[anti-abuse-wg] How to find abandoned networks (was Spam FAQs need revision)

Shane commented:

#What a great method for finding networks that are poorly monitored and
#maintained! Simply check ARIN's Whois database until you find networks
#with POC that are marked as invalid!
#
#I hope that RIPE does not adopt this address-hijacking-friendly
#technique. :(

If I were a person inclined toward hijacking netblocks, I think I'd 
likely use data from Routeviews (or a similar routing table analysis
project) to identify IP address ranges that consistently are absent
from the global routing table. You could certainly use whois database 
queries in an effort to verify or validate potential target IP address 
ranges, but I don't really see stale data flags in whois as materially 
worsening the existing problem of abusers scavening apparently unused 
(or underused) network resources. After all, if a bad guy or bad gal 
sees a "juicy" likely-"abandoned" /16 or whatever, it really isn't that 
hard for them to try emailing the points of contact, or to try calling 
the listed phone POCs, etc.

If the goal is to seriously deter address hijacking, I think we need to 
talk about things like RPKI (folks who may be interested may want to 
see Bush and Austein's NANOG RPKI Tutorial from June 2011,
http://www.nanog.org/meetings/nanog52/abstracts.php?pt=MTc3MyZuYW5vZzUy&nm=nanog52 
or for those who find URL shorteners more convenient, try
http://tinyurl.com/rpki-tutorial for that same page).

Or, if you're skeptical of RPKI, encourage your friends to carefully
monitor their space and how it's being announced. But I digress :-;

Regards,

Joe