ARIN Fraud Reporting Form ... Don't waste your time

Ronald F. Guilmette rfg at tristatelogic.com
Sat Oct 2 00:08:27 UTC 2010


In message <608B18DB-6E75-4B5E-BA42-D1F69ECE4881 at arin.net>, 
John Curran wrote:

>You note the following:
>
>> They could say, to everyone involved, and to the community as a whole,
>> ``This ain't right.  *We* maintain the official allocation records. 
>> In most cases, *we* made the allocations, and that guy should NOT be
>> announcing routes to that IP space, and he shouldn't be announcing
>> anything at all via that AS number, because these things ain't his.''
>
>At present, ARIN doesn't review the routing of address space to see
>if an allocation made to a party is being announced by another party.
>From your emails, I'm guessing that you'd like ARIN to do so.

John,

First, let me say thanks for your personal response.

Second let me also say that I am pleased to know, at least, that my serious
efforts to express myself clearly were not lost on everyone.  You have
grasped my meaning clearly.  (But not everyone here has done likewise.)

>I've run several ISPs and a hosting firm, and I'm not quite
>sure how ARIN can definitively know that any of the AS#'s involved
>should or should not be routing a given network block.

Please allow me to attempt to refute what you just said.  I think that
I can do so, briefly, in (at least) two different ways.

1)   You folks _are_ already (apparently) making some efforts... at least
as of this last summer, but perhaps also earlier... to ``validate'' (is
that the word you would use?) POC contacts.  I know because I've lately
seen quite a number of your POC contact records (from the WHOIS data base)
that have a very helpful annotation attached to them, saying quite
directly and explicitly, that ARIN has been unable to verify or make
contact with this POC or that POC.  So you are already passing judgement
on the validity and/or probable invalidity of things in your data base.
And more, you are making your determinations public, via the data base
itself.  I'm not quite sure how it constitutes such a big leap to merely
extend what you are already doing in the way of validating POCs and just
impute the exact same level of confidence, or lack thereof, to IP block
and/or AS records which are associated with unverifiable/uncontactable
POCs... a set which you are already making serious efforts to delineate
anyway.  If you can put an annotation into a whois record for a POC,
saying explicitly that you can't get ahold of this person, then it would
seem to me to be a rather trivial matter of programming to transplant
a very similar sort of annotation into each and every IP block or AS
record that has that same specific POC record as one of its associated
POC records, either Admin, or Technical, or whatever.

You could just say, you know, something like ``We have been trying to contact
the Technical POC for this since XX-XX-2010, and we've been unable to do so.''
Well, not those words exactly, but I hope you get the general idea.  Just
take the determinations that you folks are _already_ making, for the POC
records, and just impute them to, and include them in, also, to the
relevant block and/or AS records.  Or alternatively, you could stop using
verbiage altogether and just switch over to a system based on simple,
universally understood icons:

http://farm2.static.flickr.com/1082/820306671_6a0520fe17_m.jpg
http://farm2.static.flickr.com/1382/1263977902_d0e9a43821_o.jpg

Now, you may perhaps be tempted to quibble with my point here, and repeat
again what you said above, I.e. that ARIN cannot make ``definitive''
determinations.  Please don't yield to any such temptation.  Quite
frankly, to the best of my knowledge, no living human can reliably make
any truly ``definitive'' determinations about anything at all.  Only God
can do that.  (And frankly, I harbor lingering suspicions that even He
gets it wrong a fair percentage of the time.)

Nobody expects you to have the infallibility of God... or even of the
Pope.  And nobody is asking you to display such a level of infinite
perfection, least of all me.  But ya know, even in the abundant absence
of certainty in our day-to-day lives, we all still drag ourselves out
of bed in the morning and do the best that we can.  And that's all that
either I or anybody else has any right to ask of you/ARIN or to expect
of you/ARIN.  Just do the best you can.  Are your determinations that
this POC or that POC cannot be contacted, or cannot currently be verified
``definitive''?  No, that's probably too strong a word.  But you/ARIN have
the good sense and the courtesy to publish the information you have gathered
regarding the contactability of POCs anyway, and it's appreciated.  It helps.
Please just do more of it.  This is not an all-or-nothing ``We can't say
anything definitively so we can't say anything at all, ever'' kind of
situation, I think.


