Hi, the whole problem arises from the fact that you replace the term IP address with end user site. These are two different terms with different meanings. Yes, notification for each IP(v4,v6) address will generated unwanted noise. You can hit whois AUP limits just by programming error and end user will see this and can take corresponding action. I was talking about "escallations" - situations where someone deliberately tries to break through the AUP limits with the aim of scraping the database. A situation where the blocking of not individual addresses is attempted, but the entire subnet (end user site) is blocked. In this case I think infrastructure administrator should also be aware. In this case, the problem is unlikely to correct itself. - Daniel On 8/5/24 11:53 AM, Edward Shryane wrote:
Hi Gert, Daniel,
On 4 Aug 2024, at 15:00, Gert Doering <gert@space.net> wrote:
Hi,
On Sun, Aug 04, 2024 at 01:46:07PM +0200, Daniel Suchy wrote:
In my case, I also missed any notification about "malicious" activity to registered abuse contact. I think this should be part of process in case at least when subnet (more than single host) is blocked. Automatically generated notification is sufficient here. I think is good to know about such issues from network-operator perspective. Even if it will be an opt-in (but I think good operator takes care about similar events in its network).
Indeed, that sounds like an idea to spend some thoughts on - if the RIPE DB blocks "something" for AUP violation, send "suitable" notifications.
Is there any action for the abuse contact to take in this situation? I think it is more about educating the end user about why they have been blocked.
We already inform the user in the query response why their request has been blocked, and explain in our documentation: https://apps.db.ripe.net/docs/FAQ/#why-did-i-receive-an-error-201-access-den...
Very few end users will repeatedly exceed the query limit (i.e. we temporarily block 100's of IPs daily, but permanently block 10-20 IPs, out of millions of source IPs daily).
If users can resolve the situation themselves, is there a need to also notify the abuse contact?
Regards Ed Shryane RIPE NCC