Proof of ownership; when someone demands you remove a prefix

We recently received a demand to stop announcing a "fraudulent" prefix. Is
there an industry best practice when handling these kind of requests? Do you
have personal or company-specific preferences or requirements? To the best
of my knowledge, we've rarely, if ever, received such a request. This is
relatively new territory.

In this case we have a signed LOA on file for that prefix and I've reached
out to our customer to verify the validity of the sender's request. The
sender claims to have proof that they are authorized to speak on behalf of
the owner. I will wait until I hear from our customer before I consider a
response to the sender. I don't get a real sense of legitimacy from the
sender making the request. No one else announces the prefix. Nothing about
the request appears to be legitimate, especially considering the sender.

I thought about requesting they make changes to their RIR database objects
to confirm ownership, but all that does is verify that person has access to
the account tied to the ORG/resource, not ownership. Current entries in the
database list the same ORG and contact that signed the LOA. When do you get
to the point where things look "good enough" to believe someone?

Has anyone gone so far as to make the requestor provide something like a
notarized copy stating ownership? Have you ever gotten legal departments
involved? The RIR?

I would personally reach out to the technical POC for the customer. Perhaps have your sales rep for the account resolve the issue.

Steven Naslund
Chicago IL

What about contacting ARIN? Does the customer have their own ASN? ETC ETC

> We recently received a demand to stop announcing a "fraudulent" prefix. Is
> there an industry best practice when handling these kinds of requests? Do you
> have personal or company-specific preferences or requirements? To the best
> of my knowledge, we've rarely, if ever, received such a request. This is
> relatively new territory.

This could definitely be an attempt at a DoS attack, and wouldn't be the
first time I've heard of something like this being done as such.

> I thought about requesting they make changes to their RIR database objects
> to confirm ownership, but all that does is verify that person has access to
> the account tied to the ORG/resource, not ownership. Current entries in the
> database list the same ORG and contact that signed the LOA. When do you get
> to the point where things look "good enough" to believe someone?

They may also be leasing one chunk of space from an organization without
actually having access to the RIR db too - in that case, they could ask the
org they are leasing from to put in a SWIP with the RIR, but if they don't
choose to, then that's not a hard requirement.

On the same token, having access to the org account at the RIR pretty much
makes you as legitimate as you're going to be as far as any of us can
really tell. If there's an issue where the RIR account has been
compromised, then that issue lies between the RIR and their customer, and
isn't really your business because you have no way to know whatsoever.

> Has anyone gone so far as to make the requestor provide something like a
> notarized copy stating ownership? Have you ever gotten legal departments
> involved? The RIR?

A notarized copy stating *ownership* seems overboard. Lots of
organizations lease IPv4 space, and lots more now since depletion in many
regions, and their use of it is entirely legitimate in accordance with
their contractual rights established in the lease agreement with the
owner. I'd probably think about looking at the contact info in the RIR
whois and ask them, if I had a situation like this myself. Ultimately, the
RIR's contact which would be in their whois db should be authoritative more
so than anyone else. I doubt the RIR would be able to say much if you
contacted them beyond that everything that isn't in whois isn't something
they'd share publicly.

Take care,
Matt

I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care who they lease to, for example Logicweb, Cloudinnovation ( see bgp.he.net/search?search[search]=cloudinnovation+OR+"cloud+innovation" ), Digital Energy-host1plus. The ranges get abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from youtube/google/etc for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly for further resale.

Without revealing too much identifying information, the prefix is allocated to a 3rd party that is a customer of our customer. We have a signed LOA on hand that matches the RIR database object details (names, prefix, etc.), and the request to stop announcing came from another 3rd party that does not appear to be related to either our customer or their customer.

Both the individual making the demand as well as the 3rd party that "owns" the prefix are in industries that suggest things are not entirely above-board. The email came from an IP broker domain whose TLD is an eastern European country.

At this point I'm going to have to rely on our customer's POC, whom I've already contacted, to verify whether or not this is true and err in their favor.

I was just curious what others have experienced. Since so much of the Internet is "best effort" in terms of validation, I wasn't sure if there was much else that could be done.

Sounds right to me. Unless someone else can prove ownership of the allocation beyond a doubt I would leave it up and running.

Steven Naslund
Chicago IL

Hi Sean,

The best practice is to go for the status quo while you figure it out.
How long have you been announcing the prefix? If only briefly, stop.
If you've been announcing it for a long time, keep doing so.

The RIR is the arbiter of who controls the address space. That's the
purpose of a registry. Reach out to the published POC by email, by
phone and if necessary by postal mail. Until you get a response to the
query YOU initiated to the POC, stick with the status quo.

Regards,
Bill Herrin

i have been the requestor of such actions before, and i generally sent the
take-down request with a referral to the ARIN entry with the netblock, which
shows the appropriate contacts.

i always sent the request from the account listed as ADMIN contact for
the netblock or OrgID.

in the request i noted that ARIN is the ultimate arbiter of who "owns" a block,
and as such you can validate my request for takedown by contacting me through
the details listed on their site. (i then provide the arin.net link).

anyone receiving such a request, who validated it through the ARIN data, should
probably act on it.

if the request is coming from anyone other than the ARIN ADMIN contact, the
response should be "we only accept such requests from parties that we can
authenticate through ARIN".

if the renter, et al, have not updated the ARIN data, then, that is their
problem, not yours, as you would have done your due diligence.

if they are not authorized by ARIN to speak on behalf of the block, i would be
very cautious about proceeding.

if they are unable to get the request sent on behalf of the ARIN ADMINs, then,
also, i would be very cautious about proceeding.

(i suspect that all of this could also apply to RIPE/etc/etc, but i have not
had to do so).

--jim

it's a real shame there is no authoritative cryptographically verifiable
attestation of address ownership.

Ownership?...

(Duck)

-george

How about signed ownership ? (https://keybase.io) if you are able to update the record … and it is able to be signed then shouldn’t that be proof enough of ownership of the ASN ?

If you can update a forward DNS record then you can have the reverse record updated in the same sort of fashion and signed by a third party to provide first party of authoritative ownership… Assuming you have an assigned ASN and the admin has taken the time to let alone understand the concept and properly prove the identity in the first place… (EV cert ?)

Just a light opinion from … https://jhackenthal.keybase.pub

Trust is a big issue these days and validation even worse given SSL trust.

In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a technical angle would be great.

In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the assignee's RIR account and made some object updates (e-mail, country, etc.) that they could use to "prove" they had authority to make the request. I assume their offer of proof would have been to send us an email from the dubious @yahoo.com account they had listed as the admin contact.

I agree with a private response that I received that at some point lawyers probably need to take over if a technical solution to verification is not reached.

I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is limited to authenticating the announcement of resources to prevent route hijacking. If you've authorized a 3rd party to announce your routes, could you assign a certificate to that 3rd party for a specific resource and then revoke it if they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account and revokes the certificate? This would assume protocol compatibility, that everyone is using it, etc.

I believe the suggested process would be.... submit the stranger's request to
the administrative & technical contacts listed for the organization and IP
resource in public WHOIS at the time the request is received, and in order to
confirm:

Request whether their organization approves that the announcements must be
withdrawn, and if so: that they also submit to you a signed official form to
either revise, rescind, or repudiate the existing LOA provided by that WHOIS
contact.

Then reply to the "stranger" that official documentation is required to cancel
the announcement, and you are unable to verify you have the right to make the
request, and you will forward their message to the IP Address registry and
officially listed WHOIS and customer technical contacts who must approve of
the request, before any further actions can be taken.

Best practice is for the prefix-user to have correct data of
subdelegation in the correct RIR. LOA letters have been forged
since well before runout, in the days when they were faxed.
Issues with potential RIR hacks should be taken straight to
that RIR; those have also been unfortunately common. These
days, ROAs would be nice to see for anyone up-to-date on methods.
At the very least, the low bar of IRR data should be present.

If there's only a private letter between two parties, no one
a few hops away can validate that, so the user of the space
flatly should expect poor propagation. If there's no data
published that a remote party can use, there should be zero
expectation any remote party will accept the prefix on that
path.

IME this is pretty old territory, and should be part of any
providers' M&P for handling PI space.

Cheers,

Joe
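Sean's question earlier in the thread about whether RPKI could play a role, and Joe's point just above that ROAs are the data a remote party can actually check, both come down to the same mechanism: route origin validation. The block below is an added example written for this page, not code from any participant in the thread. It implements the RFC 6811 validation outcome (valid / invalid / not-found) for an announced prefix and origin AS against a set of ROAs, and shows what revoking a ROA, or publishing an AS0 ROA, does to an announcement. The ROAs, prefixes and AS numbers are constructed sample data drawn from documentation ranges, not real registry entries.

```python
"""Route origin validation (RFC 6811) against a constructed set of ROAs.

A ROA says "origin AS X may announce prefix P and its subnets up to
length maxLength". A relying party compares each received route against
the ROAs that cover it. This is an illustrative implementation, not a
real RPKI validator; it skips certificate-chain validation entirely and
takes the ROAs as already-validated payloads.
"""
import ipaddress
from typing import Iterable, List, NamedTuple


class ROA(NamedTuple):
    prefix: str      # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length this ROA authorises
    origin_as: int   # authorised origin AS; 0 means "nobody may originate"


# Constructed sample ROAs (documentation ranges, hypothetical ASNs).
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64500),      # the customer's IPv4 block
    ROA("2001:db8::/32", 48, 64500),     # the customer's IPv6 block
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: holder says "do not route"
]


def rov_state(announced_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    not-found: no ROA covers the prefix at all (an LOA-only block looks
               like this to everyone a few hops away).
    valid:     at least one covering ROA matches the origin AS and the
               announced length does not exceed its maxLength.
    invalid:   covered by one or more ROAs, but none of them match.
    """
    pfx = ipaddress.ip_network(announced_prefix, strict=True)
    covering = []
    for roa in roas:
        roa_pfx = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_pfx.version != pfx.version:
            continue
        # A ROA covers the route when the announced prefix lies inside it.
        if pfx.subnet_of(roa_pfx):
            covering.append((roa, pfx.prefixlen))
    if not covering:
        return "not-found"
    for roa, announced_len in covering:
        # An AS0 ROA never matches a real origin, so it only ever yields invalid.
        if roa.origin_as == origin_as and announced_len <= roa.max_length:
            return "valid"
    return "invalid"


def revoke(roas: Iterable[ROA], prefix: str, origin_as: int) -> List[ROA]:
    """Return the ROA set with one ROA removed, as the holder would after
    withdrawing a third party's authorisation at the RIR/CA."""
    return [r for r in roas if not (r.prefix == prefix and r.origin_as == origin_as)]


def demo() -> dict:
    """Evaluate the situations discussed in the thread against the sample ROAs."""
    results = {
        "legit_origin": rov_state("192.0.2.0/24", 64500, SAMPLE_ROAS),
        "stranger_origin": rov_state("192.0.2.0/24", 64501, SAMPLE_ROAS),
        "too_specific": rov_state("192.0.2.128/25", 64500, SAMPLE_ROAS),
        "loa_only_block": rov_state("198.51.100.0/24", 64500, SAMPLE_ROAS),
        "ipv6_within_maxlen": rov_state("2001:db8:1::/48", 64500, SAMPLE_ROAS),
        "as0_block": rov_state("203.0.113.0/24", 64500, SAMPLE_ROAS),
    }
    # After the holder revokes the ROA, the same announcement drops to not-found:
    # routers commonly still accept it, so revocation alone does not pull a route.
    revoked = revoke(SAMPLE_ROAS, "192.0.2.0/24", 64500)
    results["after_revocation"] = rov_state("192.0.2.0/24", 64500, revoked)
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:20s} {state}")
```

Two caveats follow directly from the thread. A ROA answers "is this origin AS authorised for this prefix", not "who owns it"; whoever controls the resource holder's RIR/CA account can issue or revoke ROAs, so a compromised account shows up in RPKI data exactly as it shows up in WHOIS. And revoking a ROA only moves the announcement from valid to not-found, which most operators still accept; only an AS0 ROA (or a conflicting ROA for another origin) makes it invalid, and even that only matters on networks that actually drop invalids.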

Another thing that would affect me as a service provider would be the account history. I would probably be more skeptical if this was a long term customer who has been announcing this prefix for a long period of time vs a new customer that just began announcing it.

i.e. If I just began announcing it and there is an ownership dispute right away, I might suspect my new customer misappropriated the block. If he had been announcing it for years and now someone wants it taken down, that is a higher burden of proof for me. As always bottom line is who has the block registered with RIR is the final authority.

Steven Naslund
Chicago IL

Finally a use for block chain :P

I would insist that this customer get with the RIR and resolve ownership of the account and prove that they did so. I would leave the burden on the RIR to figure out who is the rightful owner and not make any changes until that is done.

Do you have a record of what the RIR account contact was when you began announcing the block? The fact that the requester has the RIR account and the email of the account contact makes me wonder if your customer did not renew with the RIR or something else that caused them to lose ownership of the net block. I could see this happen during an acquisition or change of ownership of a company or entity. I would give the customer a short period of time to open a dispute with the RIR and then hold the changes until the RIR makes a determination. I think that protects you from a legal perspective more than deciding on your own. Of course, keep a good record of all communications on this subject especially with the RIR, this could get ugly.

Steven Naslund
Chicago IL

Hi Sean,

There is a definitive technical means. It's called contact the POC
published in WHOIS by the RIR and ask. It isn't flawless and you don't
have to like it, but there it is.

If you contacted the POC and the POC replied stop, you stop. If the
POC was hijacked at the RIR, that's between your customer and the RIR.
The RIR has a standard process and an expert team for dealing with
these situations. It's their job.

Regards,
Bill Herrin

Biggest problems we had as a service provider is that the block is registered to a corporate entity which is then acquired or dissolves and then you have to figure out who actually has control. We always tried to push the dispute process to go between the customer and the RIR when this happens. It takes too many legal resources to get involved in figuring out who owns what during an acquisition or dissolution. Often this particular resource does not get called out specifically and can be a problem. Sometimes they get treated like corporate intellectual property and sometimes they get treated more like a utility. It's a legal nightmare to get in the middle of it. I have had cases where it was so complex we forced one of the parties to get a court order one way or another.

Steven Naslund
Chicago IL