[arin-ppml] Policy Proposal 2003-1: Required Performance of Abuse Contact
Shawn Bakhtiar
shashaness at gmail.com
Fri Aug 29 13:42:18 EDT 2025
> On Aug 29, 2025, at 8:07 AM, Roman Tatarnikov <roman at intlos.org> wrote:
>
>> I'm not sure who Matt is
>
> I'm pretty confident this was Matt's email that was referenced here:
>
> Date: Thu, 28 Aug 2025 13:00:54 -0700
> From: Matthew Petach via ARIN-PPML <arin-ppml at arin.net>
>
> And while I agree with that email, I also have to ask, how does sending abuse
> reports protect you while those reports are being handled?
You are correct. It does not.
I have over the years deployed many tactics. Currently my favorite is OSSEC (amongst others) and I do indeed ban these IP addresses for 24 hours, after no more than a dozen 404s (usually within seconds). It used to be that a 24 hour ban was enough; it no longer is, as I have had the same IP address show up on multiple endpoints, for well over a month with no response from the abuse POC.
I've read more books on security than I care to count, and in no way am I suggesting this policy as a substitute for proper server hardening, maintaining, or monitoring. This is not in place of existing good practices, it is (I pray) in addition to them.
>
> Ok, the IP got reported to an abuse@ email. Until the resource holder handles
> this report, that IP will still send traffic that you consider dangerous. The
> resource holder needs to investigate your claim, get in touch with the owner
> of said IP, investigate if they are malicious or not, check if it's an
> end-user (their server got breached), ensure that action against said IP
> doesn't violate resource holder's (that end-user uses that IP and it's
> critical for their operation - can't take it down and their cybersec people
> are fixing the breach), etc. Also, what if that end-user files an appeal?
> And what if that IP was spoofed in the first place (hello lack of RPKI)?
I have not only generated these requests, I have also fielded them. Why do you think I am frustrated?
CRMs are notorious for getting compromised without their system admins even knowing (not all sysadmins are built the same), which is actually a perfect example of how, by NOT implementing this policy, ARIN is contradicting its own statement that it "supports the operation and growth of the Internet." If the expectation/understanding is that every sysadmin out there is also a security guru, then we've lost the narrative.
Yes, I have received cease and desist emails from providers who do actually take the abuse issue seriously; having complied, I thanked them for identifying the issue, as any reasonable system administrator would.
Again, and more importantly, it is quite obvious, and I have the email chain to prove it, that those providers that do follow this policy on their own behalf take down IP addresses within 24-48 hours (if indeed the behavior is nefarious). The ones that don't, as I mentioned before, have IP addresses continue pounding (God only knows how many other) servers for months on end, with no care by the provider. How many of those endpoints have been compromised and turned into bots in this month while that IP address stays up? Who knows, but I'm sure they have managed a few more while the provider sits on their hands.
So how far do I take it? Month ban? Year ban? How big of an ACL do I need to have for my server, before someone says enough is enough?
There is a huge difference between those that do and those that don't, and I have the OSSEC logs and emails to prove it. The ones that respond and take action rarely show up beyond my current OSSEC cooldown. The ones that don't repeatedly show up. Again, I have at least one IP address that has been at it for months, and any and all attempts to reach the provider through the abuse POC have failed.
>
> And all of that just to handle the claim. While all of this is done, you will
> still see traffic from said IP. Even if your suggestion will be adopted as a
> policy, it still won't resolve the issue.
>
> Hence why configuring WAF and/or other blocking methods is the best approach
> to this. Just operationally, it will protect you and your resources better.
> Rather than waiting (and hoping) for someone somewhere to take some kind of
> action.
Even if we assume WAF is a good thing, your argument here still makes little sense as it proposes this to be an either OR option. This is an AND option. Using WAF et al and other security measures does not negate the need for ARIN to govern in the space it has been given to govern. We are not children, we don't just sweep things under the rug and forget them, which, in essence, is the only argument I have heard so far.
>
> --
> Roman V Tatarnikov | https://linkedin.com/in/rtatarnikov