[anti-abuse-wg] What to do when both RIR and ISP don't care?

On Fri, 17 Apr 2009 18:07 UTC mouse at Rodents-Montreal.ORG wrote:

> It is LACNIC's responsibility in a moral sense; they have been granted
> a resource, and with authority over any resource comes responsibility
> for its use.

If that were the case I'm sure we would ALL be chasing LACNIC, AFRINIC,
ARIN, APNIC and indeed RIPE.  And while those bodies could do more to
persuade their members/users to comply with an AUP, they can only do
that where the resource they are providing is itself being abused.

An example of that would be fake or misleading WHOIS information, or
IP address range or ASN hijack, and so on: RIPE (due to the activities
of what we used to call "RBN") has seen plenty of those issues recently.

Logically, it is in the RIR's best interests to deal with all abuse
issues in a timely manner because when an RIR fails to do that, the
result is that the reputation of the IP ranges and ASNs becomes badly
tarnished.  End users will put in manual blocks so that IP addresses
in those ranges cannot connect, or cannot deliver mail.  Those blocks,
when discarded or returned to the RIR, can no longer be reassigned to
new users, and become wasted IP address space.  That is happening NOW.

> However, Internet governance is severely broken.

If there is a meaningful concept of "Internet governance" then yes, it
is severely broken.  I don't believe that the concept really exists,
in that I do not see how ICANN/IANA etc can be expected to enforce any
form of policy on countries with vastly differing social and political
structures, and with a wide range of cultures.  Try getting any Russian
prosecuted for any crimes committed outside Russia, for example.  And in
the case of cybercrime or issues of Internet Governance, there is the
fundamental obstacle that it is nigh impossible to state with certainty
exactly where (ie and in what jurisdiction) the cited offence occurred.

> Those who need to impose that responsibility (IANA/ICANN) refuse to,
> and few (no, AFAIK) RIRs are sufficiently ethical to assume it on
> their own.  So in a pragmatic sense, it is nobody's responsibility.

ARIN, to my personal knowledge, has done a lot more than the other RIRs
but I'm not at liberty to share any details.  However RIRs are limited
in what they can do - simply because they have no effective sanctions.

There are two situations to consider: (a) where the resource-user is
criminal in intent, and (b) where the resource-user provides resources
to criminals but ignores complaints and allows the crime to continue.

The only sanction an RIR would have (talking theoretically) is either to
withdraw the users' resources, or refuse to allocate them new resources.
But in case (a) no lack of resources would stop the criminals announcing
their own unauthorised IP ranges through ASNs they control (whether or
not that control is authorised), and in case (b) the action would only
harm the other innocent users of that provider, and that's something that
responsible people try to avoid doing.  Here I am talking about RIRs as
registries, which makes it a separate issue from what the COMMUNITY might
choose to do, and that community is in my view where the responsibility
for real Internet Governance should lie.

The effective control on all forms of abuse is sourced from the ability
of an upstream - in the ultimate - to remove connectivity.  So in theory
if the backbone providers become aware of crime or unmitigated abuse,
they can and should block the IP ranges involved.  And many of them do.

I raise a glass to Telia, Level3, and Cogent, who recently did exactly
that and stopped a considerable amount of criminal activity on the net
which was originating in Turkey.  Turkish law apparently does NOT allow
providers there to disconnect customers for abuse unless Turkish law is
broken: and Turkish law to deal with Cybercrime is close-to-nonexistent.

I think we should all raise a glass to Hurricane Electric and the other
USA upstreams that shut down McColo and Intercage: and now the trend has
reached Hong Kong where Pacnet shut down the criminal-hoster "Hostfresh".
(Hostfresh had previously got a lot of hosting from Intercage/Cernel Inc)

So what is now needed is that other backbones/upstreams, who have so far
operated a highly-diluted abuse policy, get with the program.  Abovenet,
Reach, VerizonBusiness (in the USA), RelianceGlobal, to name but a few.
Identifying which they are, and persuading them to "upgrade" their abuse
policies, is a task to which we can all contribute.

But don't forget the impact of "Neutral Exchange Points" such as LINX,
AMSIX etc: which by their own choices have NO Acceptable Use Policies.
It's far more difficult to block criminal and harmful traffic when it
is routed through such an Exchange, and the communities running those
Exchanges really should review whether their policies are relevant to
today's level criminal and abusive online activities.

> the abuses have grown to the point where email connectivity to the
> net has about equal positive and negative value.

A large part of the _email_ abuse is caused by the failure of the
US government to make the spamming of private persons illegal, just
as it is in most civilised countries (and particularly Europe).

But email abuse is now a very small part of the abuse on the Internet
(think of botnets, malware, DNS changing, and so on) and that is why
the name of this group was changed recently to reflect that trend.

-- 
Richard Cox