[dp-tf] Re: 91.198.71.0 - 91.198.71.255
Richard Cox cio at spamhaus.org
Sun Nov 4 17:50:12 CET 2007
(Copied to APWG-Chairs and DP-TF in view of the policy implications)

On 02/11/2007 16:36:35, Alex Le Heux <alexlh at ripe.net> wrote:

> As it turns out, we had already noticed the change in registration
> data a few weeks ago and are currently in contact with the LIR.
> We have established procedures that are designed to track changes
> like this, and this case is already under investigation.

There appear to be seven other ranges and ASNs, similarly acquired.

  193.33.128.0/23   AS42672
  194.110.69.0/24   AS42811
  91.193.40.0/22    AS42662
  91.193.56.0/22    AS42672
  91.194.140.0/23   AS43188
  91.195.116.0/23   AS43702
  91.196.232.0/22   AS43259
  91.198.71.0/24    AS43603

> We have audited the request and our policies and procedures
> were correctly applied when this range was assigned.

That's obviously very worrying - because it implies that any similar new
application now would also be granted, and the claims that RIPE still has
three years to go before IP4 exhaustion would then be seen as having been
highly optimistic!

I note your earlier comment about the data having been recently changed:
so are you saying that the original application was valid just because it
had an address in the RIPE region - even though that address may have been
meaningless? If so, are you able to remind us what that address originally
was (as at the time it would have been "public" data)?

As you may know, the entity believed to be using these IP assignments is
the notorious "Russian Business Network" about which much has recently
been written: and http://en.wikipedia.org/wiki/Russian_Business_Network
provides a convenient index to the more significant of those articles.

The RIPE NCC cannot, of course, be concerned with any criminal activity
that uses IP addresses it assigns, but I believe the RIPE NCC does need to
be concerned about the obtaining by dishonest means of resources that are
owned by the community and entrusted to the stewardship of RIPE NCC.

During RIPE 55 I mentioned the earlier cases of shell companies set up
apparently by a "Boris Mizhen" to apply for IP resources for spamming
purposes (ie to avoid filters) and I understand that the LIR handling
those applications (Merezha) has previously been linked to questionable
assignments. For the record, the IP ranges and ASNs involved with that
series of incidents were as follows:

  91.193.152.0/22   AS42719
  91.193.192.0/22   AS42719
  91.193.216.0/22   AS42719
  91.193.88.0/22    AS42719
  91.200.124.0/22   AS42719
  91.200.132.0/22   AS42719
  91.200.164.0/22   AS42719
  91.200.176.0/22   AS42719
  91.200.56.0/22    AS43791
  91.200.60.0/22    AS43791
  91.200.72.0/22    AS43799
  91.200.80.0/22    AS43799

I (and others) mentioned at the Address Policy WG the probability of an
imminent IPv4 landgrab - these two recent incidents seem to suggest that
it has started. How well can RIPE policies stand up to such deliberate and
abusive attacks? In particular, how protected would the community be
against an LIR that intentionally submits applications which rely on data
the LIR knows is bogus?

The LIR is not identified on the WHOIS output - but if the only policing
of the application is done by the LIRs (as I'm told that RIPE hostmasters
are not allowed to question details supporting an application for
resources) perhaps the identity of the LIR should be displayed against the
IP range, so that patterns of dishonesty can quickly become visible?

> We do sometimes assign resources to organisations for use outside our
> region, although it rarely happens, and such requests are handled very
> carefully as they are rather unusual.

I'd welcome some clarification on the policies involved there: is that
just to entities ("organisations") located, at least nominally, within the
RIPE service region, with operations outside that region - or would
entities/organisations within other regions qualify?

I ask because the other questionable incident that came to our attention
recently was the use of 85.255.112.0/20 in California USA, when it was
shown in the RIPE database as unassigned space: and we discovered that an
assignment was, mysteriously, made of that space by the RIPE Hostmaster to
"Inhoster" on the very day I pointed out the inappropriate use, and that
assignment has also recently had its data changed: showing it as now being
assigned to a "UkrTeleGroup". But still it is used - solely - in
California USA.

> It is a normal occurrence that a request is denied by one of the RIRs.
> If the reason for the denial is related to the location of the network,
> the end-user is then referred to the correct RIR. This is normally
> nothing to be suspicious about as there are many legitimate
> organisations that have operations in multiple RIR regions.

Given the (apparent) disparity in policy implementation between RIPE and
the other RIRs - most of whose hostmasters are empowered to (and indeed
do) check for and reject abusive applications - it seems RIPE may soon be
regularly targeted by organisations worldwide who cannot, for whatever
reason, get resource assignments from their local RIR.

> Could you tell us a little about the circumstances that brought
> this range to your attention? Any information might help us with
> our investigation.

We have been tracking the "Russian Business Network" and also "Boris
Mizhen" for some time now, and we have been monitoring routing and other
changes which tell us their traffic has moved to new routes. It is,
however, unlikely that their actual location has changed, as traceroutes
to IP addresses in the new ranges are indicative of the use of a
"traceroute simulator" rather than of a real network path.

Best regards
--
Richard D G Cox <cio at spamhaus.org>
CIO, The Spamhaus Project
http://www.spamhaus.org