ARIN-PPML Message

[ppml] Policy Proposal 2003-2: Network Abuse

ARIN welcomes feedback and discussion about the following policy 
proposal in the weeks leading to the ARIN Public Policy Meeting 
in Memphis, Tennessee, scheduled for April 7-8, 2003. All feedback 
received on the mailing list about this policy proposal will be 
included in the discussions that will take place at the upcoming 
Public Policy Meeting. 

This policy proposal discussion will take place on the ARIN Public 
Policy Mailing List (ppml at arin.net). Subscription information is 
available at http://www.arin.net/mailing_lists/index.html 

Richard Jimmerson 
Director of Operations 
American Registry for Internet Numbers (ARIN) 

### * ### 

Policy Proposal 2003-2: Network Abuse

Proposal for a world wide IP Range Policy for fighting 
Network Abuse.

1. All networks should have valid owner name or Company name with 
a valid mailing address and phone number. Phone number and address 
doesn't need to be visible through the WHOIS Database, but the 
Regional Internet Registries [APNIC, ARIN, LACNIC, and RIPE NCC] 
should have that information.

2. All networks should [regardless of geographical location] provide 
a valid e-mail contact for network [NOC@] and abuse [Abuse@] contact. 
Make it standard.

3. Regional Internet Registries [APNIC, ARIN, LACNIC, and RIPE NCC] 
should set up a simple auto system that would periodically send an 
auto e-mail every quarter to all networks using their services to 
check reliability of contact information to help regulate 
distribution of IP Ranges and network security. Those networks would 
be responsible to reply back to the system within a set time period 
to confirm network contact. It could all be done with little or no 
staffing once set-up.

4. If an IP Range / Network or Dial-Up is found to have invalid 
contact information, address, phone #, e-mail address etc, Regional 
Internet Registries [APNIC, ARIN, LACNIC, and RIPE NCC] should try 
to contact then via e-mail first [which is already being done]. At 
that time if contact is not established via e-mail and returned 
Failure/Undeliverable, they should be contacted via phone or mail 
with the understanding that if they do not reply with in say 30 days 
their IP range will be terminated and no connections will be allowed 
in or out of their network until they comply to the terms of service.

5. All large networks and Dial-ups should have some type of security 
system or team that regulate the network to some level or extent. 
Whether it's a few people, a team of people or some type of software. 
Most do but not all.

6. All Network administrators responsible for reviewing network abuse 
reports sent about their end users, accused of malicious activity 
should be judge on the level of severity by the reported service used, 
not the number of access attempts to a network or end user. I say this 
because I have time and time again got replies back from networks 
stating, it was only one or two access attempts, we will warn them, 
regardless of what service they used to try to access, and then that 
same individual is right back at you. A Sub7 Trojan Horse is not a 
friendly thing, nor is it a mistake etc. I believe that the service 
greatly shows their intent, if your venerable it only takes one try 
regardless of service. If you break down someone's door on their home, 
it only takes once, the police don't tell the home owner, well he only 
broke your door down once, we will warn him, let us know if he breaks 
your door down again.

7. There should be some type of database that all IPS's / Dial-Ups use 
and could reference to check new users real names to determine whether 
new subscribers have a past history of network abuse and hacking. This 
database could be managed and updated, all ISP would add new names of 
users that we're found to be guilty of or had had their account 
terminated due to network abuse complaints etc. The dial-up provider 
could at that time at least be alerted to a possible situation. This 
would also make it difficult for hackers to jump from ISP to ISP.