<div><div dir="auto">Hi,</div><div dir="auto"><br></div><div dir="auto">I don’t think a one-off will cut it. This is, and has to be, a continuous process. </div><div dir="auto"><br></div><div dir="auto">A “did you know this happened in RIPE IRR”-notification would be good when non-auth objects are created. </div><div dir="auto"><br></div><div dir="auto">Maybe RPKI ghostbuster and Whois context info can be used to find the appropriate block owners.</div><div dir="auto"><br></div><div dir="auto">Kind regards,</div><div dir="auto"><br></div><div dir="auto">Job</div><br><div class="gmail_quote"><div>On Thu, 9 Nov 2017 at 19:44, denis walker <<a href="mailto:ripedenis@yahoo.co.uk">ripedenis@yahoo.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="color:#000;background-color:#fff;font-family:Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"><div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149840"><span>Hi guys</span></div><div><span><br></span></div><div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149959"><span id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149958">Perhaps after the RIPE NCC implements the agreed actions on foreign ROUTE objects, it would be a good idea to do a (one time?) cleanup/review of all foreign ROUTE objects in the RIPE IRR. Find the contact details in the appropriate RIR Database for all non RIPE address space covered by these ROUTE objects. Send them a notification with a link to click if they approve of the ROUTE object. 
If no response is received within a defined time period, delete the ROUTE object.</span></div><div class="m_-6226179385485068984qtdSeparateBR" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149839"><div><br></div><div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150034">cheers</div><div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150036">denis</div><div>co-chair DB WG</div><div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150038"><br></div><br></div><div class="m_-6226179385485068984yahoo_quoted" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149848" style="display:block">  <div style="font-family:Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149847"> <div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,Sans-Serif;font-size:16px" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149846"> <div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149845"> <font id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150040" size="2" face="Arial"> <hr id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150042" size="1"> <b><span style="font-weight:bold">From:</span></b> Job Snijders via db-wg <<a href="mailto:db-wg@ripe.net" target="_blank">db-wg@ripe.net</a>><br> <b><span style="font-weight:bold">To:</span></b> Brian Rak <<a href="mailto:brak@choopa.com" target="_blank">brak@choopa.com</a>> <br><b><span style="font-weight:bold">Cc:</span></b> <a href="mailto:db-wg@ripe.net" target="_blank">db-wg@ripe.net</a><br> <b><span style="font-weight:bold">Sent:</span></b> Thursday, 9 November 2017, 17:53</font></div></div></div></div></div></div><div><div style="color:#000;background-color:#fff;font-family:Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"><div class="m_-6226179385485068984yahoo_quoted" 
id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149848" style="display:block"><div style="font-family:Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149847"><div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,Sans-Serif;font-size:16px" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149846"><div id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149845"><font id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150040" size="2" face="Arial"><br> <b id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150060"><span style="font-weight:bold" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_150059">Subject:</span></b> Re: [db-wg] Getting fraudulent entries removed<br> </font></div></div></div></div></div></div><div><div style="color:#000;background-color:#fff;font-family:Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"><div class="m_-6226179385485068984yahoo_quoted" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149848" style="display:block"><div style="font-family:Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149847"><div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,Sans-Serif;font-size:16px" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149846"> <div class="m_-6226179385485068984y_msg_container" id="m_-6226179385485068984yui_3_16_0_ym19_1_1510143306444_149850"><br>Dear Brian,<br clear="none"><br clear="none">It appears that RIPE NCC is lacking a clear and expedient procedure to<br clear="none">remedy unauthorised route object creation. 
I'd be happy to volunteer to<br clear="none">work with the RIPE NCC to develop a procedure that aligns with industry<br clear="none">standards on how to verify abuse reports like these and resolve them in<br clear="none">a timely manner. (Of course this doesn't help you right now.)<br clear="none"><br clear="none">The topic of ARIN space in the RIPE database has been discussed<br clear="none">extensively. A long thread on this topic started here<br clear="none"><a href="https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005622.html" target="_blank">https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005622.html</a>,<br clear="none">sadly, some people even indicated they don't see an issue with how things are<br clear="none">right now <a shape="rect" href="https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005627.html" target="_blank">https://www.ripe.net/ripe/mail/archives/db-wg/2017-October/005627.html</a><br clear="none">Fortunately this was a minority view, and the RIPE NCC is now tasked to<br clear="none">more clearly mark non-authoritative route objects as can be read here:<br clear="none"><a shape="rect" href="https://www.ripe.net/ripe/mail/archives/routing-wg/2017-October/003456.html" target="_blank">https://www.ripe.net/ripe/mail/archives/routing-wg/2017-October/003456.html</a><br clear="none"><br clear="none">One thing I recommend you do is to set the "OriginAS" through the ARIN<br clear="none">web interface, this will show the world what the origin AS ought to be:<br clear="none"><a shape="rect" href="https://www.arin.net/resources/originas.html" target="_blank">https://www.arin.net/resources/originas.html</a>. 
You could reference this<br clear="none">field in your communication with RIPE NCC to demonstrate that the RIPE<br clear="none">IRR version of the route object does not align with your intentions.<br clear="none"><br clear="none">Another thing you can do is file complaints with the upstreams of<br clear="none">AS205869 (some of them visible here <a shape="rect" href="https://bgp.he.net/AS205869" target="_blank">https://bgp.he.net/AS205869</a>) Telia<br clear="none">seems to be their main provider.<br clear="none"><br clear="none">Kind regards,<br clear="none"><br clear="none">Job<br clear="none"><div class="m_-6226179385485068984yqt9263948147" id="m_-6226179385485068984yqtfd40109"><br clear="none">On Thu, Nov 09, 2017 at 11:22:33AM -0500, Brian Rak via db-wg wrote:<br clear="none">> Hi,<br clear="none">> <br clear="none">> We've run into an issue where an unknown malicious party appears to have<br clear="none">> hijacked some of our IP space.  They created entries in the RIPE database<br clear="none">> that they are using to actually get this space announced.  What's even worse<br clear="none">> is their carrier is trying to say these announcements are legitimate because<br clear="none">> they have IRR entries (which is a whole other issue)<br clear="none">> <br clear="none">> What is the process like for actually getting this fraudulent entry<br clear="none">> removed?  
I've been in contact with RIPE NCC Support, and they have been<br clear="none">> super unhelpful (ref case #14523)<br clear="none">> <br clear="none">> The fraudulent entry is:<br clear="none">> <br clear="none">> <a shape="rect" href="https://apps.db.ripe.net/search/lookup.html?source=ripe&key=198.13.32.0/19AS39967&type=route" target="_blank">https://apps.db.ripe.net/search/lookup.html?source=ripe&key=198.13.32.0/19AS39967&type=route</a><br clear="none">> <br clear="none">> route:           198.13.32.0/19<br clear="none">> descr:           2nd route<br clear="none">> origin:          AS39967<br clear="none">> mnt-by:          ADMASTER-MNT<br clear="none">> created:         2017-10-13T00:20:08Z<br clear="none">> last-modified:   2017-10-13T00:20:08Z<br clear="none">> source:          RIPE<br clear="none">> <br clear="none">> I should also note that this ASN suspiciously appears to be announcing other<br clear="none">> people's space as well, but I can only confirm that this particular entry<br clear="none">> does not belong.  I would suspect that their other IRR entries are fake as<br clear="none">> well.<br clear="none">> <br clear="none">> You can verify my request by reaching out to any of the POCs associated with<br clear="none">> this network: <a shape="rect" href="https://whois.arin.net/rest/net/NET-198-13-32-0-1" target="_blank">https://whois.arin.net/rest/net/NET-198-13-32-0-1</a><br clear="none">> <br clear="none">> Thanks,<br clear="none">> Brian Rak<br clear="none">> <br clear="none">> <br clear="none"><br clear="none"></div><br><br></div> </div></div></div></div></div></blockquote></div></div>
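<div>The continuous review of foreign route objects discussed in this thread can be sketched as a check over an IRR dump (an added example, not code from the thread or from the RIPE NCC): it parses RPSL, skips prefixes inside RIPE-managed space, and compares the origin of each remaining route with what the address holder has published. The managed-space list, the declared-origin table with its AS64500 placeholder, and the second and third sample objects are constructed assumptions.</div>

```python
import ipaddress

# Constructed inputs: RIPE_MANAGED stands in for the list of RIPE-managed space,
# DECLARED_ORIGINS for holder-published data such as ARIN's OriginAS (AS64500 is a placeholder).
RIPE_MANAGED = [ipaddress.ip_network("193.0.0.0/8")]
DECLARED_ORIGINS = {ipaddress.ip_network("198.13.32.0/19"): {"AS64500"}}
SAMPLE_DUMP = """\
route:   198.13.32.0/19
origin:  AS39967
mnt-by:  ADMASTER-MNT

route:   193.0.2.0/24
origin:  AS64501

route:   203.0.113.0/24
origin:  AS64502
"""

def parse_rpsl(text):
    """Split an RPSL dump into objects, each a list of (attribute, value) pairs."""
    objects, obj = [], []
    for line in text.splitlines() + [""]:
        if not line.strip():                         # blank line closes the object
            if obj:
                objects.append(obj)
            obj = []
        elif line[0] in " \t+" and obj:              # continuation of previous value
            obj[-1] = (obj[-1][0], f"{obj[-1][1]} {line[1:].strip()}".strip())
        elif line[0] not in "%#" and ":" in line:    # skip comment lines
            key, _, value = line.partition(":")
            obj.append((key.strip().lower(), value.strip()))
    return objects

def audit(text):
    """Return (prefix, origin, mnt-by, verdict) for every route outside RIPE-managed space."""
    findings = []
    for obj in parse_rpsl(text):
        attrs = dict(obj)
        if obj[0][0] not in ("route", "route6") or "origin" not in attrs:
            continue
        prefix = ipaddress.ip_network(obj[0][1], strict=False)
        inside = lambda b: b.version == prefix.version and prefix.subnet_of(b)
        if any(inside(b) for b in RIPE_MANAGED):
            continue                                 # RIPE IRR is authoritative here
        declared = set().union(*(o for b, o in DECLARED_ORIGINS.items() if inside(b)))
        origin = attrs["origin"].upper()
        verdict = ("foreign-unverified" if not declared   # ask the holder to confirm
                   else "foreign-ok" if origin in declared
                   else "foreign-origin-mismatch")        # conflicts with holder's data
        findings.append((str(prefix), origin, attrs.get("mnt-by"), verdict))
    return findings
```

<div>Run over newly created objects, `foreign-unverified` results are the ones that would trigger a notification to the block holder, and `foreign-origin-mismatch` results are candidates for escalation.</div>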