2)  You are already (apparently) processing _some_ certain flavors of
``fraud reports''  that come in to you via that nice fancy web form you
folks built and put up on the ARIN web site... you know... the one with
the nice (and misleading) introduction that entices people like me to
take the time to use it to enter reports about incidents that have traditionally
been called around these parts ``hijacking''.

(Note:  That's the word that _you_ used on your web site to say what
should be reported via the form.  Was I a fool to take you at your word?
Let me be clear... I am *not* *not* *not* encouraging you to simply
redact/delete that word from your web site.  No no!  Rather I hope to
encourage you/ARIN to actually accept and at least investigate reports
of _all_ flavors of what we around here used to call good old fashioned
``hijacking'', regardless of whether the perp was gracious enough to
also make your choice clearer by dicking with the relevant WHOIS records
or not.)

So anyway, you are already, obviously, geared up to do ``investigations''.
And you _are_ already doing them.  Yes?  And you are not doing these
investigations just for your health, as the saying goes, correct?  I mean
you have a goal when you do these investigations... an end goal.  Right?
And what is that goal?  What comes out the other end when you feed the
raw facts into the top of this process and then turn the crank?  What do
you have at the end of the day, eh?  Do you have a... ahhh.. conclusion?
Might one even say that at the end of the process, ARIN reaches a
``determination''?  Would you characterize these determinations... which
you obviously use as a basis for further action... as ``definitive
determinations''?  (If not, why not?  And if you use these determinations
as a basis for further action, and yet you claim that they are not actually
``definite determinations'', then aren't you placing ARIN at great risk
of a lawsuit by so doing?)

I think you can see where I'm going with this.  You have, I think, tried to
demur (is that the right word?) on ARIN's behalf, from _either_ investigating
or, subsequently, from issuing any kind of ``determination'' as regards to
whether a given block is being routed by the party or parties who ought to
be routing it, or by some uninvited interloper.  And you have done so on
that basis of your very reasonable sounding claim that ARIN cannot make
``definitive'' determinations about such things.  I would argue that this
claim simply does not wash for two reasons:

    1)  ARIN is _already_, apparently, conducting investigations and thence
	making ``definitive'' determinations, presumably on a routine and
	ongoing basis, about things relating to the allocations that it,
	and it alone, is the official Keeper of Records for.  And ARIN
	is already doing this, even in the absence of God-like certainty
	about the conclusions it reaches, and which it subsequently uses
	as a basis for further action.

    2)  If you (ARIN) claim to be utterly unable to make definitive
	determinations about what blocks belong to who, or who should be routing what,
	then (a) what exactly are we paying you for?? ... just kidding... *I*
	am not personally paying you... but more importantly (b) if even
	*you guys* cannot make definitive determinations about these things,
	then God help the rest of us!  Because we mere mortals out here have
	a lot less data, knowledge, expertise, and experience than you ARIN
	folks have, and if you folks say you can't ``definitively'' figure
	out what belongs to who, then it sounds from where I'm sitting like
	you're saying that things inside of ARIN are just as bad as they were
	inside AIG the day _it_ went belly up... papers scattered all over
	the floors, and nobody even knows what all they actually own.

	Do I think that this is what you are trying to tell me?  No.  Do I
	even for a moment imagine that the inside of your shop... ARIN...
	is a confused and tangled mess like AIG was in its last days?  No.
	No way.  Not at all.  Quite the opposite.  I think you folks... as
	the official Keepers of the Records... can... and apparently _do_
	routinely make ``definitive'' determinations about the proper
	interpretation of the records that you yourselves keep.

