Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
They define "hijacked netblocks" in
http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#258
And, if you look it up there: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK2493 you can get:

APNIC: 18 listings http://www.spamhaus.org/sbl/listings.lasso?isp=apnic
ARIN: 258 listings http://www.spamhaus.org/sbl/listings.lasso?isp=arin
LACNIC: 26 listings http://www.spamhaus.org/sbl/listings.lasso?isp=lacnic
RIPE: has far too many records to list. This ISP has an extremely serious spam problem. http://www.spamhaus.org/sbl/listings.lasso?isp=arin

Hmmm... 'extremely serious spam problem'? Only RIPE 'has far too many records to list.' What's this?

Best regards,
- Karl-Josef
Those are not all hijacked. They're also assigned PI / PA netblocks sourced directly from the RIR. RIPE has to bear the cross of Romania, which alone is responsible for a substantial chunk of those "too many to list", including several /15s. There's also the rest of Eastern Europe and Russia, with smaller assigned PI and PA netblocks controlled by botmasters and such. In any case, too many to list.

Never mind the "ISP" there - spamhaus used the same script they use to generate per-ISP reports of SBL listings.

On Mon, Aug 8, 2011 at 11:57 PM, Karl-Josef Ziegler <kjz@gmx.net> wrote:
RIPE: has far too many records to list. This ISP has an extremely serious spam problem.
http://www.spamhaus.org/sbl/listings.lasso?isp=arin
Hmmm... 'extremely serious spam problem'? Only RIPE 'has far too many records to list.'
What's this?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote: [...]
In any case, too many to list.
...where is this notion or quote coming from? Checking http://www.spamhaus.org/sbl/listings.lasso?isp=ripe gives me "There are no current SBL listings for ripe"
Never mind the "ISP" there -
Sorry, IMHO we have to mind, considerably, because it misleads the folks with less insight, involvement or long-term exposure to the problem field.
spamhaus used the same script they use to generate per ISP reports of SBL listings.
And I am nit-picking here, because Spamhaus tends to be pretty liberal and fuzzy sometimes with terminology, categorisation and/or actions. Like - quoting from the FAQ: "...in ranges assigned by every Regional Internet Registry (RIR) including ARIN, RIPE, APNIC, and others." In fact, "every" is exactly *5*. So either explicitly quoting the 3 or using the phrase "and others." is again misleading. And btw, it silently ignores the fact that there are NIRs, too ;-)
On Mon, Aug 8, 2011 at 11:57 PM, Karl-Josef Ziegler <kjz@gmx.net> wrote:
RIPE: has far too many records to list. This ISP has an extremely serious spam problem.
http://www.spamhaus.org/sbl/listings.lasso?isp=arin
Hmmm... 'extremely serious spam problem'? Only RIPE 'has far too many records to list.'
What's this?
Wilfried
On Tue, Aug 9, 2011 at 4:25 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
And btw, it silently ignores the fact that there are NIRs, too ;-)
Sure, but the problem here seems to be extensively caused by LIRs, which RIPE is rather over-supplied with.

-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 9 Aug 2011, at 12:09, Suresh Ramasubramanian wrote:
On Tue, Aug 9, 2011 at 4:25 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
And btw, it silently ignores the fact that there are NIRs, too ;-)
Sure, but the problem here seems to be extensively caused by LIRs, which RIPE is rather over-supplied with.
Huh? So there's too many of us? What on earth is that meant to mean? Is that an aspersion on LIRs or on RIPE or on both?

