APNIC Security Specialist Jamie Gillespie gives an overview of APNIC and how we engage with the LEA community.

1. 1
Regional Internet Registries (RIRs)
and Law Enforcement Agencies
UN INCB - Expert Group Meeting on Dangerous Substance Trafficking
through Social Media and other Internet-related Services
1 July 2020
Jamie Gillespie, Security Specialist at APNIC
jamie@apnic.net

2. whois: Jamie Gillespie
• Jamie Gillespie
– jamie@apnic.net
– Security Specialist @ APNIC
– Community engagement, CERT building, InfoSec training, awareness
• Work history
– 8 years at AusCERT, Australia’s national CERT
– Google
– Macquarie Telecom / Cloud Services
2

3. 5
Internet and IP Basics

4. Internet Basics
• Every device on the Internet needs an address, to be found by other
devices
– IPv4: 66.220.144.0
– IPv6: 2a03:2880:11:2f83:face:b00c:0:25de
• Humans are not good with numbers. We have domain names that
translate to address: www.facebook.com → 69.171.239.12
6

5. The Internet is a Series of Networks
• The Network of Networks
7

6. Names and Numbers
8
The Internet
2001:0C00:8888:: 2001:0400::
www.apnic.net
202.112.0.46
2001:0400::
My Computer www.apnic.net
www.apnic.net
202.112.0.46
2001:0400::

7. 9
Who is Who in the Internet

8. Acronyms and Initialisms
• Before we go any further, we should probably define what a
bunch of common acronyms and initialisms mean
– IETF - Internet Engineering Task Force
– IANA - Internet Assigned Numbers Authority
– ICANN - Internet Corporate for Assigned Names and Numbers
– TLD - Top Level Domain
– gTLD - Generic Top Level Domain
– ccTLD - Country Code Top Level Domain
– RIR - Regional Internet Registry
10

9. Where do IP addresses come from?
11

10. RIRs from a Global Perspective
12

11. Regional Internet Registries
13

12. How APNIC and the RIRs Operate
• APNIC is the Regional Internet Registry
(RIR) for the Asia Pacific region
• Membership-based, not-for-profit
• Industry self-regulatory body
– Open
– Consensus-based
– Transparent
• Delegates and manages Internet
number resources
– IPv4 and IPv6 addresses
• Diagram on next slide
– AS numbers
14

13. APNIC’s Roles and Services
• Delegates and manages Internet resources
– IPv4 & IPv6 addresses, AS Numbers
• Maintains the APNIC Whois Database
• Manages reverse DNS delegations
– But is NOT a domain name registry
• Facilitates IP address policy development
• Provides capacity building through training, workshops,
conferences, fellowships, and grants
– resource management, routing, IPv6 deployment, and security
• Research, measurements, publications
• Supports Internet infrastructure development
– Root server deployment, Internet Exchange Points (IXPs)
15

14. So who gets IP address and AS numbers?
• National Internet Registry
• Telcos, ISPs, Mobile Operators
• Hosting Company (Amazon/AWS, Azure, GCP, Linode)
• Universities, Government Departments, Banks
16

15. How APNIC and the RIRs work with LEAs
• APNIC provides LEAs with publicly available registry information
to help them respond to malicious activity on the Internet
• APNIC coordinates with the global technical community to share
information and develop trusted relationships to ensure
coordinated responses to major network security incidents
• APNIC has dedicated legal and network security experts to
support LEA requests
• APNIC’s legal and network security experts provide training to
LEOs, investigators, and the justice sector
(in addition to network operators and CSIRTs)
18

16. 19
https://www.apnic.net/community/security/security-cooperation/#LEAs

17. Working with INTERPOL/Europol/FBI
Improving Whois data quality and accuracy
20

18. How LEAs can Participate with RIRs
• Attend RIR and other industry meetings
– Each RIR runs open meeting and conferences each year
– Network Operator Groups (NOGs)
– Trusted community conferences (UE / RISE, FIRST, M3AAWG…)
• Request training sessions with RIRs
• Participate in the Policy Development Process
– Submit policy proposals, discuss other proposals
• Report invalid contacts from whois records
21

