Re: [anti-abuse-wg] How to find abandoned networks (was Spam FAQs need revision)
Shane commented:

#What a great method for finding networks that are poorly monitored and
#maintained! Simply check ARIN's Whois database until you find networks
#with POC that are marked as invalid!
#
#I hope that RIPE does not adopt this address-hijacking-friendly
#technique. :(

If I were a person inclined toward hijacking netblocks, I think I'd likely use data from Routeviews (or a similar routing table analysis project) to identify IP address ranges that consistently are absent from the global routing table. You could certainly use whois database queries in an effort to verify or validate potential target IP address ranges, but I don't really see stale data flags in whois as materially worsening the existing problem of abusers scavenging apparently unused (or underused) network resources. After all, if a bad guy or bad gal sees a "juicy" likely-"abandoned" /16 or whatever, it really isn't that hard for them to try emailing the points of contact, or to try calling the listed phone POCs, etc.

If the goal is to seriously deter address hijacking, I think we need to talk about things like RPKI (folks who may be interested may want to see Bush and Austein's NANOG RPKI Tutorial from June 2011, http://www.nanog.org/meetings/nanog52/abstracts.php?pt=MTc3MyZuYW5vZzUy&nm=nanog52 or for those who find URL shorteners more convenient, try http://tinyurl.com/rpki-tutorial for that same page).

Or, if you're skeptical of RPKI, encourage your friends to carefully monitor their space and how it's being announced. But I digress :-;

Regards,

Joe
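The two checks Joe describes above, as an added example that is not part of his message or of anything anyone in this thread posted: first, compare a list of allocations against several routing-table snapshots and report the space that is never announced (what a hijacker would scan Routeviews for); second, run RFC 6811 route origin validation against a set of ROAs so that announcements of your own space by the wrong origin, or more specific than a ROA's maxLength, are flagged. Every prefix, AS number, ROA and snapshot here is constructed for illustration; in practice the allocations would come from RIR data and the snapshots from parsed RIB dumps.

```python
"""Added example (not from the thread): flag allocations that never appear in
routing-table snapshots, and announcements of your space that fail RPKI
route origin validation. All prefixes, ASNs, ROAs and snapshots below are
constructed for illustration, not real registry or Routeviews data."""
import ipaddress
from collections import defaultdict

# Constructed allocations, as you might extract them from RIR data: prefix -> holder
ALLOCATIONS = {
    "192.0.2.0/24": "example-net",
    "198.51.100.0/24": "example-net",
    "203.0.113.0/24": "example-net",
    "198.18.0.0/15": "defunct-corp",   # held, but never announced below
}

# Constructed ROAs: (prefix, maxLength, authorised origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64496),    # /25 deaggregation allowed, /26 is not
    ("203.0.113.0/24", 24, 64496),
]

# Constructed routing-table snapshots, one list of (prefix, origin AS) per
# collection time, in the shape you would get after parsing Routeviews RIB dumps.
SNAPSHOTS = [
    [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64496)],
    [("192.0.2.0/24", 64496), ("198.51.100.0/25", 64496),
     ("198.51.100.128/25", 64496)],
    [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64496),
     ("198.51.100.0/26", 64496),       # too specific for the ROA's maxLength
     ("203.0.113.0/24", 64511)],       # wrong origin: looks like a hijack
]


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation for one (prefix, origin AS) pair.

    Returns "not-found" when no ROA covers the prefix, "valid" when a covering
    ROA names this origin and the prefix is no longer than its maxLength,
    and "invalid" otherwise.
    """
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append((max_length, asn))
    if not covering:
        return "not-found"
    for max_length, asn in covering:
        if asn == origin_as and route.prefixlen <= max_length:
            return "valid"
    return "invalid"


def overlaps(a, b):
    """True when one network contains the other (same address family)."""
    return a.version == b.version and (a.subnet_of(b) or b.subnet_of(a))


def audit(allocations=ALLOCATIONS, snapshots=SNAPSHOTS, roas=ROAS):
    """Return (unannounced, flagged).

    unannounced: allocations that overlap no announcement in any snapshot,
                 i.e. the "consistently absent" space a hijacker would look for.
    flagged:     (snapshot index, prefix, origin AS, ROV state) for every
                 announcement overlapping an allocation that is not RPKI-valid.
    """
    alloc_nets = {a: ipaddress.ip_network(a) for a in allocations}
    seen = defaultdict(int)
    flagged = set()
    for i, snapshot in enumerate(snapshots):
        for prefix, origin in snapshot:
            net = ipaddress.ip_network(prefix)
            for alloc, alloc_net in alloc_nets.items():
                if overlaps(net, alloc_net):
                    seen[alloc] += 1
                    state = rov_state(prefix, origin, roas)
                    if state != "valid":
                        flagged.add((i, prefix, origin, state))
    unannounced = sorted(a for a in allocations if seen[a] == 0)
    return unannounced, sorted(flagged)


if __name__ == "__main__":
    never, bad = audit()
    for alloc in never:
        print(f"never announced: {alloc} ({ALLOCATIONS[alloc]})")
    for i, prefix, origin, state in bad:
        print(f"snapshot {i}: {prefix} from AS{origin} is RPKI {state}")
```

Note that an allocation with no ROA at all comes back "not-found", which this audit also reports; whether that is noise or a to-do depends on whether the holder has published ROAs, which is exactly the point of Joe's "if you're skeptical of RPKI, at least watch your announcements".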
I fully agree with Joe here. Trying to hide this in the whois is not much more than a figleaf. The route registries aren't very heavily used at all (not even by providers like swisscom who prefer to filter on minimum allocation size rather than prefixes registered in route registries, but that's another can of worms) :)

There are plenty of other places for malicious actors to hijack old IP space, register shell companies (yeah yeah you're not the document police), etc.

So - hiding stuff from the whois is just not going to cut it as much as RIRs fixing their process, and SPs adopting best practices.

--srs

On Wed, Dec 14, 2011 at 1:56 AM, Joe St Sauver <joe@oregon.uoregon.edu> wrote:
Shane commented:
#What a great method for finding networks that are poorly monitored and
#maintained! Simply check ARIN's Whois database until you find networks
#with POC that are marked as invalid!
#
#I hope that RIPE does not adopt this address-hijacking-friendly
#technique. :(
If I were a person inclined toward hijacking netblocks, I think I'd likely use data from Routeviews (or a similar routing table analysis project) to identify IP address ranges that consistently are absent from the global routing table. You could certainly use whois database queries in an effort to verify or validate potential target IP address ranges, but I don't really see stale data flags in whois as materially worsening the existing problem of abusers scavenging apparently unused (or underused) network resources. After all, if a bad guy or bad gal sees a "juicy" likely-"abandoned" /16 or whatever, it really isn't that hard for them to try emailing the points of contact, or to try calling the listed phone POCs, etc.
If the goal is to seriously deter address hijacking, I think we need to talk about things like RPKI (folks who may be interested may want to see Bush and Austein's NANOG RPKI Tutorial from June 2011, http://www.nanog.org/meetings/nanog52/abstracts.php?pt=MTc3MyZuYW5vZzUy&nm=nanog52 or for those who find URL shorteners more convenient, try http://tinyurl.com/rpki-tutorial for that same page).
Or, if you're skeptical of RPKI, encourage your friends to carefully monitor their space and how it's being announced. But I digress :-;
Regards,
Joe
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh,

On Wed, 2011-12-14 at 07:17 +0530, Suresh Ramasubramanian wrote:
So - hiding stuff from the whois is just not going to cut it as much as RIRs fixing their process, and SPs adopting best practices.
To be clear, I'm not advocating hiding things in the Whois, I just don't see any value in spending resources to find unresponsive contacts if the only point is to label them in the Whois.

I guess when you are trying to report a problem it can save the effort of sending an e-mail if the address has no contact. But I figure that most reporting is automated at least a little, so overall the actual efficiency gained is minimal.

Now if there were some actual implications for the resource - which, to be honest, means revoking the allocation - then it would make sense.

The problem is, as others have pointed out, making a requirement to have an abuse e-mail role that replies to messages is such a low bar it actually has no real value. But maybe others think that forcing address holders to set up an e-mail autoresponder is worthwhile?

--
Shane
On Wed, Dec 14, 2011 at 2:04 PM, Shane Kerr <shane@time-travellers.org> wrote:
To be clear, I'm not advocating hiding things in the Whois, I just don't see any value in spending resources to find unresponsive contacts if the only point is to label them in the Whois. I guess when you are trying to report a problem it can save the effort of sending an e-mail if the
But this effort was, I thought, aimed at identifying defunct entities that still hold IP space and attempt to reclaim it? --srs
On Wed, 2011-12-14 at 15:11 +0530, Suresh Ramasubramanian wrote:
On Wed, Dec 14, 2011 at 2:04 PM, Shane Kerr <shane@time-travellers.org> wrote:
To be clear, I'm not advocating hiding things in the Whois, I just don't see any value in spending resources to find unresponsive contacts if the only point is to label them in the Whois. I guess when you are trying to report a problem it can save the effort of sending an e-mail if the
But this effort was, I thought, aimed at identifying defunct entities that still hold IP space and attempt to reclaim it?
I think that the ARIN policy only mandates that unresponsive contacts be clearly identified, and no further actions are taken. -- Shane
On Wed, Dec 14, 2011 at 3:13 PM, Shane Kerr <shane@time-travellers.org> wrote:
I think that the ARIN policy only mandates that unresponsive contacts be clearly identified, and no further actions are taken.
And this makes future efforts in the right direction easier, I expect. It also deters hijacking to some extent. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On 14.12.11 10:43, Shane Kerr wrote:
On Wed, 2011-12-14 at 15:11 +0530, Suresh Ramasubramanian wrote:
On Wed, Dec 14, 2011 at 2:04 PM, Shane Kerr <shane@time-travellers.org> wrote:
To be clear, I'm not advocating hiding things in the Whois, I just don't see any value in spending resources to find unresponsive contacts if the only point is to label them in the Whois. I guess when you are trying to report a problem it can save the effort of sending an e-mail if the
But this effort was, I thought, aimed at identifying defunct entities that still hold IP space and attempt to reclaim it?
I think that the ARIN policy only mandates that unresponsive contacts be clearly identified, and no further actions are taken.
If that is the case, that there is no other action than publishing the information in whois, it is imho not enough.

RIPE NCC already has processes in place that contact maintainers and try to solve the open issues together. If that does not work, deregistration processes can be started. This, in addition to the annual process, is imho a pretty good way to increase data accuracy in the database.

Thanks,

Tobias

--
abusix
participants (4)
- Joe St Sauver
- Shane Kerr
- Suresh Ramasubramanian
- Tobias Knecht