On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
This could definitely be an attempt at a DoS attack, and wouldn't be the first time I've heard of something like this being done as such. I thought about requesting they make changes to their RIR database objects
to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
They may also be leasing one chunk of space from an organization without actually having access to the RIR db too - in that case, they could ask the org they are leasing from to put in a SWIP with the RIR, but if they don't choose to, then that's not a hard requirement. On the same token, having access to the org account at the RIR pretty much makes you as legitimate as you're going to be as far as any of us can really tell. If there's an issue where the RIR account has been compromised, then that issue lies between the RIR and their customer, and isn't really your business because you have no way to know whatsoever.
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
A notarized copy stating *ownership* seems overboard. Lots of organizations lease IPv4 space, and lots more now since depletion in many regions, and their use of it is entirely legitimate in accordance with their contractual rights established in the lease agreement with the owner. I'd probably think about looking at the contact info in the RIR whois and ask them, if I had a situation like this myself. Ultimately, the RIR's contact which would be in their whois db should be authoritative more so than anyone else. I doubt the RIR would be able to say much if you contacted them beyond that everything that isn't in whois isn't something they'd share publicly. Take care, Matt