Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: RIPE Down or DOSed ?

  • From: Kai Schlichting
  • Date: Fri Feb 28 16:51:12 2003

On 2/27/2003 at 9:58 PM, wrote:

> ...
> NetRange: -
> NetName:    WHOLE-2
> NetHandle:  NET-69-6-0-0-1
> Parent:     NET-69-0-0-0-0
> NetType:    Direct Allocation
> ...

> Where are the swips?  The rest of that record makes no mention of an
> rwhois server.  Doing a bunch of whois requests for IPs in that block, I
> found only one swip (for a /21).  I realize the ARIN regs don't seem to
> require that reassignment info be made available to the public (just to
> ARIN), but using your innocent customers (if there are any) as a shield to
> hide your spammer customers is just wrong.  Should I block
> from sending email into my systems?

Correct answer: the /18, and then some.

Oh, how you wished you hadn't posted this to the list (and Cc:'d on it), but chosen reply-to-poster :)

Random example from this block appearing in my rejects: or: "I see red!"

Extended answer directly from my auto-complaint override map:

 'as:26956' => 'as:17054,isp:cogent', # - rogue AS
 'as:11938' => ',isp:verio', # - rogue AS
 'as:17054' => ',isp:genuity,,isp:gblx', # - rogue AS?

Anything announced out of 26956 and 11938 goes straight to the sendmail
access file here, and given the various pointers from OTHER rogues back
to 17054, routes will be there RSN, too.

And if you thought /18 is a big block in spammer-hand, go check out various
DNSBLs for listings and the history of AS's announcing portions of:

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.