[anti-abuse-wg] How to find abandoned networks (was Spam FAQs need revision)
Suresh Ramasubramanian
ops.lists at gmail.com
Wed Dec 14 02:47:37 CET 2011
I fully agree with Joe here. Trying to hide this in the whois is not
much more than a figleaf.

The route registries aren't very heavily used at all (not even by
providers like swisscom who prefer to filter on minimum allocation size
rather than prefixes registered in route registries, but that's another
can of worms) :)

There are plenty of other places for malicious actors to hijack old IP
space, register shell companies (yeah yeah you're not the document
police), etc.

So - hiding stuff from the whois is just not going to cut it as much as
RIRs fixing their process, and SPs adopting best practices.

--srs

On Wed, Dec 14, 2011 at 1:56 AM, Joe St Sauver <joe at oregon.uoregon.edu> wrote:
> Shane commented:
>
> #What a great method for finding networks that are poorly monitored and
> #maintained! Simply check ARIN's Whois database until you find networks
> #with POC that are marked as invalid!
> #
> #I hope that RIPE does not adopt this address-hijacking-friendly
> #technique. :(
>
> If I were a person inclined toward hijacking netblocks, I think I'd
> likely use data from Routeviews (or a similar routing table analysis
> project) to identify IP address ranges that consistently are absent
> from the global routing table. You could certainly use whois database
> queries in an effort to verify or validate potential target IP address
> ranges, but I don't really see stale data flags in whois as materially
> worsening the existing problem of abusers scavenging apparently unused
> (or underused) network resources. After all, if a bad guy or bad gal
> sees a "juicy" likely-"abandoned" /16 or whatever, it really isn't that
> hard for them to try emailing the points of contact, or to try calling
> the listed phone POCs, etc.
>
> If the goal is to seriously deter address hijacking, I think we need to
> talk about things like RPKI (folks who may be interested may want to
> see Bush and Austein's NANOG RPKI Tutorial from June 2011,
> http://www.nanog.org/meetings/nanog52/abstracts.php?pt=MTc3MyZuYW5vZzUy&nm=nanog52
> or for those who find URL shorteners more convenient, try
> http://tinyurl.com/rpki-tutorial for that same page).
>
> Or, if you're skeptical of RPKI, encourage your friends to carefully
> monitor their space and how it's being announced. But I digress :-;
>
> Regards,
>
> Joe
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)