The following might add some clarity, depending upon how you look at it:
We, as "core" engineers know better than to use some of the sources listed
below, tho, my suspicion is that when an engineer or local IT person, on an
edge network starts to see various types of attacks, they play wack-a-mole,
based upon outdated or incomplete data, and never think twice about
revisiting such, as, from their perspective, everything is working just
In a networking psychology test, earlier this morning, I wrote to ten
well-known colleagues that I was fairly confident didn't regularly follow
the nanog lists. Such individuals comprised of IP and IT engineers for
which manage various network sizes and enterprises, ultimately posing the
question of "Where in the world is 184.108.40.206, as we were researching
some unique traffic patterns".
*Seven out of ten came back with overseas*. Two came back with more
questions "as the address space appeared to be assigned to APNIC", but was
*One came back with the correct response.* (MORENET)
Two of the queried parties were representative of major networks, one for
an entire state governmental network with hundreds of thousands of actual
users and tens of thousands of routers, the other from another major
university. (Names left out, in the event they see this message later in
the day or week)
After probing the origin of their responses, I found the following methods
or data-sources were used:
-Search Engines - by far, the worst offender. Not necessarily "the engines"
at fault, but a result of indexed sites containing inaccurate or outdated
-User generated forums, such as "Block non-North American Traffic for
Dummies Like Me
(Yes - that's the actual thread name on WebMasterWorld.com, from a Sr.
-Static (or aged) CIDR web-page based lists, usually placed for advertorial
generation purposes and rarely up to date or accurate. (usually via SE's or
-APNIC themselves - A basic SE search resulted in an APNIC page
on it's face, appears to indicate 220.127.116.11/8 is in fact, part of the
current APNIC range.
-GitHub BGP Ranking tools: CIRCL / bgp-ranging example
updated on May 16th, 2011, tho an RT lookup
<http://bgpranking.circl.lu/ip_lookup?ip=18.104.22.168> via the CIRCL tool
does shows the appropriate redirect/org)
-Several routing oriented books and Cisco examples
such range, for example, FR/ISBN 2-212-09238-5.
-And even established ISPs, that are publically announcing their "block list
<http://www.albury.net.au/netstatus/derouted.html>", such as Albury's Local
ISP in Australia
The simple answer is to point IT directors, IP engineers or "the
receptionists that manages the network" to the appropriate registry
data-source, which should convince them that corrective action is
necessary, i.e. fix your routing table or firewall. The complexity begins
in trying to locate all of these people and directing them to the
appropriate data-source, which I think is an unrealistic task, even for the
largest of operators. Maybe a nanog-edge group is in order.
If the issue was beyond just a nuisance and If I were in your shoes, i'd
renumber or use an alternate range for the types of traffic affected by
such blocks, i.e. administrative web traffic trying to reach major
insurance portals. (Looks like AS2572 is announcing just over 700k IPv4
address, over about 43 ranges with only some potentially affected)
Realizing that renumbering is also extremely unrealistic, if you haven't
already reached the IPv6 bandwagon, that's an option or, if none of the
above seem reasonable, you could always put together a one-page PDF that
points these administrators to the appropriate resource to validate that
you, are in fact, part of the domestic United States.
I agree that a more accurate tool probably needs to be created for the
"general population to consume," but then again, even that solution, is
"just another tool" for the search-engines to index, and you're back at
As much as I think most of us would like to help fix this issue, I don't
know that a decent, non-invasive solution exists, at least based upon the
few hours we threw at this issue today...