Michele Neylon, Blacknight Solutions
Let us just say "on several LIRs". On Tue, Aug 9, 2011 at 4:46 PM, Michele Neylon :: Blacknight <michele@blacknight.ie> wrote:
Huh?
So there's too many of us? What on earth is that meant to mean? Is that an aspersion on LIRs or on RIPE or on both?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
So - let us get back to some very ancient history http://www.ripe.net/ripe/wg/ncc-services/r59-minutes.html
Uwe stated that there should be a check that organisations requesting resources actually exist before assigning to them.
Nick Hilliard (INEX) pointed out that this check is already done by the RIPE NCC. However, there is little the RIPE NCC can do if documents are fake. The RIPE NCC is not the routing police.
Is there anything being done to remedy this? [Yes, there is a process now to deregister LIRs for fraud.] Is there fraud investigation built into the new LIR setup and netblock allocation through LIRs process? And some amount of auditability of existing LIRs?

On Tue, Aug 9, 2011 at 4:57 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Let us just say "on several LIRs".
On Tue, Aug 9, 2011 at 4:46 PM, Michele Neylon :: Blacknight <michele@blacknight.ie> wrote:
Huh?
So there's too many of us? What on earth is that meant to mean? Is that an aspersion on LIRs or on RIPE or on both?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote: [...]
[...]Is there fraud investigation built into the new LIR setup and netblock allocation through LIRs process? And some amount of auditability of existing LIRs?
Yes there is. And very painstakingly so. Like when we (a LIR that has existed since 1993 under the same identity) had to sign a new service contract, the NCC wanted to get a copy of the legal document that proves our existence. Again within the framework of PI stuff.

Interestingly enough, a university that was established in the 14th century does not have an entry in the current business register. Also, a publicly funded university in our little country is not a regular legal entity, but exists due to a law passed by national parliament. Even a reference to the official website of our government, offering the authoritative version of the law, was not enough. I had to print the respective law, have it signed by a ministry rep., and have it scanned and shipped to Amsterdam.

So, yes, checks are made, regularly. But if you succeed in forging that type of document, or if you succeed in getting some "official entity" to help in doing that, the NCC is at the losing end of the stick :-(

Wilfried.
Which is what is sought to be addressed. Granted the due diligence exists, but the fact remains that there are botmasters and spammers who manage to game this process. While the LIR revocation process exists, a more "user friendly" / transparent complaint handling mechanism and periodic audits might make things interesting.

On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
But if you succeed in forging that type of document, or if you succeed in getting some "official entity" to help in doing that, the NCC is at the losing end of the stick :-(
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 08/09/2011 04:37 PM, Suresh Ramasubramanian wrote:
Which is what is sought to be addressed. Granted the due diligence exists, but the fact remains that there are botmasters and spammers who manage to game this process.
While the LIR revocation process exists, a more "user friendly" / transparent complaint handling mechanism and periodic audits might make things interesting
Do you, Suresh, or anyone else, know what, if any, are the policies in other RIRs in respect to the problem of faked evidence to get IP number resources? Do other RIRs have audit rules or policies that work well? And in any case, what seems to be the problem (if any) in the RIPE region specifically? I remember Richard Cox of Spamhaus kept repeating problems in the RIPE region, but no policies or proposals ever came.

I am far from expert, but it would be a good thing if someone could summarize what seem to be problem areas in the RIPE region and what other RIRs are doing.

Kostas
On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
But if you succeed in forging that type of document, or if you succeed in getting some "official entity" to help in doing that, the NCC is at the losing end of the stick :-(
Kostas Zorbadelos wrote:
On 08/09/2011 04:37 PM, Suresh Ramasubramanian wrote:
Which is what is sought to be addressed. Granted the due diligence exists, but the fact remains that there are botmasters and spammers who manage to game this process.
While the LIR revocation process exists, a more "user friendly" / transparent complaint handling mechanism and periodic audits might make things interesting
Do you, Suresh, or anyone else, know what, if any, are the policies in other RIRs in respect to the problem of faked evidence to get IP number resources? Do other RIRs have audit rules or policies that work well? And in any case, what seems to be the problem (if any) in the RIPE region specifically? I remember Richard Cox of Spamhaus kept repeating problems in the RIPE region, but no policies or proposals ever came.
Well, there are none, or they are not communicated or not looked after by RIPE NCC. And it's no wonder, if anybody in the world (community) can influence progress in the development of RFCs and rules for the NCC (e.g. via this list). This way they can even influence how NCC spends its money. There are simply too many opinions on this list and too many mails and discussions that have nothing to do with this list (which does not mean that a decision process CAN listen to comments from the world community). And that's no wonder, if the range goes from uneducated end users, small ISPs, big organisations, spam-friendly providers, or even people for whom attacks from groups like "Anonymous" are OK (well, they might be in some weird and small foreign countries, but they are a crime in (what I think) every country in the RIPE region).

