This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Job Snijders
job at ntt.net
Mon Jan 27 08:17:12 CET 2020
On Sun, Jan 26, 2020 at 10:59:00PM -0800, Ronald F. Guilmette wrote:
> In message <20200127055550.GK36653 at vurt.meerval.net>,
> Job Snijders <job at ntt.net> wrote:
>
> I'll tell you what Job, I'll make you a deal. You tell me what ARIN
> did to properly review and vet this request (i.e. for a change to who
> controls this legacy block) and then, if I am persuaded that they did
> that *and* that what they did was both reasonable and sufficient, then
> I'll grovel and beg forgiveness from all, including ARIN.

Hold on a second, are you sure there ever *was* a request to change who
controls this legacy block? I am not so sure.

I suspect what happened is that the 'thriftdrug.org' domain name
registration expired, and the alleged thief registered thriftdrug.org,
created a *@thriftdrug.org mailbox. Then proceeded to recover the
username [1], then performed a password reset [2], logged into the
portal, and *only* changed the OriginAS attribute.

The above procedure doesn't constitute a 'change of who controls it',
but may be enough for AS12679 to get past some LOA/IRR barriers.

[1]: https://account.arin.net/public/recoverusername
[2]: https://account.arin.net/public/resetpassword

> But from where I am sitting it does appear that there was exactly and
> only -zero- review of this take-over request.

There was no take-over request, I'd call this impersonation or a
compromised account.

> I mean that it appears that absolutely *nothing* was done in the way
> of vetting in this case. The age of the new contact domain... which
> would have been a BIG red flag... quite apparently wasn't checked.

Have you considered asking ARIN to take the 'domain name creation' date
into consideration when usernames are retrieved or passwords are reset?
Perhaps there are some simple heuristics that can be applied to improve
the password reset process.

ARIN has a fine working process to publicly log enhancement requests
called the 'ACSP' https://www.arin.net/participate/community/acsp/

ARIN would not be unique in having trouble preventing account
compromises when the control over the domain name falls in the wrong
hands.

Kind regards,

Job
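
The 'domain name creation' heuristic suggested in the message above, sketched as an added example that is not part of the original message and not ARIN's code. It assumes the portal knows when the contact record was created and can obtain an RDAP domain object (RFC 9083 `events` with `eventAction: registration`) for the contact's mail domain; the function names, the one-year threshold and all sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_DOMAIN_AGE = timedelta(days=365)  # assumed threshold, not an ARIN value


def rdap_registration_date(rdap_domain):
    """Return the 'registration' event date of an RDAP domain object, or None."""
    for event in rdap_domain.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def review_reset(contact_email, contact_created, rdap_domain, now):
    """Decide whether a mailbox-based username recovery or password reset
    may proceed automatically. Returns (decision, reasons)."""
    domain = contact_email.rsplit("@", 1)[-1].lower()
    reasons = []
    if rdap_domain.get("ldhName", "").lower() != domain:
        reasons.append("RDAP record is for a different domain")
    registered = rdap_registration_date(rdap_domain)
    if registered is None:
        # Fail closed: without a creation date the mailbox proves nothing.
        reasons.append("no registration date available")
    else:
        if registered > contact_created:
            # The domain was re-registered after the contact was set up,
            # so the mailbox may belong to a different party.
            reasons.append("domain registered after contact record was created")
        if now - registered < MIN_DOMAIN_AGE:
            reasons.append("domain registered recently")
    return ("manual_review" if reasons else "allow", reasons)


# Constructed sample data (example.org and all dates are placeholders).
NOW = datetime(2020, 1, 27, tzinfo=timezone.utc)
CONTACT_CREATED = datetime(2001, 3, 1, tzinfo=timezone.utc)
REREGISTERED = {"ldhName": "example.org", "events": [
    {"eventAction": "registration", "eventDate": "2019-11-05T12:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2020-11-05T12:00:00Z"}]}
CONTINUOUS = {"ldhName": "example.org", "events": [
    {"eventAction": "registration", "eventDate": "1998-06-01T00:00:00Z"}]}

if __name__ == "__main__":
    for name, record in (("re-registered", REREGISTERED), ("continuous", CONTINUOUS)):
        print(name, review_reset("admin@example.org", CONTACT_CREATED, record, NOW))
```
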