[arin-ppml] audit tools and techniques
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Nov 5 08:56:56 EDT 2010
In message <76036B6C-C69D-451D-B2C8-0BBA036428CC at arin.net>,
John Curran <jcurran at arin.net> wrote:
> ARIN would be happy to study and learn from any/all of your tools and
> techniques in this area, and would be happy to receive any information
> that you'd like to send in this area.
I already sent you (in private e-mail) my opinion that it should be fairly
easy to prove, to a preponderance of the evidence, that certain folks who
have been assigned certain /24s (or larger) may only have, say, one or two
hosts per /24 (because they are using the /24 for snowshoe spamming, which
requires LOTS of IPs, but relatively little CPU horsepower or bandwidth).
These snowshoe spammer infestations are the ultimate examples of crappy IP
space utilization, and I know that I can send you a list of hundreds, and
perhaps even thousands of such blocks.
You _might_ be able to verify cases like these (as being clear instances
of ultra-crappy utilization) via such existing tools as nmap. But if not,
I think that I could whip something together that would do the job for you.
But why would I foolishly invest the time and effort to do that when, for
all I know, you guys may already have (and may already be using) exactly
such software tools.
So this is a good example of how secrecy in your audit process is actually
counterproductive. You're never going to get any good ideas or any help
from anybody on the outside as long as you cling to this silly notion
that you can make your auditing process unbeatable (or less beatable).
Maybe you've heard this one before: Security through obscurity is no
security at all.
If your audit process is so lame that it could be beaten just by being made
public... well then you've ALREADY got a major problem.
Personally, I don't give a flying fig about the paperwork aspect of your
audits. If it pleases you, then by all means, keep that part of the process
on double-secret probation. I am only interested in what can be done over
the wire, and I do believe that most if not all of the current crop of
snowshoe frauds can be outed via purely automated ``over the wire'' means.
> I'll note that some techniques
> in use by the anti-spam community may not meet the fairness and process
> requirements that ARIN operates under,
I seriously have no idea what you are talking about.
All of the software that _I_ have ever written is inherently ``fair''... it
operates exactly the same way, no matter who I am using it to investigate.
Human biases don't enter into it.
Do you know about the software tool called "nmap"? Is that tool "fair"
or "unfair" in your view?
> and I recognize that this may be
> annoying to you, but reflects the reality of our legal system.
To reiterate, I have no idea what you are talking about.
The only thing annoying me is that I have no idea what your current audit
process is, and thus I can't figure out _either_ (a) how so many spammers
already seem to be beating it _or_ (b) how it might be improved so as to
> If you'd prefer to supply information on your tools and techniques under
> NDA, please send that to my attention or let me know and I'll send ARIN's
> NDA out for your review.
No, thank you. That's getting ahead of ourselves.
In the first instance, I'd just like to know if ARIN is currently employing
_any_ automated ``over the wire'' means to verify or validate claims about
existing network equipment.
Or is your audit process all just based on paperwork, e.g. like receipts
for network equipment purchases, lists of customers, and so forth.
If the latter, then that would explain, I think, how so many of these spammers
are managing to slip through and acquire so much IPv4 space (which in turn
might also come to explain... in a few years time... how they will have
managed to acquire so much IPv6 address space).
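One concrete form of the ``over the wire'' utilization check discussed in this message (an added example, not the poster's own software and not anything ARIN is known to run): it parses nmap's grepable output (`-oG`) from a host-discovery scan and counts responding hosts in each audited /24. The scan output and the blocks below are constructed from RFC 5737 documentation ranges, not real data.

```python
"""Aggregate nmap grepable (-oG) host-discovery results per audited /24.

Added example for this thread, not the poster's tool.  Sample input is a
constructed `nmap -sn -oG -` capture over documentation address ranges.
"""
import ipaddress
import re

# Constructed sample output, in the format `nmap -sn -oG -` produces.
SAMPLE_OG = """\
# Nmap 5.21 scan initiated Fri Nov  5 08:00:00 2010 as: nmap -sn -oG - 192.0.2.0/24 198.51.100.0/24
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.7 ()\tStatus: Up
Host: 192.0.2.9 ()\tStatus: Down
Host: 198.51.100.3 ()\tStatus: Up
Host: 198.51.100.4 ()\tStatus: Up
Host: 198.51.100.10 ()\tStatus: Up
Host: 198.51.100.250 ()\tStatus: Up
# Nmap done at Fri Nov  5 08:01:00 2010 -- 512 IP addresses (6 hosts up) scanned
"""

# "Host: <addr> (<name>)<tab>Status: <Up|Down>"; comment lines do not match.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def up_addresses(grepable_text):
    """Return the list of addresses whose Status field is 'Up'."""
    found = []
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            found.append(ipaddress.ip_address(m.group(1)))
    return found


def utilization_report(grepable_text, audited_blocks, min_hosts=3):
    """Count responding hosts per audited block; flag blocks under min_hosts.

    Returns {block: (hosts_up, flagged)}.  Blocks with no responders at all are
    still reported as (0, True), so a block absent from the scan output is not
    silently skipped.  A flag is a lead for follow-up, not proof of emptiness:
    filtered or quiet hosts never answer a discovery probe.
    """
    up = up_addresses(grepable_text)
    report = {}
    for block in audited_blocks:
        net = ipaddress.ip_network(block)
        count = sum(1 for addr in up if addr in net)
        report[str(net)] = (count, count < min_hosts)
    return report
```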