Anti‑Abuse Working Group

Thursday, 19 November, 2015, at 11 a.m.:

BRIAN NISBET: Hello. How are we all this morning? Unusual situation of not being directly after lunch when everybody is digesting. Welcome to the Anti‑Abuse Working Group session at RIPE 71 in lovely, lovely Bucharest. Apparently we all need to have sort of subtitles now so I figure this is the edgiest Working Group. I am Brian Nisbet, unfortunately Tobias can't make it here, very last minute, but unfortunately he is not able to make it. But we will talk about him again now in a moment.

So, I have done the welcome bit. I would like to extend thanks to both the NCC staff and our wonderful stenographers as well. This support structure is there so that I can slack a lot, and not have to take lots of notes but it's wonderful and thank you all for that.

If you are speaking at the microphone, please say your name and where you are from. You can make up whatever fun title that doesn't actually involve your real job, there is probably ‑‑ there has got to be a prize ‑‑ got to get NCC a prize for the most interesting title at the microphone. Internet citizen is so passé at this point in time. Minutes of RIPE 70, we had some minutes, they were discussed, we made an amendment I think and there were, we passed it from there. Unless there is anybody else in the room who wishes to make a comment on the minutes? Then we shall consider them formally approved.

The agenda, I have made a couple of minor changes to things but the order of things, then the published agenda, not actually the content. Is there anything else that anybody feels the need to talk about or raise that we have to add at this point in time? No. Excellent. Compliance.

Finally, and this is a point we were discussing earlier in the week, at the intro ‑‑ at this opening, Hans Petter mentioned the RIPE code of conduct that we now have, and I think it is worthwhile mentioning it again from a Working Group point of view, it doesn't just apply to the plenary, it is for the meeting, for the community, so if you haven't already looked at the code of conduct text, which is really, essentially about being decent human beings to each other, then ‑‑ but it's a bit more than that and that is why it doesn't just say be excellent to each other, I would encourage you to please take a look and I think that it's particularly important when we discuss not being nice to each other on the Internet, that we reference the code of conduct here.

So, let us move swiftly on. There are seats, Jan. So, Working Group Chair matters. We did a thing, we have a procedure, this procedure is important. I am not going to spend a huge amount of time on it because, as discussed, the two senior Working Group Chairs, for want of a better word, put them ‑‑ both put ourselves up for reappointment, myself at RIPE 70 and Tobias now. Tobias is sad he can't make it, I am hoping he is watching and possibly even on IRC, I am not sure, but he certainly wishes to remain as the Working Group Chair ‑‑ co‑chair. Nobody else put their hands up, so unless somebody wishes to violently object right now, we will consider this done and continue on.

OK. Silence indicates consent. Great, so cool, we will ‑‑ oh ‑‑

AUDIENCE SPEAKER: Tim, RIPE NCC, on chat monitor. I wanted to confirm that Tobias is on chat.

BRIAN NISBET: He is watching you. So yes, grand, cool, excellent. We will continue on on that basis, in that case.

So, recent mailing list discussion. There has been a bit of it. Quite often, this particular section is quite short and boring. Not quite this time, and I should have loaded this up before I stood up here, this text file before I stood up here. We have had a lot of discussion on the mailing list. Since the last meeting, there have been 326 e‑mails on the mailing list, which is, some. I think what gets more interesting is the fact that since August, there have been 280 of them since August, which suggests there have been certain reasons for the more talking. And indeed, since October, it's been ‑‑ over 250 of those have happened since October. So, it's very clustered, shall we say.

One thing I will say before discussing this more is just a brief reminder to all of you who are active on the mailing list, is to be nice to each other. There is lots and lots of scope for robust discussion without getting involved in attacks or otherwise, generally speaking it's very good and polite, there were a couple of incidents of it really and I would prefer there to be no incidents at all.

Let us assume that everyone is here for good and decent purposes and work on that basis.

A couple of things I want to talk about, after each one if people have any comments they wish to make about that, then we can. One of the things is and one of the reasons why a lot of these conversations started was on the reporting of people spamming other people. This is important, you know, spam is network abuse. But in a lot of cases it's not ‑‑ the anti‑abuse mailing list is not the right place to have these discussions because it's not the most useful place to have these discussions. That said, some of the discussions we have seen, there has been useful exchanges of information about networks and technical information. I am not for one moment saying do not go and talk about this but just be aware of the fact that the anti‑abuse mailing list is not some silver bullet which can solve all of your spam problems, I wish it was, I wish we could disband the Working Group tomorrow. Sadly, that is not going to happen. Equally it's important to point out because this was raised, at no point has anyone been told not to send particular mails to the list. This is very important and needs to be made very clear. However, again, it's around how useful they happen to be.

So, foreign undelegated route objects, we have a bit of a discussion about that later, spoiler, there is a policy in database, is what that really boils down to, one of the things that has come out of it is, there is a policy now being discussed in the Database Working Group with the mails being copied to anti‑abuse, around how to deal with some of the foreign objects in the database, with the undelegated objects in the database.

There will be, and Peter can nod on this, there is potentially time for discussion in database about this afternoon. He hopes so. The discussion should be on the mailing list anyway. I think we are ‑‑ anti‑abuse was a lot more pro, I think, this, than database. Database are discussing it in depth, which is a good thing. So data verification and abuse‑c contact methods. So a lot of this came down to when we really kind of got down to the nub of the problem, a lot of it was around verifying the data of people, especially when they first apply. Has this person who claims to be from this company with this phone number actually applied for these resources? I am explicitly making no assumptions about particular AS numbers which may have been widely discussed nor will you see them on these slides but there is certainly some good questions raised about both initial verification and potentially continued verification of data, both in the database explicitly in regards to abuse‑c. What I had said a few times is what we need here is a proposal. I think that there was a recent mail from Ronald who actually had some fairly concrete suggestions in there in regards to what we could potentially put as a proposal either in anti‑abuse or in database, because I like making more work for database, in regards to that process.

So, what I propose to do is, I will sit down and work with him on turning that mail into the first draft of a proposal, because there is going to be ‑‑ any of those proposals would involve significant work for the NCC, so we need to put it through that and get their impact, analysis on that work and get the estimates of time but I think we might actually be at a point where we have something we can concretely discuss.

Any other comments on that? Are people generally happy with that? OK.

Other bits: LIR contract discussions, I am not a lawyer, most of you aren't lawyers, most of the people on the mailing list aren't lawyers so we have asked a lawyer. The basic problem here is there was a question raised in a very sensible and intelligent way about whether the current contract might imply that in fact the NCC is a party to that contract which they are very much claiming they are not a party to. Many different opinions have been expressed but what I have actually asked the NCC to do is to look at the thread and come back in a reasonable time frame with some more information, preferably something which says this has been tested somewhere, but certainly more information on that rather than what is essentially speculation that we are discussing on the mailing list.

So are there any other comments on that piece? No. OK.

And finally, the sources of abuse contact info document. We sent this, Mirjam wanted feedback. We now have feedback. So thank you very much for that, thank you very much for engaging. It is one of those things that you send this for a final last call before republish and suddenly all the feedback appears but that is human nature and it's better to have it now than it is to publish the document with problems, so, we will leave it until the ‑‑ I think the end of the week to see if there is any more information on that and come back with a revised document. There is no intention for this to be an endless cyclical cycle of things.

If you have comments, and I am not going to, to make any judgements here, but I suspect not all the comments that have been made will end up with specific amendments or otherwise. The general feeling is that the document is very good, has a few things which could be improved, so our intent would still be to publish it then as a RIPE document after the short revision, no intention of spending a lot of time going forward and back and forward and back on this because really, getting out there is quite important at this point in time. But thank you for your feedback; it is a good and useful thing.

So, that's that. Any other comments on recent list discussion? Anything that people want to talk about that you feel I have glossed over or otherwise? Analysis of the 326 mails sent? No, no, that is fine, grand.

Policies. We move swiftly along. Again we have spoiled this one, there is a policy discussion ongoing in database, copied to anti‑abuse. Please join that discussion, if you have opinions, that is the long and the short of it. That is how we do stuff around here. Open discussion on the mailing list, which is where things are decided. So, please, please do go and talk about that.

Now, this is where this gets ‑‑ yes, OK. So, this is where I am going to change things slightly.

In the agenda we have the NCC up next but very briefly, I just want to talk about something ‑‑ we often talk about our law enforcement engagement and this is ‑‑ this Working Group is the place where we hope that law enforcement will interact with the RIPE community. This has been a little quiescent of late, not quite as active as we would have liked, but we are entering some sort of glorious brand new day, hopefully, with this. The NCC has contracted Richard Leaning, ex of various law enforcement things, to work on this and to act in this area and Dick has a fantastic knowledge of both the people, the situation and the experiences that are there, and so we have already had a quick chat about this; we are going to have more chats about this, about how to reinvigorate and re‑engage with those communities, because as I have said many times from this stage at this group, we need to engage; we cannot sit there and say my network, my rules and ignore until the heavy knock comes on the door, I think there are much better ways of doing it. I have sort of a ‑‑ I mean, it's the notion of community Internet policing and there have been some very useful conversations especially around some of them in the UK with hosting providers there and some of their local law enforcement, about much softer forms of engagement and that is something that I would very much look forward to more of. Dick, I don't know if you want to very briefly introduce yourself? One minute.

DICK LEANING: Richard Leaning, from now working with the RIPE NCC but previously from Europol, European Cybercrime Centre, National Crime Centre Agency of the UK, ICANN and RIPE and the IGF and everyone else. I had a chat with Brian yesterday. I used to come here as a law enforcement officer and I haven't been for a couple of years because we have been paying more attention in ICANN and the gTLDs, that was a big issue, what we are trying to do is get law enforcement back engaged, not just law enforcement but the governments as well and have a proper community discussion and working together and law enforcement are keen to do that. I have already got ‑ I won't embarrass her, but Francesca is from the European Cybercrime Centre, and there is someone from BG ‑‑ she is not here. So, they are already engaging so that is very brief, so tomorrow afternoon and please contact me and I will be speaking to Brian and participating in the mailing list and we will see where we can go between now and Copenhagen. Thank you.

BRIAN NISBET: Thank you very much. So, I think that sort of ‑‑ it's very distracting the clock on this display is out by 12 minutes, which is kind of throwing me, but we will cope. I believe this time source a lot, well this time source or the time source in the air or something. Moving on to the first of our kind of presentations, conversations, which is an update on the RIPE NCC security outreach activities. Please.

MIRJAM KUEHNE: Thanks, Brian. This will be quick. And you might have expected an LEA update at this point but we kind of figured we are going to do an alternating cycle and at one RIPE meeting we update you a bit more on our security outreach activities and in the spring meeting we will have more information about LEA‑related activities we are doing. But I will also mention that a bit more later.

So a few years ago we actually started to increase our activities in the security area a bit more and obviously this is an important topic, but at the time we thought, you know, what are our goals and what is the scope so I just want to remind you a little bit of these goals. They are threefold, we want to increase the visibility of the RIPE NCC and RIPE community in the security area a bit more. They have moved a bit apart over the last few years, the security community with lots of different pockets in itself, in the LEAs and the hackers and other security conferences and there is the RIPE community with the Anti‑Abuse Working Group and we are trying to cross pollinate them a little bit more and act a bit as a bridge in between those communities and also increase awareness about what the RIPE NCC is doing, and tools we have been developing that could be useful for the security community as well.

On the other hand, we are also going out there and trying to understand the issues a bit more that security people have and see possibly how we can help them and work together and this document that Brian just mentioned is one outcome of this but I will come to that later.

And lastly, or thirdly, we also of course, as RIPE NCC want to lead by example, make sure we use the ‑‑ all the equipment and follow all the best practices and also provide the community with interesting security‑related information, for instance, on RIPE Labs.

So just that, to set the scene, why we are doing all this. What have we been doing over the last six, eight months or so? We have done a number of ‑‑ we have attended a lot of events and presented at a number of events, for instance, at MAAWG. Brian and I, we gave a little dance on the stage there, the three of us, to explain to the MAAWG community ‑‑ what does it stand for again? The mail and? mail messaging ‑‑

BRIAN NISBET: Mail messaging and another M that I keep on forgetting.

MIRJAM KUEHNE: Working Group. And they are their own little community and they are doing a lot of work in the mail messaging area so it's a bit specific there, but we felt that they could benefit more from ‑‑ they also asked us to present there and explain a bit more what the RIPE NCC does but also what the RIPE community does.

So Brian and I got together and gave this presentation there at the last MAAWG meeting, which I think was very well received, we got a couple of questions about some of our activities.

Then also we participated in the CARIS workshop, which IAB and ISOC organised together on data sharing, and I moderated a panel on incident data sharing with a bunch of other RIR people and also DNS people, so it was interesting to get different people together in one room that usually don't ‑‑ not necessarily talk to each other. I was also invited to an event that was organised by ACOnet, in Austria, they celebrated their 25th anniversary and had a really nice programme and one panel was very much related to security and Internet of things, what privacy and security issues are related to that and how ‑‑ is there a need for regulation, and LEA so it was very much on topic also to what Dick and Brian just mentioned.

Phil was on the panel and a few other interesting people so that was exciting.

And we have also been involved in the CSIRT community quite a bit more over the last few years, we are now a member of the task force, the CSIRT task force, the European, which is the European FIRST, if you will, and we have been participating there over the last two or three years, and presented also on various topics like RPKI, we also talked about our responsible disclosure policy and what experiences we have made with that over the last few months. Last time we also talked about Russian privacy law and how that could affect the RIPE NCC's operations in the future, and also out of that community sprung that data sources document that Brian mentioned.

And then last week in Amsterdam Daniel Karrenberg was participating in the panel on DNS exploits, together with Benno and Paul, so trying to be at various events and we attended a lot of other events in our service region where we necessarily ‑‑ we didn't ‑‑ we participated, we didn't necessarily present there, that kind of falls more into the second goal, trying to keep our ears and eyes open and see what people are talking about and what their needs are and what the RIPE NCC can do to help.

And this slide is in here because I wasn't sure if you were going to talk about Dick and the LEA outreach so obviously we are continuing to do this. Our main focus in that is what Dick just explained, to engage LEAs more and with the RIPE community and also explain, on the other hand, our tools so that is one of the RIPE NCC's main activities I think, to explain to governments and to LEAs how they can use RIPE Stat and Atlas and measurements and the database information and make use of that. It's all public data so we will continue to do that and basically just work together and see what we can ‑‑ what they need, how we can work together on various topics and IPv6 and security, of course.

And lastly, I just have one slide which kind of falls in the third category, in the third goal that I had on the first slide, is lead by example and make sure we are kind of, have our things in order and our operations. That ‑‑ maybe I will skip that first one. So we have the responsible disclosure policy in place now for a year, I think, and it really actually helped us to streamline reports and to have a bit better idea where people find out there and also helped us to fix things that people find.

And we also now have an A rating on SSL Labs which was a goal we wanted to achieve on most of our main web sites. We have just published before the meeting a Labs article on how we implemented DANE on our websites now, so you can read a bit more about that, it's been written by our security officer together with the web people. We started to do a bunch of security audits for our services, we have done a security audit for the database, we are I think still in the middle of doing a security audit for RIPE Atlas and we are going to talk a bit ‑‑ maybe at the next RIPE meeting it would be a good opportunity, either here or in the NCC Services Working Group, I don't know, to talk a bit about the results and what we have learned from that and no major things came out but of course there are always some small things that can be improved so I think it would be good maybe to report on that next time.

And then lastly, at that first bullet‑point there, I just want to give a background, I have sent this document to the list a few times over the last year or so and it came out of ‑‑ I suppose an initiative or, it came out of our involvement with the CSIRT community. And we went to the CSIRT meetings and had the feeling all these different data sources and databases and most of them are publicly available and slightly different data and issues, and everybody is using something else and there is of course the RIPE database and RIPE Stat and it has a nice API so we worked with a number of CSIRT people together to basically document what is out there, and that was the main reason for this document. And again, I want to thank you for the feedback that we got so far, I think most of it we can incorporate and some valuable feedback. I spoke to a number of people outside in the hallway, and I think it would be good if we had more CSIRTs also participating in the Anti‑Abuse Working Group and maybe also in the mailing list because I think maybe we are missing that expertise a little bit in here and I realised from the discussion we had on the list, maybe abuse handler ‑‑ some terminologies we are using in the document, it might not be clear and we need to clarify that. So, we will work on that a bit more, and come out with a next version after the RIPE meeting as Brian said and hopefully publish it as a RIPE document. And somebody mentioned, Marcus I think said it would be more of an informational document. I think we have a number of categories for RIPE documents, I am not sure exactly if informational is part of it, I get the point, that is the idea of that document, to have it out there as an information document so we will see how we can best communicate that.

I think that is it. Are there any questions?

BRIAN NISBET: Thank you. Yes.

AUDIENCE SPEAKER: Seán Turner, I am putting my time amongst multiple companies so Internet NERD. In my spare time I got bored and read the minutes from the public safety Working Group in ICANN and there is some information about working with the RIRs for IP and Whois accuracy and due diligence. Has that kind of process started yet where they have reached out to you guys, I mean it only happened last week.

MIRJAM KUEHNE: Can I pass this on to Marco or Dick, you might know a bit more about that?

MARCO HOGEWONING: Can you repeat that?

AUDIENCE SPEAKER: The public safety Working Group I suppose at the last ICANN meeting, there is some stuff in the minutes about trying to get IP and Whois accuracy data, and I am just curious to see if that outreach has happened yet because they were trying to work with the different RIRs, has it started yet?

MARCO HOGEWONING: Yeah, well, we are engaged with the people who make up the PSWG, so we are engaged with them and explaining the process and getting more background on what exactly the concerns are that triggered that line in the communique that you are referring to.

So yes, we are talking to them and they are a part of this community, so that is the engagement we have for it.

HANS PETTER HOLEN: Wanted to comment on the same, not on this specifically but a lot of those suggestions that come up in ICANN meetings for collaborations with the RIRs are more often due to not understanding what is already in place in the RIR communities so I would say that we probably have better mechanisms to make sure we have accurate Whois data for addresses than they have for domain names. So I would almost assume they think we have a bigger problem with IP addresses than they have with domain names. I would argue that it's actually the other way around.

MARCO HOGEWONING: I forgot to introduce myself, Marco Hogewoning, RIPE NCC, that is also a lot of our capacity building and outreach to explain the actual fundamental differences between the way IP addresses are assigned in blocks and domain addresses are assigned basically to individual users. And I think that is part of people still being a bit confused that these systems, in that sense, diverge a bit. So we are trying to educate them and we do our best every time we can.

MIRJAM KUEHNE: I think that falls into that first point here on the slides, that we are trying to explain the data that is out there and it's publicly available, what the use of it is and how to use the tools. So we are certainly engaged in that area as well.

BRIAN NISBET: I do want to say, though, just the MAAWG meeting was surprisingly good, and I don't mean to be in any way not nice to the MAAWG people who are lovely. But I think I certainly went along kind of thinking we are going to say some stuff and nobody is going to be interested and they are going to know ‑‑ either know it or not care about it. And I think the reaction we got was very, very different, some very positive interactions with people at the meeting and hopefully that will filter through to here as well. And I think also, they were amazed by our openness. We were the session where we explicitly told people they were allowed to tweet and tell their friends about it afterwards, as opposed to have to claim they were actually on a farm for the week rather than in a hotel in Dublin. So, I think it was very positive and very good and I think it's something we are going ‑‑ obviously it was engagement which reinvigorated in Warsaw and we are going to try on doing that.

MIRJAM KUEHNE: But it also shows, if I remember correctly ‑‑ there really is a need for more collaboration between the two communities, because I remember a couple of presentations where they asked for some network operational changes and there really was a bit out there and I sat there and was hoping that more of you guys were there to respond to the proposals that were made there and I think Brian got up and said something but I think it's really ‑‑ it would be good to collaborate more between network operations and the community as well.

PETER KOCH: The two sentences that you, Mirjam, and you, Brian, just voiced in like 30 seconds distance were bringing me to the microphone, which is that you admired their admiration of our openness and you, Mirjam, said you hoped more of us would be there, if I am not completely mistaken, there is no RACI protocol openness in that case which makes the education cooperation probably a bit more difficult than any of us would like to.

BRIAN NISBET: Yeah, no, MAAWG it is a very different kind of meeting and it is more complicated to get there than it is to get to here, so we have to figure out the way of doing that.

AUDIENCE SPEAKER: Maybe I can help with this. There is still an outstanding invitation from the MAAWG organisation to RIPE members to participate. You just send an e‑mail to the Chair, president, secretary, I can't remember, and you will get an invite. So, it's just as easy.

AUDIENCE SPEAKER: That is not really what I meant and ‑‑ Peter Koch again ‑‑ I have lots of people offering me invites, but that is slightly different from openness, especially from the openness that is practiced here.

AUDIENCE SPEAKER: Yes, MAAWG has very strong focus on operational security, I understand your point, but they ‑‑ there are reasons for that.

BRIAN NISBET: Yes. I think we are aware there is a difference and there is a need to engage in particular ways with that. So ‑‑

MIRJAM KUEHNE: If we can help to bridge that, that is exactly the point also of this presentation, if we can help to bridge that, the RIPE, RIPE NCC and other communities in the security area, then we are happy to do that and continue to do that.

BRIAN NISBET: Thank you very much.

So, next up. The next slides if you would, please.

This is Erik pretending to be from AbuseIO. Unfortunately, the AbuseIO folks couldn't make it to the meeting, so Erik has kindly agreed to present on their behalf.

ERIK BAIS: I am doing this presentation by proxy. We actually had a very interesting day in ‑‑ I am looking at August or ‑‑ when was the NLNOG? September, right, thanks. We had a very interesting day in the Netherlands with the NLNOG and they were presenting this particular piece of software. And we asked both myself and Vesna asked, well this is an interesting piece of software, can you actually do this at the RIPE meeting and that was basically their options, sorry but I can't, we have other things and my employer doesn't let me. So, as I am here anyway this week, I volunteered to do the presentation.

So, forgive me if I do not have all the answers. How the software has been set up, specifically, but there is a very, very good IRC channel and support from the community for this but we will try to address wherever.

BRIAN NISBET: Just to say that Bart is on IRC and said we will keep him busy and try and answer any questions.

ERIK BAIS: Thanks, I was hoping he was there.

So, during the presentation, I will give a bit of history about how AbuseIO got started, specifically why AbuseIO, what the features are, I can tell a bit about the implementation we did at our company and you will see some slides about the workflow, how the process works and then we will go to the questions, if you still have any.

So, the software was developed as an in‑house project at BIT, BIT is a Dutch Internet service provider who is providing network services, hosting, data centres and Bart was basically in the ‑‑ basically creating the software in various versions, and they had the idea to basically publish this as OpenSource and started to use this further, it basically got spun out of control and they got support from Tilla and from Tilla2 and in April they had the initial release, it was basically already a good improvement to see what was going on. One of the benefits of basically doing this and also how they moved further, is they got a fund granted by the SIDN fund and that helps in improving the software further because now they can, using those funds that they got from the SIDN, they can actually have a dedicated team of developers, more developing on the software, and they will actually do the software development, it's a team in Bachni and they will actually ‑‑ in the Netherlands ‑‑ and they will actually do the whole software development, so the ‑‑ Bart will actually only have to do ‑‑ and the team will actually have to do the oversight and what they want, rates, the specific feature requests, but it will actually help in moving the software along. So that was very important and how they are actually doing this in the ‑‑ and basically that created different options for them, but also, in ‑‑ by doing that, it actually had a bit of a strain on ‑‑ you can only spend your time once and where are you going to do this, are you going to do this in the organisational set‑up or are you going to do this in actual development? So they had some additional support this year and now they are good to go and are already working for the next release. And I am really looking forward to the next version.

So AbuseIO in itself, there is some software already that can do similar things. Knowing from experience in our own company, it's not always as easy to do automated processing of abuse messages and basically, the smaller ISPs, like ourselves, we were actually doing this manually, or a lot of things we were processing manually. So we were actually looking at similar features like this and that is how we actually got involved in this as well. It was ‑ one of my colleagues basically tested the software and was really, really impressed, together with our customers as well, who were seeing the self‑help URLs and getting nice notifications out of it.

So, one of the things that is actually key in this software is it's not that people, and specifically smaller ISPs, do not want to fix the problem, they don't ‑‑ it's not that they don't want to solve their abuse issues, but if they are on several feeds and doing this manually, this is really a tedious task to fix everything and basically process everything and categorise, and this is definitely something that this software will support, and basically, automate out ‑‑ and do a lot of the legwork for them.

One of the other things that AbuseIO is also doing, specifically helpful for, in this case, the Dutch ISPs, the ‑‑ there is the Abuse Information Exchange and the Abuse Hub in the Netherlands and it ties in directly with their abuse feeds as well. That is specifically for hosters in the Netherlands that are a member of the Dutch hosting association. They also get discounted access to that information and the abuse feeds that they have. So they actually provide subscription to specific feeds.

So, on ‑‑ if we are looking at the features for AbuseIO 4.0 for that ‑‑ that is going to be the next version coming out in Q1, basically what they are planning on is it needs to be as easy as installing WordPress. And that is basically from what I heard from the experience of my own colleague, we had some questions, how is documentation set up or how easy is it to set up several things, and we are networking guys, we were not sysadmins doing this on a day‑to‑day basis so we had to figure out some stuff along the way but we managed to do this, even with the current version, and with the help on IRC the guys were really helpful, so there are already quite a lot of notifier feeds available and parsers for it, you will see later in the workflow how that actually integrates. And basically there is integration already for your own administration so there are already hookups where you can say, well, I have, in my customer ‑‑ in my administration already I know where ‑‑ who has specific IP addresses, which customer that is, and those kind of things, so you don't have to do everything manually within your own ‑‑ within the system, but you can already integrate with your own databases where that information is already in there. So that means that you do not have to re‑enter your IPAM information in AbuseIO. So that really helps in moving forward and getting your customers in here and basically the system is actually smart enough to get a lot of the info out of your own systems if you actually point it out where it needs to go.

So, and one of the other things that is, and I want to stress, this is free software, it's free to use, and it will remain free to use. It's not that they are intending to do a subscription‑based model. I specifically asked because I was expecting the question later in the audience here, and I said, you know, how are we going to do this? What is the goal, what is the plan? And the plan is to actually have OpenSource software without any subscription model in there. So that is I think a real, real plus, and there are no issues any more, not be using software like this or using this software.

So, as I said, for the deployment at A2B Internet, our own company, we actually have ‑‑ we are having quite some IP addresses, we are doing network stuff and basically, we were processing this manually. We had quite some time, a colleague of mine was basically, two, three hours processing every piece of information, following up with customers, you need to do this and that, have a look at this and that, and by actually putting everything in AbuseIO he was able to free up two, three hours of time from his workday by basically automating everything. And I think that is really, really impressive. So, and another big plus is that we are able to reduce the reaction time on the abuse messages, so, it was not when he was actually able to process the actual notifications, but since everything is automated, you know, e‑mails get in, the parsers parse it and basically map it to a customer and basically a notification goes out. So that is really, really quick on getting the stuff done and if we ‑‑ so we only have to scan the obvious things, and basically, you know, go out after the customers to make sure that they actually will fix the stuff that really needs direct attention.

It's definitely positive and we have had some very interesting feedback from customers, saying, well, the information they can provide now, where can I find this? Oh, you provide information that we have a BotNet infection in our network or somewhere in our office or whatever, how can we find this? Or how can we solve the issue? Because customers actually do want to solve the issues, at least that is what we found out.

So, the workflow, if you look at the software, it actually works very structured: there are feeds, the software itself looks at, in our case, the abuse e‑mail address and that is where basically the parsers start working, and there are also other options to use feeds, notifications, different collectors, and everything basically comes into events, and every event is tied to a ticket system or ‑‑ in the software.

So, those events basically then are new tickets, it's basically the, once the events start running, it's the information that is being kept, the original evidence, you can very easily see which owner is it, which customer is it, it does a classification of the event, and then the link goes out with the e‑mail with the information in it.

