SANS ISC: InfoSec Handlers Diary Blog

Whois someone else?

Published: 2014-11-04
Last Updated: 2014-11-04 00:07:57 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

A couple of weeks ago, I already covered the situation where a "cloud" IP address gets re-assigned and the new owner still sees some of your traffic. Recently, one of our clients had the opposite problem: they had changed their Internet provider and had held on to the old address range for a decent decay period. They even confirmed with a week-long packet capture that there was no afterglow (residual traffic) on the link, and then dismantled the setup.

Until last week, when an annoyed rant landed in their abuse@ mailbox, accusing them of hosting an active spam operation. The engineer on duty in the NOC didn't notice at first that the IP address was no longer theirs (it still looked "familiar" to him), and he escalated to their incident response team, who rather quickly confirmed: "Duh, this ain't us!"

A full 18 months after the old ISP contract expired, it turned out that their entire contact information was still listed in the WHOIS record for the old netblock, so every abuse complaint about the new occupant's traffic was being routed to them. After this experience, we ran a quick check on about 20 IP ranges that we knew had changed owner in the past two years, and the problem appears to be fairly common: four of them were still showing the old owner and contact information in their whois records.
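The "quick check" above is easy to automate. The following script is an added example and is not code from the diary or from SANS ISC: it parses ARIN- and RIPE-style whois text into key/value fields and flags any field that still mentions the former owner's organisation name or mail domain. The netblocks (RFC 5737 documentation ranges), the whois text and the "Example Corp" identifiers are constructed samples; `whois_lookup()` is a thin wrapper around the system `whois` client and is the only part that needs network access.

```python
"""Audit the whois records of former IP ranges for stale contact information.

Added example, not from the SANS ISC diary. The netblocks and whois text below are
constructed samples (RFC 5737 documentation ranges, example.com contacts);
whois_lookup() wraps the system whois client and needs network access.
"""
import subprocess


def parse_whois(text):
    """Parse 'Key: value' lines of ARIN- or RIPE-style whois output.

    Comment lines ('#' for ARIN, '%' for RIPE/APNIC) are skipped. Repeated keys
    (e.g. several 'descr' lines) are collected into a list, in file order.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def stale_references(record, old_identifiers):
    """Return (field, value) pairs whose value still mentions a former-owner identifier.

    Every field is searched, not just OrgName and the abuse contacts, because stale
    data also turns up in descr, Comment and postal-address lines. Matching is a
    case-insensitive substring test, so '@example.com' also matches 'noc@example.com'.
    """
    needles = [ident.lower() for ident in old_identifiers]
    hits = []
    for field, values in record.items():
        for value in values:
            if any(needle in value.lower() for needle in needles):
                hits.append((field, value))
    return hits


def whois_lookup(netblock, timeout=20):
    """Query the system whois client (needs network; not used by the offline demo)."""
    proc = subprocess.run(["whois", netblock], capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def audit(netblocks, old_identifiers, lookup=whois_lookup):
    """Map each netblock that still references the former owner to its stale fields."""
    report = {}
    for block in netblocks:
        hits = stale_references(parse_whois(lookup(block)), old_identifiers)
        if hits:
            report[block] = hits
    return report


# Constructed sample whois output for three ranges the (fictional) Example Corp gave up.
SAMPLE_RECORDS = {
    # ARIN style: still lists the former owner long after the contract ended.
    "192.0.2.0/24": """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        OLDISP-CUST-0042
OrgName:        Example Corp
OrgAbuseEmail:  abuse@example.com
OrgTechEmail:   noc@example.com
""",
    # ARIN style: correctly re-assigned to the new customer.
    "198.51.100.0/24": """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        NEWISP-NET-5
OrgName:        New ISP LLC
OrgAbuseEmail:  abuse@newisp.example.net
""",
    # RIPE style: descr and abuse-mailbox still point at the former owner.
    "203.0.113.0/24": """\
% Information related to '203.0.113.0 - 203.0.113.255'
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLECORP-DC2
descr:          Example Corp data centre 2
org:            ORG-EC1-RIPE
abuse-mailbox:  abuse@example.com
""",
}

# Strings that identify the former owner: organisation name and mail domain.
OLD_IDENTIFIERS = ("Example Corp", "@example.com")


if __name__ == "__main__":
    # Offline run against the constructed records; pass lookup=whois_lookup for real ranges.
    for block, hits in audit(SAMPLE_RECORDS, OLD_IDENTIFIERS, lookup=SAMPLE_RECORDS.__getitem__).items():
        print(block)
        for field, value in hits:
            print(f"  stale {field}: {value}")
```

Run it periodically against every range you have given back, with your organisation name, abuse and NOC mailboxes, and phone numbers as the identifiers. The substring match is deliberately loose, so expect the odd false positive (a new owner whose mail domain happens to contain yours) and review hits by hand before chasing the ISP.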

So, if you change IP ranges, don't just keep the "afterglow" in mind: also remember to chase your former ISP until all traces of your contact information are removed from the public whois records associated with that network, and verify the records yourself rather than taking the ISP's word that they were updated.

If you have @!#%%%! stories to share about stale whois information, feel free to use the comments below or our contact form.
