[anti-abuse-wg] {Disarmed} Re: Introducing the RIPE NCC Report Form

it depends, on whether we saw a pattern of such large allocations coming through the same LIR on multiple occasions.  engaging the LIR might work in some but not all cases such as where the LIR itself is a front for whatever activity you are complaining to it about.   Like say sending an abuse report to estdomains that a domain registered through them was used by the rbn.

--srs (iPad)

On 11-Apr-2012, at 23:46, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Suresh Ramasubramanian:
> 
>> The same thing with ARIN or any other RIR whois .. if you find a UPS
>> store maildrop with a bunch of /20s mapped to it .. and each
>> successive /20 you find is entirely populated with "something bad" ..
>> then a full text search of the RIR's db for all netblocks registered
>> to that UPS store might be instructive.
> 
> Instructive for what?
> 
> As long as the responsible LIR is readily identifiable, I don't think
> RIPE NCC needs to get involved, at least from a network abuse
> perspective.  Typically, the LIR is in a much better position to
> implement effective measures.  Other LIRs may have concerns about
> misuse of address resources and encourage RIPE NCC to investigate
> things more aggressively from a resource usage perspective, but this
> is unrelated to actual network and abuse, and it is totally unclear
> whether we will experience address shortage in a significant way,
> ever.
> 
> Admittedly, proper LIR identification is not a completely solved
> issue, mainly because the RIPE DB does not contain cross-references to
> official registers (where applicable; these are generally provided
> during LIR enrollment), the database does not contain the contracting
> LIR for provider-independent objects, and tools like the abuse mailbox
> finder do not implement LIR fallback even if the required information
> is present in the public database.