19. 25
Whois Databases

20. Important – About Whois DB
• Number vs Domain Whois
o Two different types of databases
o APNIC and the other RIRs operate the numbers whois DBs
o Top level domains and registrars operate domain whois DBs
• Other Databases
– Reputation
– Data enrichment
• e.g. http://www.team-cymru.com/IP-ASN-mapping.html
26

21. What are the numbers Whois databases?
• Public network management database
– Operated by Internet Registries (like APNIC!)
• Public data only
– Tracks network resources
• IP Addresses, ASNs, Reverse DNS Delegations, Routing Policies
• Records administrative information
– Contact information (persons/roles)
– Authorization for updating this info
– Network abuse handling (IRT)
27

22. IP Address Delegation
28

23. Whois Database Accuracy
• Accurate & Reliable
• Responsiveness
– Stop / Mitigate on going attack
– Reduce impact / exposure of incidents
– Do not have to go through various loops & hoops
• Ideally
– Ability to provide assistance or do something about it
– Escalation
• Features
– Mechanism for reporting invalid contacts
– Trigger other actions
• Other Databases?
– FIRST, APCERT, Trusted Introducer, etc
32
irt: IRT-APNIC-IS-AP
address: South Brisbane, Australia
e-mail: helpdesk@apnic.net
abuse-mailbox: helpdesk@apnic.net
admin-c: AIC1-AP
tech-c: AIC1-AP
auth: # Filtered
remarks: APNIC Infrastructure Services
mnt-by: MAINT-APNIC-IS-AP
changed: hm-changed@apnic.net 20110704
source: APNIC

24. Which Whois to Use?
• APNIC
– Asia Pacific
– APNIC Whois Database (previous slide)
• AFRINIC
– Africa
– https://www.afrinic.net/whois-web/public
• RIPE NCC
– Europe, Central Asia and the Middle East
– https://apps.db.ripe.net
• ARIN
– Northern America
– http://whois.arin.net
• LACNIC
– Latin America and the Caribbean
– http://lacnic.net/cgi-bin/lacnic/whois
33
Regional Internet Registries (RIRs)

25. The APNIC Whois Database
• Holds IP address records within the AP region
• Can use this database to track down the source of the
network abuse
– IP addresses, ASNs, Reverse Domains, Routing policies
• Can find contact details of the relevant network
administrators
– not the individual users
– use administrators log files to contact the individual involved
35

26. Whois Database Access
• APNIC website
– https://www.apnic.net/manage-ip/using-whois/searching
• Whois search tool
– https://wq.apnic.net/whois-search/static/search.html
• Whois client, query tool, or RDAP
– Point the tools at whois.apnic.net
36

27. What if Whois info is invalid?
• Members (ISPs and Network Operators) are responsible for
reporting changes to APNIC
– Under formal membership agreement
• Anyone can report invalid ISP/NetOp contacts to APNIC
– http://www.apnic.net/invalidcontact
– APNIC will contact member and update registration details
• Each RIR has a similar process for handling invalid contacts
37

28. Whois Output
38

29. Whois Output
39

30. Future of Whois
• RDAP – Registration Data Access Protocol
• RDAP is a newer standard for accessing whois information
– Uses standardised queries and responses (JSON)
– Internationalisation
– Redirection for seamless referrals to other registries
• Working now but still under development for NIR data
– www.apnic.net/about-apnic/whois_search/about/rdap/
– www.openrdap.org (GoLang client)
• APNIC is also developing a Network ToolBox
– https://netox.apnic.net (let me know your feedback & suggestions!)
42

31. Reverse DNS
• Reverse DNS translates the IP number back to a name
• Reverse DNS answers are optional for network operators
– The internet works without it
dig -x 202.55.92.5
;; ANSWER SECTION:
5.92.55.202.in-addr.arpa. 5 IN PTR fnet5-m92-access.vqbn.com.sg.
• You can now use whois and other tools/techniques to look
up contact details for vqbn.com.sg
57

32. Current Challenges
• Fraudulent acquisition and transfer of IPv4 addresses
• Route hijacking
• Leasing, buying, and selling of IPv4 addresses outside of
the registry system
• Invalid contact information
58

33. Questions?
Jamie Gillespie
jamie@apnic.net
59