This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Previous message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Next message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
furio ercolessi
furio+as at spin.it
Tue Jun 18 15:29:23 CEST 2013
On Tue, Jun 18, 2013 at 07:10:03AM +0200, Wilfried Woeber wrote: > [...] > May I suggest this description: > > http://www.ripe.net/ripe/groups/wg/anti-abuse > > On a more general aspect, please try to relate to the general raos traffic: > In most countries, I presume, the unique license plates are managed and issued > by one or even more entities. Those entities do not accept any responsibility > for the behaviour of the person using a uniquely identified vehicle. > > It is a task for the police or traffic wardens or whatever applies to your > jurisdiction, to oversee the use of the vehicle according to *local* law. > > If a violation is observed or reported, it is the job of the regular legal > system to follow up. If "someone" shouts to the maintainer of the unique > license plate numbers "stop what I don't like", instead of getting in touch > with the police, you will have see limited success. > > Is this something you can relate to? I think it is quite safe to assume that most readers here are well aware of what a RIR is, certainly including Ron who has been fighting network abuse for about two decades now - and I take this opportunity to thank him for working tirelessly during all this time. During this time, we all have learnt that criminals are getting more and more organized, that their creativity and ability should not be underestimated, that we can contribute to defend the Internet from their destructive behavior in many different ways and that, last but not least, that 'reporting to the police' does not scale well, due to a chronic lack of resources (time, skills, adequate international cooperation) on the law enforcement side. I do not believe that anybody is asking RIPE NCC to take actions that are pertinence of law enforcement. I do believe, however, that the RIPE area has a problem with respect to other RIRs, and that some changes (in policies, enforcement of rules, etc) could be made to mitigate the problem somehow, still remaining within the limits of the RIR mandate. One could have a fairly good idea of 'The Problem' by looking at the Spamhaus SBL listings attributed to the RIRs (as far as I understood, Spamhaus does that when the resources are directly allocated by the RIR to criminal groups and therefore no ISP can be accounted for them - the resources are freely moved from one ISP to another). Today: http://www.spamhaus.org/sbl/listings/AFRINIC ...... 4 listings [13] http://www.spamhaus.org/sbl/listings/APNIC ........ 19 listings [55] http://www.spamhaus.org/sbl/listings/ARIN ......... 289 listings [84] http://www.spamhaus.org/sbl/listings/LACNIC ....... 10 listings [20] http://www.spamhaus.org/sbl/listings/RIPE ......... 307 listings [49] The number in brackets is the approximate total allocation size of the RIR in units of /8, extracted from http://labs.apnic.net/ipv4/report.html . ARIN clearly has a serious problem too, but when the number of problem is normalized with the allocation size we obtain (number of problems per /8): AFRINIC ..... 0.31 APNIC ....... 0.35 ARIN ........ 3.44 LACNIC ...... 0.50 RIPENCC ..... 6.27 Certainly one could argue that this is not the best possible metrics as it reflects the point of view of a single actor, and I am sure one could find better metrics. Yet, the normalized result is a factor 2 worse than ARIN, and more than an order of magnitude worse than APNIC. I would doubt that other data could change the RIR order. It may be that this result is simply due to a higher concentration of criminals in the RIPE area than in other areas. In all cases, as an european and a RIPE community member I feel ashamed of this outcome, knowing that I am also in part responsible for it for not having dedicated enough time and thought to this problem. If you look at those Spamhaus listings, you will notice that a good fraction of them is due to 'snowshoe' spamming, where thousands of IP addresses are used as cannons to send unsolicited mail. There are networks as large as /14's used for this purpose. Is anyone here really thinking that this is a valid usage of scarce resources, considering that a well-behaved, opt-in based ESP can usually carry on its activity out of a /24 ? If snowshoe spamming is not an acceptable motivation to get an assignment when asking for it - and I really hope this to be the case - then people could use a network to do that only if they make a false statement when asking for the assignment. Now, RIPE-582 (February 2013) contains the following text: "6.6 Validity of an Assignment All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid." Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment. Then the RIPENCC problem, it seems to me, is that "no longer valid" ranges remain in use for a long period of time. This seems to indicate that there is no effective mechanism to enforce the rules. Indeed, what is the semantic meaning of "no longer valid" if people continue to use those ranges for extended periods of time ? "Invalid" with respect to what ? RIPE-582 does not seem to address this point. If it does, please point me to the relevant section, or to another document that discuss this point. At the end, the problem seems to boil down to these questions: "Does the RIPE Community really want to have resources defined as "invalid", yet live without a real working mechanism to have these invalid resources claimed back and reassigned ? If not, would the introduction of such an enforcement mechanism go against the acceptable operational limits for a RIR ? And if yes, what is the purpose of defining rules that can not be enforced, and hence resulting in bad guys getting as much resources as they like by making false statements ?" Investigation on what other RIRs are doing in terms of reclaiming invalid resources could perhaps also be of help. Thanks for the attention furio ercolessi
- Previous message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Next message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]