Jean St-Laurent
CISSP #634103
ddosTest me security inc
tel: 438 806-9800
site: https://ddostest.me
email: jean@ddostest.me
I should have probably added more content or a comment.
I feel this is a good example that a pen is mightier than a sword.
I am impressed by what I read in this article and would definitely like to hear/read more, maybe coming from Ronald Guilmette?
Thanks all
Jean
I’ll add that after reading the article, it doesn’t appear that Parler was specifically targeted, just DDoS-Guard prior to becoming their new host. Deplatforming of Parler wasn’t really on anyone’s radar back in November when the complaint with LACNIC was filed and I’m not under the impression they had lined DDoS-Guard up as a backup host at this point, or their downtime would have been much less after Amazon gave them the boot; still, they almost certainly would have been very tight lipped about who that provider would be.
It just seemed like a convenient coincidence that Parler has since become a customer and will be inconvenienced by this, the extent to which is not likely to be very high as they’ve probably re-written any modules of their backend that weren’t portable, and now have some experience with finding and deploying on a new host.
-Matt
Peace,
DDOS-Guard is only hosting a temporary static page for Parler, they are not hosting the full Parler application. (Source: Quote from Parler’s CEO, NYT, 1/19/21, https://www.nytimes.com/2021/01/19/technology/parler-russian-company.html)
Am I the only one to believe that (given that LACNIC had allocated an IP block to a company that doesn’t conform to the LACNIC policies) what we urgently need to see next is the complete audit of the LACNIC operations, so that this doesn’t look like selective enforcement?
LACNIC received a complaint, they investigated that complaint, found it warranted, and took appropriate action. “Selective enforcement” would imply there have been other complaints filed with LACNIC that have been ignored.
Peace,
In my recent (last 24 months) dealings with LACNIC, they were very thorough in validating information and enforcing documentation requirements as we needed to modify some things after some corporate changes. Obviously that may not be representative of all their operations, but they were quite on the ball in making sure we (still) were who we said we were.
I think it’s a tricky argument to say what LACNIC should or should not have done. We don’t know all the facts. But we all know that fraudulent business records are used all over the world for things like this all the time. Calling for a complete audit of LACNIC feels quite extreme absent a pattern of issues, which doesn’t seem to have been presented.
For context, from the article:
"The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups."
Anne
Peace,
Hi.
Just a question: "this one hosted a Web site for a terrorist organization", which terrorist organization's web site did they host?
Well,
FYI: I’m not getting this kind of vibe from him, more like an IP space janitor.
I’m wondering if it is a statement from Ron or the opinion of the author of the article.
Myself, I’m jealous of Ron for having the capacity of doing this kind of task =D on top of his daily $$$ one.
"The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups."
Sounds horrible. But now that the American flag is a hate symbol not surprising.
The real threat is newcomers to the social media market creating competition for FB/Twitter. Hopefully Parler is just the start.
- E
Peace,
How many other Belize defuncts do they have? How many offshore countries like Belize are there in the region?
Based on my cursory knowledge of offshore corporate registrations in Belize, Panama and the Cayman Islands, identifying those locations which are only mailboxes versus actual business office addresses should not be overly complicated or difficult.
In the era of Google Street View for most major urban areas the initial search process can be done remotely, such as when it appears that dozens of companies occupy one street address of a very small office building.
For instance look at the company registration offices, with hundreds of corporate entities sharing one office suite address, which were created by Mossack Fonseca in Panama City.
https://en.wikipedia.org/wiki/Mossack_Fonseca
The same principle would apply not just to LACNIC, but also to anybody who wanted to go in detail through the number of ISPs and hosting companies that nominally exist in Malta and Cyprus.
In all honesty have we really given the sword a chance in these cases?
Eric Kuhnke wrote:
> Based on my cursory knowledge of offshore corporate registrations in
> Belize, Panama and the Cayman Islands, identifying those locations which
> are only mailboxes versus actual business office addresses should not be
> overly complicated or difficult.
A problem, however, is that, these days, one can perform
real business at remote locations without actual business
offices there.
Moreover, as page 28 of:
https://www.lacnic.net/innovaportal/file/1016/3/lacnic-fasciculo-infraestructura-internet-en.pdf
says:
REQUIREMENTS FOR OBTAINING AN IP ADDRESS BLOCK AND AN ASN
The organization must be legally incorporated in the LACNIC
service region.
incorporation is enough and physical presence is *NOT* required
by LACNIC.
Though there may be other reasons, the article explains:
DDoS-Guard To Forfeit Internet Space Occupied by Parler — Krebs on Security
that are supposed to be given only to entities with a
physical presence in the region
Masataka Ohta
PS
I'm, anyway, glad that Ron now understands that "stealing" of IP
addresses through AFRINIC for money is a crime of fraud.
No, this is not correct. LACNIC policies, state:
1.14 Principles for Proper Administration and Stewardship
The fundamental principle is to distribute unique Internet numbering resources according to the technical and operational needs of the networks currently using, or that will use, these numbering resources, allowing the sustainable growth of the Internet.
