[anti-abuse-wg] Straw-man abuse reporting system (was: New on RIPE Labs: Botnets: As We See Them in 2017)

Hello Phishing,

The RIPE NCC cannot "suspend" anyone. There is no "ISP License", at
least not from the RIPE NCC. They could, however, revoke resources
(address space and ASN) or increase fees.

In order for such a system to be effective, you would need to define
what "respond appropriately" means. Also, one would need a way to
verify that the complaints were valid, to prevent evil or ignorant
people from using the complaint system against responsible ISP's.

These things are tricky to get correct. They are expensive, and make
both the RIPE NCC and the abuse reporter potentially legally liable for
damages. They also tend to be hard to change once in place (notice that
phone number is still required on RIPE person objects in the RIPE
Whois database, while e-mail address is optional).

In the past that this has come up, nobody who wants a system of
accountability has produced workable, concrete proposals. As my first
boss told me long, long ago: "It's easy to criticize, but hard to
create."

I can imagine a relatively simple system though. Here's a straw-man
proposal:

* RIPE NCC members can report abuse by other RIPE NCC members via a web
  portal. The abuse report identifies both members, and is visible to
  both of them. RIPE NCC staff may access reports if either member
  requests it, but reports are otherwise confidential. Abuse reports are
  kept for 12 months and then deleted.

* Abuse reports must be responded to within 72 hours using the web
  portal. Every late response results in a warning.

* After 3 calendar months where warnings are received each month, the
  member is put on notice. No new resources can be allocated or
  transferred to or from the member until a month has passed without
  late responses. The member is given a list of abuse reports for the 3
  month period.

* After a year where warnings are received each month, the membership
  is revoked, and their resources returned to the RIPE NCC for
  allocation. The former member is given a list of abuse reports for
  the 12 month period.

* The RIPE NCC Arbiters Panel resolves any disputes.

Note that this does nothing to prevent ISP's from just clicking "abuse
report handled", but it does require ISP's take some action. It also
requires that non-members convince a member to make a complaint on
their behalf.

It is somewhat resistant against people making false claims, since both
parties know who made the complaint. It preserves privacy since claims
are not published. It gives some time for ISP's to sort things out, but
has hard limits. It also has the drawback (or benefit) of not defining
abuse.

This proposal is flawed and thrown out here when I'm cutting back on
caffeine. But I think it shows that maybe a system can be put in place.

Cheers,

--
Shane

At 2017-08-03 20:51:15 -0700
"   " <phishing at storey.xxx> wrote:

> Well it would help if RIPE introduced a policy of accountability, that saw ISP's suspended if they don't respond appropriately to abuse complaints regarding said botnet infections............
> 
> 
> -------- Original Message --------
> > Subject: [anti-abuse-wg] New on RIPE Labs: Botnets: As We See Them in
> > 2017
> > From: Vesna Manojlovic <BECHA at ripe.net>
> > Date: Thu, August 03, 2017 3:54 am
> > To: RIPE Anti-Abuse WG <anti-abuse-wg at ripe.net>
> > 
> > Dear colleagues,
> > 
> > As a part of his research into detecting malicious network activities,
> > Alireza Vaziri is sharing his network/system engineer experiences on
> > defend network's infrastructure from outages.
> > 
> > Please read about it in this new article on RIPE Labs:
> > https://labs.ripe.net/Members/alireza_vaziri/botnet
> > 
> > Regards,
> > Vesna Manojlovic
> > Community Builder
> > RIPE NCC
> > 
> > 
> > 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digitale handtekening
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20170804/ebece03d/attachment.sig>