From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Fri Oct 1 16:33:09 2010
From: John Curran <jcurran@arin.net>
To: George Bonser <gbonser@seven.com>
Date: Fri, 1 Oct 2010 17:32:47 -0400
Subject: Re: AS11296 -- Hijacked?
Cc: "nanog@nanog.org" <nanog@nanog.org>
George - Full agreement; the next step is defining a deterministic process for identifying these specific resources which are hijacked,
That _seems_ fairly simple -- can you trace a 'continuity of ownership' from the party that they were -originally- allocated to to the party presently using them? If yes, legitimate; if no, hijacked.

With most states' corporation records on-line, tracing corporate continuity is fairly straightforward. As long as you recognize that a corporation 'abandoned', 'dissolved' (or similar) in one state is *NOT* the 'parent' of a same-/similarly-named corporation established in another state. And that "documents" surfacing 'long after' a resource-holder has 'disappeared', purporting to show a transfer of those resources 'at the time of disappearance', are "highly suspect", and really require confirmation from someone who can be -independently- verified as part of the 'old' organization at the time of the transfer.

This isn't rocket science, it's straightforward corporate forensics, and the establishment of "provenance", or the equivalent of an 'abstract of title' for real-estate.

"Somebody", either IANA, or the RIRs _should_ have been keeping track of what prefixes are announced, and _by_whom_, as a minimal check on utilization when an existing AS submits a request for additional space. A netblock (meaning an entire allocation, not just some sub-set thereof) that's been 'missing' for an extended period, and then shows up in a geographically distant locale is 'suspicious' to start with. All the more so if it was multi-homed, and now has only a single upstream.
On Oct 2, 2010, at 4:03 PM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
Robert - You are matching nearly verbatim from ARIN's actual procedures for recognizing a transfer via merger or acquisition. The problem is compounded because often the parties appear years later, don't have access to the legal documentation of the merger, and there is no "corporate" surviving entity to contact. Many parties abandon these transfers mid-process, leaving us to wonder whether they were exactly as claimed but simply lacking needed documentation, or whether they were optimistic attempts to hijack.

/John

John Curran
President and CEO
ARIN
On Sat, Oct 2, 2010 at 3:41 PM, John Curran <jcurran@arin.net> wrote:
Hm.. just a thought... if an org doesn't have and is unable to obtain any good written documentation at all, from even the public record, then aren't they (as far as the operator community should be concerned) not the same registrant, or authorized? Where would a person be if they were trying to claim the right to a certain piece of land, and someone else (an opportunist/scammer) also claimed ownership using "papers" they had created, but the 'rightful' owner had neither a deed, nor a transfer agreement, proof of their use of that land, nor other certified document, and the local authority did not have any record of a transfer from the now defunct original owner?

---

So, I wonder why only ARIN itself is singled out.. Have other RIRs found something much better to do with fraud reports? This matters, because scammers can concentrate on whichever IP blocks are easiest to hijack. If ARIN somehow creates a hostile environment for scammers, they can concentrate on APNIC/RIPE/AfriNic/LACNIC-administered IP ranges instead.

Assume scammers don't care or need to be undetected for long at all, they just need to stay off 'hijacked IP lists' for a very brief time, perhaps a week, until they are blacklisted by major RBLs for spamming, stop using the range, find a new one, under a new manufactured identity, lather, rinse, ....

Even with excellent RIR detection and reclaiming of defunct ranges, the most capable anti-scammer mechanisms may still be independent Bogon lists and RBLs. Watch the global visibility of prefixes, and detect when part of a completely unannounced RIR-assigned prefix starts being announced, or when an entire RIR prefix stops being announced for more than a couple of days or so, and it doesn't fall into the category of 'newly registered prefix'. Those should be additional "triggers" for defunct contact detection / additional verification, and anti-fraud detection by RIRs and others. Because address ranges can become defunct at any time....

Something really should be watching for a previously defunct range re-appearing from a different AS or from a completely different place net-wise.

--
-J
On Oct 2, 2010, at 7:59 PM, James Hess wrote:
So, I wonder why only ARIN itself is singled out.. Have other RIRs found something much better to do with fraud reports? This matters, because scammers can concentrate on whichever IP blocks are easiest to hijack.
The reason: approximately 15000 legacy address blocks which ARIN became the successor registry for at its formation, many of which hadn't been updated since they were allocated. In the other regions, there are significantly fewer early allocations where the holders haven't also been involved on an ongoing basis in the combined registry/operator forum in the region. Two particular quirks of this region are that the registry is not combined with the operator forum, and many of the assignments from the earliest days of the Internet are in this region, made with minimal documentation, and were often forgotten or never put into publicly routed use...

Ergo, when a party appears and says that they'd like to update the contacts on their WHOIS record, and we see an organization which exists back to the original allocation, it is fairly straightforward to make it happen and know that we're not facilitating a hijacking. For this reason, legacy holders are allowed to change anything except the organization name without requiring documentation.

It gets more challenging when you instead have a different organization name XYX, which states it is the rightful holder of NET-ABC123 because it acquired JKL company which in theory had earlier bought the right piece of company ABC which is now defunct but never updated any of IP records post business deal, and no one from ABC or JKL can be found and the public records may indeed show that JKL bought some part of ABC but most assuredly don't say anything about networks or as#'s... Circumstances such as the aforementioned are regretfully the rule, not the exception. (As an aside, I'll note that we do also look at the historical routing of the address block, since that provides some insight which often can corroborate an otherwise weak documentary record.)

Now, we really want folks to come in and update their records but when it comes to updating the actual organization name for an address block, we either need to hold the line on legal/commercial documents (which reduces hijacking but almost sends some legitimate but underdocumented legacy folks away) or we can simply have folks attest to their view of reality and update the records accordingly (which will get us much more current Whois records but with "current" not necessarily implying any more accurate records...)

This is *your* (the collective "your") WHOIS database, and ARIN will administer it per any policy which is adopted by the community.

/John

John Curran
President and CEO
ARIN

P.S. I will note that we fully have the potential to recreate this problem in IPv6 if we're not careful, and establishing some very clear record keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to be very important if we ever hope to determine the party using a given IPv6 block in just a few short years...
So then the question is, what can we as a community (note that is not ARIN specific) do that makes it more difficult for someone to fraudulently announce number resources they aren't really entitled to? On the reactive side, we could have more people actively searching for such abuse. What can be done on the proactive side to make it more difficult to do it in the first place?
On Sat, Oct 2, 2010 at 4:03 PM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
That _seems_ fairly simple [...] it's straightforward corporate forensics, and the establishment of "provenence", or the equivalent of an 'abstract of title' for real-estate.
Hi Robert,

It may seem simple but it only seems that way. The legacy registrants (pre-ARIN registrants) in particular were not necessarily legal entities. Like trademarks with a TM instead of a Circle-R, they were nothing more than unverified names asserted by the individuals requesting IP addresses. In some cases they were obviously corporations but in many others there are only ambiguous forensics to examine.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
participants (5)
- George Bonser
- James Hess
- John Curran
- Robert Bonomi
- William Herrin