The numbering resources under the stewardship of LACNIC must be distributed among organizations legally constituted within its service region [COBERTURA] and mainly *serving networks and services operating in this region. External clients connected directly to main infrastructure located in the region are allowed.
*“Mainly” is understood to mean more than 50%.
The 50% was not there before, so I submitted a "recent" policy proposal that reached consensus, so added that to make sure that we have a "clear" line of what is "mainly". Note that in LACNIC the policies are in Spanish, so the English translation may not be "perfect".
So clearly, a resource holder needs to "have" the majority (>50%) of the services operating in the region. I think the English version is not sufficiently clear on that, but the Spanish one is accurate.
Also, the only reason why, as I explained to Ron when he contacted me about this case, it takes so long to recover resources, is because claiming for a resource is a really terrible situation. If a RIR makes a mistake, maybe there is no way back, so the RIR needs to ensure that all is very well investigated and the resource-holder has sufficient chances to clarify the situation.
The same policy proposal (Sistema de Políticas - LACNIC) also made lots of changes across the entire policy manual, and the most important ones are related to section 7 (resource revocation and return):
(look at the Spanish version, English seems not updated)
This proposal is not fully implemented yet, because it requires "automated" checks for the policies, which will take some time to get fully implemented, and it may not be possible to automate it 100%. So, for example, ensuring that the IP addresses are actually (>50%) operating in the region will be automatically detected.
If an organization gets resources, says "we have a contract in a DC in Belize" to host them, and even proves that to LACNIC, but after obtaining the resources cancels the DC contract and uses the resources outside the region, LACNIC didn't have a way to automatically verify it. Now with this policy, once fully implemented, they will have it and they will get alerts so they can manually do a verification and, if needed, contact the resource holder.
Of course, in case of non-compliance, section 7.1 of the policy gives several chances, across 3 months, so the resource holder can either prove that there is compliance, or if they made a "mistake" they still have the opportunity to correct it.
In certain cases (such as fraud in documents), the RSA has precedence, and it can mean "no opportunity" to correct the situation, but still, the process may take 3 months, to give opportunity to the resource holder to prove it.
Regards,
Jordi
@jordipalet
> No, this is not correct. LACNIC policies, state:
That LACNIC has contradicting statements is a problem
of LACNIC, and you cannot tell others that the statement
of your choice is the one others must follow.
> (look at the Spanish version, English seems not updated)
If there is a reservation statement such as "English
version is just informational and not authentic" or
"Certain restrictions may apply. See xxxxx for details."
in PDF I quoted, your point could have been valid.
Moreover,
> The numbering resources under the stewardship of LACNIC must be
> distributed among organizations legally constituted within its
> service region [COBERTURA] and mainly *serving networks and services
> operating in this region. External clients connected directly to main
> infrastructure located in the region are allowed.
>
> *“Mainly” is understood to mean more than 50%.
Requirement of such locality is, these days, seemingly
badly impractical, and an attempt to enforce it will likely
be considered invalid.
For example, what if someone sells part of IP addresses assigned
from LACNIC to someone else performing business outside of
LACNIC region? If there is no restriction, it means locality
requirement is effectively invalidated.
Masataka Ohta
Not at all.
The "top" mandate of any RIR, in terms of resource allocation, is what the policies say.
The document that you linked is just a "guide" and unfortunately, unless I missed it, the document doesn't have a "publication date", but I bet it is several years old. Further to that, it is authored by NIC.BR; it can have mistakes. LACNIC only did the English translation.
As we all know, the policies in all the RIRs evolve. The only valid document in terms of policies, in any RIR, is the *last version* of the policy manual (or equivalent web pages).
If you look at the LACNIC policy manual at https://www.lacnic.net/680/2/lacnic/policy-manual-[v214---24_07_2020], it clearly states that the official source is the Spanish version:
"This document and/or information was originally written in Spanish, the official language of Uruguay, the country where LACNIC is legally incorporated and whose laws and regulations LACNIC must meet. Likewise, unofficial information and/or documents are also written in Spanish, as this is the language in which most of LACNIC's collaborators and officers work and communicate. We do our best to ensure that our translations are reliable and serve as a guide for our non-Spanish-speaking members. However, discrepancies may exist between the translations and the original document and/or information written in Spanish. In this case, the original text written in Spanish will always prevail."
Regarding the resource transfer that you mention, it will follow the transfer policy (2.3.2.18 - IPv4 address transfers) and there will be checks in both RIRs (source and destination), depending on the policies of each one. There is not a single answer to your example; we will need to see if it is LACNIC to LACNIC (intra-RIR, and in that case the 50% usage in the region rule is sustained) or if it is from LACNIC to another RIR (inter-RIR, then it will not depend anymore on the LACNIC rules - after the transfer, but the destination RIR).
Regards,
Jordi
@jordipalet