[db-wg] Getting fraudulent entries removed

Hi,

I don’t think a one-off will cut it. This is, and has to be, a continuous
process.

A “did you know this happened in RIPE IRR”-notification would be good when
non-auth objects are created.

Maybe RPKI ghostbuster and Whois context info can be used to find the
appropriate block owners.

Kind regards,

Job

On Thu, 9 Nov 2017 at 19:44, denis walker <ripedenis at yahoo.co.uk> wrote:

> Hi guys
>
> Perhaps after the RIPE NCC implements the agreed actions on foreign ROUTE
> objects, it would be a good idea to do a (one time?) cleanup/review of all
> foreign ROUTE objects in the RIPE IRR. Find the contact details in the
> appropriate RIR Database for all non RIPE address space covered by these
> ROUTE objects. Send them a notification with a link to click if they
> approve of the ROUTE object. If no response is received within a defined
> time period, delete the ROUTE object.
>
> cheers
> denis
> co-chair DB WG
>
>
> ------------------------------
> *From:* Job Snijders via db-wg <db-wg at ripe.net>
> *To:* Brian Rak <brak at choopa.com>
> *Cc:* db-wg at ripe.net
> *Sent:* Thursday, 9 November 2017, 17:53
>
> *Subject:* Re: [db-wg] Getting fraudulent entries removed
>
> Dear Brian,
>
> It appears that RIPE NCC is lacking a clear and expedient procedure to
> remedy unauthorised route object creation. I'd be happy to volunteer to
> work with the RIPE NCC to develop a procedure that aligns with industry
> standards on how to verify abuse reports like these and resolve them in
> a timely manner. (Of course this doesn't help you right now.)
>
> The topic of ARIN space in the RIPE database has been discussed
> extensively. A long thread on this topic started here
> https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005622.html,
> sadly, some people even indicated they don't see an issue with how things
> are
> right now
> https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005627.html
> Fortunately this was a minority view, and the RIPE NCC is now tasked to
> more clearly mark non-authoritative route objects as can be read here:
> https://www.ripe.net/ripe/mail/archives/routing-wg/2017-October/003456.html
>
> One thing I recommend you do is to set the "OriginAS" through the ARIN
> webinterface, this will show the world what the origin AS ought to be:
> https://www.arin.net/resources/originas.html. You could reference this
> field in your communication with RIPE NCC to demonstrate that the RIPE
> IRR version of the route object does not align with your intentions.
>
> Another thing you can do is file complaints with the upstreams of
> AS205869 (some of them visible here https://bgp.he.net/AS205869) Telia
> seems to be their main provider.
>
> Kind regards,
>
> Job
>
> On Thu, Nov 09, 2017 at 11:22:33AM -0500, Brian Rak via db-wg wrote:
> > Hi,
> >
> > We've run into an issue where an unknown malicious party appears to have
> > hijacked some of our IP space.  They created entries in the RIPE database
> > that they are using to actually get this space announced.  What's even
> worse
> > is their carrier is trying to say these announcements are legitimate
> because
> > they have IRR entries (which is a whole other issue)
> >
> > What is the process like for actually getting this fraudulent entry
> > removed?  I've been in contact with RIPE NCC Support, and they have been
> > super unhelpful (ref case #14523)
> >
> > The fraudulent entry is:
> >
> >
> https://apps.db.ripe.net/search/lookup.html?source=ripe&key=198.13.32.0/19AS39967&type=route
> >
> > route:           198.13.32.0/19
> > descr:           2nd route
> > origin:          AS39967
> > mnt-by:          ADMASTER-MNT
> > created:         2017-10-13T00:20:08Z
> > last-modified:   2017-10-13T00:20:08Z
> > source:          RIPE
> >
> > I should also note that this ASN suspiciously appears to be announcing
> other
> > people's space as well, but I can only confirm that this particular entry
> > does not belong.  I would suspect that their other IRR entries are fake
> as
> > well.
> >
> > You can verify my request by reaching out to any of the POCs associated
> with
> > this network: https://whois.arin.net/rest/net/NET-198-13-32-0-1
> >
> > Thanks,
> > Brian Rak
> >
> >
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/db-wg/attachments/20171109/6db39157/attachment.html>