gnarlymarley

IP being used, but not in whois


Sounds to me like the IP registries are confused. Seems to be that 185.254.121.237 is said by ARIN to be RIPE, but by everyone else to be IANA. The IP is in use and is routable. Does anyone else see what I am seeing returned from RIPE, or is this just me?

https://www.spamcop.net/sc?id=z6578180134z80ef26afa691a5047d301c474dcaaf8bz

https://www.spamcop.net/sc?id=z6578095270z15fc50e4b2d4dad674d00394b23c6c24z

https://www.spamcop.net/sc?action=rcache;ip=185.254.121.237

$ whois 185.254.121.237@whois.ripe.net

[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0 - 255.255.255.255'

% No abuse contact registered for 0.0.0.0 - 255.255.255.255

inetnum:        0.0.0.0 - 255.255.255.255
netname:        IANA-BLK
descr:          The whole IPv4 address space

 

37 minutes ago, gnarlymarley said:

Sounds to me like the IP registries are confused. Seems to be that 185.254.121.237 is said by ARIN to be RIPE, but by everyone else to be IANA. The IP is in use and is routable. Does anyone else see what I am seeing returned from RIPE, or is this just me?

https://www.spamcop.net/sc?id=z6578180134z80ef26afa691a5047d301c474dcaaf8bz

No abuse address there; there is a registrar address.

domain:        SWEETREBECCA.SU
nserver:       a.dnspod.com.
nserver:       b.dnspod.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        hunderalex[AT]rambler[DOT]ru
registrar:     RUCENTER-SU
created:       2019-09-26T18:39:07Z
paid-till:     2020-09-26T18:39:07Z
free-date:     2020-10-29
source:        TCI

Phishing site
https://www.virustotal.com/gui/url/59d1efd146c2e4a124360c3ae9dc0ad238fa7d12317e299fd12a3b3c2ca3990a/detection

On 10/4/2019 at 11:17 PM, gnarlymarley said:

Sounds to me like the IP registries are confused. Seems to be that 185.254.121.237 is said by ARIN to be RIPE, but by everyone else to be IANA. The IP is in use and is routable. Does anyone else see what I am seeing returned from RIPE, or is this just me?

I see the same in the whois records - whois.iana.org says that RIPE is authoritative for the 185.0.0.0/8 IP address range, so ARIN is correct in referring to RIPE. The RIPE whois records have plenty of allocations in that block, but there's a hole spanning 185.254.120.0-185.254.123.254 which RIPE lists with the referral back to IANA (i.e. their "we're not the RIR for those addresses" response.)

RIPE publish a daily report of what IP address ranges they're allocated (no contact details shown, just the address ranges, allocation date, and country of the registrant) at ftp://ftp.ripe.net/ripe/stats/, and the entry for these disappeared on 26 September:

delegated-ripencc-20190925:
ripencc|DE|ipv4|185.254.112.0|1024|20180410|allocated
ripencc|AL|ipv4|185.254.116.0|1024|20180410|allocated
ripencc|LT|ipv4|185.254.120.0|1024|20180410|allocated
ripencc|DE|ipv4|185.254.124.0|1024|20180410|allocated
ripencc|DK|ipv4|185.254.128.0|1024|20180410|allocated

delegated-ripencc-20190926:
ripencc|DE|ipv4|185.254.112.0|1024|20180410|allocated
ripencc|AL|ipv4|185.254.116.0|1024|20180410|allocated
ripencc|DE|ipv4|185.254.124.0|1024|20180410|allocated
ripencc|DK|ipv4|185.254.128.0|1024|20180410|allocated

I.e. on 25 September those addresses were listed as having been allocated to someone in Latvia on 10 April 2018, and became unallocated on the following day. There's no entry for these addresses in RIPE's published transfer records (https://www.ripe.net/manage-ips-and-asns/resource-transfers-and-mergers/transfer-statistics). TL;DR: those addresses don't currently belong to anyone, and if, as appears to be the case, the previous holder is still routing them, then they are now squatting on those addresses.

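An added example (my own code, not from this thread, from RIPE or from SpamCop) that automates the check AJR did by hand: parse the RIR "delegated" stats format, ask which delegation covers a given address on a given day, and diff two daily snapshots to find blocks that vanished. The five rows per day are the excerpts quoted in the post above; the full files under ftp://ftp.ripe.net/ripe/stats/ use the same row layout (registry|cc|type|start|value|date|status, with `value` being an address count for ipv4 rows) plus a version header and summary rows, which the parser skips. Names such as `Delegation` and `diff_snapshots` are mine.

```python
"""Parse RIR delegated-stats rows and find allocation holes between snapshots.

Added example, not code from the thread. Assumes the standard RIR stats
row format registry|cc|type|start|value|date|status (delegated-extended
adds an 8th opaque-id field, which is ignored). For ipv4 rows `value`
is the number of addresses in the block, so a block need not be a
single CIDR; summarize_address_range() handles that.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, summarize_address_range
from typing import List, Optional, Tuple

# Snapshot excerpts copied from AJR's post (delegated-ripencc-20190925/-20190926).
SNAPSHOT_0925 = """\
ripencc|DE|ipv4|185.254.112.0|1024|20180410|allocated
ripencc|AL|ipv4|185.254.116.0|1024|20180410|allocated
ripencc|LT|ipv4|185.254.120.0|1024|20180410|allocated
ripencc|DE|ipv4|185.254.124.0|1024|20180410|allocated
ripencc|DK|ipv4|185.254.128.0|1024|20180410|allocated
"""
SNAPSHOT_0926 = """\
ripencc|DE|ipv4|185.254.112.0|1024|20180410|allocated
ripencc|AL|ipv4|185.254.116.0|1024|20180410|allocated
ripencc|DE|ipv4|185.254.124.0|1024|20180410|allocated
ripencc|DK|ipv4|185.254.128.0|1024|20180410|allocated
"""


@dataclass(frozen=True)
class Delegation:
    registry: str
    cc: str
    first: IPv4Address
    last: IPv4Address
    date: str
    status: str

    @property
    def cidrs(self) -> List[str]:
        """The block as CIDR prefixes (one for a power-of-two aligned block)."""
        return [str(n) for n in summarize_address_range(self.first, self.last)]

    def contains(self, ip: IPv4Address) -> bool:
        return self.first <= ip <= self.last


def parse_delegated(text: str) -> List[Delegation]:
    """Parse ipv4 rows; skip comments, the version line, summary rows, ipv6/asn."""
    out: List[Delegation] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # Version line has a date in field 2; summary rows have only 6 fields.
        if len(f) < 7 or f[2] != "ipv4":
            continue
        first = IPv4Address(f[3])
        count = int(f[4])
        out.append(Delegation(f[0], f[1], first, first + (count - 1), f[5], f[6]))
    return out


def covering_delegation(ip: str, delegations: List[Delegation]) -> Optional[Delegation]:
    """Return the delegation that covers `ip`, or None if the RIR lists nothing."""
    addr = ip_address(ip)
    for d in delegations:
        if d.contains(addr):
            return d
    return None


def diff_snapshots(old: List[Delegation],
                   new: List[Delegation]) -> Tuple[List[Delegation], List[Delegation]]:
    """Return (removed, added) rows between two daily snapshots, ordered by start."""
    o, n = set(old), set(new)
    key = lambda d: d.first
    return sorted(o - n, key=key), sorted(n - o, key=key)


if __name__ == "__main__":
    before, after = parse_delegated(SNAPSHOT_0925), parse_delegated(SNAPSHOT_0926)
    target = "185.254.121.237"
    for label, snap in (("20190925", before), ("20190926", after)):
        d = covering_delegation(target, snap)
        print(label, target, "->", f"{d.cc} {d.cidrs} {d.status}" if d else "not delegated")
    removed, added = diff_snapshots(before, after)
    for d in removed:
        print("removed:", d.cc, d.cidrs, "allocated", d.date)
    for d in added:
        print("added:", d.cc, d.cidrs, "allocated", d.date)
```

Run against two real daily files instead of the embedded excerpts to reproduce the finding; a "not delegated" answer for an address that is nonetheless announced in BGP is exactly the squatting signal described in the post, and the removed-row output gives the date the hole appeared.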
1 hour ago, AJR said:

I.e. on 25 September those addresses were listed as having been allocated to someone in Latvia on 10 April 2018, and became unallocated on the following day. There's no entry for these addresses in RIPE's published transfer records (https://www.ripe.net/manage-ips-and-asns/resource-transfers-and-mergers/transfer-statistics). TL;DR: those addresses don't currently belong to anyone, and if, as appears to be the case, the previous holder is still routing them, then they are now squatting on those addresses.

Thanks, good to know. Yeah, it was picked up by Media Land, as can be seen in the BGP tables, https://bgp.he.net/AS206728#_prefixes, out of Russia.

I had contacted RIPE and all I got is that Media Land is what I currently know about it. My contact at RIPE seems to think 185.254.121.0/24 has never been allocated to any organization (which leads me to believe they are only looking at what I can see, and their front-end support is not very helpful.)

Hello,

Thank you for coming back to us.
 
The AS206728 belongs to MEDIALAND. However the range is not allocated.

https://apps.db.ripe.net/db-web-ui/#/query?searchtext=AS206728

So they are announcing a network with a range which is unassigned from their own servers.

Hope to have informed you sufficiently at this stage.

Kind Regards,

 

