AS11296 -- Hijacked? (ARIN region & hijacking)
John Curran
jcurran at arin.net
Sun Oct 3 02:05:41 UTC 2010
On Oct 2, 2010, at 7:59 PM, James Hess wrote:
> So, I wonder why only ARIN itself is singled out.. Have other RIRs
> found something much better to do with fraud reports? This matters,
> because scammers can concentrate on whichever IP blocks are easiest to hijack.
The reason: approximately 15000 legacy address blocks which ARIN became the
successor registry for at its formation, many of which hadn't been updated
since they were allocated. In the other regions, there are significantly
fewer early allocations where the holders haven't also been involved on an
ongoing basis in the combined registry/operator forum in the region. Two
particular quirks of this region are that the registry is not combined with
the operator forum, and that many of the assignments from the earliest days
of the Internet are in this region, made with minimal documentation, and were
often forgotten or never put into publicly routed use...
Ergo, when a party appears and says that they'd like to update the contacts
on their WHOIS record, and we see an organization which exists back to the
original allocation, it is fairly straightforward to make it happen and know
that we're not facilitating a hijacking. For this reason, legacy holders are
allowed to change anything except the organization name without requiring
documentation.
It gets more challenging when you instead have a different organization name
XYX, which states it is the rightful holder of NET-ABC123 because it acquired
JKL company which in theory had earlier bought the right piece of company ABC
which is now defunct but never updated any of the IP records post business deal,
and no one from ABC or JKL can be found and the public records may indeed show
that JKL bought some part of ABC but most assuredly don't say anything about
networks or as#'s... Circumstances such as the aforementioned are regretfully
the rule, not the exception.
(As an aside, I'll note that we do also look at the historical routing of the
address block, since that provides some insight which often can corroborate
an otherwise weak documentary record.)
Now, we really want folks to come in and update their records but when it
comes to updating the actual organization name for an address block, we either
need to hold the line on legal/commercial documents (which reduces hijacking
but almost sends some legitimate but underdocumented legacy folks away) or we
can simply have folks attest to their view of reality and update the records
accordingly (which will get us much more current Whois records but with
"current" not necessarily implying any more accurate records...)
This is *your* (the collective "your") WHOIS database, and ARIN will administer
it per any policy adopted by the community.
/John
John Curran
President and CEO
ARIN
P.S. I will note that we fully have the potential to recreate this problem
in IPv6 if we're not careful, and establishing some very clear record
keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to
be very important if we ever hope to determine the party using a given
IPv6 block in just a few short years...