So: I would like an additional abuse mailing list only for RIPE members to get things going. And I would also like to dedicate more money to RIPE NCC staff to stop abuse.

Kind regards, Frank
I am far from expert, but it would be a good thing if someone could summarize what seem to be problem areas in the RIPE region and what other RIRs are doing.
Kostas
On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
But if you succeed in forging that type of document, or if you succeed in getting some "official entity" to help in doing that, the NCC is at the losing end of the stick :-(
-- Mit freundlichen Gruessen, Frank Gadegast, PHADE Software - PowerWeb, http://www.powerweb.de
So: I would like an additional abuse mailing list only for RIPE members to get things going. And I would also like to dedicate more money to RIPE NCC staff to stop abuse.
Agreed; does anyone have an overview of audits that have been conducted by RIPE NCC and their outcome? Or are those reports non-public?

Question: the audit procedure is documented in http://www.ripe.net/ripe/docs/ripe-423. Are the audit criteria documented in http://www.ripe.net/lir-services/member-support/audit? Because the latter document does not say anything about the presumed correctness of most of the records.

Kind regards, Pepijn
This is a question I have, as well. On Tue, Aug 9, 2011 at 7:57 PM, Vissers, Pepijn <P.Vissers@opta.nl> wrote:
Agreed; does anyone have an overview of audits that have been conducted by RIPE NCC and their outcome? Or are those reports non-public?
Question: the audit procedure is documented in http://www.ripe.net/ripe/docs/ripe-423. Are the audit criteria documented in http://www.ripe.net/lir-services/member-support/audit? Because the latter document does not say anything about the presumed correctness of most of the records?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Hi Pepijn, Vissers, Pepijn wrote:
So: I would like an additional abuse mailling-list only for RIPE members to get things going. And I also like to dedicate more money to RIPE NCC staff to stop abuse.
Agreed; does anyone have an overview of audits that have been conducted by RIPE NCC
I don't have an overview, but personal experience; maybe this is useful, too. My LIR was subject to the audit process twice already (and passed successfully - so if a LIR has its act together, this is pretty easy to survive!). Plus the extended verification of existence and identity that was triggered (automatically, I presume) by some clerical inconsistencies. This involved the Service Contract stuff between the LIR and the NCC, and was again triggered by the request of Direct End-User Resources.
and their outcome? Or are those reports non-public?
On a more general level, I am not aware from the top of my head, that I would have seen such a report. That doesn't imply that it doesn't exist, though! I am pretty sure that the NCC would be happy to point to or provide such a report, probably in some anonymised format. Brian - would you be willing to talk to the NCC and ask for help with this? Alternatively, I think we could equally well pass that to the NCC by way of the NCC Services WG Chairs.
Question: the audit procedure is documented in http://www.ripe.net/ripe/docs/ripe-423. Are the audit criteria documented in http://www.ripe.net/lir-services/member-support/audit?
This document lists the aspects of an audit as a checklist for both sides during an audit. I do agree, that the focus here is on the management of resources and the registration thereof. But I'd guess it would be very easy to amend that to actively include the formal and contractual aspects.
Because the latter document does not say anything about the presumed correctness of most of the records?
I think it does, indirectly, by way of the "Standard Service Agreement" and the "RIPE NCC Standard Terms and Conditions", list of relevant documents: "...making sure that assignment guidelines are applied equally." Similarly, in http://www.ripe.net/ripe/docs/ripe-452 please see towards the end of Section 2.0. I openly admit that I did not go through the full list of referenced documents in the Std Terms&Conds document to find the equivalent provisions.

