Colleagues,

Here are the draft minutes from the AA-WG meeting at RIPE69. Could you please take a look and come back to me with any corrections on your part?

Thanks,

Brian

---------


Anti-Abuse Working Group Draft Minutes - RIPE 69
Date: 5 November 2015, 14:00-15:30
Working Group Co-Chairs: Brian Nisbet, Tobias Knecht
Scribe: Marco Hogewoning
Status: Draft

Brian Nisbet, WG co-chair, welcomed the attendees and apologised on
behalf of Tobias Knecht who due to illness could not attend the session.

A. Administrative Matters

Brian apologised for the minutes of RIPE 68 being sent out late and
asked the audience if there were any comments or additions.

Alexander Isavin, NetLine, mentioned that the section on law enforcement
agencies is missing from the minutes. Brian said he remembered the
discussion and would look into the matter.

He asked the working group to approve the session's agenda, which they
did without further comments.

B. Update - Brian Nisbet, AA Working Group Co-Chair


Brian mentioned the charter was discussed in Warsaw and some follow up
discussion took place in June. The new charter has been published on the
website and Brian closed this action point.

Brian introduced the procedure to select working group chairs and gave
the working group some background on why this is needed. A draft text
was sent to the mailing list and a version with some minor changes in
wording was published on Tuesday evening. Brian highlighted the main
elements of the proposal: the chairs will have a term, there will be
no limit on the number of terms and each term will last for three years.
There will be two or a maximum of three chairs for the working group and
the decision on who will become chair is preferably made by consensus or
alternatively by a secret ballot.

Brian asked if there were any further comments and deferred the
discussion back to the mailing list to come to a conclusion about this topic.

Sander Steffann raised his thumb.

Brian pointed to a discussion on the mailing list about AS Numbers and said
that due to the recent number of emails he was not able to catch up. He
suggested leaving the discussion on the mailing list as more people are
likely to be behind on this topic. Brian mentioned that the RIPE NCC was
already looking into some of the questions raised on the list and was
expected to reply.


He clarified the discussion has to do with the credentials supplied when
an AS Number is requested and any allocations that have been revoked.

C. Policies

Brian mentioned that due to Tobias' illness they haven’t looked into the
issue and mentioned that a conference call with the RIPE NCC has been
planned in December to talk about this.

D2. RIPE NCC anti-abuse outreach activities

Mirjam Kuehne and Ivo Dijkhuis from the RIPE NCC presented on their
outreach activity. A copy of the presentation is available at
https://ripe69.ripe.net/presentations/116-SecurityUpdate4RIPE69.pdf

Brian reminded Mirjam about an open action point for the RIPE NCC from
Warsaw to send some more information to the list, which hadn’t happened yet.

D3. RIPE NCC Government/LEA Interactions Update

Marco Hogewoning, RIPE NCC, gave a short update on the interactions with
law enforcement and governments.

An archived copy of Marco’s presentation is available at
https://ripe69.ripe.net/archives/video/10140/

Coming back to Alexander Isavin’s earlier question about the minutes,
Marco mentioned there is an open action point to provide more
information about the LEA meetings. As there haven’t been any LEA
meetings yet, this information was not published.

Heather Schiller, ARIN, asked if the RIPE NCC published a report about
the number of LEA enquiries they receive.

Marco mentioned the RIPE NCC in 2012 and 2013 published a transparency
report which is available on the website.

Ruediger Volk, Deutsche Telekom, pointed out that the report does not
list the level of access given to law enforcement agencies.

Marco explained the information contained in the report and said that it
not only provides the number of enquiries but also gives some
information on where they are coming from and provides an overview of the
nature and reason of declined requests.

E2. Tor censorship countermeasures and how you can help

Jurre van Bergen, Greenhost, presented about countermeasures to Tor
censorship.

