RE: Proof of ownership; when someone demands you remove a prefix

["Sean Pedersen" <spedersen.lists () gmail com>]

Without revealing too much identifying information, the prefix is allocated to a 3rd party that is a customer of our 
customer. We have a signed LOA on hand that matches the RIR database object details (names, prefix, etc.), and the 
request to stop announcing came from another 3rd party that does not appear to be related to either our customer or 
their customer.

Both the individual making the demand as well as the 3rd party that "owns" the prefix are in industries that suggest 
things are not entirely above-board. The email came from a IP broker domain whose TLD is an eastern European country.

At this point I'm going to have to rely on our customer's POC, whom I've already contacted, to verify whether or not 
this is true and err in their favor. 

I was just curious what others have experienced. Since so much of the Internet is "best effort" in terms of validation, 
I wasn't sure if there was much else that could be done.

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of nop () imap cc
Sent: Monday, March 12, 2018 12:08 PM
To: nanog () nanog org
Subject: Re: Proof of ownership; when someone demands you remove a prefix

I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care 
who they lease to, for example Logicweb, Cloudinnovation ( see 
bgp.he.net/search?search[search]=cloudinnovation+OR+%22cloud+innovation%22 ), Digital Energy-host1plus. The ranges get 
abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from 
youtube/google/etc for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly 
for further resale.



On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
> On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists () gmail com>
> wrote:
>
> > We recently received a demand to stop announcing a "fraudulent" prefix. Is
> > there an industry best practice when handling these kind of requests? Do
> > you
> > have personal or company-specific preferences or requirements? To the best
> > of my knowledge, we've rarely, if ever, received such a request. This is
> > relatively new territory.
>
> This could definitely be an attempt at a DoS attack, and wouldn't be the
> first time I've heard of something like this being done as such.
>
> I thought about requesting they make changes to their RIR database objects
> > to confirm ownership, but all that does is verify that person has access to
> > the account tied to the ORG/resource, not ownership. Current entries in the
> > database list the same ORG and contact that signed the LOA. When do you get
> > to the point where things look "good enough" to believe someone?
>
> They may also be leasing one chunk of space from an organization without
> actually having access to the RIR db too - in that case, they could ask the
> org they are leasing from to put in a SWIP with the RIR, but if they don't
> choose to, then that's not a hard requirement.
>
> On the same token, having access to the org account at the RIR pretty much
> makes you as legitimate as you're going to be as far as any of us can
> really tell.  If there's an issue where the RIR account has been
> compromised, then that issue lies between the RIR and their customer, and
> isn't really your business because you have no way to know whatsoever.
>
>
> > Has anyone gone so far as to make the requestor provide something like a
> > notarized copy stating ownership? Have you ever gotten legal departments
> > involved? The RIR?
>
> A notarized copy stating *ownership* seems overboard.  Lots of
> organizations lease IPv4 space, and lots more now since depletion in many
> regions, and their use of it is entirely legitimate in accordance with
> their contractual rights established in the lease agreement with the
> owner.  I'd probably think about looking at the contact info in the RIR
> whois and ask them, if I had a situation like this myself.  Ultimately, the
> RIR's contact which would be in their whois db should be authoritative more
> so than anyone else.  I doubt the RIR would be able to say much if you
> contacted them beyond that everything that isn't in whois isn't something
> they'd share publicly.
>
> Take care,
> Matt