As a last reminder, we have to keep in mind that the formal coverage and "power" of the NCC to enforce all of that stuff is limited to the resources that have been distributed by way of the RIR and LIR system hierarchy. Legacy stuff, aka ERX (early registration transfer resources), is not covered - yet. The 2007-01 activities should be seen, imho, as the initial steps towards closing that gap, maybe in a similar way, for the legacy blocks. That's up for a nice PDP exercise, as soon as 2007-01-Phase3 is converging, and/or for progress with the "legacy resource registration service" (or whatever the name finally may be).
Kind regards, Pepijn
Best regards, Wilfried.
Wilfried, Pepijn
and their outcome? Or are those reports non-public?
On a more general level, I am not aware from the top of my head, that I would have seen such a report. That doesn't imply that it doesn't exist, though!
I am pretty sure that the NCC would be happy to point to or provide such a report, probably in some anonymised format.
Brian - would you be willing to talk to the NCC and ask for help with this? Alternatively, I think we could equally well pass that to the NCC by way of the NCC Services WG Chairs.
No, I'm more than happy to talk to the NCC about this. I will do so and get back to the WG. Brian.
No, I'm more than happy to talk to the NCC about this. I will do so and get back to the WG.
Thanks Brian and Wilfried, that will definitely add to the understanding of the audit process; it would be nice to know what is covered and what not, and what steps the community would have to take to initiate an audit towards a LIR with (or that allows) obvious bogus registration information. Could be a cautious step towards a dedicated audit team focusing on these LIRs.

Thanks, Pepijn
Suresh Ramasubramanian wrote:
Which is what is sought to be addressed. Granted the due diligence exists, but the fact remains that there are botmasters and spammers who manage to game this process.
While the LIR revocation process exists, a more "user friendly" / transparent complaint handling mechanism and periodic audits might make things interesting
Again, the mechanism of audits does exist (since at least 1996) and is documented here: http://www.ripe.net/ripe/docs/ripe-423?searchterm=lir+audit See section 4. Types, 3rd type: Reported. Regarding "user friendly", I guess you do have a point here, as the Audit Procedure document is maybe not easy to find, or the description of the technical procedure to use for "Reported" is not documented.
On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
But if you succeed in forging that type of document, or if you succeed in getting some "official entity" to help in doing that, the NCC is at the losing end of the stick :-(
Actually, it might even be more useful to emphasise the "Reported" type over the "Random" type; assuming that the Community does exercise that channel responsibly and that this mechanism is not abused to bully some parties (and the NCC) for whatever unrelated reason. Hth, Wilfried.
But if you succeed in forging that type of document, or if you succeed in getting some "official entity" to help in doing that, the NCC is at the losing end of the stick :-(

You hit the nail on the head. And unfortunately the results of those successful forgeries (and consequently the lack of proper registration at the CIDR level) are popping up like fresh grass after rain. Maybe RIPE (or trans-RIR maybe) should hire some dedicated personnel with teeth that can do high volumes of proper audits based on complaints about lack of documents. A team that actually has the power to de-register a LIR/resources. The RIRs are simply being too nice to entities that successfully say FFFFUUU to the policies while being seemingly over-accomplishing to the good guys, as I deduce from your story.

Mr. abuse@ raised a valid point, though not in a very polite manner. Which ultimately draws more attention than the issue at hand.

Yes, I noticed the smiley :)

Pepijn Vissers, Team Internetsafety OPTA
participants (8)
- Brian Nisbet
- Frank Gadegast
- Karl-Josef Ziegler
- Kostas Zorbadelos
- Michele Neylon :: Blacknight
- Suresh Ramasubramanian
- Vissers, Pepijn
- Wilfried Woeber, UniVie/ACOnet