A copy of the presentation is available at
https://ripe69.ripe.net/presentations/112-tor-ripe69.pdf


Erik Bais, A2B Networks, asked if he understood correctly that Jurre had
set up a foundation for this and what kind of work was involved in
running an exit node.

Jurre clarified that the foundation was set up to maintain a dialogue
with the law enforcement community and to actively assist them with
warrants and subpoenas. He said they are happy to provide operators with
training and help them to set up and suggested to take the discussion
private.

Brian Nisbet mentioned that research networks have two issues with
running Tor exit nodes. One is the acceptable use policy prohibiting
a third party from using these networks for this purpose. The other
is that the misconceptions about the Tor project might lead to
questions from the governments who fund the research network.

Jurre pointed out that the majority of funding for the Tor project comes
from governments. He explained they are using an IP block from a Dutch
research institute, but as it was re-purposed they are not really using
the research network.

Sacha van Geffen, Greenhost, asked if the foundation was busy creating
and publishing any best current practices.

Jurre answered this is done and gave an example on controlling which
ports can be used on a Tor exit node to limit certain services.

Brian suggested to Jurre to share some of this information with the
mailing list, especially the ones on abuse policy as they relate to the
working group.

E1. Impact of rom-0 vulnerability in SOHO routers

Tomas Hlavacek, NIC.CZ, presented on the ROM vulnerability in routers.
An archived copy of his presentation is available at
https://ripe69.ripe.net/presentations/61-rom0-vuln.pdf

Erik Bais, A2B Internet, asked if the holders of the IP addresses found
in the research were notified about the issue. Tomas explained this was
not done because people were not interested and the team chose to use
mass media to create awareness. Erik suggested to have a chat about this
as he had experience with cleaning up botnets and mailing owners might help.

Elvis Valea, V4Escrow, asked if there was a list with vulnerable modems
available. Tomas answered it is usually the cheaper brands but they
would not disclose names as the manufacturers don’t like that.

Elvis asked Tomas if they scanned the whole Internet. Tomas confirmed.

Heather Schiller, Google, mentioned there are other groups looking into
CPE vulnerabilities and it might help to share the data with them.

Bruce van Nice, Nominum, asked if any work was done in profiling the
resolvers to see which sites were abused. Tomas answered they found one
doing Google and Facebook phishing.


Marco Hogewoning, RIPE NCC, asked how many abuse reports came in after
scanning the entire Internet. Tomas said he received three complaints.

E3. DDoS as a service

Jair Santanna, Universiteit Twente, presented on Booters: the DDoS as a
Service phenomenon. An archived copy of his presentation can be found at
https://ripe69.ripe.net/presentations/115-20141105_RIPE69_jjsantanna.pdf

A member of the audience mentioned they did some investigation into
Booters themselves and found out that these often use commercial anti-DDoS
protection services, as Booter sites tend to attack themselves. He
suggested working with these companies to take the front-end offline.

Jair said it is hard to find the evidence, but when they do these sites
get taken offline by their providers.

X. AOB

Brian asked for any other business. Erik Bais mentioned he had noticed
that after an IP transfer abuse reports get sent to the old IP address
holder and that is a clear indication that people are not using the RIR
whois databases and fail to update their own information in time. He
said it also takes quite an effort to de-list transferred resources with
blacklist operators.

Brian asked for suggestions on how the working group can help to improve
this. Erik responded that more information about transfers to the abuse
community could help and offered to explain how a transfer is actually
done. Another suggestion was to make it easier to prove a transfer is
legitimate.

Ruediger Volk suggested looking into the data flow from the RIPE NCC who
administers the transfers to the parties who collect and distribute
anti-abuse information.

Elvis Valea mentioned that they observed BGP hijacks taking place in the
brief period when a transfer takes place and the RIPE Database objects get
deleted. Brian responded that they haven’t discussed BGP hijacks but
this is worth looking into as it might require a policy change or a change
to the way transfers are done.

Brian Nisbet thanked the attendees for their participation and closed
the session.




