I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care who they lease to, for example Logicweb, Cloudinnovation (see bgp.he.net/search?search[search]=cloudinnovation+OR+%22cloud+innovation%22), Digital Energy-host1plus. The ranges get abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from YouTube/Google/etc. for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly for further resale.

On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
> On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.li...@gmail.com>
> wrote:
>
> > We recently received a demand to stop announcing a "fraudulent" prefix. Is
> > there an industry best practice when handling these kind of requests? Do
> > you have personal or company-specific preferences or requirements? To the
> > best of my knowledge, we've rarely, if ever, received such a request. This
> > is relatively new territory.
> >
>
> This could definitely be an attempt at a DoS attack, and wouldn't be the
> first time I've heard of something like this being done as such.
>
> > I thought about requesting they make changes to their RIR database objects
> > to confirm ownership, but all that does is verify that person has access to
> > the account tied to the ORG/resource, not ownership. Current entries in the
> > database list the same ORG and contact that signed the LOA. When do you get
> > to the point where things look "good enough" to believe someone?
> >
>
> They may also be leasing one chunk of space from an organization without
> actually having access to the RIR db too - in that case, they could ask the
> org they are leasing from to put in a SWIP with the RIR, but if they don't
> choose to, then that's not a hard requirement.
>
> On the same token, having access to the org account at the RIR pretty much
> makes you as legitimate as you're going to be as far as any of us can
> really tell. If there's an issue where the RIR account has been
> compromised, then that issue lies between the RIR and their customer, and
> isn't really your business because you have no way to know whatsoever.
>
> > Has anyone gone so far as to make the requestor provide something like a
> > notarized copy stating ownership? Have you ever gotten legal departments
> > involved? The RIR?
> >
>
> A notarized copy stating *ownership* seems overboard. Lots of
> organizations lease IPv4 space, and lots more now since depletion in many
> regions, and their use of it is entirely legitimate in accordance with
> their contractual rights established in the lease agreement with the
> owner. I'd probably think about looking at the contact info in the RIR
> whois and ask them, if I had a situation like this myself. Ultimately, the
> RIR's contact which would be in their whois db should be authoritative more
> so than anyone else. I doubt the RIR would be able to say much if you
> contacted them beyond that everything that isn't in whois isn't something
> they'd share publicly.
>
> Take care,
> Matt