	I'd just like to see you get on with it.

	Just saying that you can't ever know anything, definitively, because
	you're not God, is not a compelling argument to support the view
	that you should never do anything, or say anything, because you are
	not omniscient.  None of us are.  But we still get up in the morning
	and go to work.  One does one's best, and leaves the rest to history.


>There are
>some heuristics that will suggest something is "fishy" about use of
>a network block...

SOME???  Try a lot.  (I'll be more than happy to share with you folks anything
and everything that I, bloodhound-like, manage to glean.  All I ask is that
you at least accept it... which the response I received earlier seemed to
indicate that you were not even willing to do.  The teeny little one-inch
by two-inch data entry window you have on your fraud reporting form doesn't
help much either, and is very off-putting in a way that makes it seem like
it was intended to be that way.)

>but are you actually suggesting that ARIN would
>revoke resources as a result of that?

Did I say that?

Again, I have tried to be clear, but in this case it seems that I may have
failed.  No, I *do not* expect ARIN to go out, guns drawn, and start chopping
people's wires.  No, I *do not* expect ARIN to do whatever might be
implied by this terminology you are using now, which is entirely foreign
to me.  I have no real idea what sorts of hot-pokers-up-the-backside you
may be implying by your use of this terminology "revoke resources", but
whatever it means, it certainly sounds terribly ominous and foreboding,
and rather like something that I wouldn't wish on my worst enemy...
especially given the context and the way you phrased your question.

So no, please *do not* go around ``revoking resources''... whatever the hell
that means.  Certainly, if some half-dead, left-for-dead dot-bomb company
has a /18, and if your records still say that they have a /18, then they still
have a /18.  Period.  And if then, some hijacker punk criminal comes along
and starts routing that /18... well... he's a shmuck, and ought to be dealt
with.  But the old Dot-Bomb semi-defunct company still does ``own'' (please
excuse my use of that terminology, which I'm sure you won't approve) that
block.  So you shouldn't be ``revoking'' anything.  That's not what any of
this is about.

All I want from ARIN, and all I expect from ARIN, in cases like these are
(a) at least some willingness and effort expended to investigate and (b)
at least *some sort* of (perhaps minimalist) public statement to the effect
of ``Look folks, we've looked at this, and in our opinion, what's going on
here just doesn't look kosher.''

I would be satisfied if that ``minimalist public statement'' would be in
the form of a discreet little annotation within the relevant WHOIS record(s)...
you know... rather like what you folks are _already_ attaching to POC records,
only maybe worded a little stronger than that, when you can see some really
clear hanky panky going on... as in the cases I have publicised here recently.

Of course, that said, that's kind-of my minimum request.  If it were entirely
up to me, you guys would call a big press conference, with CNN, MSNBC (and
of course, Comedy Central, BUT NOT FIXED NEWS!) every time you caught another
one of these fly-by-night hijacker jokers red-handed... as it would appear I
just have, in at least two of the cases I've reported on.  (I infer that, with
a high level of certainty, from the fact that these nitwits already stopped
announcing routes to the space they had so obviously stolen.  If it was
really yours in the first place, then you wouldn't just give it back the
minute somebody yelled ``thief'', now would you?)  And after the press
conference, everyone would be invited to come out by the pool for free beer
and sandwiches, and a good time would be had by all, as we collectively
burned the hijacker in effigy.  But you know, I'm not really expecting all
of that, so just however much of it you can manage to put together would be
just fine by me.  (Hell!  I'll even volunteer to spring for, and bring, the
beer and the sandwiches.  Did I mention I was from California?  I guess it's
kind-of obvious now, huh?)

