[db-wg] Getting fraudulent entries removed
Job Snijders
job at instituut.net
Thu Nov 9 20:12:38 CET 2017
Hi,

I don’t think a one-off will cut it. This is, and has to be, a continuous
process. A “did you know this happened in RIPE IRR”-notification would be
good when non-auth objects are created. Maybe RPKI ghostbuster and Whois
context info can be used to find the appropriate block owners.

Kind regards,

Job

On Thu, 9 Nov 2017 at 19:44, denis walker <ripedenis at yahoo.co.uk> wrote:

> Hi guys
>
> Perhaps after the RIPE NCC implements the agreed actions on foreign ROUTE
> objects, it would be a good idea to do a (one time?) cleanup/review of all
> foreign ROUTE objects in the RIPE IRR. Find the contact details in the
> appropriate RIR Database for all non RIPE address space covered by these
> ROUTE objects. Send them a notification with a link to click if they
> approve of the ROUTE object. If no response is received within a defined
> time period, delete the ROUTE object.
>
> cheers
> denis
> co-chair DB WG
>
> ------------------------------
> *From:* Job Snijders via db-wg <db-wg at ripe.net>
> *To:* Brian Rak <brak at choopa.com>
> *Cc:* db-wg at ripe.net
> *Sent:* Thursday, 9 November 2017, 17:53
> *Subject:* Re: [db-wg] Getting fraudulent entries removed
>
> Dear Brian,
>
> It appears that RIPE NCC is lacking a clear and expedient procedure to
> remedy unauthorised route object creation. I'd be happy to volunteer to
> work with the RIPE NCC to develop a procedure that aligns with industry
> standards on how to verify abuse reports like these and resolve them in
> a timely manner. (Of course this doesn't help you right now.)
>
> The topic of ARIN space in the RIPE database has been discussed
> extensively. A long thread on this topic started here
> https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005622.html,
> sadly, some people even indicated they don't see an issue with how things
> are right now
> https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005627.html
> Fortunately this was a minority view, and the RIPE NCC is now tasked to
> more clearly mark non-authoritative route objects as can be read here:
> https://www.ripe.net/ripe/mail/archives/routing-wg/2017-October/003456.html
>
> One thing I recommend you do is to set the "OriginAS" through the ARIN
> web interface, this will show the world what the origin AS ought to be:
> https://www.arin.net/resources/originas.html. You could reference this
> field in your communication with RIPE NCC to demonstrate that the RIPE
> IRR version of the route object does not align with your intentions.
>
> Another thing you can do is file complaints with the upstreams of
> AS205869 (some of them visible here https://bgp.he.net/AS205869) Telia
> seems to be their main provider.
>
> Kind regards,
>
> Job
>
> On Thu, Nov 09, 2017 at 11:22:33AM -0500, Brian Rak via db-wg wrote:
> > Hi,
> >
> > We've run into an issue where an unknown malicious party appears to have
> > hijacked some of our IP space. They created entries in the RIPE database
> > that they are using to actually get this space announced. What's even
> > worse is their carrier is trying to say these announcements are
> > legitimate because they have IRR entries (which is a whole other issue)
> >
> > What is the process like for actually getting this fraudulent entry
> > removed? I've been in contact with RIPE NCC Support, and they have been
> > super unhelpful (ref case #14523)
> >
> > The fraudulent entry is:
> >
> > https://apps.db.ripe.net/search/lookup.html?source=ripe&key=198.13.32.0/19AS39967&type=route
> >
> > route:          198.13.32.0/19
> > descr:          2nd route
> > origin:         AS39967
> > mnt-by:         ADMASTER-MNT
> > created:        2017-10-13T00:20:08Z
> > last-modified:  2017-10-13T00:20:08Z
> > source:         RIPE
> >
> > I should also note that this ASN suspiciously appears to be announcing
> > other people's space as well, but I can only confirm that this
> > particular entry does not belong. I would suspect that their other IRR
> > entries are fake as well.
> >
> > You can verify my request by reaching out to any of the POCs associated
> > with this network: https://whois.arin.net/rest/net/NET-198-13-32-0-1
> >
> > Thanks,
> > Brian Rak
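
The continuous check on non-authoritative route objects discussed in this thread can also be run from the resource holder's side. The following is an added example, not part of the original thread and not RIPE NCC tooling: it parses RPSL route objects and reports those that overlap a prefix you hold but carry an origin AS you did not authorise. The second sample object, its maintainer name, and AS64496 (a documentation ASN standing in for the holder's real origin AS, which the thread does not give) are constructed.

```python
import ipaddress

# Constructed sample: the route object quoted in the thread (timestamps
# omitted) plus a made-up control object on a documentation prefix.
SAMPLE_DUMP = """\
route:          198.13.32.0/19
descr:          2nd route
origin:         AS39967
mnt-by:         ADMASTER-MNT
source:         RIPE

route:          192.0.2.0/24
origin:         AS64500
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""

def parse_rpsl(text):
    """Split an RPSL dump into objects: {attribute: [values, ...]}."""
    objects, current, last = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes last object
        if not line.strip():                   # blank line ends an object
            if current:
                objects.append(current)
            current, last = {}, None
        elif line[0] in "#%":                  # comment / server remark
            continue
        elif line[0] in " \t+" and last:       # continuation of previous value
            current[last][-1] += " " + line[1:].strip()
        else:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return objects

def unexpected_routes(dump, holdings):
    """holdings: {prefix: set of authorised origin ASNs} (assumed input).
    Returns (prefix, origin, mnt-by, source) for every route object that
    overlaps a held prefix, more-specifics included, with another origin."""
    held = {ipaddress.ip_network(p): {a.upper() for a in asns}
            for p, asns in holdings.items()}
    findings = []
    for obj in parse_rpsl(dump):
        value = obj.get("route") or obj.get("route6")
        if not value:
            continue
        prefix = ipaddress.ip_network(value[0], strict=False)
        origin = obj.get("origin", [""])[0].upper()
        for net, allowed in held.items():
            if (net.version == prefix.version and net.overlaps(prefix)
                    and origin not in allowed):
                findings.append((str(prefix), origin,
                                 obj.get("mnt-by", ["?"])[0],
                                 obj.get("source", ["?"])[0]))
    return findings
```

Calling `unexpected_routes(SAMPLE_DUMP, {"198.13.32.0/19": {"AS64496"}})` reports the AS39967 object and ignores the control object, which lies outside the held prefix.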