. Remember that people filtering the "swamp" announcements may result in the traffic being pushed towards Telstra. If you weren't in Australia - or weren't peering everywhere in the US - then sometimes you'd come across "black holes" on the internet - traceroutes from them to your Australian-space-not-being-used-in-Australia would disappear into the Aether. Yes, I experienced this in Europe; it made for some very interesting late-night calls to other NOCs.
How was the "theft" done? IIRC one would "break" their routing by tagging their BGP announcements to their ISP with a community that said "deliver to peers; not to transit." The ISP would then announce it to Telstra - but not to their peers/transit in the US. Telstra would receive the traffic via the supernet advertisement and then deliver it over this peering link in AU.