[RFCI-Discuss] whois records with single ip address (CIDR aaa.bbb.ccc.ddd/32)
Richard Johnson
rfci-discuss@lists.megacity.org
Wed, 9 Oct 2002 08:48:28 -0600
At 14:53 +0400 on 2002-10-09, egor duda wrote:
> The problem, however, is the following. The CIDR of this whois record
> is aaa.bbb.ccc.ddd/32. Other addresses (taken in random) in
> 218.234.58.0/24 network have the same contact information, so spam
> reports for them will certainly be bouncing too. Of course, it's
> possible to submit every single IP address in HANANET network to
> ipwhois, but it's hardly practical. I also haven't found a way to
> query Korean whois to get all records which contain reference to
> either security@hanaro.com or HANANET organization name.
I can only consider KRNIC's failure to aggregate nearby entries managed by
the same Org Name into a single block entry as an attempt, perhaps
deliberate, to obscure the extent of a given entity's allocation.
security@hanaro.net not only bounces spam reports, they also don't deal
with situations where their spammer escalates to dictionary attacks, relay
attempts, and apache/SSL exploit attempts.
> Any hints of how to resolve such situation?
We resolve it via packet filters listing the containing /16. If we see
hanaro or hananet in a lookup regarding an IP in our mail or other logs, we
immediately firewall the surrounding /16 [1]. Saves a lot of grief.
Back to the point: Does KRNIC's lack of aggregation of consecutive entries
for a given Org Name make or enhance the case for ipwhois listing? I'd
almost say yes, but our reason for firewalling the /16s has more to do with
exploit attempts than with spam. If the case for listing is enhanced, do
we really want to be listing a /24 or /16 worth of individual /32s?
Richard
-------
[1] So far, we have:
# 2002-06-03 hananet.net/hanaro.com incessant spam attempts, address
# guessing, relay attacks, exploit attempts, usually in that order, minimum
# block size /16 due to KRNIC attempt to drown us in separate entries run by
# the same entities
block in from 210.180.0.0/16 to any
block in from 210.217.0.0/16 to any
block in from 211.108.0.0/16 to any
block in from 211.117.0.0/16 to any
block in from 211.176.0.0/16 to any
block in from 211.200.0.0/16 to any
block in from 211.201.0.0/16 to any
block in from 211.202.0.0/16 to any
block in from 211.203.0.0/16 to any
block in from 211.204.0.0/16 to any
block in from 211.205.0.0/16 to any
block in from 211.207.0.0/16 to any
block in from 211.208.0.0/16 to any
block in from 211.209.0.0/16 to any
block in from 211.210.0.0/16 to any
block in from 211.211.0.0/16 to any
block in from 211.212.0.0/16 to any
block in from 211.213.0.0/16 to any
block in from 211.215.0.0/16 to any
block in from 211.250.0.0/16 to any
block in from 211.44.0.0/16 to any
block in from 211.58.0.0/16 to any
block in from 218.233.0.0/16 to any
block in from 218.234.0.0/16 to any
block in from 218.235.0.0/16 to any
block in from 218.49.0.0/16 to any
block in from 218.50.0.0/16 to any
block in from 219.241.0.0/16 to any
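As an added illustration of the aggregation question raised in the post (not code from the list or its author): given a set of single-address whois records that share an org name and contact, collapse them into the fewest CIDR blocks, then derive the containing block widened to a /16 and render it in the same `block in from ... to any` syntax as the footnote. The records below are constructed sample data, not real registry output, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample whois data: (address, org name, abuse contact).
# Made-up records for illustration, not real KRNIC or HANANET entries.
SAMPLE_RECORDS = [
    ("218.234.58.0", "HANANET", "security@hanaro.com"),
    ("218.234.58.1", "HANANET", "security@hanaro.com"),
    ("218.234.58.2", "HANANET", "security@hanaro.com"),
    ("218.234.58.3", "HANANET", "security@hanaro.com"),
    ("218.234.59.7", "HANANET", "security@hanaro.com"),
    ("210.180.1.1", "OTHERNET", "abuse@example.net"),
]


def aggregate_by_contact(records):
    """Group /32 records by (org, contact) and collapse each group into the
    smallest equivalent set of CIDR blocks: the aggregation the registry
    did not do for us. Returns {(org, contact): [IPv4Network, ...]}."""
    groups = defaultdict(list)
    for addr, org, contact in records:
        groups[(org, contact)].append(ipaddress.ip_network(f"{addr}/32"))
    return {key: sorted(ipaddress.collapse_addresses(nets))
            for key, nets in groups.items()}


def covering_block(networks, min_block=16):
    """Smallest single prefix containing every network in the group, widened
    to at least a /min_block (the 'minimum block size /16' policy above)."""
    net = networks[0]
    while not all(n.subnet_of(net) for n in networks):
        net = net.supernet()
    if net.prefixlen > min_block:
        net = net.supernet(new_prefix=min_block)
    return net


def pf_rules(records, min_block=16):
    """One 'block in from <net> to any' rule per contact group, preceded by a
    comment naming the org and how many aggregated blocks it collapsed to."""
    rules = []
    for (org, contact), nets in sorted(aggregate_by_contact(records).items()):
        block = covering_block(nets, min_block)
        rules.append(f"# {org} ({contact}): {len(nets)} aggregated block(s)")
        rules.append(f"block in from {block} to any")
    return rules


if __name__ == "__main__":
    print("\n".join(pf_rules(SAMPLE_RECORDS)))
```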