This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Sources of Abuse Contact Info For Abuse Handlers
Richard Clayton
richard at highwayman.com
Thu Nov 19 13:33:55 CET 2015
In message <5649F74A.70304 at heanet.ie>, Brian Nisbet <brian.nisbet at heanet.ie> writes

>At this point we would like to invite any final comments from the WG (a
>last call of sorts) before it is published. Ideally these comments would
>be great before the WG Session at 11:00 EET on Thursday 19th November,
>but definitely before the end of this week.

I am concerned about the section on Geolocation -- not least because Geolocation doesn't work all that well, especially when abuse is occurring and the bad guys are seeking to confuse.

The section starts:

    As discussed in the section "General remarks on abuse contact
    lookups", some incident reports should simply go to the national
    CERT. For this task, it is important to find the country code of an
    IP address or a domain.

There is no further discussion of domains ... many of which don't have a "country code" and indeed many country codes are not operated by the relevant country (albeit if such a country had a CERT I expect they'd be happy to take the report and would have good contacts with the relevant people who could actually take action). So why mention domains at all?

Mapping IP addresses to a country and an AS works well most of the time, but the lack of any security in BGP means that the data one obtains from the RIRs or indeed from the "global routing table" [why is Team Cymru mentioned and not stat.ripe.net ??] requires careful interpretation.

The suggestion of running your own copy of Quagga is a wise one, not least because an important way of dealing with abuse when an abuse contact cannot be found or does not respond is to deal with the company that is providing connectivity to the dubious block of IPs -- the routing table gives an indication (often, but not invariably, a correct indication) who that might be....

... but now we're straying into advice as to how to deal with abuse rather than information about datasets...

the change required to the document is a "known issues" statement about Geolocation (perhaps shorter than this):

    Maxmind -- deductions are made from other datasets and assumptions
    are made that delegating a block of address space to a company in
    country X means that the address space is in use in country X

    Team Cymru -- this is also derived data. For country it assumes
    entire blocks are in a single country. For ASs it reports the BGP
    data that Team Cymru is aware of.

    Quagga -- data can require careful interpretation because of the
    lack of security in BGP generally

-- 
Dr Richard Clayton <richard.clayton at cl.cam.ac.uk>
Director, Cambridge Cloud Cybercrime Centre    mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD    tel: +44 (0)1223 763570