1. Introduction
This Anti-Abuse Policy defines RegPEX’s approach to detecting, classifying, and responding to abuse of its infrastructure and services. RegPEX is committed to maintaining a secure and reliable peering environment for all members.
2. Definitions of Abuse
2.1 Network-Based Abuse
| Abuse Type | Description | Severity |
|---|---|---|
| DDoS | Distributed denial-of-service attacks originating from or transiting the IX | Critical |
| BGP Hijacking | Unauthorised announcement of prefixes belonging to other networks | Critical |
| BGP Route Leak | Accidental or intentional propagation of routes beyond intended scope | High |
| IP Spoofing | Use of source IP addresses not legitimately assigned to the sender | High |
| ARP/NDP Spoofing | Manipulation of Layer 2/3 address resolution to divert traffic | High |
| MAC Flooding | Excessive MAC announcements to overload switch forwarding tables | Medium |
| Broadcast Storm | Excessive broadcast or multicast traffic affecting the LAN | Medium |
| Port Scanning | Scanning of other members’ infrastructure from the IX | Medium |
| Spam Relay | Use of the IX infrastructure to relay spam or malicious email | Medium |
2.2 Operational Abuse
| Abuse Type | Description | Severity |
|---|---|---|
| False Information | Providing materially false or misleading membership or technical data | High |
| Unauthorised Access | Accessing RegPEX or member systems without authorisation | Critical |
| Policy Violation | Significant or repeated breach of RegPEX policies | Medium–High |
| Payment Evasion | Deliberate non-payment or evasion of fees in bad faith | Medium |
3. Detection
3.1 Automatic Detection
- sFlow/NetFlow analysis: Traffic anomaly and DDoS detection
- BGP monitoring: RPKI and IRRDB validation; hijacking and route leak detection
- ARP monitoring: Detection of ARP/NDP spoofing and MAC flooding
- Traffic anomaly detection: Statistical deviation from baseline
- Max-prefix alarms: Notification of prefix limit violations
3.2 Manual Detection
- Member reports: Complaints and incident reports from members
- NOC review: Operational monitoring and incident investigation
- External sources: CERTs, ISPs, other IXPs, and trusted third parties
4. Response Levels
| Level | Action | Typical Duration |
|---|---|---|
| 1 – Notification | Notify member; request fix within 24 hours; log warning | Until resolved |
| 2 – Restriction | Apply rate limiting or prefix filtering; require fix within 4 hours | Until resolved |
| 3 – Suspension | Disable port; close route server sessions | Until resolved |
| 4 – Termination | Permanent revocation of membership; contract termination; PeeringDB updated | Permanent |
4.1 Emergency Response Rights
For active DDoS, active BGP hijacking, or imminent infrastructure threats, RegPEX may take immediate restrictive action without prior notice to protect the IX and other members.
5. Response Timeline
| Severity | Initial Notification | Assessment | Remediation Target |
|---|---|---|---|
| Critical | 5 minutes | 15 minutes | Immediate |
| High | 15 minutes | 1 hour | 4 hours |
| Medium | 1 hour | 4 hours | 24 hours |
6. Member Obligations
Members are expected to:
- BCP-38/BCP-84: Implement anti-spoofing (ingress filtering) on all prefixes
- RPKI ROA: Maintain valid Route Origin Authorisations for announced prefixes
- IRRDB maintenance: Keep AS-SET and route objects accurate and up to date
- Max-prefix: Configure appropriate BGP max-prefix limits
- Bogon filtering: Filter invalid and reserved address space
- Incident reporting: Report abuse originating from or targeting their infrastructure
- Cooperation: Cooperate with RegPEX and other members during abuse investigations
7. MANRS IXP Programme Compliance
RegPEX supports the Mutually Agreed Norms for Routing Security (MANRS) IXP Programme. Member obligations align with MANRS requirements, including:
- Filtering: Implementation of prefix filtering (RPKI, IRRDB)
- Anti-spoofing: Prevention of source address spoofing
- Coordination: Participation in coordination and incident response
- Global validation: Support for RPKI and route validation globally
8. Reporting Abuse
Report to: abuse@regpex.net
Reports should include, where available:
- Date and time (UTC) of the incident
- Source IP addresses and related identifiers
- Attack or abuse type
- Logs or other evidence
- Impact description
9. Record Keeping and Reporting
- Abuse incidents are logged for investigation and potential escalation
- RegPEX publishes quarterly anonymous abuse reports summarising incident types and trends without identifying individual members
10. Policy Updates
RegPEX may update this policy as threats and best practices evolve. Material changes will be communicated to members with reasonable notice.