Hello everyone, Yes the FBI can't just rely on Whois for apart of their investigation. yes I will agree it's a big part but also those records are spoofed alot. But reverse Ip looks I can understand. James Smith CEO, CEH SmithwaySecurity Toronto, Canada On 12-06-17 08:29 PM, Owen DeLong wrote:
On Jun 17, 2012, at 10:53 AM, Joel jaeggli wrote:
On 6/17/12 10:24 , valdis.kletnieks@vt.edu wrote:
On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
Wouldn't BCP38 help? The mail I'm replying to has as the first Received: line:
Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68? ([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 17 Jun 2012 10:11:06 -0700 (PDT)
Obviously BCP38 doesn't help, as it's an established TCP connection so it can't be spoofed traffic (gotta ACK Google's ISN from the SYN-ACK) - unless Google is silly enough to *still* not be doing RFC1948 properly. I mean, Steve Bellovin wrote that literally last century. ;)
So - who owns 2800:af:ba30:e8cf:4881:973a:c68? And how does an LEO find that info quickly if they need to figure out who to hand a warrant to? so first of you introduced a typo
2800:af:ba30:e8cf:4881:973a:c68
2800:af:ba30:e8cf:d06f:4881:973a:c68
which like the wrong address in a search warrant can be a problem.
jjaeggli@cXX-XX-XX0> show route table inet6.0 2800:af:ba30:e8cf:4881:973a:c68 ^ invalid ip address or hostname: 2800:af:ba30:e8cf:4881:973a:c68 at '2800:af:ba30:e8cf:4881:973a:c68'
jjaeggli@cXX-XX-XX0> show route table inet6.0 2800:af:ba30:e8cf:d06f:4881:973a:c68
inet6.0: 9674 destinations, 38494 routes (9674 active, 0 holddown, 19088 hidden) + = Active Route, - = Last Active, * = Both
2800:a0::/28 *[BGP/170] 1w2d 00:00:21, MED 50, localpref 200, from 2620:102:8004::10 AS path: 7922 12956 6057 I
XXXX-XXXXX:~ jjaeggli$ whois -h whois.lacnic.net 2800:af:ba30:e8cf:d06f:4881:973a:c68
scopes it to not being a problem you can solve with policy in the arin region. Lather rinse repeat with a better choice of address...
2001:550:3ee3:f329:102a3:2aff:fe23:1f69
This is in the ARIN region...
It's from within a particular ISP's /32.
Has that ISP delegated some overlapping fraction to another ISP? If so, it's not in whois. Have they delegated it to an end user? Again, if so, it's not in whois.
Same for 2001:550:10:20:62a3:3eff:fe19:2909
I don't honestly know if either of those prefixes is allocated or not, so maybe nothing's wrong in this particular case, but if they have been delegated and not registered in whois, that's a real problem when it comes time to get a search warrant if speed is of the essence.
Owen