Dear Kauto, all, In response to your email, here is some general information on abuse handling at the RIPE NCC. The RIPE NCC has a procedure for handling abuse complaints. Anyone can send a complaint to the email address abuse@ripe.net. All complaints are replied to in an appropriate manner. The timeline for the handling of a complaint varies depending on the type of abuse reported and the investigation/actions needed from our side. This procedure is currently not published. The RIPE NCC has realised the need for a publicly available procedural document in which all aspects of this procedure will be described in detail. The drafting of this document is in progress. To reply to your last question, there are some RIPE Database queries that will provide the information you require. Registration of an AS Number also requires this reference. The command: whois -r -Tinetnum,inet6num,aut-num -i org <LIRs organisation object> will give a list of all allocations and AS numbers for this LIR. It may also return assignments where the "org:" object is referenced. Using the command: whois -rM -Tinetnum,inet6num <allocation> for each allocation will give a list of all the assignments below the allocation. Please bear in mind, this may be a very long list and such a query may take time. These queries can be carried out from our web interfaces. But you might not get a full list as some of our web services have limits on the number of objects returned. Information about the sponsoring LIR is not publicly available. However, this issue has been raised by the RIPE community and a RIPE Task Force will be organised to discuss this and other relevant issues. Please see: http://www.ripe.net/ripe/policies/proposals/2010-10.html http://www.ripe.net/ripe/maillists/archives/db-wg/2011/msg00032.html Kind regards, Athina Fragkouli RIPE NCC -------- Original Message -------- Subject: Re: [anti-abuse-wg] Re: Interaction between the RIPE and anti-abuse communities Date: Wed, 02 Feb 2011 12:25:16 +0200 From: Kauto Huopio <kauto.huopio@ficora.fi> To: anti-abuse-wg@ripe.net Greetings all, I am a relative newcomer within RIPE community - but been working for some 10 years with CERT-FI, the national CERT team in Finland. During this period I have got a feeling (no statistics - yet) that the majority of cases where the validity of ipv4 / AS resource registration details can be questioned are within RIPE service area. APNIC, AFRINIC, LACNIC, ARIN -provided resources with this suspicion are quite rare on my radar. I have a couple of questions on my mind: 1) What is the current procedure to initiate an investigation with RIPE NCC on resource registration data consistency? 2) Are there any spesific requirements to be filled to trigger investiation procedures - what proof of suspicious registration data is needed? 3) Where I can find the current RIPE policies applied on this type of investigation request? 4) What kind of reply time one could expect from RIPE NCC for this type of request? 5) What methods I could use to extract -sponsoring LIR data of a inetnum / autnum object -all inetnum/autnum objects delegated by a spesified LIR from RIPE NCC WHOIS database? (personally I think there is no need to hide this information - all customer networks of an ISP can be easily extracted from BGP routing data, business protection needs IMHO do not warrant blocking this information) I have a couple of examples that could perhaps warrant a concentrated look. First is a recent and public one, documented here: http://www.abuse.ch/?p=3130 Could regisgtry consistency procedures be initiated on the suspicious resources mentioned in the blog post? A second case I would like to work with appropriate RIPE NCC staff directly. --Kauto -- Kauto Huopio - kauto.huopio@ficora.fi Senior information security adviser Finnish Communications Regulatory Authority / CERT-FI tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131 CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi