Network abuse, in particular the kind of network abuse where some spammer gets hold of an IP address block so that he can proceed to do snowshoe spamming out of it, is somewhat easier to detect and correctly identify within the ARIN region than other RIR regions due to the fact that ARIN whois records all contain date/time stamps. The date/time stamps on ARIN whois records help to make the true situation apparent whenever a spammer obtains a new IP block and proceeds immediately to start spamming from it. (One look at the whois often makes it obvious why some specific block has suddenly lit up like a Christmas tree, i.e. pumping out spam like there's no tomorrow... because some new resident has just recently moved into that specific bit of IPv4 space.)

So anyway, has it ever been considered to add date/time stamps to RIPE whois records, at least for record _creation_ if not also for last modification time?

Regards, rfg
On 27 Sep 2010, at 4:57, Ronald F. Guilmette wrote: [...]
So anyway, has it ever been considered to add date/time stamps to RIPE whois records, at least for record _creation_ if not also for last modification time?
Andrei Robachevsky proposed something along those lines a while back: http://www.ripe.net/ripe/meetings/ripe-40/presentations/timestamping/index.h... I remember that there were some objections but as this was almost a decade ago it is possible that people have changed their minds. HTH, Leo Vegoda
In message <6D779DA7-C665-409B-903C-FC0A7DB47BBF@icann.org>, you wrote:
On 27 Sep 2010, at 4:57, Ronald F. Guilmette wrote:
[...]
So anyway, has it ever been considered to add date/time stamps to RIPE whois records, at least for record _creation_ if not also for last modification time?
Andrei Robachevsky proposed something along those lines a while back:
http://www.ripe.net/ripe/meetings/ripe-40/presentations/timestamping/index.html
I remember that there were some objections but as this was almost a decade ago it is possible that people have changed their minds.
All I can say is that we here in ARIN space seem to have been surviving having time stamps on our whois records, without too many ill effects, for quite a long time now. (And the world hasn't come to an end, as far as I know.) Regards, rfg
So anyway, has it ever been considered to add date/time stamps to RIPE whois records, at least for record _creation_ if not also for last modification time?
Uh, just because I myself often have problems to make foreign whois servers tell me what I need:

We are not perhaps just missing the '-B' option the RIPE whois server requires to show "changed:" attributes?

I don't know how much they can be maliciously set/removed, I never try to. Leo certainly does. Does know, I mean. :-)

Sorry if I missed the point and stated something obvious.

Martin

~ 7 > whois -h whois.ripe.net ' -B -r 195.80.148.0'
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '195.80.148.0 - 195.80.151.255'

inetnum:        195.80.148.0 - 195.80.151.255
netname:        INSTANTEXCHANGER-NET
descr:          InstantExchanger Ltd.
country:        EU
org:            ORG-IL196-RIPE
admin-c:        IL167-RIPE
tech-c:         IL167-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         INSTANTEXCHANGER-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     INSTANTEXCHANGER-MNT
mnt-domains:    INSTANTEXCHANGER-MNT
changed:        hostmaster@ripe.net 20100414
source:         RIPE

% Information related to '195.80.148.0/22AS50877'

route:          195.80.148.0/22
descr:          InstantExchanger Ltd.
origin:         AS50877
mnt-by:         INSTANTEXCHANGER-MNT
org:            ORG-IL196-RIPE
changed:        sp@instant-exchanger.com 20100414
source:         RIPE

(Or check out 194.45.135.0 for a nice long changed: history.)
In message <4ca19715.Egik5zh+ES4NMVmk%neitzel@gaertner.de>, Martin Neitzel <neitzel@gaertner.de> wrote:
So anyway, has it ever been considered to add date/time stamps to RIPE whois records, at least for record _creation_ if not also for last modification time?
Uh, just because I myself often have problems to make foreign whois servers tell me what I need:
We are not perhaps just missing the '-B' option the RIPE whois server requires to show "changed:" attributes?
Ummm... I must sheepishly admit that yes, I didn't even know about -B until now. Thank you! (Someone will probably slap me and tell me to go away and RTFM now. That's OK. I guess I deserve it in this case.)
I don't know how much they can be maliciously set/removed, I never try to. Leo certainly does. Does know, I mean. :-)
Yes, I'd really like to know about that. I do believe that in the case of the ARIN WHOIS records, it is ARIN itself that is setting the "RegDate:" and "Updated:" fields (which would tend to make those values reliable) but don't quote me on that, because I'm not completely sure. I just know that in prior cases when I've seen hijackings, and where it would have been very much to the hijacker's benefit to be able to fiddle those field values (to help to hide their crimes) the ARIN "RegDate:" and "Updated:" fields still do seem to have accurate info. So, I gather that in the case of the RIPE Changed: fields, anybody can put anything they want in there (?) Including no date info at all? If so, then that would be...ahh... how should I say it?... suboptimal.
Sorry if I missed the point and stated something obvious.
Nope. Not obvious to me anyway. Thanks. Regards, rfg
On 28 Sep 2010, at 12:44, Ronald F. Guilmette wrote: [...]
I don't know how much they can be maliciously set/removed, I never try to. Leo certainly does. Does know, I mean. :-)
Yes, I'd really like to know about that. I do believe that in the case of the ARIN WHOIS records, it is ARIN itself that is setting the "RegDate:" and "Updated:" fields (which would tend to make those values reliable) but don't quote me on that, because I'm not completely sure. I just know that in prior cases when I've seen hijackings, and where it would have been very much to the hijacker's benefit to be able to fiddle those field values (to help to hide their crimes) the ARIN "RegDate:" and "Updated:" fields still do seem to have accurate info.
So, I gather that in the case of the RIPE Changed: fields, anybody can put anything they want in there (?) Including no date info at all?
If so, then that would be...ahh... how should I say it?... suboptimal.
As I understand it, only the RIPE NCC's staff can update the "changed:" attribute values for allocations. The ISP, though, can update the "changed:" attribute values for the assignments it makes. If you are only interested in the allocations made by the RIPE NCC to the ISP then you can trust the veracity of the information in the "changed:" lines. You'll recognise the object as an allocation because it will have lines like these:

status:         ALLOCATED PA

and

mnt-by:         RIPE-NCC-HM-MNT

HTH,

Leo
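As an added example (not code from anyone in this thread), a small parser for the "-B" whois output that keeps repeated attributes such as mnt-by, tolerates a "changed:" line that carries no date, and applies Leo's allocation test to decide whether the dates were set by NCC staff or by the ISP. The first sample object is the one quoted above (trimmed); the second is constructed with placeholder values.

```python
"""Parse RIPE whois -B output and decide whose 'changed:' dates you are looking at."""
import re
from datetime import datetime
# Constructed sample: the ASSIGNED PI object quoted in the thread (trimmed) plus an
# ALLOCATED PA object with placeholder values (192.0.2.0/24 is documentation space).
SAMPLE = """\
% This is the RIPE Database query service.

inetnum:  195.80.148.0 - 195.80.151.255
status:   ASSIGNED PI
mnt-by:   RIPE-NCC-END-MNT
mnt-by:   INSTANTEXCHANGER-MNT
changed:  hostmaster@ripe.net 20100414

inetnum:  192.0.2.0 - 192.0.2.255
status:   ALLOCATED PA
mnt-by:   RIPE-NCC-HM-MNT
changed:  hostmaster@ripe.net 20091201
changed:  hostmaster@ripe.net
"""
CHANGED_RE = re.compile(r"^(\S+)(?:\s+(\d{8}))?$")  # email, optional YYYYMMDD

def parse_objects(text):
    """Split RPSL text on blank lines; repeated attributes keep every value, in order."""
    objects, cur = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):  # blank line ends an object, % is server chatter
            if cur:
                objects.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    return objects + ([cur] if cur else [])

def is_ncc_allocation(obj):
    """Leo's rule: ALLOCATED status and mnt-by RIPE-NCC-HM-MNT means NCC staff set changed:."""
    return obj.get("status", [""])[0].startswith("ALLOCATED") and "RIPE-NCC-HM-MNT" in obj.get("mnt-by", [])

def assess(text):
    """Per inetnum: (range, changed dates NCC-maintained?, latest changed date or None)."""
    out = []
    for obj in parse_objects(text):
        if "inetnum" not in obj:
            continue
        dates = [datetime.strptime(m[2], "%Y%m%d").date().isoformat()
                 for m in map(CHANGED_RE.match, obj.get("changed", []))
                 if m and m[2]]  # a changed: line may legitimately carry no date
        out.append((obj["inetnum"][0], is_ncc_allocation(obj), max(dates) if dates else None))
    return out
```

Feed it the raw output of `whois -h whois.ripe.net -- "-B -r <address>"` instead of SAMPLE to check a block you are actually investigating; a False in the second field means the ISP, not the NCC, controls those dates.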
participants (3): Leo Vegoda, Martin Neitzel, Ronald F. Guilmette