Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

I just got a spam from 103.11.67.105. The containing /24 appears to
be unallocated APNIC space.

RIPE tools seem to say that AS18450 has been routing this block since
around May 23rd.

I see this kind of stuff almost every day now, it seems. And you know,
there are days when I really do start to wonder "Has the Internet gone
mad?"

I'm going to call these turkeys right now and just ask them, point
blank, what the bleep they think they're doing, routing unallocated
APNIC space. But if history is any guide, this is probably going to
turn out to be another one of these "absentee landlord" kinds of ASes,
where all they have is an answering machine.

I have to either laugh or cry when I see people posting here about the
non-functionality of abuse@ email addresses, and then see other people
saying "Well, this is why all ASes also have phone numbers."

I wish I had a dollar for every AS I had ever tried to contact where
-neither- the abuse@ address -nor- the phone number got me to any
actual human being.

Regards,
rfg

Makin' phat stacks.

One thing the RIRs could do is put pressure on AS's to not route
these objects, and start producing daily public output scores
for these orgs, and emailing them -- ultimately threatening them
with de-reg of their assets if they don't stop this nonsense.
Furthermore, could get the route db's involved in dereg threats.

Is the political will there tho?

Right now there's no stigma beyond nanog-l in being a bad actor
from where I sit.

/kc

How does one get ARIN to register resources to come up with this result?

https://whois.arin.net/rest/nets;q=103.11.67.105

The /16 is APNIC but there are 2 subnets that appear to be allocated from
ARIN. Having just typed 'whois 103.11.67.105' I completely missed the fact
that the supernet was APNIC until I checked the web interface.

--Doug

Spammers are doing a great job abusing the gaps in the systems. Another
common pattern in the last 12-14 months has been a combination of squatting
on an AS, forging some business documentation, buying transit to an IX, and
proceeding to hijack prefixes over bilateral peering sessions.

Pain in the rear to catch, even worse when the IX and transit providers
aren't receptive to do anything about it when it's brought to their
attention because the business docs used to instantiate those services are
'good enough', and they have a fiduciary interest in _not_ disconnecting
the IX port or circuit.

This will continue to be the norm until prefix validation is standardized
and in widespread use.

In message <20161028220510.GF14457@sizone.org>,

>>I'm going to call these turkeys right now and just ask them, point
>>blank, what the bleep they think they're doing, routing unallocated
>>APNIC space.
>
>Makin' phat stacks.
>
>One thing the RIRs could do is put pressure on AS's to not route
>these objects,

Will never happen. The RiRs have been crystal clear, and also utterly
consistent... "Not our job man! We am not the Internetz Police."

The thing that really baffles me about this kind of thing is how this
kind of crud can happen in the first place, and also, even more baffling,
how it can persist for months on end without anybody even noticing.

I'm looking at this:

   http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=103.11.67.105

which appears to provide a nice list of the rest of the netwits who are
also to blame for this one particular singular bit of idiocy:

     AS2914 -- NTT America, Inc.
     AS1299 -- Telia Company AB
     AS12798 -- Ace Data Centers, Inc.
     AS174 -- Cogent Communications
     AS6939 -- Hurricane Electric, Inc.
     AS3491 -- PCCW Global
     AS7922 -- Comcast Cable Communications, LLC
     AS6762 -- Telecom Italia Sparkle / Seabone
     AS10026 -- Pacnet Global Ltd
     AS11798 -- Ace Data Centers, Inc.

So, um, is it really the case that -none- of the above companies have even
noticed that anything was amiss here, and that all have failed to do so for
months on end? (Or did they notice, but then felt it wasn't their place to
say anything about it?)

Sorry if those are stupid or naive questions, but...

           "The more I know, the less I understand."
                                 -- Don Henley

Is this just another one of these cases where everybody is responsible and
thus, nobody is?

Is it really the case that none of the above companies ever check that what
their peers announce is consistent with any routing registry?

I don't pretend to understand this stuff. Somebody please 'splain it to
me. I'll be much obliged.

Regards,
rfg

Ronald F. Guilmette wrote:

> Will never happen. The RiRs have been crystal clear, and also utterly
> consistent... "Not our job man! We am not the Internetz Police."

Ron,

Maybe you could suggest some ideas about how the RIRs can stop someone
from illegally squatting space?

Nick

If the space is unassigned, could the rir announce the space to park it to
null0. And register it in spamhaus ?

This would make the rir the custodian of the space in their possession

CB

Ca By wrote:

> If the space is unassigned, could the rir announce the space to park it
> to null0. And register it in spamhaus ?
>
> This would make the rir the custodian of the space in their possession

The space isn't unallocated. It's allocated, but the assignee hasn't
announced it in the dfz.

There are some statistics about unallocated space here:

http://www.potaroo.net/tools/ipv4/index.html

summary: this isn't the problem area.

Nick

> Ronald F. Guilmette wrote:
>> Will never happen. The RiRs have been crystal clear, and also utterly
>> consistent... "Not our job man! We am not the Internetz Police."
>
> Ron,
>
> Maybe you could suggest some ideas about how the RIRs can stop someone
> from illegally squatting space?

It's not the RIR's job. They already provide the framework for
ISP's to do the job of policing route announcements themselves.
ISP's just need to use that framework.

Mark Andrews wrote:

> It's not the RIR's job. They already provide the framework for
> ISP's to do the job of policing route announcements themselves.
> ISP's just need to use that framework.

Ron thinks otherwise. I'd like to understand what he thinks they can do
to stop this.

Nick

In message <CADVNyRb-LE2GAgxae149RUwz5fkzQh-9Es6ZcEg_e0N7LVDa9g@mail.gmail.com>

> How does one get ARIN to register resources to come up with this result?
>
> Whois-RWS
>
> The /16 is APNIC but there are 2 subnets that appear to be allocated from
> ARIN. Having just typed 'whois 103.11.67.105' I completely missed the fact
> that the supernet was APNIC until I checked the web interface.

Oh!! Wow!! I totally missed this also, i.e. that ARIN is showing an
allocation for 103.11.64.0/22 to HostUs.Us in Texas.

That's really weird, but even that doesn't either explain or excuse
what still looks like an illicit squat (by an unrelated Los Angeles
company) on the 103.11.67.0/24 block to me... perhaps one that's been
re-sold to a spammer (which seems possible, given the spam I got).

In my own defense, I didn't see the ARIN allocation because I have a
normative process that I use for looking up IP addresses. It's
hierarchical, and I always start with whatever whois.iana.org has to
say. And it says that 103.0.0.0/8 belongs to APNIC, so of course,
I only looked at what whois.apnic.net had to say about 103.11.67.105.
And it says that it's unallocated. (And apparently, data shown for
announced prefixes on the bgp.he.net web site is also obtained in this
same straightforward way, because it also is showing 103.11.67.0/24 as
registered to "Asia Pacific Network Information Centre".)

This isn't the first time I've wished that the right hand knew (or cared)
what the left hand was doing. I've asked the folks at IANA about this
sort of thing in the past, i.e. them giving pointers to the apparently
wrong RiR whois server, and they just won't fix it. They just shrug and
say "Not our problem man!" And in this case, maybe they're right. If
APNIC gave two subparts of 103/8 to ARIN, it might have been helpful
if their own whois server was made aware of that fact.

Sigh. I have to keep reminding myself of what one friend of mine keeps
on telling me... "Ron, there you go again, trying to think about these
things logically."

Regards,
rfg

In message <5813DACD.3000309@foobar.org>,

> Ronald F. Guilmette wrote:
>> Will never happen. The RiRs have been crystal clear, and also utterly
>> consistent... "Not our job man! We am not the Internetz Police."
>
> Ron,
>
> Maybe you could suggest some ideas about how the RIRs can stop someone
> from illegally squatting space?

Oh, don't get me wrong. I never said that I either could or would
suggest how to convert RiRs into The Internet Police. Nor did I suggest
that such a conversion would even be either prudent or advisable.
(I am not persuaded that it would be.)

We have a longstanding 20 or 30 year tradition/precedent and a division
of labor that -does not- allocate to RiRs any responsibility for, or
authority over anything to do with what routes people announce, and I
am certainly not even nearly so presumptive as to believe that I either
can or should try to roll back 30 years of history and ask everyone to
start all over again and build governance structures anew, from scratch.
(Doing so would be both silly and the very height of arrogance on my part.)

I nonetheless feel free to note, and to bemoan, the current utter lack
of -any- authority which routinely notices apparent routing funny business
and/or which works, on a routine basis, to try to put a stop to it all.

I do not suggest that RiRs should be "minding the store" with respect to
route announcements. I do think it would be helpful if -somebody- were
doing so. My own occasional and strictly ad hoc efforts have only succeeded
in convincing me of how extensive the problem is, and how dire a need there
is for a more rigorous solution.

Regards,
rfg

In message <5813E03E.6060907@foobar.org>,

> Mark Andrews wrote:
>> It's not the RIR's job. They already provide the framework for
>> ISP's to do the job of policing route announcements themselves.
>> ISP's just need to use that framework.
>
> Ron thinks otherwise.

No, I don't. You have made an incorrect inference from the text of my
actual comment.

In my actual comment I merely noted that RIRs are in fact -not- the
Internet Police, and that none of them have ever displayed even the
slightest desire to become that (and indeed, when asked, they have,
without exception, exhibited a clear desire -not- to be assigned any
such role).

These observations on my part are all merely recitations of well-
established historical facts, all of which are easily verifiable by
anyone with a browser. I made no comment at all about who, if anyone,
should be tasked to take on the role of The Routing Police.

And indeed, if asked, I would express some degree of skepticism about
the ability of RIRs to even reliably execute their existing data base
maintenance responsibilities to a level which I personally would find
entirely satisfactory. (The apparent goofiness relating to 103.11.64.0/22
is just one very small example of this, there being also many other and
more serious issues that I could also cite, if pressed, relating strictly
to allocation functions and/or to WHOIS data base issues.)

Given that I do not have an entirely unequivocal admiration for the
quality and consistency of the work that RIRs are already clearly
responsible for, do you really believe that it would be my first
choice to assign an entirely separate but equally critical set of
-new- authorities and responsibilities to the RiRs? If so, please
allow me to disabuse you of that notion. (I am also and likewise not
likely to support any effort by any part of the United States federal
government to assign new authorities and responsibilities to the Office
of Personnel Management.)

Regards,
rfg

P.S. I may be wrong about this, but it has come to my attention that
many, most, or all of the WHOIS records reflecting allocations made by
the AFRINIC RIR are utterly devoid of either (a) information specifying
the dates on which the relevant allocations were made or (b) email
contact addresses for the relevant number resource registrants.

I am, of course, utterly appalled by the apparent inability of this RIR
to maintain a WHOIS data base which even approximates the modest and
minimal level of relevant information commonly available from the WHOIS
data bases of other and older RIRs.

Link to documentation on how to use that framework?

I would use LACNIC’s whois server for these queries. They have info from all the registries, which is an amazing service that seems beyond the other RIRs.

whois -h whois.lacnic.net 103.11.67.105

HostUS HOSTUS-IPV4-5 (NET-103-11-64-0-1) 103.11.64.0 - 103.11.67.255
Gaiacom, L.C. SOLVPS-103-11-67-0-24 (NET-103-11-67-0-1) 103.11.67.0 - 103.11.67.255

Mike

Ronald F. Guilmette wrote:

> I always start with whatever whois.iana.org has to
> say. And it says that 103.0.0.0/8 belongs to APNIC, so of course,
> I only looked at what whois.apnic.net had to say about 103.11.67.105.

yeah, this prefix was transferred from APNIC to ARIN. You can search
for the details here:

There's a full log on their ftp site:

ftp://ftp.apnic.net/public/transfers/apnic/transfer-apnic-latest

No doubt other RIRs have their own transfer listings.

> This isn't the first time I've wished that the right hand knew (or cared)
> what the left hand was doing. I've asked the folks at IANA about this
> sort of thing in the past, i.e. them giving pointers to the apparently
> wrong RiR whois server, and they just won't fix it.

It's not an IANA problem to fix. IANA handles the initial allocation to
the RIR, but does not account for subsequent inter-RIR transfers. There
are 5 RIRs, so 20 different ways for data to flow, and IANA is no longer
authoritative for the address space once it's been RIR-allocated. This
excludes ERX space, which is another bundle of fun.

I.e. you should no longer depend on whois.iana.org for accurate resource
delegation information.

The LACNIC whois server (whois.lacnic.net) appears to maintain pointer
information, judging by a couple of queries.

Nick
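
The lookup pitfall discussed in this thread, as an added example that is not part of any poster's message: starting from the IANA /8 and asking only the RIR it names misses space transferred to another registry, while consulting every registry and keeping the most specific record finds it. The registry table and function names are constructed for illustration; the two ARIN summary lines are the ones quoted above.

```python
import ipaddress
import re

# IANA's top-level view, as stated in the thread: 103.0.0.0/8 is APNIC's.
IANA_SLASH8 = {ipaddress.ip_network("103.0.0.0/8"): "APNIC"}

# The two ARIN summary lines quoted in the thread (via whois.lacnic.net).
ARIN_SUMMARY = """\
HostUS HOSTUS-IPV4-5 (NET-103-11-64-0-1) 103.11.64.0 - 103.11.67.255
Gaiacom, L.C. SOLVPS-103-11-67-0-24 (NET-103-11-67-0-1) 103.11.67.0 - 103.11.67.255
"""

SUMMARY_RE = re.compile(
    r"^(?P<org>.+?)\s+(?P<name>\S+)\s+\((?P<handle>NET-[\d-]+)\)\s+"
    r"(?P<first>[\d.]+)\s+-\s+(?P<last>[\d.]+)$"
)

def parse_summary(text, registry):
    """Turn 'Org NAME (NET-handle) first - last' lines into CIDR records."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a summary line
        first = ipaddress.ip_address(m["first"])
        last = ipaddress.ip_address(m["last"])
        for net in ipaddress.summarize_address_range(first, last):
            records.append({"net": net, "org": m["org"],
                            "handle": m["handle"], "registry": registry})
    return records

# Constructed registry view: APNIC holds no record for this range
# (the thread reports whois.apnic.net showing it as unallocated).
REGISTRIES = {"APNIC": [], "ARIN": parse_summary(ARIN_SUMMARY, "ARIN")}

def most_specific(addr, records):
    """Longest-prefix match of one address against a list of records."""
    hits = [r for r in records if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)

def hierarchical_lookup(ip, registries=REGISTRIES):
    """IANA /8 -> only that RIR: the lookup order described in the thread."""
    addr = ipaddress.ip_address(ip)
    rir = next((r for net, r in IANA_SLASH8.items() if addr in net), None)
    return rir, most_specific(addr, registries.get(rir, []))

def all_registry_lookup(ip, registries=REGISTRIES):
    """Consult every registry and keep the longest matching registration."""
    addr = ipaddress.ip_address(ip)
    merged = [r for recs in registries.values() for r in recs]
    return most_specific(addr, merged)

if __name__ == "__main__":
    print(hierarchical_lookup("103.11.67.105"))
    print(all_registry_lookup("103.11.67.105"))
```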

Ronald F. Guilmette wrote:

> In my actual comment I merely noted that RIRs are in fact -not- the
> Internet Police, and that none of them have ever displayed even the
> slightest desire to become that (and indeed, when asked, they have,
> without exception, exhibited a clear desire -not- to be assigned any
> such role).

just to be clear: this is a bottom up position, not top-down. The
registry roles of the RIRs exist by mandate of the communities they
serve to provide a database of integer allocations and assignments. If
there's been no inclination to become "Internet Police", it's because
their memberships do not want their respective RIRs to take on this role.

> Given that I do not have an entirely unequivocal admiration for the
> quality and consistency of the work that RIRs are already clearly
> responsible for, do you really believe that it would be my first
> choice to assign an entirely separate but equally critical set of
> -new- authorities and responsibilities to the RiRs?

This will, of course, vary between RIRs. At least in the RIPE NCC
service region, all allocations and assignments by the RIPE NCC are
covered by written contractual links and complete records of these
contracts are kept by the organisation. Sub-assignments by LIRs may not
be as accurate. Other RIR service regions will have different policies.

> P.S. I may be wrong about this, but it has come to my attention that
> many, most, or all of the WHOIS records reflecting allocations made by
> the AFRINIC RIR are utterly devoid of either (a) information specifying
> the dates on which the relevant allocations were made or (b) email
> contact addresses for the relevant number resource registrants.

Works fine for me. Did you use the "-B" flag when querying the Afrinic
irrdb?

% whois -h whois.afrinic.net " -B x.x.x.x"

Nick

> There are 5 RIRs, so 20 different ways for data to flow, and IANA is
> no longer authoritative for the address space once it's been
> RIR-allocated.

While true, hopefully referrals in RDAP will address the need to identify registration information down to the leaves.

> I.e. you should no longer depend on whois.iana.org for accurate resource
> delegation information.

Well, it should be accurate at the top-level delegation (albeit, the IANA Whois server only deals with /8s).

Regards,
-drc
(speaking only for myself)

In message <5814696F.3060106@foobar.org>,

> Ronald F. Guilmette wrote:
>> I always start with whatever whois.iana.org has to
>> say. And it says that 103.0.0.0/8 belongs to APNIC, so of course,
>> I only looked at what whois.apnic.net had to say about 103.11.67.105.
>
> yeah, this prefix was transferred from APNIC to ARIN. You can search
> for the details here:
>
> Transfer logs – APNIC

Oh, geeeezzzzz! ...

    Showing 1 to 10 of 1,823 entries

>> This isn't the first time I've wished that the right hand knew (or cared)
>> what the left hand was doing. I've asked the folks at IANA about this
>> sort of thing in the past, i.e. them giving pointers to the apparently
>> wrong RiR whois server, and they just won't fix it.
>
> It's not an IANA problem to fix. IANA handles the initial allocation...

You are correct. In this case, it would have been helpful if APNIC's WHOIS
server returned something, when queried about 103.11.67.105, that would
include an explicit referral to the ARIN WHOIS server. I mean they
obviously know all the transfers they've made.

But I guess that somebody somewhere decided that that's just too much
trouble.

Regards,
rfg

In message <58146E84.3030000@foobar.org>,

>> P.S. I may be wrong about this, but it has come to my attention that
>> many, most, or all of the WHOIS records reflecting allocations made by
>> the AFRINIC RIR are utterly devoid of either (a) information specifying
>> the dates on which the relevant allocations were made or (b) email
>> contact addresses for the relevant number resource registrants.
>
> Works fine for me. Did you use the "-B" flag when querying the Afrinic
> irrdb?

I wasn't talking about irrdb. I was just talking about the WHOIS records
for IPv4 allocations within the AFRINIC region.

Anyway, yes, I do believe that I used the -B flag. But nonetheless, I
really did see some AFRINIC WHOIS records that had -no- email contacts,
nor any date information.

I will have to try to see if I can dredge those out again.

But my overall point remains. If there were ever to be an election where
we were all asked who we wanted to see become the once and future Routing
Police, the RIRs would not be my own personal first choice.

Regards,
rfg