This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[members-discuss] Complaints against LIRs ignored by NCC
Henrik Kramshøj Solido NOC abuse
noc at solido.net
Fri Nov 22 14:39:41 CET 2013
On 22/11/2013, at 13.47, Alexandr Gurbo <a.gurbo at severen.net> wrote:

> Sascha Luck,
>
> You are really believe, that so large ip addresses Mr Lu used in so small period of time??? Wake up!
>
> This is only large blocks as said topic starter.
> 5.224.0.0/15 - RIPE - 131.070 IPs - 2012.09
> 5.132.0.0/16 - RIPE - 65.534 IPs - 2012.07
> 37.222.0.0/15 - RIPE - 131.070 IPs - 2012.04
> 31.201.0.0/16 - RIPE - 65.534 IPs - 2011.04
> 46.136.0.0/16 - RIPE - 65.534 IPs - 2010.11
>
> Try it for yourself to explore for example block 5.224.0.0/15. Traces, announces, netnames, etc,...
> I see only country code changed in different subnets from this block: GB, SE, SG, ... It looks like the resources in reserve.

I did a quick look using asused, and it seems there are whois records - they are very generic and by /24, and the sum is:

Detail of allocation(s)
------------------------------------------------------------------------------
Range           Database Allocation             a s s i g n e d
                                                     %      No.    free   total
------------------------------------------------------------------------------
31.201.0.0/16   31.201.0.0 - 31.201.255.255       0.0%        0   65536   65536
37.222.0.0/15   37.222.0.0 - 37.223.255.255     100.0%   131072       0  131072
46.136.0.0/16   46.136.0.0 - 46.136.255.255     100.0%    65536       0   65536
5.132.0.0/16    5.132.0.0 - 5.132.255.255        75.4%    49408   16128   65536
5.224.0.0/15    5.224.0.0 - 5.225.255.255       100.0%   131072       0  131072
------------------------------------------------------------------------------

I have no reason to believe currently that RIPE would treat Mr H.Lu any different from the rest, so I guess there is supporting evidence from the processing of those requests.

I would like this matter to go back to RIPE, which due to this thread would be quite arrogant if NOT performing an audit. So perform an audit, and process this like any other reported ticket.

I can confirm Mr H. Lu was at RIPE65 in Amsterdam, and we did talk a bit during the social and he is "available" for talking.
Full-disclosure, I have not done business with him or know him more than this.

and FWIW below are some show routes from our active core router.

I gather: The networks ARE being announced on the internet, and I receive them from multiple providers such as AS1299 Telia, AS174 Cogent, so if this is a fraudulent network it at least has ISPs providing connectivity.

hlk at MX-CPH-01> show route 31.201.0.0/16 table i.inet.0

i.inet.0: 468863 destinations, 1373449 routes (467423 active, 15 holddown, 468196 hidden)
+ = Active Route, - = Last Active, * = Both

31.201.0.0/16      *[BGP/170] 2d 13:19:16, MED 912080, localpref 110
                      AS path: 174 35916 35916 I
                    > to 149.6.136.29 via xe-0/1/1.0
                    [BGP/170] 11w0d 05:18:54, localpref 110, from 94.126.183.247
                      AS path: 1299 3561 35916 I
                    > to 94.126.176.27 via ae2.35
31.201.128.0/17    *[BGP/170] 2d 13:19:16, MED 912080, localpref 110
                      AS path: 174 35916 35916 I
                    > to 149.6.136.29 via xe-0/1/1.0
                    [BGP/170] 11w0d 05:18:54, localpref 110, from 94.126.183.247
                      AS path: 1299 3561 35916 I
                    > to 94.126.176.27 via ae2.35

hlk at MX-CPH-01> show route 37.222.0.0/15 table i.inet.0

i.inet.0: 468848 destinations, 1373598 routes (467422 active, 1 holddown, 468190 hidden)
+ = Active Route, - = Last Active, * = Both

37.222.0.0/15      *[BGP/170] 11w0d 05:19:12, localpref 150, from 94.126.183.247
                      AS path: 1299 16276 I
                    > to 94.126.176.27 via ae2.35
                    [BGP/170] 2d 13:19:35, MED 774040, localpref 110
                      AS path: 174 16276 I
                    > to 149.6.136.29 via xe-0/1/1.0
37.222.128.0/17    *[BGP/170] 2d 13:19:34, MED 912080, localpref 110
                      AS path: 174 35916 35916 I
                    > to 149.6.136.29 via xe-0/1/1.0
                    [BGP/170] 11w0d 05:19:12, localpref 110, from 94.126.183.247
                      AS path: 1299 3561 35916 I
                    > to 94.126.176.27 via ae2.35

I did check the others, and you can perform your own investigations using RIPEstat?
Best regards

Henrik

--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
internet samurai cand.scient CISSP
hlk at kramse.org hlk at solidonetworks.com
+45 2026 6000
http://solidonetworks.com/
Network Security is a business enabler
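The route check in the message above can be repeated mechanically. The following is an added example, not part of the original message: it parses an excerpt of the `show route` output quoted above (next-hop lines trimmed) and reports, per prefix, the origin AS and the neighbour ASes it was learned from. The function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of the route output quoted in the message (next-hop lines trimmed).
SAMPLE = """\
31.201.0.0/16      *[BGP/170] 2d 13:19:16, MED 912080, localpref 110
                      AS path: 174 35916 35916 I
                    [BGP/170] 11w0d 05:18:54, localpref 110, from 94.126.183.247
                      AS path: 1299 3561 35916 I
37.222.0.0/15      *[BGP/170] 11w0d 05:19:12, localpref 150, from 94.126.183.247
                      AS path: 1299 16276 I
                    [BGP/170] 2d 13:19:35, MED 774040, localpref 110
                      AS path: 174 16276 I
37.222.128.0/17    *[BGP/170] 2d 13:19:34, MED 912080, localpref 110
                      AS path: 174 35916 35916 I
                    [BGP/170] 11w0d 05:19:12, localpref 110, from 94.126.183.247
                      AS path: 1299 3561 35916 I
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s")
ASPATH_RE = re.compile(r"AS path:\s+([\d\s]+?)\s+[IE?]\s*$")  # I/E/? = origin code

def summarize_routes(text):
    """Map each prefix to the origin ASes and first-hop (upstream) ASes seen."""
    out, current = {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = ipaddress.ip_network(m.group(1))
            out[current] = {"origins": set(), "upstreams": set()}
        m = ASPATH_RE.search(line)
        if m and current is not None:
            path = [int(a) for a in m.group(1).split()]
            out[current]["upstreams"].add(path[0])  # AS the route was learned from
            out[current]["origins"].add(path[-1])   # last AS originates the prefix
    return out

def origin_differs_from_covering(summary):
    """More-specifics whose origin AS set differs from a covering prefix's."""
    hits = []
    for net, e in summary.items():
        for cover, c in summary.items():
            if net != cover and net.subnet_of(cover) and e["origins"] != c["origins"]:
                hits.append((str(net), str(cover)))
    return hits

if __name__ == "__main__":
    s = summarize_routes(SAMPLE)
    for net, e in s.items():
        print(net, "origin", sorted(e["origins"]), "via", sorted(e["upstreams"]))
    print("origin differs:", origin_differs_from_covering(s))
```

A differing origin on a more-specific is normal for delegated sub-blocks; the output is a list of prefixes to look up in the routing registry, not a finding by itself.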