I fully agree with Joe here. Trying to hide this in the whois is not much more than a figleaf. The route registries aren't very heavily used at all (not even by providers like Swisscom who prefer to filter on minimum allocation size rather than prefixes registered in route registries, but that's another can of worms) :)
There are plenty of other places for malicious actors to hijack old IP space, register shell companies (yeah yeah you're not the document police), etc.
So - hiding stuff from the whois is just not going to cut it as much as RIRs fixing their process, and SPs adopting best practices.
--srs
On Wed, Dec 14, 2011 at 1:56 AM, Joe St Sauver <joe@oregon.uoregon.edu> wrote:
Shane commented:
#What a great method for finding networks that are poorly monitored and
#maintained! Simply check ARIN's Whois database until you find networks
#with POC that are marked as invalid!
#
#I hope that RIPE does not adopt this address-hijacking-friendly
#technique. :(
If I were a person inclined toward hijacking netblocks, I think I'd likely use data from Routeviews (or a similar routing table analysis project) to identify IP address ranges that consistently are absent from the global routing table. You could certainly use whois database queries in an effort to verify or validate potential target IP address ranges, but I don't really see stale data flags in whois as materially worsening the existing problem of abusers scavenging apparently unused (or underused) network resources. After all, if a bad guy or bad gal sees a "juicy" likely-"abandoned" /16 or whatever, it really isn't that hard for them to try emailing the points of contact, or to try calling the listed phone POCs, etc.
If the goal is to seriously deter address hijacking, I think we need to talk about things like RPKI (folks who may be interested may want to see Bush and Austein's NANOG RPKI Tutorial from June 2011, http://www.nanog.org/meetings/nanog52/abstracts.php?pt=MTc3MyZuYW5vZzUy&nm=nanog52 or for those who find URL shorteners more convenient, try http://tinyurl.com/rpki-tutorial for that same page).
Or, if you're skeptical of RPKI, encourage your friends to carefully monitor their space and how it's being announced. But I digress :-;
Regards,
Joe
-- Suresh Ramasubramanian (ops.lists@gmail.com)
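Added example, not part of the original thread: one way a network operator could do the monitoring suggested above, classifying observed announcements with RFC 6811 route origin validation and listing its own prefixes that nobody announces. The ROA-style records, the observations and the function names are constructed for illustration and use documentation prefixes and ASNs only.

```python
import ipaddress

# Constructed ROA-style records for the operator's own space:
# (prefix, max length, authorized origin ASN). RFC 5737 / RFC 5398 values.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("203.0.113.0/24", 25, 64498),
]

# Constructed observations, as if exported from a route collector:
# (announced prefix, origin ASN).
OBSERVED = [
    ("192.0.2.0/24", 64496),      # matches its ROA
    ("203.0.113.0/25", 64498),    # more specific, but within max length
    ("203.0.113.128/26", 64498),  # right origin, longer than max length
    ("192.0.2.0/25", 64511),      # covered space, unauthorized origin
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none is invalid, not unknown.
    return "invalid" if covered else "not-found"


def review(observed=OBSERVED, roas=ROAS):
    """Return (invalid announcements, own prefixes with no announcement)."""
    alerts = [(p, a) for p, a in observed
              if validate_origin(p, a, roas) == "invalid"]
    announced = [ipaddress.ip_network(p) for p, _ in observed]
    dormant = []
    for roa_prefix, _, _ in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        seen = any(n.version == roa_net.version
                   and (n.subnet_of(roa_net) or roa_net.subnet_of(n))
                   for n in announced)
        if not seen:
            dormant.append(roa_prefix)  # unannounced space worth watching
    return alerts, dormant
```
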