AS11296 -- Hijacked? (ARIN region & hijacking)

John Curran jcurran at arin.net
Sun Oct 3 02:05:41 UTC 2010


On Oct 2, 2010, at 7:59 PM, James Hess wrote:

> So, I wonder why only ARIN itself is singled out.. Have other RIRs
> found something much better to do with fraud reports?   This matters,  
> because scammers can concentrate on whichever IP blocks are easiest to hijack.

The reason: approximately 15000 legacy address blocks which ARIN became the 
successor registry for at its formation, many of which hadn't been updated 
since they were allocated.  In the other regions, there are significantly 
fewer early allocations where the holders haven't also been involved on an
ongoing basis in the combined registry/operator forum in the region. Two
particular quirks of this region are that the registry is not combined with
the operator forum, and many of the assignments from the earliest days of the
Internet are in this region, made with minimal documentation, and were often
forgotten or never put into publicly routed use...

Ergo, when a party appears and says that they'd like to update the contacts
on their WHOIS record, and we see an organization which exists back to the 
original allocation, it is fairly straightforward to make it happen and know
that we're not facilitating a hijacking.  For this reason, legacy holders are 
allowed to change anything except the organization name without requiring
documentation.

It gets more challenging when you instead have a different organization name 
XYX, which states it is the rightful holder of NET-ABC123 because it acquired 
JKL company which in theory had earlier bought the right piece of company ABC 
which is now defunct but never updated any of the IP records post business deal,
and no one from ABC or JKL can be found and the public records may indeed show
that JKL bought some part of ABC but most assuredly don't say anything about 
networks or AS#'s...  Circumstances such as the aforementioned are regretfully 
the rule, not the exception.

(As an aside, I'll note that we do also look at the historical routing of the 
address block, since that provides some insight which often can corroborate 
an otherwise weak documentary record.)

Now, we really want folks to come in and update their records, but when it 
comes to updating the actual organization name for an address block, we either
need to hold the line on legal/commercial documents (which reduces hijacking 
but almost sends some legitimate but underdocumented legacy folks away) or we 
can simply have folks attest to their view of reality and update the records 
accordingly (which will get us much more current Whois records, but with 
"current" not necessarily implying any more accurate records...)

This is *your* (the collective "your") WHOIS database, and ARIN will administer
it per any policy which is adopted by the community.

/John

John Curran
President and CEO
ARIN

P.S.  I will note that we fully have the potential to recreate this problem 
      in IPv6 if we're not careful, and establishing some very clear record 
      keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to
      be very important if we ever hope to determine the party using a given 
      IPv6 block in just a few short years...