Completewhois Bogons Project - Initial Intro

Hello all,

I've been working on creating a bogon IP filtering system in order to stop
some of the dangerous activity that I've seen IP blocks not listed in
whois used for, and now have a first "milestone" to report. A complete
list of unallocated (bogon) IP space collected based on whois data from
all RIRs is now ready for your use. For more info, please see
http://www.completewhois.com/bogons/
and for the actual bogon IP lists see
http://www.completewhois.com/bogons/bogonips_lists.htm

This data is updated daily based on current whois data by two of our servers,
and the results are compared to make sure they are the same on both servers
before final updates are made public. The majority of the data comes from whois,
where we've written scripts that examine RIR bulk whois data and produce info on
used and unused space based on that. Those who want "raw" data and want to create
a list of only certain /8 blocks can also get all the files in the
http://www.completewhois.com/bogons/data/ directory.

We also have a DNS-based service running at bogons.dnsiplists.completewhois.com
that can be used to check if any IP is allocated by an RIR or not. This is used
the same way as similar RBL servers used for email servers and has been used by
about 10 beta testers for the last 30 days without any problems. For more info see
http://www.completewhois.com/bogons/bogons_usage.htm

The lists in their current form are too large to be used directly on routers
as ACLs, so the next step to fully deal with it, in my view, is to simply not
accept such routes from peers and customers in the first place. Since
many use RPSL route databases (whois.radb.net and similar), I'm working on
such a database for bogons as well, but actual RPSL filtering does not work
because, again, the IP lists are too large to all be added into one filter.
I therefore need your help in deciding how best to present the lists in an
RPSL database that others could use with minimum modifications to the existing
software ISPs have. I've set up a separate mailing list at
  http://www.completewhois.com/mailman/listinfo/bogons
  (or email to bogons-subscribe@completewhois.com)
to talk about this and would like some of you who are experts in RPSL
routing databases and their use to help me develop this and test it. The
work will be done after the NANOG & ARIN meetings, so I might make another
call for volunteers after the conferences.

Another way would be creating a route server to provide the list in BGP form.
If you would like to sign up to beta-test it when this is ready (end of
November most likely), please let me know as well, including your ASN.
I did try to get a specific ASN assigned by ARIN for use for such a service
(also I suspect this would be useful for the RPSL server to tie all lists
together), but ARIN unfortunately said such an ASN cannot be assigned as it
would not be used for multihoming. I'll try again provided they pass the
experimental resource allocation policy, but otherwise if there is
somebody here from some RIPE LIR who would like to sponsor me there under
RIPE's experimental resource policies, please let me know.

Finally, below are the results of comparing the bogon IP lists to the active BGP
table as seen at Oregon University Route Views. As you might expect, this looks
similar to what cidr-report posts every week but includes several additional
routes as well (and the problem is really bad for APNIC blocks, is anybody
at Telstra actually listening?). This file of active bogons is updated daily
and available at http://www.completewhois.com/bogons/active_bogons.htm
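
The route-versus-bogon comparison described above, as an added example that is not part of the original post or of the completewhois scripts: it converts start-end bogon ranges to CIDR blocks and flags announced prefixes that fall inside or cover them. The function names are hypothetical, and the sample routes reuse values from the listing quoted in this thread plus one constructed non-bogon route.

```python
import ipaddress

# Values quoted in this thread's listing, plus one constructed clean route.
ROUTES = [
    ("194.59.176.0/20", 1273),
    ("207.47.39.0/24", 816),
    ("198.51.100.0/24", 64500),  # constructed: overlaps no bogon range
]
BOGON_RANGES = [
    ("194.59.177.0", "194.59.177.255"),
    ("194.59.180.0", "194.59.180.127"),
    ("194.59.182.0", "194.59.182.255"),
    ("194.59.184.0", "194.59.184.255"),
    ("194.59.188.0", "194.59.188.255"),
    ("207.47.0.0", "207.47.255.255"),
]

def ranges_to_networks(ranges):
    """Turn inclusive start-end ranges into a sorted, minimal CIDR list."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return list(ipaddress.collapse_addresses(nets))

def classify(route, bogons):
    """Return (verdict, overlapping bogon blocks) for one announced prefix."""
    net = ipaddress.ip_network(route)
    hits = [b for b in bogons if net.overlaps(b)]
    if not hits:
        return "clean", hits
    # Entirely inside a bogon block: the whole announcement is unallocated.
    if any(net.subnet_of(b) for b in hits):
        return "bogon", hits
    # Otherwise the route is an aggregate that covers unallocated holes.
    return "partial", hits

def active_bogons(routes, ranges):
    bogons = ranges_to_networks(ranges)
    report = {}
    for prefix, asn in routes:
        verdict, hits = classify(prefix, bogons)
        if verdict != "clean":
            report[prefix] = (asn, verdict, [str(h) for h in hits])
    return report

if __name__ == "__main__":
    for prefix, (asn, verdict, hits) in active_bogons(ROUTES, BOGON_RANGES).items():
        print(f"{prefix} AS{asn} {verdict}: {', '.join(hits)}")
```

The "partial" verdict separates an aggregate that merely covers unallocated holes from a prefix announced wholly out of unallocated space, which matters when deciding whether a route can be rejected outright.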

Nice to finally see competition to those people in cymru, who apparently
got too sloppy with their work.

We can finally put an end to all those criminals like UU, L3, CW, GX, ATT,
DoD who are committing criminal activity by hijacking netblocks.

Enough is enough!

<snip>

207.47.39.0/24 ## AS816 : UUNET-AS4 : UUNET Technologies, Inc.
           207.47.0.0 - 207.47.255.255 ## Bogon (unallocated) ip range
208.65.232.0/23 ## AS701 : ALTERNET-AS : UUNET Technologies, Inc.
           208.64.0.0 - 208.127.255.255 ## Bogon (unallocated) ip range
209.169.219.0/24 ## AS189 : GENUITY-AS189 : Genuity
           209.168.128.0 - 209.169.255.255 ## Bogon (unallocated) ip range
216.226.108.0/22 ## AS3602 : SPRINT-CA-AS : Sprint Canada Inc.
           216.226.96.0 - 216.226.127.255 ## Bogon (unallocated) ip range
194.59.176.0/20 ## AS1273 : ECRC : Cable & Wireless Telecommunication
           194.59.177.0 - 194.59.177.255 ## Bogon (unallocated) ip range
           194.59.180.0 - 194.59.180.127 ## Bogon (unallocated) ip range
           194.59.182.0 - 194.59.182.255 ## Bogon (unallocated) ip range
           194.59.184.0 - 194.59.184.255 ## Bogon (unallocated) ip range
           194.59.188.0 - 194.59.188.255 ## Bogon (unallocated) ip range
199.114.0.0/21 ## AS568 : SUMNET-AS : DISO-UNRRA
           199.114.7.0 - 199.114.7.255 ## Bogon (unallocated) ip range
192.135.50.0/24 ## AS7018 : ATT-INTERNET4 : AT&T WorldNet Services
          192.135.50.0 - 192.135.50.255 ## Bogon (unallocated) ip range
203.30.219.0/24 ## AS3549 : GBLX : Global Crossing
          203.30.219.0 - 203.30.219.255 ## Bogon (unallocated) ip range

[If you read this far, this is very tongue-in-cheek]

Yeah! Those UU and DOD guys are real criminals!
I hear one has an arms stockpile...

It would appear you are not checking whois.nic.mil for allocations as well. All the US DOD/DISA stuff is registered there and will reduce your list somewhat.

Also, APNIC has a policy of removing all inetnums of customers who do not pay their membership dues within 90-120 days. That will cause many APNIC allocations to "appear" as being bogons when in fact they are just late in paying.

Regards,
Hank

Answering concerns presented here (did not have time before while
preparing to leave for the NANOG conference).

> It would appear you are not checking whois.nic.mil for allocations as
> well. All the US DOD/DISA stuff is registered there and will reduce your
> list somewhat.

whois.nic.mil data is not available in bulk format, and doing many
individual queries will likely result in blacklisting of our IPs as they
might consider it hacking attempts. However, the majority if not all of the DoD
blocks are listed in ARIN whois. That means that while we cannot find
bogons within DoD space, their blocks are not actually listed as bogons
and their entire IP blocks are listed as allocated by ARIN (or by IANA) to an
end-user organization. Any of their IP space that may be listed as bogons would
be the space they, on purpose or otherwise, have not listed as theirs in ARIN
whois, and unless they actually want to acknowledge it's their IP space, I
cannot do anything about it.

> Also, APNIC has a policy of removing all inetnums of customers who do not
> pay their membership dues within 90-120 days. That will cause many APNIC
> allocations to "appear" as being bogons when in fact they are just late in
> paying.

If APNIC removed whois, that means they no longer consider those IP blocks
as allocated and it's fair to list these as bogons. I would recommend that
such organizations that got their whois removed by APNIC for not paying
their bills quickly resolve this situation directly with APNIC (i.e. pay
their bills or otherwise force them to restore the whois record).

William