Sounds right to me. Unless someone else can prove ownership of the allocation
beyond a doubt I would leave it up and running.
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sean Pedersen
Sent: Monday, March 12, 2018 2:46 PM
To: n...@imap.cc; firstname.lastname@example.org
Subject: RE: Proof of ownership; when someone demands you remove a prefix
Without revealing too much identifying information, the prefix is allocated to
a 3rd party that is a customer of our customer. We have a signed LOA on hand
that matches the RIR database object details (names, prefix, etc.), and the
request to stop announcing came from another 3rd party that does not appear to
be related to either our customer or their customer.
Both the individual making the demand as well as the 3rd party that "owns" the
prefix are in industries that suggest things are not entirely above-board. The
email came from a IP broker domain whose TLD is an eastern European country.
At this point I'm going to have to rely on our customer's POC, whom I've
already contacted, to verify whether or not this is true and err in their
I was just curious what others have experienced. Since so much of the Internet
is "best effort" in terms of validation, I wasn't sure if there was much else
that could be done.
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of n...@imap.cc
Sent: Monday, March 12, 2018 12:08 PM
Subject: Re: Proof of ownership; when someone demands you remove a prefix
I've seen this type of situation come up more than a few times with the shadier
IP brokers that lease and don't care who they lease to, for example Logicweb,
Cloudinnovation ( see
Digital Energy-host1plus. The ranges get abused to hell and back for garbage
traffic selling, rate limit bypassing, scraping, proxies, banned from
youtube/google/etc for view and like farms, and then thrown away, and the
leaser tries to get them unannounced quickly for further resale.
On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
> On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen
> > We recently received a demand to stop announcing a "fraudulent"
> > prefix. Is there an industry best practice when handling these kind
> > of requests? Do you have personal or company-specific preferences or
> > requirements? To the best of my knowledge, we've rarely, if ever,
> > received such a request. This is relatively new territory.
> This could definitely be an attempt at a DoS attack, and wouldn't be
> the first time I've heard of something like this being done as such.
> I thought about requesting they make changes to their RIR database
> > to confirm ownership, but all that does is verify that person has
> > access to the account tied to the ORG/resource, not ownership.
> > Current entries in the database list the same ORG and contact that
> > signed the LOA. When do you get to the point where things look "good
> > enough" to believe someone?
> They may also be leasing one chunk of space from an organization
> without actually having access to the RIR db too - in that case, they
> could ask the org they are leasing from to put in a SWIP with the RIR,
> but if they don't choose to, then that's not a hard requirement.
> On the same token, having access to the org account at the RIR pretty
> much makes you as legitimate as you're going to be as far as any of us
> can really tell. If there's an issue where the RIR account has been
> compromised, then that issue lies between the RIR and their customer,
> and isn't really your business because you have no way to know whatsoever.
> > Has anyone gone so far as to make the requestor provide something
> > like a notarized copy stating ownership? Have you ever gotten legal
> > departments involved? The RIR?
> A notarized copy stating *ownership* seems overboard. Lots of
> organizations lease IPv4 space, and lots more now since depletion in
> many regions, and their use of it is entirely legitimate in accordance
> with their contractual rights established in the lease agreement with
> the owner. I'd probably think about looking at the contact info in
> the RIR whois and ask them, if I had a situation like this myself.
> Ultimately, the RIR's contact which would be in their whois db should
> be authoritative more so than anyone else. I doubt the RIR would be
> able to say much if you contacted them beyond that everything that
> isn't in whois isn't something they'd share publicly.
> Take care,