[anti-abuse-wg] Re: Interaction between the RIPE and anti-abuse communities]

Dear Kauto, all,

In response to your email, here is some general information on abuse 
handling at the RIPE NCC.

The RIPE NCC has a procedure for handling abuse complaints. Anyone can 
send a complaint to the email address abuse at ripe.net. All complaints are 
replied to in an appropriate manner. The timeline for the handling of a 
complaint varies depending on the type of abuse reported and the 
investigation/actions needed from our side.

This procedure is currently not published. The RIPE NCC has realised the 
need for a publicly available procedural document in which all aspects 
of this procedure will be described in detail. The drafting of this 
document is in progress.

To reply to your last question, there are some RIPE Database queries
that will provide the information you require. Registration of an AS 
Number also requires this reference.

The command:

whois -r -Tinetnum,inet6num,aut-num -i org <LIRs organisation object>

will give a list of all allocations and AS numbers for this LIR. It may
also return assignments where the "org:" object is referenced.

Using the command:

whois -rM -Tinetnum,inet6num <allocation>

for each allocation will give a list of all the assignments below the
allocation. Please bear in mind, this may be a very long list and such
a query may take time.

These queries can be carried out from our web interfaces. But you might 
not get a full list as some of our web services have limits on the 
number of objects returned.

Information about the sponsoring LIR is not publicly available. However, 
this issue has been raised by the RIPE community and a RIPE Task Force 
will be organised to discuss this and other relevant issues. Please see:
http://www.ripe.net/ripe/policies/proposals/2010-10.html
http://www.ripe.net/ripe/maillists/archives/db-wg/2011/msg00032.html

Kind regards,
Athina Fragkouli
RIPE NCC



-------- Original Message --------
Subject: 	Re: [anti-abuse-wg] Re: Interaction between the RIPE and 
anti-abuse communities
Date: 	Wed, 02 Feb 2011 12:25:16 +0200
From: 	Kauto Huopio <kauto.huopio at ficora.fi>
To: 	anti-abuse-wg at ripe.net



Greetings all,

I am a relative newcomer within RIPE community - but been working for
some 10 years with CERT-FI, the national CERT team in Finland. During
this period I have got a feeling (no statistics - yet) that the majority
of cases where the validity of ipv4 / AS resource registration details
can be questioned are within RIPE service area. APNIC, AFRINIC, LACNIC, ARIN
-provided resources with this suspicion are quite rare on my radar.

I have a couple of questions on my mind:

1) What is the current procedure to initiate an investigation with RIPE NCC
on resource registration data consistency?

2) Are there any spesific requirements to be filled to trigger investiation
   procedures - what proof of suspicious registration data is needed?

3) Where I can find the current RIPE policies applied on this type of investigation request?

4) What kind of reply time one could expect from RIPE NCC for this type of request?

5) What methods I could use to extract
   -sponsoring LIR data of a inetnum / autnum object
   -all inetnum/autnum objects delegated by a spesified LIR

   from RIPE NCC WHOIS database?

   (personally I think there is no need to hide this information - all customer
   networks of an ISP can be easily extracted from BGP routing data, business
   protection needs IMHO do not warrant blocking this information)

I have a couple of examples that could perhaps warrant a concentrated look.
First is a recent and public one, documented here:

http://www.abuse.ch/?p=3130

Could regisgtry consistency procedures be initiated on the suspicious resources mentioned
in the blog post?

A second case I would like to work with appropriate RIPE NCC staff directly.

--Kauto

-- 
Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority  / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi