RIPE NCC Abuse Complaints, Audits and Reports
Dear colleagues,

Following discussions and comments on the mailing list, we would like to inform you about the current status of audits and handling abuse complaints, and on plans to improve the way we deal with these.

Currently, abuse complaints come in via abuse@ripe.net. When this is a valid complaint, we investigate the matter, we contact the relevant LIR and we execute an audit on the LIR.

Apart from audits initiated by complaints, we also execute audits of randomly selected LIRs as well as LIRs in whose registration records we notice inconsistencies.

Here are some statistics on the number of audits and on the outcomes of those audits:

- 2009: 319 audits, all LIRs were in order or complied with auditors’ instructions
- 2010: 447 audits, seven PI assignments were deregistered
- 2011: 234 audits, 124 are complete, two LIRs were closed as a result of the audits, two PI assignments were deregistered, 110 audits are ongoing

For confidentiality reasons, the RIPE NCC does not report on individual audits, on the changes/amendments made in the audits or on the comments/communication with the LIR during the audit.

Reports on audits will take place during the update from the RIPE NCC at the RIPE NCC Services Working Group at every RIPE Meeting.

We acknowledge there is a lack of clarity and transparency on our abuse and complaint procedure. We are in the process of redeveloping this process to improve our services in this area. We will present the revised process during the RIPE 63 Meeting in Vienna.

Because we are in the process of setting this up, we welcome your feedback and any experiences you would like to share on this mailing list. We will not comment on each and every suggestion, but we will take the feedback/comments into account in developing this new procedure.

Kind regards,

Athina Fragkouli
RIPE NCC
On 17/08/2011 14:29, Athina Fragkouli wrote:
> - 2011: 234 audits, 124 are complete, two LIRs were closed as a result of the audits, two PI assignments were deregistered, 110 audits are ongoing
>
> For confidentiality reasons, the RIPE NCC does not report on individual audits, on the changes/amendments made in the audits or on the comments/communication with the LIR during the audit.
I think that there needs to be a balance between the privacy and transparency in the process. In another community I participate in, when a member doesn't meet the requirements for membership and is formally investigated for that failure - a concise and factual e-mail is sent to the rest of the community so that we understand why they have left. The statements are never defamatory - usually something like 'Following a complaint about y, Foo failed to meet requirement x, and since they did not respond to our concerns or correct this issue within the time given, they have been removed.' I've noticed that a LIR and PI assignment I complained about earlier in the year have disappeared. I can't be sure that it's one of those, but I'm assuming that it is. The LIR seemed to exist only to provide a single PI assignment to a company that didn't exist, and the allocation was being used for abuse.
> Because we are in the process of setting this up, we welcome your feedback and any experiences you would like to share on this mailing list. We will not comment on each and every suggestion, but we will take the feedback/comments into account in developing this new procedure.
If I can confirm with you that my report was related to one of these cases, would it be useful for me to give an account of my experience here?

Regards,
James

--
James Davis 0300 999 2340 (+44 1235 822340)
Senior CSIRT Member
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
On 17.08.2011 16:20, James Davis wrote:
> On 17/08/2011 14:29, Athina Fragkouli wrote:
>> For confidentiality reasons, the RIPE NCC does not report on individual audits, on the changes/amendments made in the audits or on the comments/communication with the LIR during the audit.
>
> I think that there needs to be a balance between the privacy and transparency in the process.
>
> I've noticed that a LIR and PI assignment I complained about earlier in the year have disappeared. I can't be sure that it's one of those, but I'm assuming that it is.
Some feedback --e.g. "thanks, your complaint was useful: we closed that LIR", or "your complaint was useless, please avoid sending x in the future"-- might educate complainants and thus optimize the time spent on these issues by abuse teams at both RIPE's and complainants'. Of course, the more restricted the senders base, the higher the percent-wise effect of educating a single one of them. Should abuse@RIPE only be used by LIRs? In this case, users at deeper branches of the delegation tree would send to abuse@LIR and so forth, provided that valid abuse teams are available at those levels. (This approach is consistent with the currently advised hierarchical procedure for locating an abuse-mailbox for a given IP address.)
>> Because we are in the process of setting this up, we welcome your feedback and any experiences you would like to share on this mailing list. We will not comment on each and every suggestion, but we will take the feedback/comments into account in developing this new procedure.
Thanks.
Athina

Thanks for sharing this information - it's useful

Regards

Michele
Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Thank you Athina

Is it possible to share the total amount of IP space reclaimed? eg: so many /16s, etc.

