This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Previous message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Next message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Job Snijders job at ntt.net
Mon Jan 27 08:17:12 CET 2020

On Sun, Jan 26, 2020 at 10:59:00PM -0800, Ronald F. Guilmette wrote:
> In message <20200127055550.GK36653 at vurt.meerval.net>, 
> Job Snijders <job at ntt.net> wrote:
> 
> I'll tell you what Job, I'll make you a deal.  You tell me what ARIN
> did to properly review and vet this request (i.e. for a change to who
> controls this legacy block) and then, if I am persuaded that they did
> that *and* that what they did was both reasonable and sufficient, then
> I'll grovel and beg forgivness from all, including ARIN.

Hold on a second, are you sure there ever *was* a request to change who
controls this legacy block? I am not so sure.

I suspect what happened is that the 'thriftdrug.org' domain name
registration expired, and the alleged thief registered thriftdrug.org,
created a *@thriftdrug.org mailbox. Then proceeded to recover the
username [1], then performed a password reset [2], logged into the
portal, and *only* changed the OriginAS attribute.

The above procedure doesn't constitute a 'change of who controls it',
but may be enough for AS12679 to get past some LOA/IRR barriers.

[1]: https://account.arin.net/public/recoverusername
[2]: https://account.arin.net/public/resetpassword

> But from where I am sitting it does appear that there was exactly and
> only -zero- review of this take-over request.

There was no take-over request, I'd call this impersonation or a
compromised account.

> I mean that it appears that absolutely *nothing* was done in the way
> of vetting in this case.  The age of the new contact domain... which
> would have been a BIG red flag...  quite apparentkly wasn't checked.  

Have you considered asking ARIN to take the 'domain name creation' date
into consideration when usernames are retrieved or passwords are reset?
Perhaps there are some simple heuristics that can be applied to improve
the password reset process.

ARIN has a fine working process to publicly log enhancement requests
called the 'ACSP' https://www.arin.net/participate/community/acsp/

ARIN would not be unique in having trouble preventing account
compromises when the control over the domain name falls in the wrong
hands.

Kind regards,

Job

Previous message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Next message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]