So anyway, have I managed, successfully, to make my desires more clear and
apparent now?  I hope so.  No, I neither want nor expect ARIN to be pulling
plugs out of sockets, or to be diddling the global routing table, or to be
``revoking'' anything... least of all any allocations previously made to
some perfectly legit company who, through only the minor sin of inattention,
got their stuff hijacked out from under them.  Revoking _their_ right-to-use
would simply be adding insult to injury.  Don't you agree?  I'd just like
to see investigations and some form of public statement(s) at the ends of
those.  And I won't even mind if you have corporate counsel water down
the public statement so much that it ends up looking like the verbal
equivalent of barely raising an eyebrow.  I do understand that ARIN, like
the rest of us, has to somehow survive and get by in this litigious
environment.  So I don't even care what the public statements say, or even what
subtle or un-subtle forms they take.  Just so long as it is understood,
within the community, that (wink wink nod nod) whenever ARIN says that
``Some evidence suggests that the routing for this block may be non-normative,
as per Paragraph B, Subsection F, of the Addendum to the Bylaws of the
Regulations, updated, (c)1947, (c)1972, revised Sept 27th, 2007, with
respect to E.12 in sum and overview, as pertaining to all parts or to
the sum of the parts, together, when viewed as a unit.'' we all know and
understand that this really means ``hijacked''.  (Ask your corporate
counsel.  I'm sure that he'll be able to suggest some equally obscure and
convoluted way of saying ``hijacked'' without ever actually using that
word itself.  That's what they are best at, after all... making simple
English statements utterly imponderable.[1]) Whatever doesn't get you sued
is fine by me.  As long as you investigate and then say _something_ about
these kinds of cases.

>> In those rare
>> cases where the perp is considerate enough to ALSO fiddle the relevant
>> WHOIS records in some fraudulent way, THEN (apparently) ARIN will get
>> involved, but only to the extent of re-jiggering the WHOIS record(s).
>> Once that's been done, they will happily leave the perp to announce
>> all of the fraudulent routes and hijacked space he wants, in perpetuity.
>
>Correct.  We will revoke the address space, but I'm uncertain what else
>you suggest we do... could you elaborate here?

See above.

Investigate.  Then somehow... in watered-down words, and buried in the
WHOIS records, if necessary... tell us what you found out.

As I've said, I really don't think I'm asking for much.

And I'll say again too, you guys are the Keepers of the Records.  If even
you guys can't say what they mean or how that meaning might or might not
comport with current existing objective reality (as known to us all via
looking glass servers) then God help us all!  Because in that case, I think
we are REALLY screwed, and nobody knows anything, and the next stop is
cannibalism.


Regards,
rfg


P.S.  I meant to also inquire about those POC unable-to-contact annotations.
What should be inferred from those, exactly?  Could you please enumerate the
ways in which your staff try (and sometimes, apparently, fail) to make
contact with these POCs?  Is it all strictly done via e-mail?  Do your
people ever try to _telephone_ any of these folks at the numbers you force
them to give you as part of establishing a POC record in the first place?
Do your people ever try contacting the POCs via snail-mail?

I hope you see where I'm headed.  If some poor fool with too much time on
his hands... you know... like me... submits something via your fraud reporting
form... I mean... you know...after you fix it so that the amount of info
that can be sent to you folks via the form is somewhat bigger than this:

 http://www.active-robots.com/products/intelligent-displays/lcd/16x2lcd-750.jpg

...then my hope is that you would *not* just ``investigate'' by sending off
an e-mail to the purported POC e-mail address, and then waiting a week to
see if anything comes back.  There's this wonderful new invention... you
may have heard of it, although in my experience, an awful lot of Internet
geeks refuse to use it.  Why, I don't really know.  Actually, here is a rare
photo of a geek actually using one:

   http://farm1.static.flickr.com/5/5040260_a2c426a753.jpg

So, you know, if you get a hijacking report, maybe, just maybe, could you
please, please, please pick up the phone and make a call and just even try
to see if the POC is alive or dead?

   http://farm4.static.flickr.com/3433/3176717757_20515698bf.jpg


=======
[1]  See also: "Sir Humphrey Appleby"