Aggregate stats like that shouldn't violate confidentiality clauses in your audit, I think

thanks
suresh

On Wed, Aug 17, 2011 at 6:59 PM, Athina Fragkouli <athina.fragkouli@ripe.net> wrote:
> Here are some statistics on the number of audits and on the outcomes of those audits:
> - 2009: 319 audits, all LIRs were in order or complied with auditors’ instructions
> - 2010: 447 audits, seven PI assignments were deregistered
> - 2011: 234 audits, 124 are complete, two LIRs were closed as a result of the audits, two PI assignments were deregistered, 110 audits are ongoing
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Hello Athina, many thanks for this report.
> Currently, abuse complaints come in via abuse@ripe.net. When this is a valid complaint, we investigate the matter, we contact the relevant LIR and we execute an audit on the LIR.

This, read in isolation, could support misunderstandings, at least I'm about to be confused. What nature of "complaints" would initiate an audit?

I'm confident that "valid" above means that the complaint has significant indication that either the LIR as such has issues with its existence or legal status or the object maintained by the LIR or the respective assignee has such issues or raises serious doubts, failure to clear which would raise a process violation by the LIR.

I'd not read this as "a customer of LIR x sent me spam and therefore the LIR is now undergoing an audit".

Thanks,
Peter
On 08/17/2011 08:08 PM, Peter Koch wrote:

As Peter mentioned, I think we need to hear and understand what exactly is "a valid complaint" that can initiate a LIR audit. This also should be in an open published document that describes the entire "abuse handling" procedure of RIPE NCC. As Athina said, we should expect a relevant presentation at RIPE 63.

Regards,
Kostas
Athina Fragkouli wrote:
> Dear colleagues,
>
> Following discussions and comments on the mailing list, we would like to inform you about the current status of audits and handling abuse complaints, and on plans to improve the way we deal with these.
Thanks for the numbers!
> Currently, abuse complaints come in via abuse@ripe.net.
Just wondering....

On the sender's end, an address of "abuse@something.tld" usually raises some semantic expectations, in some environments.

I am not proposing to abandon or to replace "abuse@ripe.net", because it probably does serve a valid purpose, within the framework of the assumed semantics (as Peter has pointed out already!), but rather to create a sort of formal complaints process against an LIR.

This process of course SHOULD include some serious safeguards (<quote>When this is a valid complaint</quote>), to avoid being misused for DoS attacks on the administrative plane ;-)

Wilfried.
I'd actually support a form (and maybe also a word / rtf doc with questions, for those who reach out over email) with a detailed questionnaire that helps you ask the most important questions you need to determine whether an audit should be carried out.

--srs

On Wed, Aug 17, 2011 at 11:29 PM, Wilfried Woeber, UniVie/ACOnet <Woeber@cc.univie.ac.at> wrote:
> I am not proposing to abandon or to replace "abuse@ripe.net", because it probably does serve a valid purpose, within the framework of the assumed semantics (as Peter has pointed out already!), but rather to create a sort of formal complaints process against an LIR.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Thanks Athina, this information is very much appreciated. And it of course raises a few questions, some of which have already been mentioned by others in this thread. I do have a few of my own though.
> Currently, abuse complaints come in via abuse@ripe.net. When this is a valid complaint, we investigate the matter, we contact the relevant LIR and we execute an audit on the LIR.

As mentioned by others: what is a 'valid complaint'?

> Apart from audits initiated by complaints, we also execute audits of randomly selected LIRs as well as LIRs in whose registration records we notice inconsistencies.

What are these 'inconsistencies' and how do you come to notice these?

> Here are some statistics on the number of audits and on the outcomes of those audits:
> - 2009: 319 audits, all LIRs were in order or complied with auditors' instructions

Just wondering: no audits have been done before 2009? Does RIPE have an 'audit team'? Of how many people? Are they located (and thus bound by law in) the Netherlands?

> We acknowledge there is a lack of clarity and transparency on our abuse and complaint procedure. We are in the process of redeveloping this process to improve our services in this area. We will present the revised process during the RIPE 63 Meeting in Vienna.
Great. Sounds like a reason to be there :)

Thanks again Athina.
Vissers, Pepijn wrote: [...]
> Just wondering: no audits have been done before 2009?
Oh, definitely yes! Just have a look at this document http://www.ripe.net/ripe/docs/ripe-423 dated "Nov 2007", which already was a sort of iteration to "properly" describe what the usual approach for, and framework of, an audit was. I'll leave the rest of your questions to be answered by the NCC :-)
Vissers, Pepijn wrote:
> As mentioned by others: what is a 'valid complaint'?
Just wondering, if we really want to tell those members, that are misusing RIPE's resources on effort, how to prevent audits and how to hide even better ...

Maybe RIPE should keep the whole procedure secret.

Kind regards, Frank

--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
Public PGP Key available for frank@powerweb.de
participants (10)
- Alessandro Vesely
- Athina Fragkouli
- Frank Gadegast
- James Davis
- Kostas Zorbadelos
- Michele Neylon :: Blacknight
- Peter Koch
- Suresh Ramasubramanian
- Vissers, Pepijn
- Wilfried Woeber, UniVie/ACOnet