[arin-ppml] Policy Proposal 2003-1: Required Performance of Abuse Contact
Roman Tatarnikov
roman at intlos.org
Fri Aug 29 11:07:51 EDT 2025
> I'm not sure who Matt is
I'm pretty confident it this was Matt's email that was referenced here:
Date: Thu, 28 Aug 2025 13:00:54 -0700
From: Matthew Petach via ARIN-PPML <arin-ppml at arin.net>
And while I agree with that email, I also have to ask, how does sending abuse
reports protects you while those reports are being handled?
Ok, the IP got reported to an abuse@ email. Until the resource holder handles
this report, that IP will still send traffic that you consider dangerous. The
resource holder needs to investigate your claim, get in touch with the owner
of said IP, investigate if they are malicious or not, check if it's an
end-user (their server got breached), ensure that action against said IP
doesn't violate resource holder's (that end-user uses that IP and it's
critical for their operation - can't take it down and their cybersec people
are fixing the breach), etc. Also, what if that end-user files an appeal?
And what if that IP is was spoofed in the first place (hello lack of RPKI)?
And all of that just to handle the claim. While all of this is done, you will
still see traffic from said IP. Even if your suggestion will be adopted as a
policy, it still won't resolve the issue.
Hence why configuring WAF and/or other blocking methods is the best approach
to this. Just operationally, it will protect you and your resources better.
Rather than waiting (and hoping) for someone somewhere take some kind of
action.
--
Roman V Tatarnikov | https://linkedin.com/in/rtatarnikov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20250829/7d686992/attachment.sig>
More information about the ARIN-PPML
mailing list