[LACNIC/Seguridad] Abuse contact of gvt.com.br not functioning

Arturo Servin aservin en lacnic.net
Mar Oct 16 07:29:57 BRT 2012

	Then we are talking not about "how an isp should response in it abuse
contacts" but "Whois accuracy data".

	For the later we (LACNIC), do all that is possible to do (according to
our policies) to maintain accurate data in the whois. Every time we have
contact with our members (new request of resources, billing, events,
support ticket, etc.) we request them to review (and change if
necessary) their contact information. However if they never request new
resources it is very little that we can do.

	If you have a proposal on how to improve the whois data we would like
to hear about it. As all the RIRs we are bound to our policies, so if
you have an idea it may be good to make a formal proposal.



On 15/10/2012 22:28, U.Mutlu wrote:
> LACNIC Policy Manual (v1.10 - 13/08/2012)
> http://lacnic.net/en/politicas/manual4.html says
> "
> LACNIC's WHOIS system allows representing up to three different points
> of contact, namely:
> -owner−c, which represents the administrative contact of the
> organization to which the ASN was assigned;
> -routing−c, contact who, by means of the IP and ASN administration
> system, may register the routing policies adopted by the Autonomous System;
> -abuse−c, security contact (Abuse Contact).
> "
> The question is: what if these contacts are inoperational or fake?
> If the WHOIS maintainer, ie. RIR, gets evidence about such a case
> then it is implicitly its own duty to fix the record to fulfill its
> mandate!
> Arturo Servin wrote, On 10/16/2012 01:15 AM:
>> On 15/10/2012 20:04, U.Mutlu wrote:
>>> Dear Sir from LACNIC!
>>> your suggestions are impractical, you seem never have been
>>> an administrator, and you seem not to know your own mandate!
>>     I don't get it, be explicit. I think I have very clear my role and
>> what
>> I can and cannot do.
>>> There must be a working abuse contact in the WHOIS db,
>>> and that contact must process the Abuse Reports caused by its clients,
>>> and cut off those clients who are evidently doing cyber crimes
>>> like attempting to hack other systems.
>>     Yes, the abuse contact should do that. But they are not in the
>> obligation to do it unless a request from a judge.
>>> If that contact evidently does not do its duty, then it is
>>> the job of the RIR to make them obey the rules.
>>     No, the RIRs are no the Internet police. You are clearly confused.
>>     I let you with this URL to clarify for you the role of an RIR:
>> http://www.ietf.org/rfc/rfc2050.txt
>>> FYI: here over in Europe (RIPE) "abuse-c" in the WHOIS has become a
>>> _mandatory_ entry
>>> --> https://www.ripe.net/ripe/policies/proposals/2011-06
>>> and it works in about all EU countries.
>>     We also have that contact, but it is for informational purposes so
>> all
>> entities can coordinate actions in case of abuse. It depends of the good
>> will of all parties to make it work.
>>> Problematic countries are CN, IN, ID, BR, RU, UA etc.
>>> One wonders why...
>>> I think because of lack of law & rules, education, and moral values.
>>     Now I think you are crossing the line and being impolite.
>>     With that kind of attitude you are going no where.
>> Regards,
>> as
>>> Arturo Servin wrote, On 10/15/2012 06:32 PM:
>>>>      So, why not just block the IP(s)?
>>>>      Any fw can do that, I do not see why you need to block the whole
>>>> cctld.
>>>>      Also you can change the ssh port or/and to allow just some IP
>>>> address
>>>> to login to your server.
>>>>      Finally, what do you expect for the IP address holder to do?
>>>>      IMHO and IANAL if you want them to do something you need to
>>>> execute
>>>> legal action, not just an email to abuse.
>>>> Regards,
>>>> as
>>>> On 15/10/2012 14:11, U.Mutlu wrote:
>>>>> Arturo Servin wrote, On 10/15/2012 05:48 PM:
>>>>>>       What do you mean it is not possible?
>>>>>>       What is your problem? Do you get SPAM or DDoS from gvt.com.br?
>>>>>>       It would be difficult to give an advise without knowing the
>>>>>> problem.
>>>>>> But certainly blocking the whole .cc is not a clean/optimal/advisable
>>>>>> solution to say the least no matter the problem.
>>>>> Especially unauthorized login attempts, ie. hacker activities, just
>>>>> one
>>>>> example:
>>>>> "
>>>>> Subject: [MIT-s5-BR3S083182EHL] Net Abuse: illegal ssh login attempt
>>>>> (hacker activity) from IP
>>>>> To: abuse en gvt.com.br (Network Abuse Desk)
>>>>> Date: Sat, 13 Oct 2012 11:27:37 +0200
>>>>> "
>>>>> This was the 3rd Abuse Report that IP had caused on that server of
>>>>> ours.
>>>>> And we wait 2+ days before sending another AR if the attack/attempt
>>>>> repeats.
>>>>> Ie. that company has not reacted to any of the 3 Abuse Reports for
>>>>> that IP,
>>>>> and unfortunately there are way too many such cases...
>>>>>> On 15/10/2012 13:42, U.Mutlu wrote:
>>>>>>> Carlos Martinez wrote, On 10/14/2012 06:05 PM:
>>>>>>>> I don't really understand your logic. You  blocked a CC of 170M
>>>>>>>> people
>>>>>>>> for a single domain.
>>>>>>>> A more fine grained acl can be created I'm sure.
>>>>>>> I admit it's not the best method, I too would prefer blocking
>>>>>>> on a company/domain basis (or abuse-address basis), but that is
>>>>>>> IMHO not possible with the standard tools we use (iptables with
>>>>>>> xtools/geoip).

Más información sobre la lista de distribución Seguridad