Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Selphie Keller
Nick,

Very cool, learn something new every day :)

[root@stellarfrost(~)]> nicinfo 103.11.67.167
# NicInfo v.1.1.1

[ NOTICE ] Terms of Service
 1 By using the ARIN RDAP/Whois service, you are agreeing to the
RDAP/Whois Terms of Use
 About https://www.arin.net/whois_tou.html

# Query type is IP4ADDR. Result type is IP.

[ RESPONSE DATA ]
  1= NET-103-11-67-0-1
 |--- 1= Gaiacom, L.C. ( GL-299 )
 ||--- 1= GCM NY NOC ( GNN-ARIN )
 |`--- 2= GCM NET ABUSE ( GNA35-ARIN )
 `--- 2= Los Angeles NOC ( LAN55-ARIN )

   [ IP NETWORK ]
   Handle:  NET-103-11-67-0-1
Start Address:  103.011.067.000
  End Address:  103.011.067.255
   IP Version:  v4
 Last Changed:  Mon, 13 Jun 2016 15:20:51 -0700
 Registration:  Wed, 25 May 2016 17:17:12 -0700

   [ ENTITY ]
   Handle:  GL-299
 Name:  Gaiacom, L.C.
Roles:  Registrant
 Last Changed:  Fri, 15 Aug 2014 11:26:53 -0700
 Registration:  Wed, 04 Dec 2013 13:01:12 -0800

   [ ENTITY ]
   Handle:  GNN-ARIN
 Name:  GCM NY NOC
 Organization:  GCM NY NOC
Email:  n...@gaiacom.net
Phone:  +1-310-421-9099 ( work, voice )
Phone:  +1-310-421-9098 ( work, fax )
Roles:  Noc, Technical, Administrative
   Status:  Validated
 Last Changed:  Sat, 20 Aug 2016 09:21:23 -0700
 Registration:  Tue, 26 Nov 2013 22:58:12 -0800

   [ ENTITY ]
   Handle:  GNA35-ARIN
 Name:  GCM NET ABUSE
 Organization:  GCM NET ABUSE
Email:  n...@maya.net
Phone:  +1-310-421-9099 ( work, voice )
Phone:  +1-310-421-9098 ( work, fax )
Roles:  Abuse
   Status:  Validated
 Last Changed:  Wed, 03 Aug 2016 13:51:02 -0700
 Registration:  Tue, 26 Nov 2013 23:39:45 -0800

   [ ENTITY ]
   Handle:  LAN55-ARIN
 Name:  Los Angeles NOC
 Organization:  Los Angeles NOC
Email:  n...@maya.net
Phone:  +1-213-587-7995 ( work, voice )
Phone:  +1-213-587-7995 ( work, cell )
Phone:  +1-213-587-7995 ( work, fax )
Roles:  Technical, Noc
   Status:  Validated
 Last Changed:  Mon, 13 Jun 2016 15:14:38 -0700
 Registration:  Mon, 13 Jun 2016 15:14:38 -0700

# Use "nicinfo 1=" to show NET-103-11-67-0-1
# Use "nicinfo 1.1=" to show Gaiacom, L.C. ( GL-299 )
# Use "nicinfo 1.2=" to show Los Angeles NOC ( LAN55-ARIN )
# Use "nicinfo https://rdap.arin.net/registry/ip/103.011.067.000" to
directly query this resource in the future.
# Use "nicinfo -h" for help.

On 31 October 2016 at 17:21, Nick Hilliard  wrote:

> Selphie Keller wrote:
> > APNIC -> 103.11.64.0/22 -> then to WebNX 103.11.67.0/24, which would show
> > the full chain and a proper abuse contact for this subnet.
>
> the tl;dr on the thread scrollback was:
>
> 1. whois is irredeemably broken
> 2. use rdap, which supports referrals
> 3. open source RDAP client: https://github.com/arineng/nicinfo
>
> Nick
>


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Nick Hilliard
Selphie Keller wrote:
> APNIC -> 103.11.64.0/22 -> then to WebNX 103.11.67.0/24, which would show
> the full chain and a proper abuse contact for this subnet.

the tl;dr on the thread scrollback was:

1. whois is irredeemably broken
2. use rdap, which supports referrals
3. open source RDAP client: https://github.com/arineng/nicinfo

Nick
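
Added example, not part of the thread and not nicinfo's code: a Python sketch of what an RDAP client extracts from an "ip network" response, namely the CIDR, the parent network handle and the nested entity chain with its abuse contact. The JSON is constructed from the handles and roles in the nicinfo output earlier on this page; the e-mail addresses are placeholders and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed RDAP "ip network" object (RFC 9083 layout). Handles, names and
# roles follow the nicinfo output in this thread; the e-mail addresses are
# placeholders because the archive redacts the real ones.
SAMPLE_RDAP = json.loads(r"""
{
  "objectClassName": "ip network",
  "handle": "NET-103-11-67-0-1",
  "parentHandle": "NET-103-11-64-0-1",
  "startAddress": "103.011.067.000",
  "endAddress": "103.011.067.255",
  "ipVersion": "v4",
  "entities": [
    {"objectClassName": "entity", "handle": "GL-299", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Gaiacom, L.C."]]],
     "entities": [
       {"objectClassName": "entity", "handle": "GNN-ARIN",
        "roles": ["noc", "technical", "administrative"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "GCM NY NOC"],
                                 ["email", {}, "text", "noc@example.net"]]]},
       {"objectClassName": "entity", "handle": "GNA35-ARIN", "roles": ["abuse"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "GCM NET ABUSE"],
                                 ["email", {}, "text", "abuse@example.net"]]]}
     ]},
    {"objectClassName": "entity", "handle": "LAN55-ARIN",
     "roles": ["technical", "noc"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Los Angeles NOC"],
                              ["email", {}, "text", "la-noc@example.net"]]]}
  ]
}
""")


def normalize_v4(addr):
    """Strip zero padding such as "103.011.067.000" (decimal octets).

    Current Python versions of ipaddress reject leading zeros outright.
    """
    return ".".join(str(int(octet, 10)) for octet in addr.split("."))


def parse_address(net, key):
    """Parse startAddress/endAddress, un-padding only when the object is IPv4."""
    raw = net[key]
    if net.get("ipVersion") == "v4":
        raw = normalize_v4(raw)
    return ipaddress.ip_address(raw)


def jcard_values(entity, prop_name):
    """Return every value of one jCard property, or [] if there is no vCard."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    return [p[3] for p in props if p[0] == prop_name]


def walk_entities(obj, depth=0):
    """Yield (depth, entity) for nested entities, parents before children."""
    for ent in obj.get("entities", []):
        yield depth, ent
        yield from walk_entities(ent, depth + 1)


def summarize_network(net):
    """Reduce an RDAP ip-network object to CIDRs, parent handle and contacts."""
    first = parse_address(net, "startAddress")
    last = parse_address(net, "endAddress")
    contacts = [
        {"depth": depth, "handle": ent.get("handle"),
         "roles": ent.get("roles", []),
         "name": (jcard_values(ent, "fn") or [None])[0],
         "emails": jcard_values(ent, "email")}
        for depth, ent in walk_entities(net)
    ]
    return {
        "handle": net.get("handle"),
        "parent": net.get("parentHandle"),
        "cidrs": [str(n) for n in ipaddress.summarize_address_range(first, last)],
        "contacts": contacts,
        "abuse": [(c["handle"], c["emails"]) for c in contacts
                  if "abuse" in c["roles"]],
    }


if __name__ == "__main__":
    summary = summarize_network(SAMPLE_RDAP)
    print(summary["handle"], summary["cidrs"], "parent:", summary["parent"])
    for c in summary["contacts"]:
        print("  " * (c["depth"] + 1) + f'{c["handle"]} {c["roles"]} {c["emails"]}')
```
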


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Selphie Keller
Hi,

I noticed this thread and wanted to provide some information: subnet
103.11.67.0/24 is not an illicit squat. This subnet is a part of
103.11.64.0/22, which was transferred from APNIC to ARIN back this last
February and is listed publicly at
https://www.arin.net/knowledge/statistics/transfers.html within the
"Inter-RIR Transfers to the ARIN Region". Also, WebNX AS18450 does have the
LOAs on file for the subnet.

I do agree with the others in this thread about the lack of WHOIS, as
looking up 103.11.67.0/24 does indeed provide very little information to go
on, so I can see how this could be misunderstood as a squat of the subnet
due to the lack of whois information, which is an updating issue on
ARIN/APNIC's part. Hopefully this can get resolved so that ARIN shows the
chain:

APNIC -> 103.11.64.0/22 -> then to WebNX 103.11.67.0/24, which would show
the full chain and a proper abuse contact for this subnet.

As for the spamming/spam email part of this thread, please send the said
spam email/emails with headers in question to ab...@webnx.com, this way we
can investigate and sort it out. We do take spamming seriously and will
work quickly to get it resolved.

-Selphie K


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Christopher Morrow
On Fri, Oct 28, 2016 at 7:36 PM, Ronald F. Guilmette 
wrote:

> In my own defense, I didn't see the ARIN allocation because I have a
> normative process that I use for looking up IP addresses.  It's
> hierarchical, and I always start with whatever whois.iana.org has to
> say.  And it says that 103.0.0.0/8 belongs to APNIC, so of course,
> I only looked at what whois.apnic.net had to say about 103.11.67.105.
> And it says that it's unallocated.  (And apparently, data shown for
> announced prefixes on the bgp.he.net web site is also obtained in this
> same straightforward way, because it also is showing 103.11.67.0/24 as
> registered to "Asia Pacific Network Information Centre".)
>

In this new world of inter-RIR transfers your process needs a revision.
It's also not uncommon for hosting folks to allocate address space to
non-local customers.


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Tony Finch
Ronald F. Guilmette  wrote:
>
> You are correct.  In this case, it would have been helpful if APNIC's WHOIS
> server returned something, when queried about 103.11.67.105, that would
> include an explicit referral to the ARIN WHOIS server.  I mean they
> obviously know all the transfers they've made.

Yes, the state of whois referrals from RIRs is a bit of a mess.

I have changed FreeBSD whois to rely more on referrals than built-in
knowledge, and this mostly works. There are a couple of hacks to cope with
awkward RIRs: AfriNIC's referrals are human-readable though they can be
parsed if you assume the rubric is fixed; for RIPE, if the netname is
NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK it is treated as a referral to ARIN;
there's a similar hack for APNIC's ERX-NETBLOCKs - but evidently this
doesn't apply to more recently transferred net blocks :-(

It's probably time to make whois use RDAP under the covers for address
lookups. Bah.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Southeast Iceland: Westerly veering northwesterly 6 to gale 8, decreasing 4 or
5 for a time. Rough or very rough, occasionally high at first, then becoming
moderate in west. Showers. Good, occasionally poor.
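
Added example, not part of the message above and not FreeBSD whois code: a Python sketch of referral chasing over whois text, showing why the chain for 103.11.67.105 stops at APNIC. The whois responses are constructed for offline use, the "refer:" (IANA) and "ReferralServer:" (ARIN) markers are the referral fields those servers emit, and the function names and the fetch callback are hypothetical.

```python
import re

# Machine-readable referral markers: IANA uses "refer:", ARIN "ReferralServer:".
REFERRAL_PATTERNS = (
    re.compile(r"^refer:[ \t]*(\S+)", re.I | re.M),
    re.compile(r"^ReferralServer:[ \t]*r?whois://([^\s:/]+)", re.I | re.M),
)

# Special case described in the message above: RIPE marks space it does not
# manage with this netname, which is treated as a referral to ARIN.
RIPE_PLACEHOLDER = re.compile(
    r"^netname:[ \t]*NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK[ \t]*$", re.I | re.M)

# Constructed responses (not captured output). They model what the thread
# reports: IANA points at APNIC, and APNIC answers with its own top-level
# record and no pointer to ARIN.
CONSTRUCTED = {
    ("whois.iana.org", "103.11.67.105"):
        "refer:        whois.apnic.net\n"
        "inetnum:      103.0.0.0 - 103.255.255.255\n"
        "organisation: APNIC\n",
    ("whois.apnic.net", "103.11.67.105"):
        "inetnum:        103.0.0.0 - 103.255.255.255\n"
        "netname:        APNIC-AP\n"
        "descr:          Asia Pacific Network Information Centre\n",
}


def constructed_fetch(server, query):
    """Offline stand-in for a TCP/43 whois query."""
    return CONSTRUCTED.get((server, query), "")


def next_server(server, text):
    """Return the whois server this response refers to, or None."""
    for pattern in REFERRAL_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1).lower()
    if server == "whois.ripe.net" and RIPE_PLACEHOLDER.search(text):
        return "whois.arin.net"
    return None


def chase(query, fetch, start="whois.iana.org", max_hops=5):
    """Follow referrals from `start`; return the servers visited, in order.

    Stops on a missing referral, a referral loop, or after max_hops servers.
    """
    path, seen, server = [], set(), start
    while server and server not in seen and len(path) < max_hops:
        seen.add(server)
        path.append(server)
        server = next_server(server, fetch(server, query))
    return path


if __name__ == "__main__":
    # The chain ends at APNIC, so the ARIN registration is never consulted.
    print(" -> ".join(chase("103.11.67.105", constructed_fetch)))
```
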


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <5815013f.2080...@foobar.org>, 
Nick Hilliard  wrote:

>> But my overall point remains.  If there were ever to be an election where
>> we were all asked who we wanted to see become the once and future Routing
>> Police, the RIRs would not be my own personal first choice.
>
>Great, we're agreed then.  So why do you keep on bringing them up in
>this context and criticising them whenever someone squats some block of
>address space?

References please?

*I* didn't introduce the topic of RIRs into this thread.  It would appear
that Ken Chase did that:

   http://mailman.nanog.org/pipermail/nanog/2016-October/088943.html

Later on, I bemoaned what I still feel is a rather lousy WHOIS referrals
system, among and between the various RIR WHOIS data bases... with
respect to *allocations* (not route registrations)... and it was
entirely appropriate for me to mention that, in this thread, as the
problem most definitely did impact not only _my_ ability to figure
out who the bleep, if anyone, 103.11.67.0/24 is actually registered
to, but actually, anyone's ability to do so, including, apparently,
bgp.he.net.

But this criticism has/had nothing whatever to do, specifically, with
either routing or the (hypothetical) Routing Police.  If the totality
of the RIR WHOIS data bases are needlessly difficult to extract accurate
information out of, then this negatively affects *all* uses (and all
users) of these data bases, whether one is investigating possible
routing squats, or whether one is just trying to figure out who
currently owns the block that all of your corporate intellectual
property has just been surreptitiously exfiltrated to.


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> Oh, gz!  ...
> 
> Showing 1 to 10 of 1,823 entries

Yeah, get over it.  Number resource transfers are a thing, and this
number is only going to increase.

> You are correct.  In this case, it would have been helpful if APNIC's WHOIS
> server returned something, when queried about 103.11.67.105, that would
> include an explicit referral to the ARIN WHOIS server.  I mean they
> obviously know all the transfers they've made.
> 
> But I guess that somebody somewhere decided that that's just too much
> trouble.

David Conrad already pointed out that this problem has been solved using
RDAP which supports referrals.  Try installing the nicinfo command from:

https://github.com/arineng/nicinfo

At a guess, I'd say referrals haven't been implemented in whois because
the whois "protocol" is unfixably broken and unsuitable for distributed
information sharing.

Nick


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> I wasn't talking about irrdb.  I was just talking about the WHOIS records
> for IPv4 allocations within the AFRINIC region.

afrinic, ripe ncc and apnic run a combined (+ partially authenticated)
irrdb and whois server.

> But my overall point remains.  If there were ever to be an election where
> we were all asked who we wanted to see become the once and future Routing
> Police, the RIRs would not be my own personal first choice.

Great, we're agreed then.  So why do you keep on bringing them up in
this context and criticising them whenever someone squats some block of
address space?

Nick



Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <58146e84.3030...@foobar.org>, 
Nick Hilliard  wrote:

>> P.S.  I may be wrong about this, but it has come to my attention that
>> many, most, or all of the WHOIS records reflecting allocations made by
>> the AFRINIC RIR are utterly devoid of either (a) information specifying
>> the dates on which the relevant allocations were made or (b) email
>> contact addresses for the relevant number resource registrants.
>
>Works fine for me.  Did you use the "-B" flag when querying the Afrinic
>irrdb?

I wasn't talking about irrdb.  I was just talking about the WHOIS records
for IPv4 allocations within the AFRINIC region.

Anyway, yes, I do believe that I used the -B flag.  But nonetheless, I
really did see some AFRINIC WHOIS records that had -no- email contacts,
nor any date information.

I will have to try to see if I can dredge those out again.

But my overall point remains.  If there were ever to be an election where
we were all asked who we wanted to see become the once and future Routing
Police, the RIRs would not be my own personal first choice.


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <5814696f.3060...@foobar.org>, 
Nick Hilliard  wrote:

>Ronald F. Guilmette wrote:
>>  I always start with whatever whois.iana.org has to
>> say.  And it says that 103.0.0.0/8 belongs to APNIC, so of course,
>> I only looked at what whois.apnic.net had to say about 103.11.67.105.
>
>yeah, this prefix was transferred from APNIC to ARIN.  You can search
>for the details here:
>
>https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs

Oh, gz!  ...

Showing 1 to 10 of 1,823 entries

>> This isn't the first time I've wished that the right hand knew (or cared)
>> what the left hand was doing.  I've asked the folks at IANA about this
>> sort of thing in the past, i.e. them giving pointers to the apparently
>> wrong RiR whois server, and they just won't fix it.
>
>It's not an IANA problem to fix.  IANA handles the initial allocation...

You are correct.  In this case, it would have been helpful if APNIC's WHOIS
server returned something, when queried about 103.11.67.105, that would
include an explicit referral to the ARIN WHOIS server.  I mean they
obviously know all the transfers they've made.

But I guess that somebody somewhere decided that that's just too much
trouble.


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread David Conrad
On Oct 29, 2016, at 5:18 PM, Nick Hilliard  wrote:
> There
> are 5 RIRs, so 20 different ways for data to flow, and IANA is no longer
> authoritative for the address space once it's been RIR-allocated.

While true, hopefully referrals in RDAP will address the need to identify 
registration information down to the leaves.

> I.e. you should no longer depend on whois.iana.org for accurate resource
> delegation information.

Well, it should be accurate at the top-level delegation (albeit, the IANA Whois 
server only deals with /8s).

Regards,
-drc
(speaking only for myself)







Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> In my actual comment I merely noted that RIRs are in fact -not- the
> Internet Police, and that none of them have ever displayed even the
> slightest desire to become that (and indeed, when asked, they have,
> without exception, exhibited a clear desire -not- to be assigned any
> such role).

just to be clear: this is a bottom up position, not top-down.  The
registry roles of the RIRs exist by mandate of the communities they
serve to provide a database of integer allocations and assignments.  If
there's been no inclination to become "Internet Police", it's because
their memberships do not want their respective RIRs to take on this role.

> Given that I do not have an entirely unequivocal admiration for the
> quality and consistency of the work that RIRs are already clearly
> responsible for, do you really believe that it would be my first
> choice to assign an entirely separate but equally critical set of
> -new- authorities and responsibilities to the RiRs?

This will, of course, vary between RIRs.  At least in the RIPE NCC
service region, all allocations and assignments by the RIPE NCC are
covered by written contractual links and complete records of these
contracts are kept by the organisation.  Sub-assignments by LIRs may not
be as accurate.  Other RIR service regions will have different policies.

> P.S.  I may be wrong about this, but it has come to my attention that
> many, most, or all of the WHOIS records reflecting allocations made by
> the AFRINIC RIR are utterly devoid of either (a) information specifying
> the dates on which the relevant allocations were made or (b) email
> contact addresses for the relevant number resource registrants.

Works fine for me.  Did you use the "-B" flag when querying the Afrinic
irrdb?

% whois -h whois.afrinic.net " -B x.x.x.x"

Nick



Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
>  I always start with whatever whois.iana.org has to
> say.  And it says that 103.0.0.0/8 belongs to APNIC, so of course,
> I only looked at what whois.apnic.net had to say about 103.11.67.105.

yeah, this prefix was transferred from APNIC to ARIN.  You can search
for the details here:

https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs

There's a full log on their ftp site:

ftp://ftp.apnic.net/public/transfers/apnic/transfer-apnic-latest

No doubt other RIRs have their own transfer listings.

> This isn't the first time I've wished that the right hand knew (or cared)
> what the left hand was doing.  I've asked the folks at IANA about this
> sort of thing in the past, i.e. them giving pointers to the apparently
> wrong RiR whois server, and they just won't fix it.

It's not an IANA problem to fix.  IANA handles the initial allocation to
the RIR, but does not account for subsequent inter-RIR transfers.  There
are 5 RIRs, so 20 different ways for data to flow, and IANA is no longer
authoritative for the address space once it's been RIR-allocated.  This
excludes ERX space, which is another bundle of fun.

I.e. you should no longer depend on whois.iana.org for accurate resource
delegation information.

The LACNIC whois server (whois.lacnic.net) appears to maintain pointer
information, judging by a couple of queries.

Nick


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Michael Smith
I would use LACNIC’s whois server for these queries.  They have info from all 
the registries, which is an amazing service that seems beyond the other RIRs. 

whois -h whois.lacnic.net  103.11.67.105

HostUS HOSTUS-IPV4-5 (NET-103-11-64-0-1) 103.11.64.0 - 103.11.67.255
Gaiacom, L.C. SOLVPS-103-11-67-0-24 (NET-103-11-67-0-1) 103.11.67.0 - 
103.11.67.255

Mike

> On Oct 28, 2016, at 4:36 PM, Ronald F. Guilmette  
> wrote:
> 
> 
> In message 
> 
> Doug Clements  wrote:
> 
>> How does one get ARIN to register resources to come up with this result?
>> 
>> https://whois.arin.net/rest/nets;q=103.11.67.105
>> 
>> The /16 is APNIC but there are 2 subnets that appear to be allocated from
>> ARIN. Having just typed 'whois 103.11.67.105' I completely missed the fact
>> that the supernet was APNIC until I checked the web interface.
> 
> Oh!!  Wow!!  I totally missed this also, i.e. that ARIN is showing an
> allocation for 103.11.64.0/22 to HostUs.Us in Texas.
> 
> That's really weird, but even that doesn't either explain or excuse
> what still looks like an illicit squat (by an unrelated Los Angeles
> company) on the 103.11.67.0/24 block to me... perhaps one that's been
> re-sold to a spammer (which seems possible, given the spam I got).
> 
> In my own defense, I didn't see the ARIN allocation because I have a
> normative process that I use for looking up IP addresses.  It's
> hierarchical, and I always start with whatever whois.iana.org has to
> say.  And it says that 103.0.0.0/8 belongs to APNIC, so of course,
> I only looked at what whois.apnic.net had to say about 103.11.67.105.
> And it says that it's unallocated.  (And apparently, data shown for
> announced prefixes on the bgp.he.net web site is also obtained in this
> same straightforward way, because it also is showing 103.11.67.0/24 as
> registered to "Asia Pacific Network Information Centre".)
> 
> This isn't the first time I've wished that the right hand knew (or cared)
> what the left hand was doing.  I've asked the folks at IANA about this
> sort of thing in the past, i.e. them giving pointers to the apparently
> wrong RiR whois server, and they just won't fix it.  They just shrug and
> say "Not our problem man!"  And in this case, maybe they're right.  If
> APNIC gave two subparts of 103/8 to ARIN, it might have been helpful
> if their own whois server was made aware of that fact.
> 
> Sigh.  I have to keep reminding myself of what one friend of mine keeps
> on telling me... "Ron, there you go again, trying to think about these
> things logically."
> 
> 
> Regards,
> rfg



Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Stephen Satchell
On 10/28/2016 04:32 PM, Mark Andrews wrote:
> It's not the RIR's job.  They already provide the framework for
> ISP's to do the job of policing route announcements themselves.
> ISP's just need to use that framework.

Link to documentation on how to use that framework?


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette

In message <5813e03e.6060...@foobar.org>, 
Mark Andrews  wrote:

>Mark Andrews wrote:
>> It's not the RIR's job.  They already provide the framework for
>> ISP's to do the job of policing route announcements themselves.
>> ISP's just need to use that framework.
>
>Ron thinks otherwise.

No, I don't.  You have made an incorrect inference from the text of my
actual comment.

In my actual comment I merely noted that RIRs are in fact -not- the
Internet Police, and that none of them have ever displayed even the
slightest desire to become that (and indeed, when asked, they have,
without exception, exhibited a clear desire -not- to be assigned any
such role).

These observations on my part are all merely recitations of well-
established historical facts, all of which are easily verifiable by
anyone with a browser.  I made no comment at all about who, if anyone,
should be tasked to take on the role of The Routing Police.

And indeed, if asked, I would express some degree of skepticism about
the ability of RIRs to even reliably execute their existing data base
maintenance responsibilities to a level which I personally would find
entirely satisfactory.  (The apparent goofiness relating to 103.11.64.0/22
is just one very small example of this, there being also many other and
more serious issues that I could also cite, if pressed, relating strictly
to allocation functions and/or to WHOIS data base issues.)

Given that I do not have an entirely unequivocal admiration for the
quality and consistency of the work that RIRs are already clearly
responsible for, do you really believe that it would be my first
choice to assign an entirely separate but equally critical set of
-new- authorities and responsibilities to the RiRs?  If so, please
allow me to disabuse you of that notion.  (I am also and likewise not
likely to support any effort by any part of the United States federal
government to assign new authorities and responsibilities to the Office
of Personnel Management.)


Regards,
rfg


P.S.  I may be wrong about this, but it has come to my attention that
many, most, or all of the WHOIS records reflecting allocations made by
the AFRINIC RIR are utterly devoid of either (a) information specifying
the dates on which the relevant allocations were made or (b) email
contact addresses for the relevant number resource registrants.

I am, of course, utterly appalled by the apparent inability of this RIR
to maintain a WHOIS data base which even approximates the modest and
minimal level of relevant information commonly available from the WHOIS
data bases of other and older RIRs.


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ken Chase
On Sat, Oct 29, 2016 at 10:32:12AM +1100, Mark Andrews said:  
  >It's not the RIR's job. They already provide the framework for 
  >ISP's to do the job of policing route announcements themselves. 
  >ISP's just need to use that framework.

What incentive do the ISPs have to enforce any of this though? 

In fact, they're making money sending bits over these prefixes. 

What incentives could be created that the ISPs won't balk at as it
might affect their accidental revenues from "oh, gee, I didn't know it
was being squatted!" prefixes?

/kc   
--   
Ken Chase - m...@sizone.org guelph canada


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette

In message <5813dacd.3000...@foobar.org>, 
Nick Hilliard  wrote:

>Ronald F. Guilmette wrote:
>> Will never happen.  The RiRs have been crystal clear, and also utterly
>> consistent... "Not our job man!  We am not the Internetz Police."
>
>Ron,
>
>Maybe you could suggest some ideas about how the RIRs can stop someone
>from illegally squatting space?

Oh, don't get me wrong.  I never said that I either could or would
suggest how to convert RiRs into The Internet Police.  Nor did I suggest
that such a conversion would even be either prudent or advisable.
(I am not persuaded that it would be.)

We have a longstanding 20 or 30 year tradition/precedent and a division
of labor that -does not- allocate to RiRs any responsibility for, or
authority over anything to do with what routes people announce, and I
am certainly not even nearly so presumptive as to believe that I either
can or should try to roll back 30 years of history and ask everyone to
start all over again and build governance structures anew, from scratch.
(Doing so would be both silly and the very height of arrogance on my part.)

I nonetheless feel free to note, and to bemoan, the current utter lack
of -any- authority which routinely notices apparent routing funny business
and/or which works, on a routine basis, to try to put a stop to it all.

I do not suggest that RiRs should be "minding the store" with respect to
route announcements.  I do think it would be helpful if -somebody- were
doing so.  My own occasional and strictly ad hoc efforts have only succeeded
in convincing me of how extensive the problem is, and how dire a need there
is for a more rigorous solution.


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette

In message 
Doug Clements  wrote:

>How does one get ARIN to register resources to come up with this result?
>
>https://whois.arin.net/rest/nets;q=103.11.67.105
>
>The /16 is APNIC but there are 2 subnets that appear to be allocated from
>ARIN. Having just typed 'whois 103.11.67.105' I completely missed the fact
>that the supernet was APNIC until I checked the web interface.

Oh!!  Wow!!  I totally missed this also, i.e. that ARIN is showing an
allocation for 103.11.64.0/22 to HostUs.Us in Texas.

That's really weird, but even that doesn't either explain or excuse
what still looks like an illicit squat (by an unrelated Los Angeles
company) on the 103.11.67.0/24 block to me... perhaps one that's been
re-sold to a spammer (which seems possible, given the spam I got).

In my own defense, I didn't see the ARIN allocation because I have a
normative process that I use for looking up IP addresses.  It's
hierarchical, and I always start with whatever whois.iana.org has to
say.  And it says that 103.0.0.0/8 belongs to APNIC, so of course,
I only looked at what whois.apnic.net had to say about 103.11.67.105.
And it says that it's unallocated.  (And apparently, data shown for
announced prefixes on the bgp.he.net web site is also obtained in this
same straightforward way, because it also is showing 103.11.67.0/24 as
registered to "Asia Pacific Network Information Centre".)

This isn't the first time I've wished that the right hand knew (or cared)
what the left hand was doing.  I've asked the folks at IANA about this
sort of thing in the past, i.e. them giving pointers to the apparently
wrong RiR whois server, and they just won't fix it.  They just shrug and
say "Not our problem man!"  And in this case, maybe they're right.  If
APNIC gave two subparts of 103/8 to ARIN, it might have been helpful
if their own whois server was made aware of that fact.

Sigh.  I have to keep reminding myself of what one friend of mine keeps
on telling me... "Ron, there you go again, trying to think about these
things logically."


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Nick Hilliard
Mark Andrews wrote:
> It's not the RIR's job.  They already provide the framework for
> ISP's to do the job of policing route announcements themselves.
> ISP's just need to use that framework.

Ron thinks otherwise. I'd like to understand what he thinks they can do
to stop this.

Nick


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Mark Andrews

In message <5813dacd.3000...@foobar.org>, Nick Hilliard writes:
> Ronald F. Guilmette wrote:
> > Will never happen.  The RiRs have been crystal clear, and also utterly
> > consistent... "Not our job man!  We am not the Internetz Police."
> 
> Ron,
> 
> Maybe you could suggest some ideas about how the RIRs can stop someone
> from illegally squatting space?

It's not the RIR's job.  They already provide the framework for
ISP's to do the job of policing route announcements themselves.
ISP's just need to use that framework.

> Nick
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Nick Hilliard
Ca By wrote:
> If the space is unassigned, could the rir announce the space to park it
> to null0. And register it in spamhaus ?
> 
> This would make the rir the custodian of the space in their possession 

The space isn't unallocated.  It's allocated, but the assignee hasn't
announced it in the dfz.

There are some statistics about unallocated space here:

http://www.potaroo.net/tools/ipv4/index.html

summary: this isn't the problem area.

Nick



Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ca By
On Friday, October 28, 2016, Nick Hilliard  wrote:

> Ronald F. Guilmette wrote:
> > Will never happen.  The RiRs have been crystal clear, and also utterly
> > consistent... "Not our job man!  We am not the Internetz Police."
>
> Ron,
>
> Maybe you could suggest some ideas about how the RIRs can stop someone
> from illegally squatting space?
>
> Nick
>

If the space is unassigned, could the rir announce the space to park it to
null0. And register it in spamhaus ?

This would make the rir the custodian of the space in their possession

CB


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> Will never happen.  The RiRs have been crystal clear, and also utterly
> consistent... "Not our job man!  We am not the Internetz Police."

Ron,

Maybe you could suggest some ideas about how the RIRs can stop someone
from illegally squatting space?

Nick


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette

In message <20161028220510.gf14...@sizone.org>, 
Ken Chase  wrote:

>On Fri, Oct 28, 2016 at 02:40:23PM -0700, Ronald F. Guilmette said:
>  >I'm going to call these turkeys right now and just ask them, point
>  >blank, what the bleep they think they're doing, routing unallocated
>  >APNIC space. 
>
>Makin' phat stacks.
>
>One thing the RIRs could do is put pressure on AS's to not route
>these objects,

Will never happen.  The RiRs have been crystal clear, and also utterly
consistent... "Not our job man!  We am not the Internetz Police."

The thing that really baffles me about this kind of thing is how this
kind of crud can happen in the first place, and also, even more baffling,
how it can persist for months on end without anybody even noticing.

I'm looking at this:

   http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=103.11.67.105

which appears to provide a nice list of the rest of the netwits who are
also to blame for this one particular singular bit of idiocy:

 AS2914 -- NTT America, Inc.
 AS1299 -- Telia Company AB
 AS12798 -- Ace Data Centers, Inc.
 AS174 -- Cogent Communications
 AS6939 -- Hurricane Electric, Inc.
 AS3491 -- PCCW Global
 AS7922 -- Comcast Cable Communications, LLC
 AS6762 -- Telecom Italia Sparkle / Seabone
 AS10026 -- Pacnet Global Ltd
 AS11798 -- Ace Data Centers, Inc.

So, um, is it really the case that -none- of the above companies have even
noticed that anything was amiss here, and that all have failed to do so for
months on end?  (Or did they notice, but then felt it wasn't their place to
say anything about it?)

Sorry if those are stupid or naive questions, but...

   "The more I know, the less I understand."
 -- Don Henley

Is this just another one of these cases where everybody is responsible and
thus, nobody is?

Is it really the case that none of the above companies ever check that what
their peers announce is consistent with any routing registry?

I don't pretend to understand this stuff.  Somebody please 'splain it to
me.  I'll be much obliged.


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Tom Beecher
Spammers are doing a great job abusing the gaps in the systems. Another
common pattern in the last 12-14 months has been a combination of squatting
on an AS, forging some business documentation, buying transit to an IX, and
proceeding to hijack prefixes over bilateral peering sessions.

Pain in the rear to catch, even worse when the IX and transit providers
aren't receptive to do anything about it when it's brought to their
attention because the business docs used to instantiate those services are
'good enough', and they have a fiduciary interest in _not_ disconnecting
the IX port or circuit.

This will continue to be the norm until prefix validation is standardized
and in widespread use.




On Fri, Oct 28, 2016 at 5:40 PM, Ronald F. Guilmette 
wrote:

>
>
> I just got a spam from 103.11.67.105.  The containing /24 appears to
> be unallocated APNIC space.
>
> RIPE tools seem to say that AS18450 has been routing this block since
> around May 23rd.
>
> I see this kind of stuff almost every day now, it seems.  And you know,
> there are days when I really do start to wonder "Has the Internet gone
> mad?"
>
> I'm going to call these turkeys right now and just ask them, point
> blank, what the bleep they think they're doing, routing unallocated
> APNIC space.  But if history is any guide, this is probably going to
> turn out to be another one of these "absentee landlord" kinds of ASes,
> where all they have is an answering machine.
>
> I have to either laugh or cry when I see people posting here about the
> non-functionality of abuse@ email addresses, and then see other people
> saying "Well, this is why all ASes also have phone numbers."
>
> I wish I had a dollar for every AS I had ever tried to contact where
> -neither- the abuse@ address -nor- the phone number got me to any
> actual human being.
>
>
> Regards,
> rfg
>
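The prefix validation mentioned in the message above, and the registry-consistency check asked about earlier in the thread, can be sketched as follows. This is an added example, not code from any poster or project in the thread: it classifies announcements in the valid / invalid / not-found style of RFC 6811 and adds a separate check for unallocated space. The registry entries, the unallocated list, the prefixes and the AS numbers are all constructed sample data.

```python
import ipaddress

# Constructed sample data (documentation prefixes, private-use ASNs); not real registry contents.
ROAS = [  # (authorized prefix, max prefix length, authorized origin AS)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
]
# Constructed stand-in for a registry's list of space it has not allocated to anyone.
UNALLOCATED = ["203.0.113.0/24"]


def validate(prefix, origin_as, roas=ROAS, unallocated=UNALLOCATED):
    """Classify one announcement: 'unallocated', 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    # Origin validation alone cannot flag unallocated space: nothing covers it,
    # so it would come back 'not-found'. Check the unallocated list first.
    for block in unallocated:
        if net.overlaps(ipaddress.ip_network(block)):
            return "unallocated"
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one entry covers this announcement
            if net.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    return "invalid" if covered else "not-found"


def import_filter(announcements):
    """Split announcements into those a strict import policy accepts and those it rejects."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as)
        bucket = rejected if state in ("invalid", "unallocated") else accepted
        bucket.append((prefix, origin_as, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS) as a peer might send them.
    sample = [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
              ("198.51.100.128/25", 64501), ("198.51.100.0/26", 64501),
              ("203.0.113.0/24", 64511), ("198.18.5.0/24", 64511)]
    ok, bad = import_filter(sample)
    for row in ok + bad:
        print(row)
```

Without the unallocated list, the announcement for `203.0.113.0/24` is classified `not-found` and passes the filter, which is the gap the thread describes.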


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Doug Clements
How does one get ARIN to register resources to come up with this result?

https://whois.arin.net/rest/nets;q=103.11.67.105

The /16 is APNIC but there are 2 subnets that appear to be allocated from
ARIN. Having just typed 'whois 103.11.67.105' I completely missed the fact
that the supernet was APNIC until I checked the web interface.

--Doug


On Fri, Oct 28, 2016 at 5:40 PM, Ronald F. Guilmette 
wrote:

>
>
> I just got a spam from 103.11.67.105.  The containing /24 appears to
> be unallocated APNIC space.
>
> RIPE tools seem to say that AS18450 has been routing this block since
> around May 23rd.
>
> I see this kind of stuff almost every day now, it seems.  And you know,
> there are days when I really do start to wonder "Has the Internet gone
> mad?"
>
> I'm going to call these turkeys right now and just ask them, point
> blank, what the bleep they think they're doing, routing unallocated
> APNIC space.  But if history is any guide, this is probably going to
> turn out to be another one of these "absentee landlord" kinds of ASes,
> where all they have is an answering machine.
>
> I have to either laugh or cry when I see people posting here about the
> non-functionality of abuse@ email addresses, and then see other people
> saying "Well, this is why all ASes also have phone numbers."
>
> I wish I had a dollar for every AS I had ever tried to contact where
> -neither- the abuse@ address -nor- the phone number got me to any
> actual human being.
>
>
> Regards,
> rfg
>


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ken Chase
On Fri, Oct 28, 2016 at 02:40:23PM -0700, Ronald F. Guilmette said:
  >I'm going to call these turkeys right now and just ask them, point
  >blank, what the bleep they think they're doing, routing unallocated
  >APNIC space. 

Makin' phat stacks.

One thing the RIRs could do is put pressure on AS's to not route
these objects, and start producing daily public output scores
for these orgs, and emailing them -- ultimately threatening them
with de-reg of their assets if they don't stop this nonsense.
Furthermore, could get the route db's involved in dereg threats.

Is the political will there tho?

Right now there's no stigma beyond nanog-l in being a bad actor
from where I sit.

/kc
-- 
Ken Chase - m...@sizone.org guelph canada