Re: [anti-abuse-wg] Is the LoA DoA for Routing? - article at FIRST blog

2024-01-19 Thread Richard Clayton
In message , Carlos
Friaças via anti-abuse-wg  writes

>Great for you and the networks you manage, unfortunately (in the ~75k
>networks/autonomous systems) there are still people around the world that
>accept and rely on simple signed papers by someone. Even if who signs it
>can't hold what they claim with the RIRs' trust anchors... ;-)

A key point that the article misses is that yes, LOAs can (and have
been) forged. However, forging them is a criminal act (in the US it will
be charged under "wire fraud" statutes) -- and many of the criminal
proceedings which have been undertaken for theft of IP resources have
used the wire fraud statutes.

Yes, stealing a private key (or guessing a password to it) and then
creating cryptographically signed objects is also likely to be criminal but
it may be somewhat harder for courts to understand (and, for that matter,
for prosecutors to identify suitable caselaw that makes the current case
somewhat more open and shut).

[[ Also, I have been told that some forgeries are laughably inept,
whereas laughably weak passwords are a little harder to spot ]]

-- 
richard           Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-06 Thread Richard Clayton
In message , denis walker  writes

>On Mon, 6 Jun 2022 at 17:57, Suresh Ramasubramanian  
>wrote:
>>
>> Always a useful thing to do if you want to block all resources held by a 
>single actor or set of actors.
>
>So are you saying that you DO use the ORGANISATION object address to
>match resources held by different members at the same location? If so
>there are technical ways to offer that functionality within the
>database without exposing the full address of natural person members.

you're about to suggest hashing ... that doesn't provide what is needed
because it is far too fragile to be useful given that WHOIS entries are
not canonicalised and also contain minor errors

you can find countless examples of typos, old addresses etc within the
RIPE data. For a contemporary example check for inconsistent use of
Kiev/Kyiv for resources held by exactly the same person/organisation.

-- 
richard           Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


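The message above argues that hashing address fields is too fragile to replace cleartext matching, because WHOIS entries are not canonicalised and carry minor errors (the Kiev/Kyiv example). The following Python is an added illustration written for this page, not code from the original message or from the RIPE NCC. It uses constructed ORGANISATION-style address records (not real RIPE data), a hypothetical normalisation rule set, and an assumed similarity threshold of 0.9, and shows that a raw hash links nothing, a normalised hash links only the punctuation/case variants, while matching on the cleartext links the transliteration and typo variants as well.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Constructed sample ORGANISATION-style address records (not real RIPE data).
# ORG-A1..ORG-A4 are the same holder written four slightly different ways;
# ORG-B1 is an unrelated holder.
RECORDS = {
    "ORG-A1": "Example Holdings Ltd, 12 Khreshchatyk St, Kiev, 01001",
    "ORG-A2": "Example Holdings Ltd., 12 Khreshchatyk St., Kiev, 01001",  # punctuation
    "ORG-A3": "Example Holdings Ltd, 12 Khreshchatyk St, Kyiv, 01001",    # transliteration
    "ORG-A4": "Exmaple Holdings Ltd, 12 Khreshchatyk St, Kiev, 01001",    # typo
    "ORG-B1": "Other Networks GmbH, Hauptstrasse 5, Berlin, 10115",
}


def naive_fingerprint(address: str) -> str:
    """Hash of the raw field: any byte-level difference gives a new hash."""
    return hashlib.sha256(address.encode("utf-8")).hexdigest()


def normalise(address: str) -> str:
    """Hypothetical canonicalisation: lower-case, drop punctuation,
    collapse whitespace. It cannot repair typos or transliteration."""
    cleaned = re.sub(r"[^\w\s]", " ", address.lower())
    return " ".join(cleaned.split())


def normalised_fingerprint(address: str) -> str:
    """Hash of the normalised field."""
    return hashlib.sha256(normalise(address).encode("utf-8")).hexdigest()


def group_by_fingerprint(records, fingerprint):
    """Group record ids whose fingerprints are identical (what a hashed
    registry would let you do). Returns a sorted list of sorted groups."""
    groups = {}
    for org_id, address in records.items():
        groups.setdefault(fingerprint(address), []).append(org_id)
    return sorted(sorted(g) for g in groups.values())


def link_by_similarity(records, threshold=0.9):
    """Single-linkage clustering on the cleartext (after normalisation)
    using a string similarity ratio; this is what cleartext access permits
    and hashing does not. Returns a sorted list of sorted clusters."""
    ids = sorted(records)
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            ratio = SequenceMatcher(None, normalise(records[a]),
                                    normalise(records[b])).ratio()
            if ratio >= threshold:
                parent[find(a)] = find(b)

    clusters = {}
    for x in ids:
        clusters.setdefault(find(x), []).append(x)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    print("raw hash:       ", group_by_fingerprint(RECORDS, naive_fingerprint))
    print("normalised hash:", group_by_fingerprint(RECORDS, normalised_fingerprint))
    print("cleartext match:", link_by_similarity(RECORDS))
```

Running it shows five singleton groups for the raw hash, one two-member group for the normalised hash (ORG-A1 and ORG-A2 only), and a single four-member cluster for the cleartext comparison; the Kyiv spelling and the typo are only linked in the last case, which is the fragility the message describes.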


Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-06 Thread Richard Clayton
In message , denis walker  writes

>On Mon, 6 Jun 2022 at 16:15, Richard Clayton  wrote:

>> You appear to be under the impression that Internet security and safety
>> arises out of the activities of Law Enforcement Agencies whereas in
>> practice private individuals and companies do the vast majority of this
>> work -- generating referrals to LEAs when it is appropriate for action
>> to be taken that only they can perform

>We are talking about restricting access to one piece of data, the
>address of natural persons.

it's several lines of data ...

> I accept that a lot of abuse may come from
>address space held by natural people. I understand that a lot of
>investigation work is done by companies and individuals. How much of
>an impact would it be on your activities to not know the private
>address of these natural people? 

what matters is the matching of data, so that it becomes possible to
link otherwise disparate activity together -- and also to proactively
deal with the risk of further abuse

>From the country attribute in their
>ORGANISATION object (accurately maintained by the RIPE NCC) you know
>the country that they are legally operating from. You don't know the
>street or city they work out of. 

exactly -- now for bad people, this data is often inaccurate and
incomplete, but nevertheless patterns (and consistent inconsistencies!)
are often apparent

>I can only think of three reasons why
>you would need the full address. You intend to visit them (unlikely),
>you want to serve legal papers on them or you attempt some kind of
>heuristics with the free text search in the database to match up
>resources with the same address.

the last of these three is what matters -- the other two activities are
generally the purview of Law Enforcement and they will be working off
rather more information than WHOIS (correspondence with RIPE, payment
information etc).

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-06 Thread Richard Clayton
In message , denis walker  writes

>They were very clear that the address of resource holders is also very
>important to LEAs in their investigations. So I am going to make a
>controversial suggestion here. Currently we have two categories of
>registry data, Private and Public. The Public data is available to
>LEAs and their use of it is covered by agreed purposes of the RIPE
>Database defined in the Terms & Conditions. For Private data they need
>to get a court order, which is an expensive and time consuming
>process. Suppose we add a middle category Restricted data. This could
>be data like the address of natural persons who hold resources. Data
>that is now public but we are proposing to take out of the public
>domain. We could allow LEAs (and maybe other recognised public safety
>agencies) to continue to have access to this Restricted data without a
>court order. (There are technical ways of doing this which are out of
>scope for this discussion.)

You appear to be under the impression that Internet security and safety
arises out of the activities of Law Enforcement Agencies whereas in
practice private individuals and companies do the vast majority of this
work -- generating referrals to LEAs when it is appropriate for action
to be taken that only they can perform

Moving to a situation where only LEAs can see what is currently
available in RIPE whois data would be a very retrograde step and would
seriously impact the security and stability of the Internet.

-- 
richard           Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] False positive CSAM blocking attributed to RIPE

2021-09-28 Thread Richard Clayton

>I am writing about a case that has been referred to my organization involving 
>global blocking (packet dropping, apparently) of IP addresses that have been 
>reported as hosting CSAM by the Canadian Center for Child Protection (C3P).

lose one point everyone who didn't read that this is a watchdog not the
site owner -- and if you Google their name, one whose activities and
focus has attracted some controversy

>However, in the case that was reported to me, rather than allowing the hosting 
>provider to take down the offending image, the takedown notice was followed by 
>global packet dropping of the hosting IP address, which took down the entire 
>server and other websites along with it:

there's no such thing as "global packet dropping" but if the website is
offline then either traffic is being blocked near to the site itself by
a hosting company or upstream provider, or some national level blocking
is being applied (though often this takes the form of arranging that the
website name does not resolve in DNS rather than packet dropping per se)

> the hosting provider has attributed 
>this censorship to RIPE, 

RIPE NCC operates a directory service -- maintaining lists of which
organisations have been assigned which IP addresses (along with 4 other
Regional Internet Registries)

>although I cannot verify whether or not this is true. 

it is untrue, you should interrogate the hosting provider directly
because their statement (whatever it was) has clearly been severely
garbled before you reported it here

>If I am able to obtain more details from RIPE staff, I will follow up with 
>them.

that would be a waste of their time -- you need to backtrack to the
hosting provider and, if you can obtain some technical help, ascertain
the actual nature of the blocking (assuming it is still in place) or at
least review what technical evidence there is about the impact (assuming
that's the aspect you care about -- rather than what you describe as an
error of categorisation by C3P)

>I'm writing to find out if anyone has more information that they 
>can share about how this might have happened, and how it can be 
>prevented from happening in the future.

there is considerable information to be found online about how blocking
works, the mechanisms used and how it regularly goes wrong. Entering
this arena without attempting to do your homework is counterproductive.

-- 
Dr Richard Clayton   
Cambridge Cybercrime Centre  mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570




Re: [anti-abuse-wg] What is YAHOONET?

2021-03-17 Thread Richard Clayton
In message <8dfb9cd5-8088-02af-2245-0eaf3f96f...@tana.it>, Alessandro
Vesely  writes

>However, IP addresses for mail seem to use ARIN networks, such as:
>A-YAHOO-US2 66.163.160.0-66.163.191.255,
>A-YAHOO-US3 209.191.64.0-209.191.127.255,
>...
>A-YAHOO-US8 67.195.0.0-67.195.255.255,
>A-YAHOO-US9 98.136.0.0-98.139.255.255,
>...

it depends where in the world you are

try https://postmaster.verizonmedia.com/

which has links to (a) a complete list of relevant IPs
and (b) a working link to an abuse reporting form.

>RIPE's YAHOONET, 77.238.177.0-77.238.177.255, seems to be an abandoned object.

it's maintained by YAHOO-MNT so hardly "abandoned"

Also you will note that the email address in NA4112-RIPE is now updated

-- 
richard   writing to inform and not as company policy

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM




Re: [anti-abuse-wg] BREAKING: AFRINIC IPv4 address skulduggery FINAL REPORT - Just released

2021-01-21 Thread Richard Clayton
In message , Ostap
Efremov  writes

>However, in the report and it's PDF, it does not say that it was 
>revoked, which happened 4 days ago.

the report text was finalised just before Christmas (see the Disclaimer
in Section 2) so events from 2021 are not discussed

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552

2020-11-30 Thread Richard Clayton
In message , Alessandro
Vesely  writes

>> These blocks appear to be mostly or entirely very old "legacy" block,
>> primarily from the ARIN region.
>
>
>Only a few of them are listed on https://www.spamhaus.org/drop/

Spamhaus have built that table from what they know of previous hijacking
events (because they observed that there was some repetition in the
prefixes that the hijackers chose).

So announcing a prefix that is on that list is not a good sign (indeed
far from it) -- but don't expect a "new" hijacker to only choose from
that list or indeed to pick any prefixes from that list at all.

-- 
Dr Richard Clayton   
Director, Cambridge Cybercrime Centre   mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570



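The message above describes the Spamhaus DROP list as a table built from previously observed hijacks, useful as a warning sign but not as a complete list of what a new hijacker will announce. The following Python is an added example written for this page, not code from the original message or from Spamhaus. It parses text in the drop.txt layout (';' comment lines, then "<cidr> ; <SBL reference>" data lines) and checks announced prefixes for overlap with listed space. The DROP entries, SBL references, prefixes and origin ASNs below are constructed from documentation ranges, and the verdict strings are this example's own.

```python
import ipaddress

# Constructed DROP-format text in the drop.txt layout. The prefixes and SBL
# references are made up for this example (RFC 5737 documentation ranges),
# not copied from the real Spamhaus list.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for illustration)
; Last-Modified: Mon, 30 Nov 2020 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/24 ; SBL000003
"""


def parse_drop(text):
    """Return a list of (network, sbl_ref) tuples from DROP-format text.
    Lines starting with ';' are comments; data lines are '<cidr> ; <SBL ref>'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, sbl = line.partition(";")
        entries.append((ipaddress.ip_network(cidr.strip(), strict=False), sbl.strip()))
    return entries


def match_drop(prefix, entries):
    """Return (listed_network, sbl_ref) for the first DROP entry that overlaps
    'prefix', or None. Overlap rather than containment is tested on purpose:
    an announcement may be a more- or less-specific of the listed block."""
    net = ipaddress.ip_network(prefix, strict=False)
    for listed, sbl in entries:
        if net.version == listed.version and net.overlaps(listed):
            return listed, sbl
    return None


def triage_announcements(announcements, entries):
    """announcements: iterable of (origin_asn, prefix). Returns a dict mapping
    each prefix to a verdict string. An 'absent' verdict is not a clean bill
    of health: as the message says, a new hijacker need not reuse listed space."""
    report = {}
    for asn, prefix in announcements:
        hit = match_drop(prefix, entries)
        if hit:
            listed, sbl = hit
            report[prefix] = f"AS{asn}: overlaps DROP entry {listed} ({sbl}); investigate"
        else:
            report[prefix] = f"AS{asn}: absent from DROP; no conclusion"
    return report


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    # Constructed announcements using private-use ASNs (RFC 6996 range).
    observed = [(64496, "198.51.101.0/24"), (64496, "192.0.0.0/16"), (64497, "10.0.0.0/8")]
    for prefix, verdict in triage_announcements(observed, drop).items():
        print(f"{prefix:18} {verdict}")
```

The more-specific 198.51.101.0/24 and the less-specific 192.0.0.0/16 both match because `overlaps` is used rather than `subnet_of`; 10.0.0.0/8 is reported as absent, which is deliberately worded as "no conclusion" to carry the caveat from the message into the tooling.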


Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-07-10 Thread Richard Clayton

>In message <20b290b5003cafb91745b7db6d31c...@fos-vpn.org>, info@fos-
>vpn.org writes

   [various messages about abuse issues around VPNs without logging]

In message , Richard Clayton
 writes

>I can understand the attractions to you of that business model.

List readers may be interested in what I found when I decided to have a
look at the "fos-vpn" website (I find that it is invariably interesting
to see what people actually publish in T etc)

http://www.fos-vpn.org  redirects to torservers.net (where there is lots
to read, so anyone interested can have a look).

However https://www.fos-vpn.org does not redirect to the same website!
(easy mistake to make) instead it serves up the website codevest.sh
(which appears also to be known as codevest.to).

There's not a whole lot on the codevest website to explain what it is
about, however some Googling will reveal that it is a licensing system
widely advertised on HackForums (a well-known gathering place for all
sorts of hackers, both good and bad ... you may have heard of it as the
place where the Mirai source code was first published).

I leave it to the reader to explore HackForums, but to save you a bit of
time the PaloAltoNetworks Unit42 people had this to say about codevest
in October 2019, in their review (if that's the right word) of
"Blackremote" an expensive RAT (remote access trojan) being sold by a
Swedish actor:

Blackremote utilizes the third-party "CodeVEST" licensing system,
also peddled on underground forums. The licensing system validates
by connecting to codevest[.]sh. "CodeVEST" seems to take the place
of "Netseal" as a registration service used by commodity malware.
The author of "Netseal", Taylor Huddleston, was charged in 2017 for
that operation together with the sale of his own commodity malware,
"Nanocore RAT." The same person who offers the "Codevest" licensing
service, also profits from a crypting service "Cyber Seal". This
highlights the role in the commodity malware ecosystem of not only
the malware sellers, but also service providers such as the
licensing services they use, and the crypting services they purchase
to avoid detection of the malware that they build.

I found that fascinating, but cannot vouch for its accuracy except to
say that I have a high regard for Unit42.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-07-10 Thread Richard Clayton
In message <20b290b5003cafb91745b7db6d31c...@fos-vpn.org>, info@fos-
vpn.org writes

>To answer your last question: If we receive a valid abuse report i.e. 
>from a CERT we temporarily close the regarding Port on the particular 
>IP.

For clarity (and I appreciate that English is probably not your first
language...)   do you mean "i.e." (the only abuse reports you consider
to be valid are from CERTs) or did you actually mean "e.g." (an example
of the sort of entity that sends valid abuse reports).

Also .. by "close the regarding Port"  do I take it that you mean that
you block outgoing traffic (of a particular type) to a particular IP or
do you mean you block all outgoing traffic (for example, all tcp/25) ?

>If the customer then starts to complain we send him a copy of the report 
>and point out that another violation of our ToS will result in a 
>termination of the account without a prior warning and without the 
>option of a refund.

Since, as I understand it, you keep no record of what customers do, you
are effectively describing a system for preventing complaints from
customers  (viz: a customer who reports to you on two occasions that
their activity has been the subject of a valid abuse complaint will be
terminated).

I can understand the attractions to you of that business model.

-- 
richard       Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-04-30 Thread Richard Clayton
In message , Elad Cohen  writes

>if I will have the honor of being 
>elected to the Ripe Board I will

[...]

>At the source BGP router, for any ip packet with a source address 
>that is from the network of the source BGP router (lets call it 
>original ip packet) - the source BGP router will create a new ip 
>packet (lets call it tracking ip packet) with a new transport layer 
>protocol and with the same source address and with the same 
>destination address and with the same IP-ID such as the original ip 
>packet.

etc

this appears to be a technically inferior adaptation of a 20 year old
proposal from Steve Bellovin

https://academiccommons.columbia.edu/doi/10.7916/D8FF406R

it got zero traction then because it treats the issue as technical
rather a complex security economics issue. Nothing, in my view, has
changed in twenty years.

>Automatic prevention of IoT botnet infections:
>
>- IoT botnets are based on default credentials,

only some of them -- many exploit unpatched insecure protocol
implementations

>Automatic prevention of botnet C ip addresses:
>
>- Botnets C are also a problem in the internet.
>- This problem can be overcome using the following technical 
>addition: the 5 RIR's will operate end-users honeypots machines all 
>over the world 

you should keep up with my academic work on detecting honeypots (we
found around 3000)...  yes they are valuable, no they are not a panacea
(and they are mainly poorly deployed... and we also found that many were
not patched up-to-date [shoemaker's children?])

>Very soon I will post a single solution to all the following 
>problems: (implementation is fast and easy and I'll be very happy 
>to manage the implementation in case I will be elected to the Ripe 
>Board)
>* Spoofed ip traffic
>* Spoofed amplification ddos attacks
>* BGP hijacking
>* IoT botnet infections
>* Botnet C

I'm disappointed that you aren't solving the spam problem as well

-- 
Dr Richard Clayton   
Director, Cambridge Cybercrime Centre   mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570




Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-04-30 Thread Richard Clayton
In message , Elad Cohen  writes

[of RIPE NCC operating a centralised abuse reporting system]

>To my opinion, this kind of anti-abuse system expense will be low and much more
>needed than many other expenses in the ~30M euros yearly expenses of Ripe.

Since there is already an (to a large extent comparable) existing
centralised system for handling abuse complaints it seems worthwhile to
examine how well it actually works before suggesting that RIPE move into
that business as well.

Would you care to compare and contrast the effectiveness of the ICANN
centralised system for handling some types of complaint relating to
domain name usage with reporting directly to registries or registrars.

Extra points for quantitative data.

I've generally found the ICANN system to be useful only as a last resort
and for it to be very slow and almost (albeit not entirely) useless.

Also ... you might usefully seek out data from some of the large hosting
organisations that choose to centralise their abuse reporting functions
rather than generating very large numbers of whois entries (sometimes
down to a /32) in the hope of deflecting complaints away from themselves
(and of course with the laudable aim of ensuring that the complaints
actually go to the organisation that actually knows which of their IPs
corresponds to which physical device and has root access...)

ie: you should show some evidence from existing systems that they work
and bring benefits. I don't think you can ... but I keep an open mind.

>There will be an API for the system with an option for email notifications just
>like abuse complaints are received in email messages now, so there will be no
>overhead to your staff. Regarding the reporters - this overhead can protect from
>flood of automatic tools abuse complaints - if the reporter cannot fill a form
>and solve a captcha then the abuse complaint is not important enough to him.

I don't think you quite understand the scale at which many abuse
detection systems identify activity which needs to be dealt with (and
indeed will be dealt with in an extremely timely manner once a report
has been made).

Solving CAPTCHAs gets old very quickly.

>Regarding the little to no value that you wrote, through this system there will
>be no spam of abuse, no spam to the abuse publicly visible email address, there
>will be an API to LIR's internal systems for them to better track and to better
>handle abuse complaints, there will be tracking if abuse complaints were handled
>and public visibility of the percentage (of unhandled abuse complaints) of each
>LIR, in Ripe website.

This paragraph makes me think that you have never been the receiver of
email which has been generated as a result of filling in a web form...
spam (and indeed abuse such as mail-bombing) is remarkably common.

It is also extremely common for genuine reporters to fill in incorrect
or incomplete information and making forms robust against this issue is
extremely complex.

viz: this type of system really does not work as well as you suggest.

About the only plus to your idea is that it would generate a reliable
source of stats -- otherwise, IMO, it has nothing to recommend it.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-17 Thread Richard Clayton
In message <1609071e-bf44-4e1d-9c81-98616f11b...@consulintel.es>, JORDI
PALET MARTINEZ via anti-abuse-wg  writes

>On 16/1/20 21:37, "anti-abuse-wg on behalf of Richard Clayton" boun...@ripe.net on behalf of rich...@highwayman.com> wrote:
>
>In message , JORDI
>PALET MARTINEZ via anti-abuse-wg  writes
>
>> I'm sure if the
>>service provider tries to avoid being "informed" by not looking at notifications
>>(email, postal, fax, etc.), they will also be liable in front of courts.
>
>correct, but that's a "Hosting" aspect and that's not necessarily the
>issue when considering spam (which is certainly some of what is being
>considered under the generic "abuse" label)
>
>I'm not sure to understand what do you mean. In my opinion, if the hosting 
>provider is the resource-holder of the addresses being used for any abuse 
>(including spam), he is the responsible against the law and he is consequently 
>liable of possible damages.

The ECommerce Directive gives a free pass to companies that just pass
packets around ("Mere Conduit") ... so if you complain to AS that
there is a spammer using their network and they do nothing then suing
them is unlikely to be productive.

You need, in such a matter, to take proceedings against the spammer (and
the Court may assist you in compelling the network provider to reveal
what they know about the spammer).

The ECommerce Directive also gives a free pass to a hosting company in
respect of material they publish such as (where this thread started) a
website claiming the people operating AS are pondscum and regularly
rape their mothers ... but once the hosting company has "actual
knowledge" of this defamatory material then they must act to remove it.
If they do not do so then you can take legal proceedings against them
for continuing to publish the libel.

You may have some opinion of your own as to whether this is right (and
this, as covered earlier, is not the same in the USA) ...

... but until you explain exactly the legal basis on which you intend to
proceed against a resource holder and exactly the sort of harm which
they are facilitating (not all abuse is the same in law) then it's
impossible to say whether some special situation applies (and your
opinion about liability is correct) or whether the overarching
provisions of the ECommerce Directive (which override laws that appear
to say something else) mean that you cannot proceed against a network
provider at all or a hosting company that does not have actual
knowledge.

IANAL, jurisdictions differ (but Directives bind all EU Member States)

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755



Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread Richard Clayton
In message , JORDI
PALET MARTINEZ via anti-abuse-wg  writes

>So, if I'm reading it correctly (not being a lawyer), a service provider not 
>acting against abuse when it has been informed of so, is liable.

don't get confused between the "Hosting" and "Mere Conduit" provisions

> I'm sure if the
>service provider tries to avoid being "informed" by not looking at notifications
>(email, postal, fax, etc.), they will also be liable in front of courts.

correct, but that's a "Hosting" aspect and that's not necessarily the
issue when considering spam (which is certainly some of what is being
considered under the generic "abuse" label)

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread Richard Clayton
In message <49348.1579123...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>I reiterate and slightly rephrase my question:
>
>Do you people in within the RIPE region see, or not see critical reviews
>on, for example, eBay, TripAdvisor, etc?

we do, but we do not see material which is likely to be libellous (words
have to chosen carefully in explaining this sort of thing because in
this space material can be defamatory but veracity means that it is most
unlikely to be adjudged a libel)

>>note that companies that operate solely in the USA can take some solace
>>from the USA SPEECH Act...
>
>The notion of "operating solely in the USA" is not one which lacks
>ambiguity, at least when it comes to Internet-based services, as I am
>sure you are all too aware.

by operate I meant that all employees and legal entities are within the
USA, not that the company restricts access to websites etc

Though it is interesting that a number of US newspaper sites have chosen
to block all EU IPs so as to avoid incurring any data protection
liability under the GDPR when serving up adverts ... but they may have
foreign correspondents so they may be making my point after all

bottom line is that if you want to run a reputation site and not be
under an obligation to remove libellous material (not fair comment) you
would be unwise to do it outside the USA

-- 
richard       Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread Richard Clayton
In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, Sérgio
Rocha  writes

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.

Making such a scheme compulsory would be unacceptable to people who wish
to interact with network owners without disclosing that in public ...

... sometimes because they do not wish their names to be known,
sometimes because they do not wish their techniques for (and speed at)
detecting abuse to become known.

So making it compulsory would be completely counterproductive.

Making use of such a website voluntary would also be unwise because the
people who do not wish their reports to be public are probably in the
majority (I speculate) so that reputation system would fail to include
the majority of reports that are made (and I again speculate) the
overwhelming majority of reports that are acted upon.

Producing non-biased reputation systems is very hard ...

>This way anyone that reports an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with these evaluations it would be easy to realize who manages the reports
>and even who does not respond at all.

... I think also there is a risk of total confusion by conflating many
different types of abuse and many different types of reporter into a
single system.

-- 
richard           Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread Richard Clayton
In message <44130.1579053...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>That comment, and that concern, certainly does not seem to apply in any
>country in which either eBay or TripAdvisor operate.
>
>Do you folks on your side of the pond not receive eBay?  Are you not able to
>view Tripadvisor.Com?
>
>Here in this country (U.S.) there are actually -three- separate and clearly
>discernible legal protections that would cover and that do cover circumstances
>like this.  In no particular order, they are:
>
> (*)  The First Amendment.

that constrains the US Government as to what laws they pass ... it does
not constrain corporate policy (so a bit of a red herring)

of course there are constitutions in many countries in the RIPE region,
but none (AFAIK) are quite as sweeping in this area

> (*)  47 USC 230(c)(1)
>
> (*)  47 USC 230(c)(2)(B)

these (which are the most interesting parts of the Communications
Decency Act that did not get invalidated by the application of the First
Amendment which swept away much of it) provide a safe harbour for the
people operating platforms regarding what the users of those platforms
say ... so yes this is very much on point

within the EU (and the RIPE region is far bigger than that) there is NOT
an equivalent regime -- there is a safe harbour (under the ECommerce
Directive) for hosting companies but ONLY up to the point at which they
have "actual knowledge" that material is problematic (eg that it is
defamatory) after that they are on the hook if they fail to act
appropriately

companies such as EBay and TripAdvisor are well aware of this and
operate their platforms accordingly -- so this means that problematic
material will not be visible within the EU (and doubtless in other RIPE
region countries) ... whether they remove it entirely (so that US
residents miss out) I could not say, you'd need to ask each company
individually as to how they configure their systems

note that companies that operate solely in the USA can take some solace
from the USA SPEECH Act (which addresses the issue of enforcing
"foreign" libel judgments in the USA) but of course eBay etc operate in
Europe as well --- and of course RIPE NCC is based in The Netherlands

viz: failure to remove libels would be costly

>The middle one is actually the first-order go-to provision for situations
>like this, and provides for quick dismissal for any silly cases brought
>against *me* for something that *you* have said on some discussion or
>review web site that I just happen to provide electricity, connectivity,
>and CPU cycles for.

since I understand you to be in the USA, you're correct

>One would hope that european law might have some counterpart for that,
>but I confess that I really have no idea about that, one way or the other.

basically not -- at least once there is "actual knowledge"

please note IANAL, but I do follow these issues so the above is mainly
correct :)

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG Minutes from RIPE 79

2019-12-17 Thread Richard Clayton
In message <93666.1576523...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>Due to my general ignorance of these matters, I would very much like to
>be shown some real-world and current examples of each of the above three
>alleged problems, i.e.:
>
>*)  faked origin ASes
>
>*)  AS paths that are not technically valid
>
>*)  ROAs for ASNs that should not show up for public routing.
>
>I hope that Ruediger is on this list, and that he will provide me with at
>least one or two examples of each of the above.

You might find it useful to read this IMC paper

Taejoong Chung, Emile Aben, Tim Bruijnzeels, Balakrishnan
Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan
Mislove, Roland van Rijswijk-Deij, John Rula, and Nick Sullivan. 2019.
RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and
Invalid Route Origins. In Proceedings of the Internet Measurement
Conference (IMC '19). ACM, New York, NY, USA, 406-419.
DOI: https://doi.org/10.1145/3355369.3355596

There's a number of other academic researchers mining the RIPE data (and
other repositories) looking for "interesting" announcements ... and then
writing papers about what they have found. However if you are looking
for spam related wickedness you may need to go rather further than just
looking at public data

Note also that "faked" and "should not show up" are generally judgement
calls based on opinion (sometimes very well informed opinion) or on
assertions by the beneficial users of address blocks as to the
announcements that can be considered valid.

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-05 Thread Richard Clayton
In message ,
Carlos Friaças  writes

>> ... also (on a brighter note), although law enforcement does move slowly
>> in this space, it does indeed move.
>>
>> https://krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-ip-addresses-for-spamming/
>
>This is from ARIN-land.
>Do you see any chance of something similar within the RIPE NCC service 
>region reaching a court of law?

yes ... albeit it is likely to involve extradition

-- 
richard           Richard Clayton


Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-05 Thread Richard Clayton
In message <3a2ff2cd-b3fb-72f3-a43c-01f66bdbc...@foobar.org>, Nick
Hilliard  writes

>Marco Schmidt wrote on 05/09/2019 14:23:
>> The RIPE NCC has prepared an impact analysis on this latest proposal 
>> version to support the community’s discussion. You can find the full 
>> proposal and impact analysis at:
>> https://www.ripe.net/participate/policies/proposals/2019-03
>
>that is as damning an impact analysis as I've ever seen, and it sends a 
>clear signal that the proposal would not solve the root problem while 
>simultaneously being very harmful to the RIPE NCC.
>
>I'd like to suggest to the chairs that this proposal be formally 
>dropped.  It's taken up a good deal of working group time at this point 
>and there is an obvious lack of consensus that the proposal should be 
>adopted as a policy.

It will take me a while to set out all the detail as to the technical
difficulties the experts would face if this was ever to become a policy,
so in the interests of not having to put the effort into doing that I
fully endorse this approach (though I hope that the proposers will read
the list and save the chairs from having to make the decision).

(( You will all have read my previous emails -- there will not be much
new in my detailed analysis, but it will doubtless be of some use to
collect it all together if this deeply flawed proposal is to stagger on
yet longer ))

BTW: it should be noted that the ARIN Board of Trustees threw out the
same proposal when it was made there...

https://www.arin.net/about/welcome/board/meetings/2019_0620/

... also (on a brighter note), although law enforcement does move slowly
in this space, it does indeed move.

https://krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-ip-addresses-for-spamming/

(and there are a couple more cases in the pipeline).

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] [Misc] Research project on blacklists

2019-07-18 Thread Richard Clayton
In message , Anushah Hossain  writes

>>surprisingly, I haven't seen the request on any other lists that are (a)
>>relevant and (b) open -- perhaps they and their project team are not
>>especially well connected in this space :(
>
>This is true. We were advised to share to RIPE and regional NOG 
>mailing lists. Are there others you would have recommended?

ask the APWG to circulate the request to their members, and you might do
the same with M3AAWG

>>as John Levine already noted, the questionnaire seems somewhat confused
>>as to whether it cares about routing issues (bogon lists, the Spamhaus
>>DROP list etc) or spam filtering (bad domains, phishing feeds, botnet
>>IPs etc etc)
>
>Hm, I think we are interested in quite the range of blacklists. 

The issues will vary considerably between different types of list

>Here is a table of what my colleagues are monitoring:
>
>image.png
>
>>it also asked if internally generated lists were used, but seemed
>>curiously uninterested in anything other than if the answer to that was
>>yes or no -- a missed opportunity I thought.
>
>What would you have recommended probing here?

you could have asked an open ended question which asked what they did,
how they were built, why they were built in house and how significant
they were.

>I have been conducting interviews with those working in abuse prevention
>(even at some of the companies that have been mentioned upthread) to
>collect more specific anecdotes about how dynamic addressing has lowered
>the accuracy of certain feeds,

we've had DHCP for decades (and everyone knows the issues) ... are you
sure they weren't discussing Carrier Grade NAT ?

>for example, or how errors in geo-IP feeds affected them.

my own impression of these is that you get what you pay for ... but
unless you are buying proxies I'm sceptical that large scale abuse
filtering systems use this type of info as more than one indicator
amongst many.

if you are buying a proxy you may care a lot more !

Zachary Weinberg, Shinyoung Cho, Nicolas Christin, Vyas Sekar, and
Phillipa Gill. How to Catch when Proxies Lie: Verifying the Physical
Locations of Network Proxies with Active Geolocation. In Proceedings
of the 2018 ACM Internet Measurement Conference (IMC'18). Boston,
MA. October 2018.

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] [Misc] Research project on blacklists

2019-07-18 Thread Richard Clayton
In message , ac  writes

>Mostly, what makes me very angry is the audacity 

this does seem a reasonable list to ask for assistance on ... but being
around to answer questions promptly would be appropriately polite

surprisingly, I haven't seen the request on any other lists that are (a)
relevant and (b) open -- perhaps they and their project team are not
especially well connected in this space :(  though there is a recent
"anonymous" survey request about router configurations on the NANOG list

>and then the
>"anonymous" 

the Qualtrics platform is available over Tor (unlike some online survey
platforms) so if you declined to answer the questions about which AS and
company you were associated with then there is a substantial amount of
anonymity available to you should you wish to use it...

>and I can already see the "findings" of this research...
>based on random anonymous, hidden and secret inputs

that is a concern -- this type of questionnaire pretty much never leads
to high quality research directly (since there are significant biases in
who might choose to give replies and there is scope for multiple
responses from a single person, bots filling it in etc)

nevertheless as a starting point for qualitative research (rather than
quantitative) it can be very useful in allowing a researcher to identify
general trends in the answers and -- importantly -- to help the
researcher frame good research questions that are capable of being
investigated in more detail

as John Levine already noted, the questionnaire seems somewhat confused
as to whether it cares about routing issues (bogon lists, the Spamhaus
DROP list etc) or spam filtering (bad domains, phishing feeds, botnet
IPs etc etc)

it also asked if internally generated lists were used, but seemed
curiously uninterested in anything other than if the answer to that was
yes or no -- a missed opportunity I thought.

-- 
richard           Richard Clayton


Re: [anti-abuse-wg] Email Spam & Spam Abuse Definitions

2019-04-29 Thread Richard Clayton
In message , ac  writes
>
>Okay, so I am assuming then that my definitions of spam are accurate.

They are out of date ... on the big platforms (where perhaps 90% of the
world's mailboxes are now to be found) spam detection is entirely an
automated process ("machine learning" systems, with some guidance from
skilled humans as to what they should definitely reject)

These machine learning systems do the learning part by observing how the
users (the people whose mailboxes the systems are protecting) deal with
their incoming email. If the email is rapidly deleted or "marked as
spam" then the systems learn that the email was in fact spam. If the
email is automatically placed into a "spam folder" but the user
interacts with it and marks it "not spam" or moves it into their inbox
so that they can reply then the system learns that it has made an error
and that more email of a similar type should not be treated as spam

As a result of this the working definition of spam for 90% of all
mailboxes is "email that is not wanted in the inbox just at the moment"

This definition is not directly based on "permission" or "bulk" or any
statutory definition -- though emails that are sent with permission or
that are not sent in bulk are less likely in practice to be classified
as spam. 

>My point is that even "verify your email address" could be Spam Abuse.

Yes I agree (and if enough of the people who receive such messages agree
as well then such email will end up in the spam folder or will be
rejected).

Now of course the skilled humans may seek to override what the machine
learning system decides (typically for example, emails from airlines
containing boarding passes are deemed never to be spam) but this
overriding depends entirely on the senders cooperating (an airline that
sends marketing email from the same machines and with the same crypto
identifiers as their boarding passes is going to rapidly find that their
"deliverability" quickly declines).

>Recently I received around 14 "verify your email address" emails in the
>same 15 minutes...

There are systems, used by criminals, which will deliver hundreds or even
thousands of these within a short time period. They are used to flood
mailboxes so as to hide account takeover and other wickedness.

A short time spent with a search engine will find these :(

>I would say that sending so many "verify" emails, in such a short time,
>is Spam Abuse

I would say that it was a pretty small attack ... but I could not say
why it happened to you. If it happened to me I would look very carefully
at the rest of my email that day.

>Is anyone willing to venture a number and time period for what would be
>considered 'fair' in terms of sending verification emails?

Systems that fail to ensure that such emails cannot be automatically
generated (by adding CAPTCHAs for example) need to be updated. This will
benefit the system owner by ensuring that all signups are genuine.

You might also usefully read ...

https://www.m3aawg.org/rel-WebFormHeader

... though in practice take-up of the proposed header has been limited
and if you are going to update your systems to generate it you might as
well update the relevant web pages to add CAPTCHAs, randomise field
names or whatever else you think will prevent automated list bombing. 

-- 
richard   Richard Clayton
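
The burst described in this message (a dozen or more "verify your email" messages landing in a few minutes) and the sending-side fix, as an added example written for this thread; it is not code from the list, from M3AAWG or from any of the systems mentioned. The mailbox log lines are constructed, the subject heuristic and the 15-minute / 10-message and 3-per-hour thresholds are assumptions to tune against your own traffic, and the tab-separated log format is likewise assumed.

```python
"""Spot a burst of sign-up confirmation mails (list bombing) in a mailbox log,
and cap how many verification mails a sign-up form will send to one address.

Added example for this thread, not code from the list or from M3AAWG. The log
lines are constructed; the thresholds and the log format are assumptions."""
from __future__ import annotations
from collections import deque
from datetime import datetime, timedelta
import re

# subjects that look like sign-up confirmations (assumed heuristic)
VERIFY_SUBJECT = re.compile(
    r"\b(verify|confirm)\b.*\b(e-?mail|address|subscription)\b", re.IGNORECASE)

# constructed mailbox log: ISO timestamp, sender, subject (tab separated);
# 14 confirmations from 14 different senders in 12 minutes, one real mail,
# then a lone confirmation hours later
SAMPLE_LOG = """\
2019-04-29T10:00:05\tnoreply@shop-a.example\tVerify your email address
2019-04-29T10:00:09\tnews@blog-b.example\tPlease confirm your subscription
2019-04-29T10:00:31\thello@forum-c.example\tConfirm your email
2019-04-29T10:01:02\tsignup@site-d.example\tVerify your e-mail address
2019-04-29T10:01:44\tteam@app-e.example\tPlease confirm your email address
2019-04-29T10:02:10\tfriend@example.org\tLunch tomorrow?
2019-04-29T10:02:58\tnoreply@store-f.example\tVerify your email address
2019-04-29T10:03:15\taccount@svc-g.example\tConfirm your subscription
2019-04-29T10:04:01\tno-reply@shop-h.example\tVerify your email
2019-04-29T10:05:20\thi@news-i.example\tPlease confirm your email address
2019-04-29T10:06:33\tregister@site-j.example\tVerify your email address
2019-04-29T10:07:47\twelcome@app-k.example\tConfirm your email address
2019-04-29T10:09:02\tnoreply@shop-l.example\tVerify your email address
2019-04-29T10:10:15\tnews@blog-m.example\tPlease confirm your subscription
2019-04-29T10:11:30\thello@forum-n.example\tVerify your email
2019-04-29T14:10:00\tbank@example.net\tPlease verify your email address
"""

def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    rows = []
    for line in text.splitlines():
        ts, sender, subject = line.split("\t", 2)
        rows.append((datetime.fromisoformat(ts), sender, subject))
    return rows

def find_bursts(rows, window=timedelta(minutes=15), threshold=10) -> list[dict]:
    """Sliding window over confirmation mails only. One alert per burst,
    raised the moment the count inside the window first reaches the threshold."""
    recent = deque()  # (timestamp, sender) of confirmation mails in the window
    alerts = []
    for ts, sender, subject in sorted(rows):
        if not VERIFY_SUBJECT.search(subject):
            continue
        was_below = len(recent) < threshold
        recent.append((ts, sender))
        while ts - recent[0][0] > window:
            recent.popleft()
        if was_below and len(recent) >= threshold:
            alerts.append({
                "start": recent[0][0], "triggered_at": ts,
                "count": len(recent),
                "distinct_senders": len({s for _, s in recent}),
            })
    return alerts

class VerificationThrottle:
    """Sending side: refuse to emit more than `limit` verification mails to
    the same address within `window`, however often the web form is driven."""
    def __init__(self, limit: int = 3, window: timedelta = timedelta(hours=1)):
        self.limit, self.window = limit, window
        self._sent: dict[str, deque] = {}

    def allow(self, address: str, now: datetime) -> bool:
        q = self._sent.setdefault(address.strip().lower(), deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def throttle_demo() -> list[bool]:
    """Five requests for one address: three allowed, the fourth refused, the
    fifth allowed again once the first has aged out of the hour window."""
    t = VerificationThrottle()
    base = datetime(2019, 4, 29, 10, 0, 0)
    return [t.allow("Victim@example.net", base + timedelta(minutes=m))
            for m in (0, 1, 2, 3, 61)]

if __name__ == "__main__":
    for a in find_bursts(parse_log(SAMPLE_LOG)):
        print("list-bombing burst:", a)
    print("throttle:", throttle_demo())
```

On the sample log the detector raises one alert when the tenth confirmation arrives at 10:06:33, six and a half minutes after the first, with ten distinct senders; the lone confirmation at 14:10 falls outside the window and stays quiet. The throttle is the cheapest of the sending-side measures mentioned above and complements, rather than replaces, a CAPTCHA on the form: it bounds the damage one form can do to one victim even if the CAPTCHA is defeated.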


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Richard Clayton
In message ,
Carlos Friaças  writes
>
>On Thu, 18 Apr 2019, Richard Clayton wrote:
>

>> ... I am aware of peer pressure (literally), action by IXPs, action by
>> organisations providing reputation scores and even action by hosting
>> companies.
>
>Yes, i'm aware of that too. Sometimes it fixes specific hijacks, but does 
>it stop or in anyway cause a delay for hijackers to hop onto the next 
>hijack...???

All of the examples I gave come from my experience in putting a stop to
various actors hijacking address space. Now it may be that the same
actors have come back and found another completely different hosting
company to carry their hijacks -- but getting them to start again from
scratch has always looked like a win to me.

In particular there is nothing like being thrown off an IXP for putting
a crimp in your operations. There's real money involved.

I advised you before to give up on getting RIPE to develop a completely
new approach to tackling abuse (especially since it really is not going
all that well) -- and instead to put your effort into getting IXPs to
develop robust policies in this space. After all IXPs and routing are a
far better fit than an RIR and routing.

>> hijacks are reported in numerous places, the NANOG mailing list springs
>> immediately to mind -- and posting there is certainly easy
>
>Yes i'm aware about it, but is that the (globally?) de-facto place for 
>raising anyone's attention to a hijack or a hijacker operation?

it's not ideal from a global perspective, but it is certainly the de-
facto place at the moment

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Richard Clayton
In message <44806.1555289...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>Here is what I am hoping some actual expert can explain to me:
>
>https://bgp.he.net/AS65000#_asinfo
>https://bgp.he.net/AS65000#_prefixes
>https://bgp.he.net/AS65000#_prefixes6
>https://bgp.he.net/AS65000#_peers
>https://bgp.he.net/AS65000#_peers6
>
>I will save all further comment until someone offers me some kind of an
>explanation of this apparently strange stuff.  For now, I will only add
>that whereas bgp.he.net is showing there as being a total of 66 IPv4
>prefixes announced by this (reserved) ASN

Hurricane Electric is seeing announcements from other ASs some of which
have AS65000 declared to be origin of the prefix

Which may sound the same as what you said, but isn't

>I am unable to fathom how and why a reserved ASN should be
>announcing -anything- at -any- place or point where anybody on the outside
>can see it.

Best practice is to remove internal-use ASes from announcements -- not
much bad happens if you don't (well, you might not get as much
reachability if other folk are also using that reserved AS within their
networks...)

>The only other thing I feel compelled to say, or ask right now, is just
>this:   Who should I be notifying if there is an issue with this ASN?

the NOC for the people making the incorrect announcement -- if there is
a question as to how valid the rest of the path might be, then that may
take you a little while to establish (and you may get lied to when you
make enquiries)

BTW: great though HE's portal is, you really should be picking apart the
mass of data held by RIPE if you want to form a view as to who might be
doing bad things (that's not the only place you need to look, but it's a
good start and in this case the number of detectors seeing this origin
and the timeline puts it rather more in perspective)

-- 
richard       Richard Clayton
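
The check implied by the reply above (a private-use or reserved ASN such as AS65000 turning up in a public AS_PATH, and the question of whose NOC to contact), as an added example written for this thread; it is not code from the list, from bgp.he.net or from RIPE. The announcement lines are constructed, the "PREFIX|AS PATH" input format is an assumption rather than any real feed format, and the "responsible" AS is computed as the nearest public AS to the origin, which is the natural first contact when the origin itself is a private ASN. The ASN ranges come from RFC 6996 (private use), RFC 5398 (documentation), RFC 6793 (AS 23456, AS_TRANS) and RFC 7607 (AS 0).

```python
"""Flag BGP announcements whose AS_PATH carries an ASN that has no business
in the public routing table: private-use, documentation, reserved or AS_TRANS.

Added example written for this thread; not code from the list, bgp.he.net
or RIPE. Sample announcements are constructed and the input format is assumed."""
from __future__ import annotations
from dataclasses import dataclass, field

# (low, high, reason): ASNs that should be stripped before a path leaves your network
NON_PUBLIC_RANGES = (
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS placeholder (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "16-bit private use (RFC 6996)"),
    (65535, 65535, "reserved"),
    (65536, 65551, "documentation (RFC 5398)"),
    (4200000000, 4294967294, "32-bit private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved"),
)

def non_public_reason(asn: int) -> str | None:
    """Why an ASN should not appear publicly, or None if it is fine."""
    for lo, hi, reason in NON_PUBLIC_RANGES:
        if lo <= asn <= hi:
            return reason
    return None

@dataclass
class Announcement:
    prefix: str
    as_path: list[int]   # left to right: nearest to the observer ... origin

def parse_announcement(line: str) -> Announcement:
    """Parse 'PREFIX|AS PATH' (assumed format), e.g. '192.0.2.0/24|3356 6939 65000'."""
    prefix, path = line.split("|", 1)
    return Announcement(prefix.strip(), [int(a) for a in path.split()])

@dataclass
class Finding:
    prefix: str
    origin: int
    leaked: dict[int, str] = field(default_factory=dict)   # asn -> reason
    origin_is_non_public: bool = False
    responsible_asn: int | None = None   # nearest public AS to the origin

def check_announcement(ann: Announcement) -> Finding:
    """Record every non-public ASN in the path, note whether the origin itself
    is one, and name the last public AS before the origin: that is the network
    which let the announcement out and whose NOC should hear about it first."""
    f = Finding(prefix=ann.prefix, origin=ann.as_path[-1])
    for asn in ann.as_path:
        reason = non_public_reason(asn)
        if reason:
            f.leaked[asn] = reason
    f.origin_is_non_public = f.origin in f.leaked
    for asn in reversed(ann.as_path):
        if asn not in f.leaked:
            f.responsible_asn = asn
            break
    return f

# constructed sample paths as an observer might see them
SAMPLE_ANNOUNCEMENTS = [
    "192.0.2.0/24|3356 6939 65000",         # private origin, leaked by AS6939
    "198.51.100.0/24|6939 1299 64496",      # documentation ASN as origin
    "203.0.113.0/24|6939 2914 3257",        # clean path
    "203.0.113.0/25|6939 4200000001 2914",  # private ASN in transit, public origin
]

def audit(lines: list[str]) -> list[Finding]:
    return [check_announcement(parse_announcement(line)) for line in lines]

if __name__ == "__main__":
    for f in audit(SAMPLE_ANNOUNCEMENTS):
        print(f"{f.prefix}: origin AS{f.origin}, leaked {f.leaked}, "
              f"contact AS{f.responsible_asn}")
```

For the first sample the origin AS65000 is flagged and AS6939 is named as the contact, which matches the advice above: the announcement is really AS6939's, with a private ASN it failed to strip. The fourth sample shows the other shape of the problem, a private ASN in the middle of an otherwise public path; there the origin is legitimate and the leak sits with one of the transit networks, so the computed contact is only a starting point.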


Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread Richard Clayton
In message <6faf5417-dc6d-4c95-ba14-fcc1b22f6...@blacknight.com>,
Michele Neylon - Blacknight  writes

>I've absolutely zero issue with new people engaging, but lots of one line "+1" 
>or almost identical emails isn't meaningful engagement. 

it's also somewhat of a problem for the proposers of the document since
they have said that they intend to revise it in the light of the
comments made on the list -- but there's all these people apparently
saying that they think it is just fine as is

so it seems that quite a lot of people are going to be disappointed -- I
hope they chip in after the changes are made and explain in some detail
why they preferred the initial version !

-- 
richard           Richard Clayton


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-31 Thread Richard Clayton
In message <83185.1554061...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes
>
>In message , 
>Richard Clayton  wrote:
>
>>However, it is not necessarily clear at all and writing a policy which
>>assumes that it will always be clear is in my view unwise.
>>
>>Assuming that experts will always be able to determine who is at fault
>>(along with deciding whether an event they know little of is accidental
>>or deliberate) is to live in a world that I do not recognise.
>
>I disagree completely.  The world would be one that you most certainly
>*would* recognize.
>
>Your argument basically boils down to the following unsustainable
>assertion:  We cannot assume that we will always, and in 100% of all
>cases, be able to accurately recognize "crime" when we see it.  Therefore
>we should have -no- criminal laws.

I don't agree ... what I am saying is that it can be very hard for real
experts to agree. These are people who consider all possible reasons for
events to occur and then offer their opinion as to which reasons can be
completely ruled out and which are unlikely to be the actual explanation
in the particular case.

As a result we seldom operate justice by using experts (whether they
agree or not) as the ultimate arbiters of how cases are decided.

Instead, experts are used by those who are charged with dispensing
justice as a means of understanding what is likely to have gone on, and
these people then weigh the various opinions of the experts (or indeed
their unanimity) in coming to their decision.

>>If the policy stopped at the statement that unauthorised BGP hijacking
>>was unacceptable behaviour then I would be happy with it.
>
>I have no idea what country you live in

the United Kingdom (it's fairly easy to work that out BTW)

>, but would you likewise find it
>equally acceptable if your local national legislature also and likewise
>passed a resolution calling for murder to be entirely decriminalized,
>while adding that it is the sense of the legislature that murder shall
>nontheless, and henceforth, be deemed "unacceptable behaviour" deserving
>of public derision and scorn, but no further penalties whatsoever?

As it happens (it's tricky when appealing to completely irrelevant
matters isn't it?) the UK does not have a statute that makes murder a
crime -- so it might be quite complicated to decriminalise it !

People are instead charged under the common law -- the court then
decides whether or not they are guilty (often having considered the
evidence of experts whose duty is explicitly defined as being to assist
the court, albeit they are paid by either the prosecution or the
defence). However if the accused is found guilty then the sentence is
specified by statute (which, because it gives no leeway to the court,
leads to numerous unfair outcomes which I will not elaborate here).

So a policy which said that unauthorised BGP hijacking was unacceptable
behaviour and charged RIPE NCC with addressing the problem if it was
caused by anyone who used RIPE resources would I think be helpful.

Telling RIPE NCC exactly how to recognise and deal with BGP hijacking
(and specifying exactly how experts and no one else will determine what
has occurred) is I think unhelpful and attempts to move forward this way
are likely to be counterproductive.

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-31 Thread Richard Clayton
In message <74227.1553972...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>In message , 
>Richard Clayton  wrote:
>
>>It is NOT possible (for experts or almost anyone else) to accurately
>>evaluate who is performing BGP hijacks...
>
>I did not intend to participate any further in this discussion, above and
>beyond what I already have done, but I feel compelled to at least point out
>the intellectual dishonesty of the above assertion.

It is, I agree, badly phrased.  I apologise.

I meant that the experts cannot ever be absolutely certain that their
evaluation is correct -- though of course they can be correct in their
nuanced assessment.

>In the summer of last year, 2018, I took steps to point out, in a very public
>way, on the NANOG mailing list, two notable hijacking situations that came
>to my attention *and* also to identify, by name, the actors that were quite
>apparently behind each of those.  In neither of those instances was there
>ever even any serious attempt, by either of the relevant parties, to refute
>-any- of my very public allegations.

If they had refuted the allegations then it would have become rather
complicated and it would have come down to one entity's word against
another and perhaps the examination of documentary evidence of what
arrangements had been authorised (and then perhaps forensic assessment
of the authenticity of those documents).

Some BGP hijacking cases have been prosecuted on the basis of the
forging of documents rather than on the hijack per se.

I agree that it can be pretty clear what has gone on and the accused
then helpfully acts in such a way as to make it clear to everyone that
they were "guilty" (or individual peers assess the situation from their
own standpoint and decide that they do not have an obligation to carry
the traffic).

However, it is not necessarily clear at all and writing a policy which
assumes that it will always be clear is in my view unwise.

Assuming that experts will always be able to determine who is at fault
(along with deciding whether an event they know little of is accidental
or deliberate) is to live in a world that I do not recognise.

If the policy stopped at the statement that unauthorised BGP hijacking
was unacceptable behaviour then I would be happy with it. Adding all the
procedural stuff about how BGP hijacking will be (easily of course)
detected and exotic details about experts and report forms and time
periods is (a) irrelevant to establishing the principle and (b)
cluttered with false assumptions and unhelpful caveats and (c) way too
formalised to survive dealing with some real examples.

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread Richard Clayton
In message <94320.1553230...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes
>
>In message , 
>Richard Clayton  wrote:
>
>>Yes hijacks can be simple to understand -- but they can be very complex
>>and perfectly legitimate activity can look like a hijack until a lot of
>>detail has been considered.
>
>I'm a simple minded man, and I guess I'm perplexed by this.
>
>Isn't the whole point of route registries generally and RIPE's in particular
>supposed to be to make it easy for pretty much any arbitrary outsider to
>look at a given block and a given route to that block and conclude that
>the two -do- in fact properly go together, or conversely, that they do not?

not everything is in a route registry --- and you may recall some
previous work that I did showing that the mere presence of entries in a
route registry is no guarantee that it reflects an actual peering
arrangement:

<https://www.lightbluetouchpaper.org/2015/11/02/ongoing-badness-in-the-ripe-database/>

note of course that some changes have been made since then which improve
the situation as regards out-of-area space

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread Richard Clayton
In message , Jacob Slater  writes

>> First, I'm not sure I either understand or am even aware of these alleged
>> "forms of permission for announcement {that} are not documented".  So
>> perhaps
>> Mr. Slater could elaborate upon that, for my benefit, and perhaps also for
>> that of others who may also be similarly in the dark about what he's
>> talking
>> about here.
>>
>
>Route objects are not always required. While route objects are generally
>preferred and should be used, letters of authorization are still in use
>today. You certainly wouldn't see them in a public database (though you
>might see objects which claim to be tied to them). Even if you do, they may
>well be stale and no longer accurate.

I doubt that all (perhaps any?) anti-DDoS arrangements (which often
involve apparent hijacks of blocks of address space) are documented with
route objects

... although perhaps more so in Europe where I believe that some
providers build filtering systems from route objects ?

-- 
richard   Richard Clayton


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-21 Thread Richard Clayton
In message , Jacob Slater  writes

>While the idea of a complaint form (with teeth) sounds appealing, I do
>not believe submission should be open to everyone. Only the party holding
>rights (as registered in a RIR) should be able to file a report regarding
>their own IP space.

there are two practical problems with that:

first: historically anyway, large Chinese providers have not seemed to
take much notice if their prefixes are hijacked...  this may be because
they are not using the IP space, or that they consider the class of user
for that space to have no business accessing resources outside of China
(the latter seems a bit unlikely, but the "Great Firewall of China" is a
complex set of devices so there may be a lot of proxying going on)

second: many hijackers have used space (and AS numbers) that was
allocated to entities that almost certainly don't exist any more.
Determining who holds the rights to this space (a question for the
liquidators of the companies involved I expect) is almost certainly
impossible

which taken together mean that quite a number of the hijackers I have
chased down over the years would not be affected by this proposal :(

Also of course the proposed policy does cover unallocated space (large
chunks of which are currently announced as I pointed out earlier, which
still doesn't seem to be worrying many people). Would you expect IANA or
the RIRs to lodge complaints here ?

> If everyone is allowed to do so, we run several risks,
>namely that individuals with no knowledge of the situation (beyond that
>viewed in the public routing table) will file erroneous reports based on
>what they believe to be the situation (which may not be accurate, as some
>forms of permission for announcement are not documented in a way they could
>feasibly see). 

I entirely agree -- this just adds to the list of practical complexities
that I (and a few others) have been pointing out.

Yes hijacks can be simple to understand -- but they can be very complex
and perfectly legitimate activity can look like a hijack until a lot of
detail has been considered.

-- 
richard           Richard Clayton


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread Richard Clayton
In message <5b88d40a-efa2-41ed-831e-b9fd14f36...@consulintel.es>, JORDI
PALET MARTINEZ via anti-abuse-wg  writes

>I've the feeling that if you're attacked, you will have some forensic info
>about that,

That may not be the case -- I saw a number of hijacks last summer of US
university address space where the university was entirely unaware of
the issue until I told them, and even when I did there was no data that
they could usefully gather about the event from their own systems.

Might I ask how many BGP hijacks of your own prefixes you have (a)
identified or (b) investigated ?

>In fact, if you haven't realized it and still under attack, this kind of 
>policy 
>will help you to:
>1) Know that your network is being misused by others
>2) Engage with the community about that
>3) Take the opportunity to learn about how to avoid it

I don't think any of those three things are true :-(

>I also believe that when what you describe happens, it will happen to several 
>folks (not necessarily at the same time), so experts will consider it. You 
>don't 
>think so?

For some types of hijack yes, for others no.

>Remember that in the extreme case (this is just life, we like it or not), if 
>you 
>are responsible for a network and it is being misused "because you did your job 
>incorrectly", you are still responsible for the harm caused and even legal 
>consequences and damages to third parties. If it was a vulnerability from the 
>vendor, you can sue him as well.

An aspect of this which has not been discussed is how the policy should
be worded so as to make clear that one-off fat-finger events, however
newsworthy (and they often are) are not going to be treated in the same
way as deliberate hijacks of address space by actors who know exactly
what they are doing and why.

Or should fat-fingering now cause you to be put into the RIPE dock ?

The more I think about this proposal, the less I think that the RIR is
the place to enforce it -- a similar (but far better thought through)
initiative in the IXP space would I think be far more useful; and indeed
we have seen a number of bad actors dealt with by IXPs over the past
years and this has put a significant dent into their operations.

-- 
richard   Richard Clayton



Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread Richard Clayton
In message <842fcfc4-b8e0-49ca-829a-4a5cdf44c...@consulintel.es>, JORDI
PALET MARTINEZ via anti-abuse-wg  writes

>This has been seen many times, even chain situations like
>
> - AS X
> \
>   AS 3 - AS 2 - AS 1
> /
> - AS Y

by the way, when I see AS 2 or 3 at the end of path I immediately assume
that someone has been confused by the syntax of their router and meant
to generate 

64496 64496 64496

but instead generated

64496 3

the opposite error tends to create very long (but non-hijacking) AS
paths which occasionally cause operational problems.

-- 
richard       Richard Clayton

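As an added example (not code from the post above): a small checker for the two AS-path mistakes described there, a prepend count typed where an ASN belongs and the opposite error of an absurdly long prepend. The ASNs are from the RFC 5398 documentation range and the two thresholds are assumptions for illustration.

```python
"""Heuristics for the two AS-path mistakes described in the post above.

Added example, not from the mailing list. An operator who meant to prepend
their own ASN ("64496 64496 64496") but typed the prepend count as if it were
an ASN produces a path ending "64496 3", which looks like an announcement
from AS 3; the opposite mistake produces a very long path. ASNs below are
from the RFC 5398 documentation range; the thresholds are assumptions."""

SMALL_ASN_LIMIT = 16    # assumption: an "origin" below this is worth a second look
EXCESSIVE_PREPEND = 10  # assumption: the same ASN this many times in a row is a typo


def parse_as_path(text):
    """Turn AS_PATH text such as '64500 64499 64496 64496' into a list of ints.

    Only plain sequences are handled; AS_SET braces or anything non-numeric
    raise ValueError rather than being silently skipped."""
    asns = []
    for token in text.split():
        if not token.isdigit():
            raise ValueError(f"not a plain ASN: {token!r}")
        asn = int(token)
        if asn > 4294967295:
            raise ValueError(f"ASN out of range: {asn}")
        asns.append(asn)
    if not asns:
        raise ValueError("empty AS path")
    return asns


def longest_run(path):
    """Return (asn, length) of the longest contiguous run of one ASN."""
    best_asn, best_len = path[0], 1
    run = 1
    for prev, cur in zip(path, path[1:]):
        run = run + 1 if cur == prev else 1
        if run > best_len:
            best_asn, best_len = cur, run
    return best_asn, best_len


def classify_as_path(text):
    """Return a list of warnings for one AS path (leftmost neighbour, rightmost origin).

    An empty list means neither heuristic fired. A warning is a prompt to
    check with the operator, not proof: the lowest ASNs are real, long-standing
    allocations and can legitimately originate prefixes."""
    path = parse_as_path(text)
    warnings = []
    origin = path[-1]
    # Mistake 1: '64496 3' where '64496 64496 64496' was intended. The tell-tale
    # is a tiny origin ASN sitting directly behind a different, normal ASN.
    if origin < SMALL_ASN_LIMIT and len(path) >= 2 and path[-2] != origin:
        warnings.append(
            f"origin AS{origin} looks like a prepend count typed as an ASN "
            f"(did AS{path[-2]} mean to prepend itself {origin} times?)")
    # Mistake 2: the opposite error, one ASN repeated far more than any sane
    # traffic-engineering prepend; such paths cause operational problems.
    asn, length = longest_run(path)
    if length >= EXCESSIVE_PREPEND:
        warnings.append(f"AS{asn} appears {length} times in a row; likely a mis-typed prepend")
    return warnings


if __name__ == "__main__":
    for sample in ("64500 64499 64496 64496 64496", "64500 64499 64496 3",
                   "64500 " + "64496 " * 12):
        print(sample.strip(), "->", classify_as_path(sample) or "ok")
```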


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread Richard Clayton
In message ,
Carlos Friaças via anti-abuse-wg  writes

>What you described 

Which was (tedious this top posting approach isn't it!) that in any AS
path you cannot determine externally which of a pair of adjacent AS's is
being wicked  [that would change in a world with BGPSEC, but that is not
the world in which we live]

>also crossed my mind, but as you said "it won't be too 
>hard to figure out".

Yes it will -- the left hand AS will say that the right hand AS
announced the path to them. The right hand AS will deny it.

Both will produce logs from routers and (if the non-genuine log is
expertly forged) the experts will have to guess which AS is being bad

>And when everything is made clear, if a report is filed against AS1, AS1's 
>holder might have a problem, so I see a strong reason for not even trying 
>:-)

In the real world at present, we deduce which AS is wicked from either a
pattern of wickedness (we assume that multiple AS's are not ganging on
someone to frame them) or by assessing the probity of the two ASs from
personal knowledge of their staff, or their business.

I write this (and my earlier remarks about AS numbers) from the
perspective of someone who has spent some considerable time over the
past few years dealing with BGP hijacks[*]. It is generally simple to
work out who the bad guy is sufficiently to put pressure on them to
reform... but it is often the case that you have to say that on balance
it is more likely to be this AS rather than that one.

[*] people may have heard me talk about this at LINX and there is
another opportunity to listen at FIRST in June. I hope to be able to
make the material I have more generally available, but there are
{DAYJOB} constraints on that at present. For clarity (and such vote
counting as may occur) I am very much in favour of a policy that says
that theft of resources is seen as unacceptable by the RIPE community
(it's also illegal, so this is perhaps somewhat unnecessary!) but I am
concerned that people think that assessing what is going on will be a
trivial process and that is very far from the truth.

-- 
richard           Richard Clayton



Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread Richard Clayton
In message ,
Carlos Friaças  writes

>The misuse of AS numbers was not seen (maybe until now...) as a frequent 
>event (and thus a priority), 

Then you have not been looking at various announcements of Chinese
address space and asking yourself whether or not it is plausible that a
large Chinese ISP would be buying transit for a small subset of their
space from this small out-of-region hosting company :-(

>but if someone is (mis)using an AS number 
>that belongs to a third party, then it should also be stated in writing 
>that this practice is a violation of RIPE policy -- and of course, allow a 
>path for the affected party to issue a report about that.

AIUI the current discussion is intended to allow the proposer to refine
what they are proposing...

... in a world where RPKI is gaining some traction, the misuse of AS
numbers (to tag onto hijacked prefixes) is going to become more common.
I can see no reason to separate out this wickedness.

-- 
richard           Richard Clayton




Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-19 Thread Richard Clayton
In message , Marco Schmidt
 writes

>The goal of this proposal is to define that BGP hijacking is not accepted as 
>normal practice within the RIPE NCC service region.
>
>You can find the full proposal at:
>https://www.ripe.net/participate/policies/proposals/2019-03



    The announcement of unallocated address space to third parties is also
    considered a policy violation and is evaluated according to the same
    parameters.

This is going to be somewhat challenging ... since there are a
substantial number of well-known (and generally non-abusive) entities
who are announcing unallocated address space, and in many cases they
have been doing so for years on end.

I understand there is a mixture of long term disputes about allocations;
failures to keep contact addresses up-to-date (so that allocations are
withdrawn) and doubtless also intentional usage of resources that have
not been allocated.

Geoff Huston publishes a list on a daily basis:

http://www.cidr-report.org/as2.0/#Bogons

For the avoidance of doubt, I think it is most undesirable that any
prefix appears on the list -- but I am pragmatic enough to accept that
there are significant difficulties in dealing with the complexities
which are behind those announcements.


BTW: Geoff Huston's data gathering exercise also identifies the usage of
AS numbers that are not currently allocated. Again, much of this usage
is very long standing and failure to "grandfather it in" in some manner
is likely to cause a substantial workload and the deeming of many
legitimate companies to be in breach of RIPE norms -- which is going to
tend to make the impact of the policy rather less than might be hoped.

That all said -- why does the proposed policy not address the misuse of
AS numbers as well as the misuse of prefixes ?

-- 
richard           Richard Clayton



Re: [anti-abuse-wg] [db-wg] [exec-board] The Ongoing Summer of Hijacks: MNT-SERVERSGET / dnsget.top

2018-08-19 Thread Richard Clayton
In message , Anne-vivien Paris  writes

>I think it will be a good idea if we can have a better understanding of
>what's going on with these route objects registered under MNT-SERVERSGET.

They're placed there so that entities that automatically build filters
to block bad BGP announcements will not block these prefixes -- which
means that they could be put into use at any time

>That can perhaps allows us to clarify what's the condition of the "dubious"
>3/4 of IP addresses. This is perhaps a way to deal with hijacking.

The automatically built filters contribute to reducing hijacking, which
is why it matters that the entries in the database are legitimate.

A while back I did some work looking at people who were adding route
objects for unallocated IPv4 address space. You'll find a longer
explanation in the articles I wrote at the time:

https://www.lightbluetouchpaper.org/2015/10/02/badness-in-the-ripe-database/

https://www.lightbluetouchpaper.org/2015/11/02/ongoing-badness-in-the-ripe-database/

-- 
richard          Richard Clayton



Re: [anti-abuse-wg] When email verification behavior is abusive

2018-07-18 Thread Richard Clayton
In message , ac  writes
>On Wed, 18 Jul 2018 12:45:35 +0100
>Richard Clayton  wrote:
>> In message <3c775da1-20ae-441e-b30e-38243f420...@blacknight.com>,
>> Michele Neylon - Blacknight  writes
>> 
>> >What's any of this got to do with RIPE and this WG?  
>> 
>> the issue of mail bombing ... people getting 20K+ emails in their
>> mailbox, each of which is individually quite acceptable is something
>> which the industry has been struggling with for well over a year
>> 
>
>and so this still begs the question - what is the arbitrary number?

in my experience the canonical arbitrary number is 42

>It seems as if both Richard and Michele agree and do not think that the
>arbitrary number of 5 verification emails in ten minutes to a victim email
>address, is abuse or abusive behavior.

Michele did not express such an opinion and neither did I.

>Still it would be interesting to know if this is actually the case. If
>nothing under 20 000 "verify your email address" emails per day from
>the same IP number / resource is not abuse - Then it would be good to
>know that the members of this abuse WG think that I am silly with my
>daily limit of three.

You appear to have misunderstood the mail bombing attack which is widely
distributed. The 2 emails I suggested (as an indicative figure, your
attack may vary) come from up to 2 different sources -- so very
small numbers from each source, thereby avoiding any rate limitation
systems.

There is usually just one originating server that automates the filling
in of forms on the various websites that send the verification emails --
though there appear to be multiple criminals offering the mail bombing
service.

-- 
richard   Richard Clayton



Re: [anti-abuse-wg] When email verification behavior is abusive

2018-07-18 Thread Richard Clayton
In message <3c775da1-20ae-441e-b30e-38243f420...@blacknight.com>,
Michele Neylon - Blacknight  writes

>What's any of this got to do with RIPE and this WG?

the issue of mail bombing ... people getting 20K+ emails in their
mailbox, each of which is individually quite acceptable is something
which the industry has been struggling with for well over a year

>Is there a policy proposal or something else forthcoming?

an obvious mitigation is CAPTCHAs on sign-up forms ... so it would be an
appropriate Best Practice to document -- but whether RIPE is a suitable
forum for such a document (or whether there is somewhere which is far
more focused on hosting providers) I could not say.

-- 
richard       Richard Clayton



Re: [anti-abuse-wg] When email verification behavior is abusive

2018-07-18 Thread Richard Clayton
In message , ac  writes

>ESP and email relay services should verify recipient email addresses
>prior to sending bulk emails to any random email address.
>
>ESPs that simply start dumping bulk emails on victims often end up
>listed on RBLs for abusive behavior.
>
>But when are verification emails themselves spamvertising or email abuse?

when people don't want them in their mailbox

in a world of machine learning and email flows measured in the tens of
billions, the only practical way of identifying abuse is to examine user
feedback ...

... if you're not in the billions regime then you can try and write down
complex rules to guide your users and your abuse teams, but even then
flexibility is key because otherwise you end up arguing with an abuser
who is skating just on the right side of some arbitrary value

>Our own email policy defines verification abuse as "more than 3 verify
>your email account" emails in the same 24 hour period and verify your
>email account emails lasting longer than five 24 hour periods.
>
>Do you think this is reasonable? Too reasonable? More? Less? 

it depends on the size of the company/mailing list ... 3 new signups in
a day may be a red letter day, or it may merely indicate that something
broke at thirteen minutes past midnight

>If you receive say 4 "verify your email account" emails in 5 minutes,
>is this abuse?

this question suggests that you might be seeing an outer ripple of an
incident which is the modern form of mail bombing

this is where users receive tens of thousands of verification emails in
an hour or so ... sometimes this is just because the user is disliked,
but it can be an attempt to hide other transactional email (associated
with fraud or domain name theft) amongst all the noise

few mail systems provide suitable tools to end users to deal with this

regrettably few sign-up systems have (even weak) CAPTCHA systems to
prevent automated attacks (something which an ISP providing hosting
might usefully start requiring of its customers : rather more practical
than trying to set some arbitrary number on emails sent)

there is a proposal for assisting with automated filtering

https://tools.ietf.org/html/draft-levine-mailbomb-header-01

but it's not currently getting all that much traction.

-- 
richard   Richard Clayton

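Added example (not code from any of the three posts above): detection logic for the modern mail-bombing pattern described in this thread, where thousands of individually legitimate verification emails arrive from many different senders so that per-source rate limits never trigger. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Spot a mail-bombing burst of verification emails on the receiving side.

Added example, not from the mailing list. Per-source rate limits do not fire
because each sign-up form sends only a handful of messages, so this looks at
the recipient instead: many verification-looking messages in a short window
from many distinct sender domains. Log format, sample lines and thresholds
are all constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: <iso-timestamp> from=<addr> to=<addr> subject="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$')
VERIFY_RE = re.compile(
    r'\b(verify|confirm|activate)\b.*\b(e-?mail|account|address|subscription)\b', re.I)

WINDOW = timedelta(minutes=10)   # assumption
MIN_MESSAGES = 20                # assumption
MIN_DOMAINS = 10                 # assumption: the part a per-source limit cannot see


def parse_line(line):
    """Return a dict with ts (aware datetime), sender, rcpt, subject; None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    except ValueError:
        return None
    return rec


def sender_domain(addr):
    return addr.rpartition("@")[2].lower()


def detect_mailbomb(lines, window=WINDOW, min_messages=MIN_MESSAGES, min_domains=MIN_DOMAINS):
    """Return {recipient: (peak_messages, peak_distinct_domains)} for recipients
    whose verification-email traffic crossed both thresholds inside one window."""
    records = [r for r in map(parse_line, lines) if r and VERIFY_RE.search(r["subject"])]
    records.sort(key=lambda r: r["ts"])          # logs are not always in order
    recent = defaultdict(deque)                  # recipient -> (ts, domain) inside window
    alerts = {}
    for rec in records:
        q = recent[rec["rcpt"]]
        q.append((rec["ts"], sender_domain(rec["sender"])))
        while rec["ts"] - q[0][0] > window:      # the newest entry always stays
            q.popleft()
        domains = {d for _, d in q}
        if len(q) >= min_messages and len(domains) >= min_domains:
            seen, dom = alerts.get(rec["rcpt"], (0, 0))
            alerts[rec["rcpt"]] = (max(seen, len(q)), max(dom, len(domains)))
    return alerts


def constructed_log():
    """Build sample lines: one bombed mailbox, one normal user, one single-source flood."""
    base = datetime(2018, 7, 18, 12, 45, 35, tzinfo=timezone.utc)

    def line(offset_s, sender, rcpt, subject):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f'{ts} from=<{sender}> to=<{rcpt}> subject="{subject}"'

    lines = [line(i * 10, f"noreply@site{i}.example", "victim@example.org",
                  "Please verify your email address") for i in range(30)]
    lines += [line(i * 60, f"hello@shop{i}.example", "other@example.org",
                   "Verify your account") for i in range(3)]
    # 25 messages from ONE domain: that is what a per-source limit already
    # catches, so it deliberately stays below min_domains here.
    lines += [line(i * 5, "noreply@onesite.example", "third@example.org",
                   "Confirm your subscription") for i in range(25)]
    return lines


if __name__ == "__main__":
    for rcpt, (n, d) in detect_mailbomb(constructed_log()).items():
        print(f"{rcpt}: {n} verification emails from {d} domains within {WINDOW}")
```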


Re: [anti-abuse-wg] 2017-02: what does it achieve?

2017-09-25 Thread Richard Clayton

In message <59c9148b.6010...@foobar.org>, Nick Hilliard
<n...@foobar.org> writes

>So, to be clear, it would be fully policy compliant if someone:
>
>- registers IP address space with the RIPE NCC, with contact information
>point to a PO box in Panama or BVI.
>- sets up an abuse mailbox with an autoresponder, where all emails are
>thrown into the bin
>- ignores all attempts at contact regarding abuse queries, whether from
>LEAs or not
>
>If this is the case, what problem is this proposal trying to solve?

#1 people who set the email address to  nowh...@example.com

#2 people who set the email address to  nowh...@unregistereddomain.com

#3 people who used to own unregistereddomain.com but forgot that email
addresses are using that domain in a RIPE object

#4 people whose company used to use ab...@branda.com but have moved to
ab...@brandb.com and now brandA.com is a black hole because the
forwarding doesn't work on the new server

#5 people whose mail system is just broken

#6 people who host their email at Google think that Google will deliver
email to an abuse desk even when that email contains bad URLs

oops, I think the proposal doesn't cover #6 and should! because I see
this on a regular basis

Nevertheless, it's surely some improvement if RIPE detects when abuse
contact details are unintentionally broken, but testing once a year
for that (rather than every couple of months) doesn't seem to be
sufficiently often to me.

-- 
richard           Richard Clayton




Re: [anti-abuse-wg] The well-behaved ISP's role in spamfight

2017-02-13 Thread Richard Clayton

In message <201702131743.10508.pe...@hk.ipsec.se>, peter h
<pe...@hk.ipsec.se> writes

>The very simplest thing to do is make sure any outbound smtp is relayed through 
>the ISP's 
>mailrelays, where spam could be detected and subsequently blocked.

this is very unpopular with legitimate businesses who wish to be fully
in control of their email sending destiny -- and ISPs generally do not
wish to discourage the people who cause no trouble and pay their bills
regularly and on time

so although "port 25 blocking" is a M3AAWG Best Practice it has not been
widely adopted with the main (but not only) exception being the large
consumer ISPs in the US (ISPs in Europe have, for historical reasons,
had a significant number of business customers mixed in with pure
consumers and that has made the difference)

-- 
richard       Richard Clayton




Re: [anti-abuse-wg] Why SPAM exists in 2017

2017-02-11 Thread Richard Clayton

In message , ox <an...@ox.co.za> writes

>Famously, during 2004, Bill Gates promised the world that Spam would no
>longer exist by 2006.

he believed that the "Penny Black" scheme would work... he was wrong,
the bad guys have more resources to hand than the good guys and so a
system based on proof-of-work could not be effective

some of us explained this at the time ...

http://www.cl.cam.ac.uk/~rnc1/proofwork2.pdf

-- 
richard          Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-06 Thread Richard Clayton

In message , ox <an...@ox.co.za> writes

>The Bind software is the dominant DNS software on the planet.
>
>The IETF doc, relating to RPZ - is intended for Bind ops.

Not really -- it's an attempt to document what Bind does in a way that
will make it easier for other platforms to do the same thing (it turns
out that there's a lot of interaction with the innards of Bind and
setting out the semantics in a way that is platform independent is not
as simple as you might initially think).

>If left unchallenged, RPZ will become a standard (RFC)

Not in the short term and not in the medium term either... there is a
difference between a standard and an RFC -- as Jon Postel set out two
decades ago

https://tools.ietf.org/html/rfc1796

>Which will legitimize it. 

As it happens, I agree with that view (since I think that many people
completely erroneously conflate RFCs with standards).

>What I am objecting to, is that non ethical software and systems are
>being legitimized.

As it happens, I agree that there are serious ethical issues with RPZ,
and I said so in an academic paper about ethics (as applied to research
into online criminality) several years back

http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf

I've recently re-expressed my opinion on the relevant IETF list, that
the document should not be adopted by the Working Group.

Essentially I believe documenting RPZ in a platform independent way will
lead to some Governments taking the view that they can censor the web by
compelling the consumption of an Officially Endorsed RPZ feed -- at
present, the fact that many platforms do not implement RPZ at all (or in
what is probably an inconsistent manner) gives them some pause. I think
we remove that (admittedly small for some regimes around the world)
roadbump at our peril.

-- 
richard       Richard Clayton




Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issue 7

2016-09-06 Thread Richard Clayton

In message , ox <an...@ox.co.za> writes


>==
>Definition of Internet abuse 
>==
>
>"The non sanctioned use of a resource to infringe upon the usage rights
>of another resource"
>
>
>Terminology used in the above definition
>
>
>(1) Resource
>Any Internet Resource

that's a recursive definition -- which doesn't assist much 

>(4) Sanctioned
>An action, event or situation originating from the authoritative holder
>of rights to a resource that gives permission, or permission is granted
>by direct implication, which authorises that situation, event or
>action.   

excellent, the negation has disappeared

-- 
richard   Richard Clayton




Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issue 7

2016-09-05 Thread Richard Clayton

In message , ox <an...@ox.co.za> writes

>Dealing with your first point, I do agree and you are imho, quite
>correct about the abuse from legacy resources.

no -- I was concerned about abuse OF legacy resources :(

>However, the current definition of Internet abuse is: --> use of a
>resource to infringe upon the usage rights of another resource
>
>So, this caters exactly for ALL resources, including legacy resources...
>
>Thank you for your feedback about, sanctioned, but it exists only to
>reflect 

you've missed my point

you define abuse as "non sanctioned" activity...  that is, activity for
which permission has not been granted.  Fair enough (so far as it goes)

you then define "sanctioned" as being infringement :-( rather than
setting out a definition which has something to do with the complexity
of what permission means.

-- 
richard       Richard Clayton




Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issue 7

2016-09-04 Thread Richard Clayton

In message , ox <an...@ox.co.za> writes

>==
>Definition of Internet abuse 
>==
>
>"The non sanctioned use of a resource to infringe upon the usage rights
>of another resource"
>
>
>Terminology used in the above definition
>

>(5) Sanctioned
>Infringement upon the use of a resource by the assignor or
>administrative holder of rights to a resource

that definition of "sanctioned" is backwards from what you intend to say

(not that I think it's a useful thing to say in such continuing
isolation, but you might as well make it coherent)

BTW: a considerable chunk of the problem, in practice, relates to abuse
of "legacy" resources. The assignor is dead and the argument is made
that there can be no administration of them ...

-- 
richard   Richard Clayton




Re: [anti-abuse-wg] Abusive behavior by Google Inc

2016-04-14 Thread Richard Clayton

In message , an...@ox.co.za writes

>In case anyone receives weird NON RFC bounces, from @gmail.com customers
>saying:
>
>Technical details of permanent failure: 
>read error: generic::failed_precondition: read error (0): error
>
>What this means is:
>
>Google Inc does REPLACE the "Blocked for abuse / spam / scams / phish /
>virus / spyware" messages from the various filters
>
>and sends a cryptic non RFC message to their users implying that the
>receiver's email server is broken in some way
>This is truly EVIL of Google to do...
>
>As they, Google are the ones sending PHISH / VIRUS/ SCAMS / SPAM!
>
>Example: @209.85.218.43
>
>http://www.scammed.by/scam.php?id=185816

This is a complex example involving an email delivered to a gmail
account and forwarded from there to Yahoo

I cannot see "failed_precondition" anywhere on that page at all :-(

-- 
richard  Richard Clayton




Re: [anti-abuse-wg] Sources of Abuse Contact Info For Abuse Handlers

2015-11-19 Thread Richard Clayton

In message <201511181701.30630.markus.debr...@bsi.bund.de>, de Brün,
Markus <markus.debr...@bsi.bund.de> writes

>A few remarks:
>Sources like TI or FIRST are useful if you are looking for national CERT 
>contacts. If you want to report an issue to network operators or hosting 
>providers directly, you have to use Whois information.

nope ... you could use their websites

Many hosting providers have webforms, which if used result in rapid
takedown. Indeed for many hosting companies this is pretty much the only
way of achieving rapid takedown.

I understand that the purpose of the document is to explain the issues
around "let's get hold of the abuse@ folk" but it would be considerably
more valuable if it either indicated that this was just one strategy for
dealing with abuse or at least pointed at other material that set out
the context.

The document provides the example such as "Incident reporter finds a
hacked webpage" and says

"Naturally, she will try to contact the domain owner (name-based
resource lookup) - the admin-c and possibly also the tech-c."

in practice people do indeed contact all three of these, and that can
cause significant delay as each assumes someone else has dealt with it;
and as above it may well be better to just type www.hostingcompany.tld
and click on the "report abuse" link.

My suggestion for the document would be to entirely remove what material
there is on why one might be searching for an abuse contact (since it is
inadequate and unhelpful) and leave just the substantive information
(these are the databases, this is what they contain, this is how they
are maintained).

Bottom line for me is that the problem statement says

Given the domain www.example.com, what is the best contact for
sending IT security incident notifications to?

and nothing in the rest of the document tackles the notion of "best"

So I'd commend removing sections 4 and 5 altogether.

-- 
Dr Richard Clayton   <richard.clay...@cl.cam.ac.uk>
Director, Cambridge Cloud Cybercrime Centre  mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570





Re: [anti-abuse-wg] Sources of Abuse Contact Info For Abuse Handlers

2015-11-19 Thread Richard Clayton

In message <5649f74a.70...@heanet.ie>, Brian Nisbet
<brian.nis...@heanet.ie> writes

>At this point we would like to invite any final comments from the WG (a 
>last call of sorts) before it is published. Ideally these comments would 
>be great before the WG Session at 11:00 EET on Thursday 19th November, 
>but definitely before the end of this week.

I am concerned about the section on Geolocation -- not least because
Geolocation doesn't work all that well, especially when abuse is
occurring and the bad guys are seeking to confuse.

The section starts:

As discussed in the section "General remarks on abuse contact
lookups", some incident reports should simply go to the national
CERT. For this task, it is important to find the country code of an
IP address or a domain.

There is no further discussion of domains ... many of which don't have a
"country code" and indeed many country codes are not operated by the
relevant country (albeit if such a country had a CERT I expect they'd be
happy to take the report and would have good contacts with the relevant
people who could actually take action).

So why mention domains at all ?

Mapping IP addresses to a country and an AS works well most of the time,
but the lack of any security in BGP means that the data one obtains from
the RIRs or indeed from the "global routing table" [why is Team Cymru
mentioned and not stat.ripe.net ??] requires careful interpretation.

The suggestion of running your own copy of Quagga is a wise one, not
least because an important way of dealing with abuse when an abuse
contact cannot be found or does not respond is to deal with the company
that is providing connectivity to the dubious block of IPs -- the
routing table gives an indication (often, but not invariably, a correct
indication) who that might be

... but now we're straying into advice as to how to deal with abuse
rather than information about datasets...  the change required to the
document is a "known issues" statement about Geolocation (perhaps
shorter than this):

Maxmind -- deductions are made from other datasets and assumptions are
made that delegating a block of address space to a company in country X
means that the address space is in use in country X

Team Cymru -- this is also derived data. For country it assumes that
entire blocks are in a single country. For ASs it reports the BGP data
that Team Cymru is aware of.

Quagga -- data can require careful interpretation because of the lack of
security in BGP generally

-- 
Dr Richard Clayton   <richard.clay...@cl.cam.ac.uk>
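Added example, not code from the post or from the document it reviews: the routing-table lookup the post describes, which finds the origin AS for an address and the AS handing it the route (the likely connectivity provider), keeping the caveat that the data is only what a collector saw. The RIB lines are constructed from RFC 5737 / RFC 3849 documentation prefixes and RFC 5398 ASNs and stand in for what a local Quagga instance would show.

```python
"""Which AS originates an address and who carries its traffic, from a
routing-table view, with the derived-data caveat the post makes.

Added example, not from the mailing list. RIB entries are constructed.
Longest-prefix match picks the route actually in use; every path seen for
that prefix is kept, so two vantage points disagreeing about the origin is
visible rather than averaged away. Nothing in BGP itself makes the origin
trustworthy, so the result is an indication, not proof."""
import ipaddress

RIB = [  # constructed: (prefix, AS_PATH as seen by a collector)
    ("192.0.2.0/24", "64500 64501 64502"),
    ("192.0.2.0/24", "64503 64501 64502"),                # second view, same origin
    ("192.0.2.128/25", "64500 64504 64505"),              # more-specific, another origin
    ("198.51.100.0/24", "64500 64502"),
    ("198.51.100.0/24", "64507 64508"),                   # second view, different origin!
    ("203.0.113.0/24", "64500 64501 64506 64506 64506"),  # origin prepends itself
    ("2001:db8::/32", "64500 64501 64502"),
]


def origin_and_upstream(as_path):
    """Origin ASN and the ASN that handed it the route, skipping origin prepends."""
    asns = [int(a) for a in as_path.split()]
    origin = asns[-1]
    i = len(asns) - 1
    while i > 0 and asns[i - 1] == origin:
        i -= 1
    upstream = asns[i - 1] if i > 0 else None  # None: collector peers with the origin
    return origin, upstream


def lookup(ip, rib=RIB):
    """Longest-prefix match for one address.

    Returns {'prefix': str, 'views': [(origin, upstream), ...]} with the
    distinct views sorted, or None when no route covers the address."""
    addr = ipaddress.ip_address(ip)
    best, paths = None, []
    for prefix, path in rib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best, paths = net, [path]
        elif net.prefixlen == best.prefixlen:
            paths.append(path)
    if best is None:
        return None
    views = {origin_and_upstream(p) for p in paths}
    # an upstream of None sorts first; a real ASN never compares with None
    ordered = sorted(views, key=lambda v: (v[0], -1 if v[1] is None else v[1]))
    return {"prefix": str(best), "views": ordered}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.1", "203.0.113.7", "10.1.1.1"):
        r = lookup(ip)
        if r is None:
            print(ip, "-> no route")
        else:
            print(ip, "->", r["prefix"], *[f"origin AS{o} via AS{u}" for o, u in r["views"]])
```
When two views disagree, as for 198.51.100.0/24 above, that disagreement is exactly the point the post makes: the table tells you who to ask, not who is right.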