Re: [apops] Fwd: [ppml] Policy Proposal 2003-2: Network Abuse]

  • To: Suresh Ramasubramanian <suresh at outblaze dot com>
  • Subject: Re: [apops] Fwd: [ppml] Policy Proposal 2003-2: Network Abuse]
  • From: Philip Smith <pfs at cisco dot com>
  • Date: Wed, 05 Mar 2003 11:56:48 +1000
  • Cc: apops at apops dot net, sig-policy at lists dot apnic dot net
  • In-reply-to: < at frodo dot hserus dot net>
  • List-id: Asia Pacific Operations Forum <>
    • Hi Suresh,

      Well, you could propose this, or something like this, as APNIC Policy at the next APNIC meeting in August? Why not, I'm sure some aspects would be quite useful for this part of the world?

      The first four points sound easy enough, 5 and 6 sound more of a challenge (who will regulate), and 7 could be a nightmare. 5 and 6 are all about proper operational practices anyway, and folks who actually are interested in providing a decent service to their customers will know about the nsp-security list as well as the INOC-DBA system. Not sure how that could fit into an RIR's policy, apart from being part of their educational process.


      At 06:19 05/03/2003 +0530, Suresh Ramasubramanian wrote:
      How workable is this? Most of this sounds like a good idea.

      #7 sounds a lot like a lawsuit-magnet if done on a formalized basis, but does work very well on a "buddy buddy" basis (ISP abuse ops personnel mailing their friends and colleagues at other ISPs and asking for informal opinions - that goes on a lot)


      From: Member Services <memsvcs at arin dot net>
      Subject: [ppml] Policy Proposal 2003-2: Network Abuse
      To: arin-announce at arin dot net, ppml at arin dot net
      Date: Tue, 4 Mar 2003 12:43:18 -0500 (EST)
      X-Mailer: ELM [version 2.4 PL24 PGP2]
      Precedence: bulk
      ARIN welcomes feedback and discussion about the following policy
      proposal in the weeks leading to the ARIN Public Policy Meeting
      in Memphis, Tennessee, scheduled for April 7-8, 2003. All feedback
      received on the mailing list about this policy proposal will be
      included in the discussions that will take place at the upcoming
      Public Policy Meeting.
      This policy proposal discussion will take place on the ARIN Public
      Policy Mailing List (ppml at arin dot net). Subscription information is
      available at
      Richard Jimmerson
      Director of Operations
      American Registry for Internet Numbers (ARIN)
      ### * ###
      Policy Proposal 2003-2: Network Abuse
      Proposal for a world wide IP Range Policy for fighting
      Network Abuse.
      1. All networks should have valid owner name or Company name with
      a valid mailing address and phone number. Phone number and address
      doesn't need to be visible through the WHOIS Database, but the
      Regional Internet Registries [APNIC, ARIN, LACNIC, and RIPE NCC]
      should have that information.
      2. All networks should [regardless of geographical location] provide
      a valid e-mail contact for network [NOC@] and abuse [Abuse@] contact.
      Make it standard.
      3. Regional Internet Registries [APNIC, ARIN, LACNIC, and RIPE NCC]
      should set up a simple auto system that would periodically send an
      auto e-mail every quarter to all networks using their services to
      check reliability of contact information to help regulate
      distribution of IP Ranges and network security. Those networks would
      be responsible to reply back to the system within a set time period
      to confirm network contact. It could all be done with little or no
      staffing once set-up.
      4. If an IP Range / Network or Dial-Up is found to have invalid
      contact information, address, phone #, e-mail address etc, Regional
      Internet Registries [APNIC, ARIN, LACNIC, and RIPE NCC] should try
      to contact them via e-mail first [which is already being done]. At
      that time if contact is not established via e-mail and returned
      Failure/Undeliverable, they should be contacted via phone or mail
      with the understanding that if they do not reply within say 30 days
      their IP range will be terminated and no connections will be allowed
      in or out of their network until they comply to the terms of service.
      5. All large networks and Dial-ups should have some type of security
      system or team that regulate the network to some level or extent.
      Whether it's a few people, a team of people or some type of software.
      Most do but not all.
      6. All Network administrators responsible for reviewing network abuse
      reports sent about their end users, accused of malicious activity
      should be judged on the level of severity by the reported service used,
      not the number of access attempts to a network or end user. I say this
      because I have time and time again got replies back from networks
      stating, it was only one or two access attempts, we will warn them,
      regardless of what service they used to try to access, and then that
      same individual is right back at you. A Sub7 Trojan Horse is not a
      friendly thing, nor is it a mistake etc. I believe that the service
      greatly shows their intent, if you're vulnerable it only takes one try
      regardless of service. If you break down someone's door on their home,
      it only takes once, the police don't tell the home owner, well he only
      broke your door down once, we will warn him, let us know if he breaks
      your door down again.
      7. There should be some type of database that all ISPs / Dial-Ups use
      and could reference to check new users real names to determine whether
      new subscribers have a past history of network abuse and hacking. This
      database could be managed and updated, all ISPs would add new names of
      users that were found to be guilty of or had had their account
      terminated due to network abuse complaints etc. The dial-up provider
      could at that time at least be alerted to a possible situation. This
      would also make it difficult for hackers to jump from ISP to ISP.