[RFCI-Discuss] whois records with single ip address (CIDR aaa.bbb.ccc.ddd/32)
egor duda
rfci-discuss@lists.megacity.org
Wed, 9 Oct 2002 19:25:22 +0400
Hi!
Wednesday, 09 October, 2002 you wrote:
RJ> At 14:53 +0400 on 2002-10-09, egor duda wrote:
>> The problem, however, is the following. The CIDR of this whois record
>> is aaa.bbb.ccc.ddd/32. Other addresses (taken in random) in
>> 218.234.58.0/24 network have the same contact information, so spam
RJ> I can only consider KRNIC's failure to aggregate nearby entries managed by
RJ> the same Org Name into a single block entry as an attempt, perhaps
RJ> deliberate, to obscure the extent of a given entity's allocation.
The words on their web site saying that
"KRNIC will prohibit excessive queries by blocking network access."
make me suspect that someone has already tried to perform such a search
"sequentially", by querying information about all addresses assigned
to KRNIC.
RJ> We resolve it via packet filters listing the containing /16. If we see
RJ> hanaro or hananet in a lookup regarding an IP in our mail or other logs, we
RJ> immediately firewall the surrounding /16 [1]. Saves a lot of grief.
Agreed. I have a private DNSBL zone, blacklist.pvt, and hananet and the
likes are listed there. I've used APNIC information (APNIC does have an
ability to perform searches by Org name), but I'm not sure their
listing is current and complete.
The bad thing is that it's a _private_ zone, i.e. the whole point of an RBL
is missed.
So, given such unfriendliness of KRNIC whois, should APNIC information
be used?
RJ> Back to the point: Does KRNIC's lack of aggregation of consecutive entries
RJ> for a given Org Name make or enhance the case for ipwhois listing? I'd
RJ> almost say yes, but our reason for firewalling the /16s has more to do with
RJ> exploit attempts than with spam. If the case for listing is enhanced, do
RJ> we really want to be listing a /24 or /16 worth of individual /32s?
RJ> [1] So far, we have:
RJ> # 2002-06-03 hananet.net/hanaro.com incessant spam attempts, address
RJ> guessing, relay attacks, exploit attempts, usually in that order, minimum
RJ> block size /16 due to KRNIC attempt to drown us in separate entries run by
RJ> the same entities
RJ> block in from 210.180.0.0/16 to any
[...]
RJ> block in from 219.241.0.0/16 to any
Yes, something like this.
Egor. mailto:deo@logos-m.ru
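A small helper for the approach discussed in this thread: grouping per-address whois entries by Org Name, collapsing them into the smallest covering CIDRs (the aggregation the registry did not do), and deriving the containing /16 blocks for packet-filter rules. This is an added example, not code from the list or from either poster; the records and org names are constructed placeholders from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed whois-style records: (address, Org Name). Placeholder data
# from documentation ranges, not real KRNIC or APNIC entries.
SAMPLE_RECORDS = [
    ("203.0.113.1", "Example-Org-A"),
    ("203.0.113.2", "Example-Org-A"),
    ("203.0.113.3", "Example-Org-A"),
    ("203.0.113.4", "Example-Org-A"),
    ("203.0.113.200", "Example-Org-B"),
    ("198.51.100.10", "Example-Org-A"),
    ("198.51.100.11", "Example-Org-A"),
]

def aggregate_by_org(records):
    """Group per-address (/32) records by Org Name and collapse each group
    into the smallest set of CIDR blocks covering exactly those addresses.
    Adjacent /32s merge into /31s, /30s, and so on; gaps stay separate."""
    by_org = defaultdict(list)
    for ip, org in records:
        by_org[org].append(ipaddress.ip_network(f"{ip}/32"))
    return {org: sorted(ipaddress.collapse_addresses(nets))
            for org, nets in by_org.items()}

def covering_supernets(nets, prefixlen=16):
    """Return the distinct /<prefixlen> blocks that contain the given
    networks (the 'firewall the surrounding /16' approach from the thread).
    Networks already at or above that size are kept as they are."""
    blocks = {n if n.prefixlen <= prefixlen else n.supernet(new_prefix=prefixlen)
              for n in nets}
    return sorted(blocks)

def pf_rules(blocks):
    """Render blocks in the 'block in from X/Y to any' syntax quoted above."""
    return [f"block in from {b.with_prefixlen} to any" for b in blocks]

def is_blocked(ip, blocks):
    """Check whether a single address falls inside any listed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in b for b in blocks)

if __name__ == "__main__":
    for org, nets in aggregate_by_org(SAMPLE_RECORDS).items():
        print(org, [str(n) for n in nets])
        for rule in pf_rules(covering_supernets(nets)):
            print("   ", rule)
```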