[anti-abuse-wg] What to do when both RIR and ISP don't care?
Richard Cox richard.cox at btuser.net
Mon Apr 20 12:29:49 CEST 2009
On Fri, 17 Apr 2009 18:07 UTC mouse at Rodents-Montreal.ORG wrote:

> It is LACNIC's responsibility in a moral sense; they have been granted
> a resource, and with authority over any resource comes responsibility
> for its use.

If that were the case I'm sure we would ALL be chasing LACNIC, AFRINIC, ARIN, APNIC and indeed RIPE. And while those bodies could do more to persuade their members/users to comply with an AUP, they can only do that where the resource they are providing is itself being abused. An example of that would be fake or misleading WHOIS information, or IP address range or ASN hijack, and so on: RIPE (due to the activities of what we used to call "RBN") has seen plenty of those issues recently.

Logically, it is in the RIR's best interests to deal with all abuse issues in a timely manner because when an RIR fails to do that, the result is that the reputation of the IP ranges and ASNs becomes badly tarnished. End users will put in manual blocks so that IP addresses in those ranges cannot connect, or cannot deliver mail. Those blocks, when discarded or returned to the RIR, can no longer be reassigned to new users, and become wasted IP address space. That is happening NOW.

> However, Internet governance is severely broken.

If there is a meaningful concept of "Internet governance" then yes, it is severely broken. I don't believe that the concept really exists, in that I do not see how ICANN/IANA etc can be expected to enforce any form of policy on countries with vastly differing social and political structures, and with a wide range of cultures. Try getting any Russian prosecuted for any crimes committed outside Russia, for example. And in the case of cybercrime or issues of Internet Governance, there is the fundamental obstacle that it is nigh impossible to state with certainty exactly where (ie and in what jurisdiction) the cited offence occurred.

> Those who need to impose that responsibility (IANA/ICANN) refuse to,
> and few (no, AFAIK) RIRs are sufficiently ethical to assume it on
> their own. So in a pragmatic sense, it is nobody's responsibility.

ARIN, to my personal knowledge, has done a lot more than the other RIRs but I'm not at liberty to share any details. However RIRs are limited in what they can do - simply because they have no effective sanctions. There are two situations to consider: (a) where the resource-user is criminal in intent, and (b) where the resource-user provides resources to criminals but ignores complaints and allows the crime to continue.

The only sanction an RIR would have (talking theoretically) is either to withdraw the users' resources, or refuse to allocate them new resources. But in case (a) no lack of resources would stop the criminals announcing their own unauthorised IP ranges through ASNs they control (whether or not that control is authorised), and in case (b) the action would only harm the other innocent users of that provider, and that's something that responsible people try to avoid doing.

Here I am talking about RIRs as registries, which makes it a separate issue from what the COMMUNITY might choose to do, and that community is in my view where the responsibility for real Internet Governance should lie.

The effective control on all forms of abuse is sourced from the ability of an upstream - in the ultimate - to remove connectivity. So in theory if the backbone providers become aware of crime or unmitigated abuse, they can and should block the IP ranges involved. And many of them do.

I raise a glass to Telia, Level3, and Cogent, who recently did exactly that and stopped a considerable amount of criminal activity on the net which was originating in Turkey. Turkish law apparently does NOT allow providers there to disconnect customers for abuse unless Turkish law is broken: and Turkish law to deal with Cybercrime is close-to-nonexistent.

I think we should all raise a glass to Hurricane Electric and the other USA upstreams that shut down McColo and Intercage: and now the trend has reached Hong Kong where Pacnet shut down the criminal-hoster "Hostfresh". (Hostfresh had previously got a lot of hosting from Intercage/Cernel Inc)

So what is now needed is that other backbones/upstreams, who have so far operated a highly-diluted abuse policy, get with the program. Abovenet, Reach, VerizonBusiness (in the USA), RelianceGlobal, to name but a few. Identifying which they are, and persuading them to "upgrade" their abuse policies, is a task to which we can all contribute.

But don't forget the impact of "Neutral Exchange Points" such as LINX, AMSIX etc: which by their own choices have NO Acceptable Use Policies. It's far more difficult to block criminal and harmful traffic when it is routed through such an Exchange, and the communities running those Exchanges really should review whether their policies are relevant to today's level of criminal and abusive online activities.

> the abuses have grown to the point where email connectivity to the
> net has about equal positive and negative value.

A large part of the _email_ abuse is caused by the failure of the US government to make the spamming of private persons illegal, just as it is in most civilised countries (and particularly Europe). But email abuse is now a very small part of the abuse on the Internet (think of botnets, malware, DNS changing, and so on) and that is why the name of this group was changed recently to reflect that trend.

--
Richard Cox