Updating your abuse contact information – Incident Response Team

In March 2010, the APNIC community reached consensus on prop-079: Abuse contact information, which amends the APNIC Whois Database by directing abuse reports to specialized mandatory IRT contacts. Incident Response Teams (IRTs) are specialized teams that specifically resolve computer security incidents.

In November 2010, APNIC implemented mandatory IRT references in the APNIC Whois Database. The IRT object reference is mandatory when any inetnum, inet6um and aut-num objects are updated or created in the whois. Together with this policy implementation, the abuse-mailbox attribute was removed from ‘role’ objects in early 2011.

See the IRT object template for more information.

On 30 June 2019, APNIC implemented prop-125: Validation of “abuse-mailbox” and other IRT emails. This policy requires all contacts registered in IRT objects to be validated every six months, to ensure the abuse mailbox is monitored and responsive to legitimate abuse reports. Failure to validate IRT contacts is a breach of policy, will result in objects being marked as ‘Invalid’, and access to MyAPNIC will be limited.

APNIC recommends you alert responsible staff and ask them to monitor their IRT contacts. We also suggest that you review and update your IRT contacts now in MyAPNIC for a smoother validation process.

APNIC will also now be publishing an ‘abuse-c’ attribute for resource records in the APNIC Whois Database. The ‘abuse-c’ attribute will reference to a ‘role’ object, which will contain the same contact information currently visible in the Member’s IRT object. Any changes to the abuse-c information will need to be done in the IRT object as the abuse-c attribute is generated automatically from the IRT object.

Learn how to manage your IRT object with this guide.

The importance of updating your abuse contact information

Dedicated contacts or teams that specifically resolve computer security incidents
Stops the tech-c and admin-c from getting reports of abuse
Efficient and accurate response
Shared response to address abuse

“Ensuring that there is a dedicated contact or department that specifically resolves security issues will limit potential damage and enhance recovery.”

More and more IRTs are also working together to share response strategies, to more quickly allow networks to identify and prevent abuse and other security problems.

What you need to do

Become familiar with the changes to the following policies
Become familiar with the requirements of prop-125 and the IRT object template
Ensure your IRT contacts are up-to-date and contactable
Regularly monitor the abuse mailbox and act on abuse reports, where appropriate
Find an upstream ISP willing to be the contact for abuse reports related to your network

Incident Response Teams

IRTs or Computer Security Incident Response Teams (CSIRTs) specifically respond to computer security incident reports and activity.

They are dedicated abuse handling teams, (as distinct from network operational departments) which review and respond to abuse reports resulting in efficient and accurate resolution of security incidents and activity.

CSIRTs and CERTS

For more information on IRTs and CSIRTS, see:

CERT/CC, Action List for Developing a CSIRT
ENISA, Step-By-Step Approach on How to Set Up a CSIRT
M³AAWG, Abuse Desk Common Practices
M³AAWG, Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers