Last Friday, RIPE reallocated 2 address blocks involved in DNSChanger malware - one of them is already routed. Infected users are still sending DNS queries to this address space. The new holders of this space are getting a lot of DNS queries - they are in the position to see who is infected, what they are querying for and provide any DNS response they wish to those queries. News article: http://www.cso.com.au/article/433502/new_hijack_threat_emerges_dns_changer_v... RIPE's response: https://www.ripe.net/internet-coordination/news/clarification-on-reallocated... I think reallocation of this address space so quickly, is irresponsible and puts users at risk. The RIR's debogonize other address ranges and check their status before allocation. The court appointed honest DNS service was only turned down a month ago, with thousands of users still infected. While users have had plenty of opportunity to clean up their computers, many are still infected. In some cases, providers have intentionally chosen not to notify their customers. I asked on the address-policy list, how long RIPE holds back netblocks before allocation. From RIPE's response above, they hold address blocks for 6 weeks and it sounds as though they would have reallocated it while the court appointed honest DNS service was running had that 6 weeks expired before the court ordered honest service ended. Court order or not, should there be a policy/process to give guidance to RIR's on how to handle abused address space? Should address space that has been "poisoned" where it continues to get traffic from infected hosts long after the servers/malware/domains are removed be reallocated to new unsuspecting organizations? Should the space be held for some specified amount of time? Or until it drops below some threshold of traffic? Should a research or security organization be contracted to work on cleaning up the space? should the RIR do that? --Heather