Faked entries in the RIPE db
There appears to be abuse happening in the RIPE db - presumably to allow other online activity to be done with abuse indirection to an innocent bystander (e.g. my employer) - all over the last day or two...

The specific items I noticed are all inet6num maintained by BSKYB-BROADBAND44-MNT, along with BSKYB-BROADBAND44-MNT itself, and ORG-BBH4-RIPE and ACRO772-RIPE. This was due to the fake objects referring to our real role/person objects.

It appears that there are many other faked entries under 2a07:7ec0::/29 - pretending to be Deutsche Telekom or Time Warner Cable for example. Either that LIR is a bad actor, or their maintainer credentials have been 0wned.

This needs to be killed off.

Cheers,
--
Ian Dickinson
Network Architect
Sky Network Services
ian.dickinson@sky.uk

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
On Tue, May 31, 2016 at 10:21:31AM +0000, Dickinson, Ian wrote:

Dear Ian

> There appears to be abuse happening in the RIPE db - presumably to allow other online activity to be done with abuse indirection to an innocent bystander (e.g. my employer) - all over the last day or two...
>
> The specific items I noticed are all inet6num maintained by BSKYB-BROADBAND44-MNT, along with BSKYB-BROADBAND44-MNT itself, and ORG-BBH4-RIPE and ACRO772-RIPE. This was due to the fake objects referring to our real role/person objects.
>
> It appears that there are many other faked entries under 2a07:7ec0::/29 - pretending to be Deutsche Telekom or Time Warner Cable for example. Either that LIR is a bad actor, or their maintainer credentials have been 0wned.
>
> This needs to be killed off.
Have a look at https://www.ripe.net/report-form

All the best,
Piotr

--
gucio -> Piotr Strzyżewski
E-mail: Piotr.Strzyzewski@polsl.pl
I will submit a report as suggested.

Object creation came from here:

Change requested from:
- From-Host: 2a03:b0c0:0:1010::16d:d001
- Date/Time: Mon May 30 22:20:40 2016

Ian

-----Original Message-----
From: Piotr Strzyzewski [mailto:Piotr.Strzyzewski@polsl.pl]
Sent: 31 May 2016 11:26
To: Dickinson, Ian <Ian.Dickinson@sky.uk>
Cc: Database WG (db-wg@ripe.net) <db-wg@ripe.net>
Subject: Re: [db-wg] Faked entries in the RIPE db

On Tue, May 31, 2016 at 10:21:31AM +0000, Dickinson, Ian wrote:

Dear Ian
> There appears to be abuse happening in the RIPE db - presumably to allow other online activity to be done with abuse indirection to an innocent bystander (e.g. my employer) - all over the last day or two...
>
> The specific items I noticed are all inet6num maintained by BSKYB-BROADBAND44-MNT, along with BSKYB-BROADBAND44-MNT itself, and ORG-BBH4-RIPE and ACRO772-RIPE. This was due to the fake objects referring to our real role/person objects.
>
> It appears that there are many other faked entries under 2a07:7ec0::/29 - pretending to be Deutsche Telekom or Time Warner Cable for example. Either that LIR is a bad actor, or their maintainer credentials have been 0wned.
>
> This needs to be killed off.
Have a look at https://www.ripe.net/report-form

All the best,
Piotr

--
gucio -> Piotr Strzyżewski
E-mail: Piotr.Strzyzewski@polsl.pl
On Tue, May 31, 2016 at 10:44:24AM +0000, Dickinson, Ian wrote:
> I will submit a report as suggested.
It appears the faux entries have been removed.

I would conjecture this was an attempt to establish some form of IP based reputation, to influence search or ranking engines. Will be good to keep an eye out for this type of activity.

Kind regards,

Job
On Tue, May 31, 2016 at 10:21:31AM +0000, Dickinson, Ian wrote:
> There appears to be abuse happening in the RIPE db - presumably to allow other online activity to be done with abuse indirection to an innocent bystander (e.g. my employer) - all over the last day or two...
>
> The specific items I noticed are all inet6num maintained by BSKYB-BROADBAND44-MNT, along with BSKYB-BROADBAND44-MNT itself, and ORG-BBH4-RIPE and ACRO772-RIPE. This was due to the fake objects referring to our real role/person objects.
>
> It appears that there are many other faked entries under 2a07:7ec0::/29 - pretending to be Deutsche Telekom or Time Warner Cable for example. Either that LIR is a bad actor, or their maintainer credentials have been 0wned.
>
> This needs to be killed off.
I concur that this looks like a purposefully engineered effort to hide something.

Review the output of the following command:

    $ whois -h whois.ripe.net -- "-M 2a07:7ec0::/29 -T inet6num"
    <snip tons of inet6nums>

    $ whois -h whois.ripe.net -- "-M 2a07:7ec0::/29 -T inet6num" | grep org-name | sort -u
    org-name:       ASAHI Net,Inc.
    org-name:       BSkyB Broadband Hostmaster
    org-name:       Deutsche Telekom AG
    org-name:       KPN B.V.
    org-name:       Orange France S.A.
    org-name:       Telstra Pty Ltd
    org-name:       Time Warner Cable LLC

Kind regards,

Job
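As an added example (editor's code, not part of the thread), the check Job ran with `grep org-name | sort -u` done offline over a saved whois reply: the script parses the RPSL objects the server returns for `-M 2a07:7ec0::/29 -T inet6num`, resolves each inet6num's `org:` handle to the `org-name` of the organisation object returned alongside it, and groups the more-specifics by that name together with their `mnt-by`. The whois text below is constructed for illustration; the more-specific prefixes, the netnames, the `ORG-EX1-RIPE` / `ORG-EX2-RIPE` handles and `EXAMPLE-MNT` are hypothetical, and only the /29, ORG-BBH4-RIPE, BSKYB-BROADBAND44-MNT and the org names come from the thread.

```python
"""Group the inet6num objects under a parent allocation by the organisation
they claim to belong to, from RIPE whois (RPSL) output.

Added example, not code from the db-wg thread.  SAMPLE_WHOIS is a constructed
stand-in for the output of
    whois -h whois.ripe.net -- "-M 2a07:7ec0::/29 -T inet6num"
The /32 prefixes, netnames, ORG-EX*-RIPE handles and EXAMPLE-MNT are
hypothetical placeholders.
"""
from collections import defaultdict

SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

inet6num:       2a07:7ec0::/32
netname:        EXAMPLE-NET-1
descr:          first line of a description
                continued on an indented line
org:            ORG-EX1-RIPE
mnt-by:         EXAMPLE-MNT
status:         ASSIGNED
source:         RIPE

organisation:   ORG-EX1-RIPE
org-name:       Deutsche Telekom AG
source:         RIPE

inet6num:       2a07:7ec1::/32
netname:        EXAMPLE-NET-2
org:            ORG-BBH4-RIPE
mnt-by:         BSKYB-BROADBAND44-MNT
status:         ASSIGNED
source:         RIPE

organisation:   ORG-BBH4-RIPE
org-name:       BSkyB Broadband Hostmaster
source:         RIPE

inet6num:       2a07:7ec2::/32
netname:        EXAMPLE-NET-3
org:            ORG-EX2-RIPE
mnt-by:         EXAMPLE-MNT
status:         ASSIGNED
source:         RIPE

organisation:   ORG-EX2-RIPE
org-name:       Time Warner Cable LLC
source:         RIPE
"""


def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value).

    Objects are separated by blank lines, '%' lines are server comments, and
    a line starting with whitespace or '+' continues the previous value.
    """
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+":
            if current:  # fold the continuation into the previous attribute
                attr, val = current[-1]
                cont = line.lstrip(" \t+")
                current[-1] = (attr, (val + " " + cont).strip())
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip(), val.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, attr):
    """Value of the first occurrence of attr in an object, or None."""
    return next((v for a, v in obj if a == attr), None)


def inet6nums_by_org(text):
    """Map org-name -> [(prefix, mnt-by), ...] for every inet6num in text.

    An inet6num carries only an org: handle; the organisation objects the
    server returned alongside it supply the human-readable org-name.
    """
    objects = parse_rpsl(text)
    names = {first(o, "organisation"): first(o, "org-name")
             for o in objects if o[0][0] == "organisation"}
    grouped = defaultdict(list)
    for o in objects:
        if o[0][0] != "inet6num":
            continue
        handle = first(o, "org")
        label = names.get(handle) or handle or "<no org>"
        grouped[label].append((first(o, "inet6num"), first(o, "mnt-by")))
    return dict(grouped)


def distinct_org_names(text):
    """Sorted org-names referenced by the inet6nums, like the grep | sort -u."""
    return sorted(inet6nums_by_org(text))


if __name__ == "__main__":
    for org, entries in sorted(inet6nums_by_org(SAMPLE_WHOIS).items()):
        print(org)
        for prefix, mnt in entries:
            print("    %s  mnt-by: %s" % (prefix, mnt))
```

Run it against a saved reply (`whois ... > reply.txt`, then feed the file contents instead of `SAMPLE_WHOIS`). Several unrelated org-names under one LIR's /29, each on an object whose `mnt-by` is not the LIR's own maintainer, is the pattern Job's output shows; the parent allocation's own `org:` and `mnt-by` (from a `-l` or `-L` less-specific query) give the baseline to compare against.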
participants (3)
- Dickinson, Ian
- Job Snijders
- Piotr Strzyzewski