<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">The frequency is on average roughly once a month that ARIN will receive a complaint about this. It is usually more than 5 and less than 20 reassignments that ARIN is asked to remove because the Admin POC that
did the reassignments is not responding to the request to remove it. ARIN has been informed that this has caused problems due to subpoenas being issued for nefarious activities that have taken place using these IP addresses. So yes, it does happen and yes,
there are negative effects to the organization that these reassignments are made to.
<o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">ARIN-consult &lt;arin-consult-bounces@arin.net&gt; on behalf of William Herrin &lt;bill@herrin.us&gt;<br>
<b>Date: </b>Tuesday, October 15, 2024 at 2:29 PM<br>
<b>To: </b>Chris Woodfield &lt;chris@semihuman.com&gt;<br>
<b>Cc: </b>arin-consult@arin.net &lt;arin-consult@arin.net&gt;<br>
<b>Subject: </b>Re: [ARIN-consult] Consultation on Reallocation Control Features</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On Tue, Oct 15, 2024 at 10:48 AM Chris Woodfield &lt;chris@semihuman.com&gt; wrote:<br>
> I’m reading Bill Herrin’s interpretation downthread as to the intent of this potential feature, and to the extent this is a not-theoretical issue, I’d be in full support. I’m slightly skeptical that an org controlling reallocatable resources would send
/24s to an unaffiliated party just to add a layer of obfuscation to their abuse, but I’ve seen bolder attempts to make money in more dubious ways on the internet, so…<br>
<br>
Well, it depends on what you're trying to obfuscate.<br>
<br>
Suppose Joe goes to an "IP leaser" and claims to be a particular<br>
ARIN-registered org. Joe gets IP addresses which he controls and<br>
announces them from a "bulletproof hoster" from which Joe proceeds to<br>
distribute child porn. As SWATting goes, it's a bit on the pricey side<br>
but it's not inconceivable.<br>
<br>
<br>
> Again, I’d be curious how often this actually happens in the wild, vs this being a theoretical brand of Bad Acting, before I think I could have an opinion here.<br>
<br>
Same. Additional questions for ARIN are:<br>
<br>
1. Has this happened to an ARIN registrant?<br>
<br>
2. If yes, how many times is ARIN aware of it having happened to an<br>
ARIN registrant?<br>
<br>
<br>
We can sit here and dream up all manner of ways to abuse the ARIN<br>
process, but at the end of the day security is a cost/value<br>
proposition. If delta threat x delta vulnerability x incident cost is<br>
less than the implementation and operational cost of the proposed<br>
security then it shouldn't be done.<br>
<br>
<br>
> another approach to this could be that an org can choose to require that they affirmatively accept any attempted reallocation request to their Org ID<br>
<br>
I like this approach much better than the whole screwy "domain lock"<br>
thing they do with the DNS.<br>
<br>
<br>
-- <br>
William Herrin<br>
bill@herrin.us<br>
<a href="https://bill.herrin.us/">https://bill.herrin.us/</a><br>
</span></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>