[LACNIC/Seguridad] Abuse contact of gvt.com.br not functioning

U.Mutlu security en mutluit.com
Mon Oct 15 21:28:33 BRT 2012


LACNIC Policy Manual (v1.10 - 13/08/2012) http://lacnic.net/en/politicas/manual4.html says
"
LACNIC's WHOIS system allows representing up to three different points of contact, namely:
-owner-c, which represents the administrative contact of the organization to which the ASN was assigned;
-routing-c, contact who, by means of the IP and ASN administration system, may register the routing policies
adopted by the Autonomous System;
-abuse-c, security contact (Abuse Contact).
"

The question is: what if these contacts are inoperative or fake?
If the WHOIS maintainer, i.e. the RIR, gets evidence of such a case,
then it is implicitly its own duty to fix the record in order to fulfill its mandate!


Arturo Servin wrote, On 10/16/2012 01:15 AM:
>
>
> On 15/10/2012 20:04, U.Mutlu wrote:
>> Dear Sir from LACNIC!
>> your suggestions are impractical, you seem never have been
>> an administrator, and you seem not to know your own mandate!
>
> 	I don't get it, be explicit. I think I am very clear about my role and what
> I can and cannot do.
>
>>
>> There must be a working abuse contact in the WHOIS db,
>> and that contact must process the Abuse Reports caused by its clients,
>> and cut off those clients who are evidently doing cyber crimes
>> like attempting to hack other systems.
>
> 	Yes, the abuse contact should do that. But they are not under any
> obligation to do it unless there is a request from a judge.
>
>
>
>> If that contact evidently does not do its duty, then it is
>> the job of the RIR to make them obey the rules.
>
> 	No, the RIRs are not the Internet police. You are clearly confused.
>
> 	I leave you with this URL to clarify for you the role of an RIR:
>
> http://www.ietf.org/rfc/rfc2050.txt
>
>
>>
>> FYI: here over in Europe (RIPE) "abuse-c" in the WHOIS has become a
>> _mandatory_ entry
>> --> https://www.ripe.net/ripe/policies/proposals/2011-06
>> and it works in about all EU countries.
>
> 	We also have that contact, but it is for informational purposes so all
> entities can coordinate actions in case of abuse. It depends on the good
> will of all parties to make it work.
>
>> Problematic countries are CN, IN, ID, BR, RU, UA etc.
>> One wonders why...
>> I think because of lack of law & rules, education, and moral values.
>
> 	Now I think you are crossing the line and being impolite.
>
> 	With that kind of attitude you are going nowhere.
>
> Regards,
> as
>
>>
>>
>> Arturo Servin wrote, On 10/15/2012 06:32 PM:
>>>
>>>      So, why not just block the IP(s)?
>>>
>>>      Any fw can do that, I do not see why you need to block the whole
>>> cctld.
>>>
>>>      Also you can change the ssh port and/or allow just some IP addresses
>>> to log in to your server.
>>>
>>>      Finally, what do you expect for the IP address holder to do?
>>>
>>>      IMHO and IANAL if you want them to do something you need to execute
>>> legal action, not just an email to abuse.
>>>
>>> Regards,
>>> as
>>>
>>> On 15/10/2012 14:11, U.Mutlu wrote:
>>>> Arturo Servin wrote, On 10/15/2012 05:48 PM:
>>>>>
>>>>>       What do you mean it is not possible?
>>>>>
>>>>>       What is your problem? Do you get SPAM or DDoS from gvt.com.br?
>>>>>
>>>>>       It would be difficult to give advice without knowing the
>>>>> problem.
>>>>> But certainly blocking the whole .cc is not a clean/optimal/advisable
>>>>> solution to say the least no matter the problem.
>>>>
>>>> Especially unauthorized login attempts, i.e. hacker activities, just one
>>>> example:
>>>>
>>>> "
>>>> Subject: [MIT-s5-BR3S083182EHL] Net Abuse: illegal ssh login attempt
>>>> (hacker activity) from IP 187.115.202.83
>>>> To: abuse en gvt.com.br (Network Abuse Desk)
>>>> Date: Sat, 13 Oct 2012 11:27:37 +0200
>>>> "
>>>>
>>>> This was the 3rd Abuse Report that IP had caused on that server of ours.
>>>> And we wait 2+ days before sending another AR if the attack/attempt
>>>> repeats.
>>>> I.e. that company has not reacted to any of the 3 Abuse Reports for
>>>> that IP,
>>>> and unfortunately there are way too many such cases...
>>>>
>>>>
>>>>> On 15/10/2012 13:42, U.Mutlu wrote:
>>>>>> Carlos Martinez wrote, On 10/14/2012 06:05 PM:
>>>>>>> I don't really understand your logic. You blocked a CC of 170M
>>>>>>> people
>>>>>>> for a single domain.
>>>>>>>
>>>>>>> A more fine grained acl can be created I'm sure.
>>>>>>
>>>>>> I admit it's not the best method, I too would prefer blocking
>>>>>> on a company/domain basis (or abuse-address basis), but that is
>>>>>> IMHO not possible with the standard tools we use (iptables with
>>>>>> xtools/geoip).
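The two practical points raised in the thread (block the offending addresses with a fine-grained ACL rather than a whole ccTLD, and wait 2+ days before re-sending an abuse report for the same IP) as an added Python example; it is not code from the thread or from any of its participants. The auth.log lines are constructed (documentation address ranges), and the failure threshold, time window and iptables rule shape are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of sshd auth.log lines (documentation IPs, not real sources).
SAMPLE_AUTH_LOG = """\
Oct 13 11:20:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 13 11:20:03 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Oct 13 11:20:04 srv sshd[2103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 13 11:20:06 srv sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Oct 13 11:20:09 srv sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Oct 13 11:21:40 srv sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Oct 13 11:25:00 srv sshd[2111]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failed_logins(log_text, year=2012):
    """Return [(timestamp, source_ip), ...] for every failed-password line (syslog has no year)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events

def offending_ips(events, threshold=5, window=timedelta(minutes=10)):
    """IPs with >= threshold failures inside any sliding window, mapped to their total failures."""
    by_ip = {}
    for ts, ip in sorted(events):
        by_ip.setdefault(ip, []).append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                result[ip] = len(stamps)
                break
    return result

def abuse_report_due(ip, now, last_reported, cooldown=timedelta(days=2)):
    """Throttle abuse reports: one per IP, then stay silent for the cooldown (2+ days here)."""
    last = last_reported.get(ip)
    return last is None or now - last >= cooldown

def per_ip_rules(ips):
    """Host ACL for exactly the offending addresses, instead of a country-wide geoip block."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]
```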



