Sunglasses? Check. Tin foil hat? Check. Favorite intoxicant? Check. Seat Belts? Check.

by Prometheus 6
August 28, 2004 - 9:09am.
on Seen online

I mentioned posting the IP information of trolls the other day so I thought I'd share this story that did not turn out as I thought it would.

Looking at the stats for The Niggerati Network I saw a HUGE page load number for yesterday. It turns out one "user" was responsible for most of it. I figure spider or spammer, right? Being made curious by the types of URLs tried (they weren't in general links that could be found on the front page) I decided to find out which it was.

My tools in such cases are the WHOIS servers for the four Regional Internet Registries: the American Registry for Internet Numbers (ARIN), Réseaux IP Européens (RIPE), the Latin American and Caribbean Internet Address Registry (LACNIC) and the Asia Pacific Network Information Center (APNIC). I grabbed the IP of the offending party (170.150.100.150) and, proceeding in most-likely-offender order, started with ARIN.
The results?

No match found for 170.150.100.150.

# ARIN WHOIS database, last updated 2004-08-27 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Okay, not unusual so far. It just means one of the other RIRs controls the block of addresses.

I went to RIPE next and got a fascinating bit of information:

inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: The country is really worldwide.
remarks: This address space is assigned at various other places in
remarks: the world and might therefore not be in the RIPE database.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
changed: [email protected] 20010529
changed: [email protected] 20020625
changed: [email protected] 20031014
changed: [email protected] 20040422
changed: [email protected] 20040504
source: RIPE

APNIC was even more informative:

inetnum: 170.0.0.0 - 170.255.255.255
netname: ERX-NETBLOCK
descr: Early registration addresses
remarks: ------------------------------------------------------
remarks: Important:
remarks:
remarks: Networks in this range were allocated by InterNIC
remarks: prior to the formation of Regional Internet
remarks: Registries (RIRs): APNIC, ARIN, LACNIC and RIPE.
remarks:
remarks: Address ranges from this historical space have now
remarks: been transferred to the appropriate RIR database.
remarks:
remarks: If your search has returned this record, it means the
remarks: address range is not administered by APNIC.
remarks:
remarks: Instead, please search one of the following databases:
remarks:
remarks: - ARIN (Northern Americas and southern Africa)
remarks: website: http://www.arin.net/
remarks: command line: whois.arin.net
remarks:
remarks: - LACNIC (Latin America and the Carribean)
remarks: website: http://www.lacnic.net/
remarks: command line: whois.lacnic.net
remarks:
remarks: - RIPE NCC (Europe and northern Africa)
remarks: website: http://www.ripe.net/
remarks: command line: whois.ripe.net
remarks:
remarks: For information on the Early Registration Transfer
remarks: (ERX) project, see:
remarks:
remarks: http://www.apnic.net/db/erx

At this point the only RIR I haven't checked is LACNIC:

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2004-08-28 09:43:29 (BRT -03:00)

% Not assigned to LACNIC 170.150.100.150
% Please use the whois server at whois.arin.net

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

In case you missed the point, I've just demonstrated that there is at least one IP address that is

  1. on the Internet, as opposed to in the private network address spaces
  2. claimed by no one
  3. the origin point of a spammer or spider that targets weblogs

The APNIC response had a link to an explanation of the Early Registration process, and, being old as dirt and a reader of Boardwatch Magazine back before Jack Rickard was undercut, I'm familiar with it. These were the pre-ARIN IP numbers, the ones assigned before the Internet went public and blew up.
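As an added example (not the post's own code), here is a small Python triage routine that does what the post does by hand: send a plain whois query to each RIR server on TCP port 43, classify the answer as a real allocation, a referral to another server, a no-match, or an IANA/ERX placeholder object, and check whether the address is even globally routable rather than in the private ranges. The classification keywords and the abridged sample answers are assumptions modelled on the four responses quoted above.

```python
import ipaddress
import re
import socket

# The four RIR whois servers, in the order the post tried them.
RIR_SERVERS = {"ARIN": "whois.arin.net", "RIPE": "whois.ripe.net",
               "APNIC": "whois.apnic.net", "LACNIC": "whois.lacnic.net"}

def whois_query(server, query, timeout=10):
    """Plain whois (RFC 3912): send the query on TCP/43, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{query}\r\n".encode())
        return b"".join(iter(lambda: s.recv(4096), b"")).decode(errors="replace")

def classify(text):
    """Map one RIR answer to (kind, detail): 'referral' (another server named), 'no_match',
    'placeholder' (an IANA/ERX catch-all object, not a real registration) or 'allocated'."""
    low = text.lower()
    m = re.search(r"whois server at\s+([\w.-]+)", low)
    if m:
        return "referral", m.group(1)
    if "no match found" in low or "not assigned to" in low:
        return "no_match", None
    m = re.search(r"^netname:\s*(\S+)", text, re.M | re.I)
    if m is None:
        return "unknown", None
    name = m.group(1).upper()
    if name in ("IANA-BLK", "ERX-NETBLOCK") or "not administered by" in low:
        return "placeholder", name
    return "allocated", name

def triage(ip, answers):
    """Summarise the RIR lookups for one address from the logs; answers = {rir: response}."""
    addr = ipaddress.ip_address(ip)
    kinds = {rir: classify(txt)[0] for rir, txt in answers.items()}
    return {"on_internet": addr.is_global,  # False for RFC 1918, loopback, link-local, ...
            "claimed": "allocated" in kinds.values(), "per_rir": kinds}

# Constructed, abridged copies of the four answers quoted in the post.
SAMPLE = {
    "ARIN": "No match found for 170.150.100.150.\n# ARIN WHOIS database, last updated 2004-08-27\n",
    "RIPE": "inetnum: 0.0.0.0 - 255.255.255.255\nnetname: IANA-BLK\ndescr: The whole IPv4 address space\n",
    "APNIC": "inetnum: 170.0.0.0 - 170.255.255.255\nnetname: ERX-NETBLOCK\n"
             "remarks: address range is not administered by APNIC.\n",
    "LACNIC": "% Not assigned to LACNIC 170.150.100.150\n% Please use the whois server at whois.arin.net\n",
}

if __name__ == "__main__":
    print(triage("170.150.100.150", SAMPLE))  # live: whois_query(RIR_SERVERS["ARIN"], ip)
```

With the four sample answers the result is "on the Internet, claimed by nobody", which is exactly the situation the post describes; a referral answer tells you which server to query next.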

Now. Put on your shades and hat while you cogitate that.

Submitted by dof (not verified) on August 29, 2004 - 8:19am.

Clearly someone using an unassigned number wants to remain anonymous. However, the perpetrator can just as likely be an individual, corporate or alphabet soup.

What you do is take an unassigned ip number and find an ISP who has sloppy security and accepts routeing data from customers. The unsecured router of the ISP sees a new ip number and just adds routeing for it, and that's all there is to it.

Submitted by Prometheus 6 on August 29, 2004 - 10:03am.

That's not quite all there is to it. Said routing records must be propagated all over the net due to the distributed nature of DNS. So it's VERY interesting that a tracert drops off the face of the earth after two hops.

And it's convenient that an entire Class B address range was left unattached to anyone so we know which numbers to work with, isn't it?

Bet you didn't follow the link at the end either.

Keep trying. There ARE some things I don't know about, trust me.

Just don't expect them to be among the subjects I myself raise.

Submitted by dof (not verified) on August 29, 2004 - 11:52am.

It depends.

If all you want to do is an untraceable DOS attack, then you do not need the unassigned IP address propagated.

If you want to get the results for your http requests then you either need some form of propagation, or connect somewhere upstream of your target, so the reply packets will get back to you by just following the default route.

Given that someone wanting to spider your site anonymously could do so far easier by using an open proxy server (and there's no shortage of those, judging by all those formmail scans on my site) a DOS attack seems the most likely.

Besides, if your website is hosted by your provider, and you admit the possibility that your provider works hand-in-glove with one of the alphabet soup factions by allowing them the use of unassigned numbers, your provider might as well give them an ftp password for its servers, so they can download your stuff without you seeing it in the logs. That's how I would do it if I were a black hat.

But then, the fact that there is nothing in the log could also be indicative that the feds are reading your site.

Submitted by Prometheus 6 on August 30, 2004 - 9:30am.

If you want to get the results for your http requests then you either need some form of propagation, or connect somewhere upstream of your target, so the reply packets will get back to you by just following the default route.

Way too inefficient to set up systems upstream from each site you'd want to monitor.

You see, I'm not thinking I'm being specifically targeted. That would be a little paranoid.

But given that it's been declared all these systems must be tappable for law enforcement purposes it would make no sense to think none of that is going on, or that they would depend on manual methods to do so. Don't you think so?

Nothing else in that comment is on topic. Something to discuss at other times.