Proof of ownership; when someone demands you remove a prefix
nop at imap.cc
nop at imap.cc
Mon Mar 12 19:07:37 UTC 2018
I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care who they lease to, for example Logicweb, Cloudinnovation ( see bgp.he.net/search?search[search]=cloudinnovation+OR+%22cloud+innovation%22 ), Digital Energy-host1plus. The ranges get abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from youtube/google/etc for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly for further resale.
On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
> On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists at gmail.com>
> > We recently received a demand to stop announcing a "fraudulent" prefix. Is
> > there an industry best practice when handling these kind of requests? Do
> > you
> > have personal or company-specific preferences or requirements? To the best
> > of my knowledge, we've rarely, if ever, received such a request. This is
> > relatively new territory.
> This could definitely be an attempt at a DoS attack, and wouldn't be the
> first time I've heard of something like this being done as such.
> I thought about requesting they make changes to their RIR database objects
> > to confirm ownership, but all that does is verify that person has access to
> > the account tied to the ORG/resource, not ownership. Current entries in the
> > database list the same ORG and contact that signed the LOA. When do you get
> > to the point where things look "good enough" to believe someone?
> They may also be leasing one chunk of space from an organization without
> actually having access to the RIR db too - in that case, they could ask the
> org they are leasing from to put in a SWIP with the RIR, but if they don't
> choose to, then that's not a hard requirement.
> On the same token, having access to the org account at the RIR pretty much
> makes you as legitimate as you're going to be as far as any of us can
> really tell. If there's an issue where the RIR account has been
> compromised, then that issue lies between the RIR and their customer, and
> isn't really your business because you have no way to know whatsoever.
> > Has anyone gone so far as to make the requestor provide something like a
> > notarized copy stating ownership? Have you ever gotten legal departments
> > involved? The RIR?
> A notarized copy stating *ownership* seems overboard. Lots of
> organizations lease IPv4 space, and lots more now since depletion in many
> regions, and their use of it is entirely legitimate in accordance with
> their contractual rights established in the lease agreement with the
> owner. I'd probably think about looking at the contact info in the RIR
> whois and ask them, if I had a situation like this myself. Ultimately, the
> RIR's contact which would be in their whois db should be authoritative more
> so than anyone else. I doubt the RIR would be able to say much if you
> contacted them beyond that everything that isn't in whois isn't something
> they'd share publicly.
> Take care,
More information about the NANOG