So how does this look: So this is a screenshot for basically what we have in our system and you can, in the analytics, statistics page, you can select what do you have, different kind of selections. It basically sees the BotNet infections, or if you have a spam issue, so it's really easy to look at. For us, as maintainers of the system, you can actually get more information, you can update ‑‑ let me see, is there a pointer here? So here, you have the update customer buttons and here you can actually, where it actually finds the customer information typically. And then you can ‑‑ if it doesn't find the customer information directly or hasn't updated the ticket to the right customer, you can actually ‑‑ you know for sure that the IP addresses are actually listed in the system or are there in there correctly, you can update the ticket and send out new notifications as a reminder to the customer, and with that, it actually makes it quite easy for customers to make sure that they have received the right information or if you receive information from the customer that you needed to update his abuse e‑mail address because it was going to a mailbox that nobody is looking at. So ‑‑ because that happens. We send out notifications to customers from an e‑mail address that they signed up with in the contract, and that the information that was actually not being sent to the right team or that the customer basically says, well, you know, you are actually contacting me but for this kind of information, please send it to that mail info.

So, the outgoing reports to customers themselves are basically the generated tickets, and it can be a new notification or an updated notification, and it basically, it works and breaks with having accurate information from IP addresses with the actual ‑‑ or domain information and once that info is correct in the system, it sends out the ‑‑ that needs to be accurate and once that is there, you can basically put it in and send out the actual tickets.

How does that look? So, the customer receives an e‑mail and this is what ‑‑ there is a URL in the e‑mail that basically provides more information. And so here you can see how that might look. The actual tickets are basically providing information, you have a BotNet infection, how do we get this information, where is the original information coming from? You can see if ‑‑ different kinds of feeds depending on how good the feed is, what kind of information you are giving to the customer, is it informational or really an issue, that kind of stuff? The customer can ask questions, reply on the ticket, close the ticket, notify us, well, this is ‑‑ this is solved, so this is basically what the customers are being provided, and you can actually update the actual information for the various classifications as well.

Any questions?

BRIAN NISBET: We have a question.

AUDIENCE SPEAKER: The Shadow Server notifications are quite recognisable, but does the system also process ARF and also the legacy e‑mail feedback loop sources?

ERIK BAIS: So like Spamhaus reports, those kind of things, yes, ARF is, I believe, supported as well and you can also write your own parsers for it if you want to. But a lot of them are already supported as standard.

AUDIENCE SPEAKER: Ben, Residence. I am just wondering when you implemented this was it easy to get your own customer database inside this or did you have to do something?

ERIK BAIS: So we opted for this version with the manual retyping in of the information in the system and ‑‑ but there is an option in the configuration to basically load and do lookups in your own administrative environment. So it's not required to do everything manually as we opted in for this time, but it is an option to actually do the integration with your back‑end systems, and basically if it doesn't find the IP address or domain name, it can do a lookup in your administrative back‑ends, yes.

AUDIENCE SPEAKER: Jabber. And it says, in response to the previous questions, yes, mostly everyone is using their own ARF implementations so we need to teach the system a little about it. One more comment: IPA yes and 4.0 support for ‑‑ I am and php ‑‑ and another comment was the previous comment, did that come across? I think I must repeat them both.

TIM: So in response to the previous question, from AbuseIO said, yes, mostly, however everyone is using their own ARF implementations so we needed to teach the system a little about it. And at IP A yes and 4.0 support for IPAM and php ‑‑ both commonly used IPAMs, hence the built‑in support.

ERIK BAIS: So it's not only the administrative connectivity in the back end but also IPAM support, that is what he is saying.

BRIAN NISBET: Any other questions? No.

ERIK BAIS: I would like to close off with: have a look at the website and join on IRC, have a chat with Bart yourself and do a test run, if not for this version, definitely check out the next version. Thank you.

BRIAN NISBET: OK. So, this slide will magically change. So our second presentation piece, or third actually, is Florian Maury: The traffic amplifier's great hunt.

FLORIAN MAURY: I work for the French network and information security agency. That is work I have done with my colleague, so I want to credit him. So, basically, back in 2013 we were asking ourselves what more could we do to help the French network operators to face the increasing threat of the DDoS attack using traffic amplification and we thought at the time that we could help them by actually having them not be part of the problem, so we reached out to scanning projects and parsed the data that they were willing to give us and analysed it, graded it and built up reports that we sent to the relevant operators and we monitored the number of DDoS sources both on a worldwide and national scale to assess the effectiveness of our work. So, a quick slide about our organisation because it is actually relevant to this presentation.

ANSSI is the National Authority for the Defence and Security of Information Systems in France and we have a transversal role including governmental ones but critical operators including some network operators and the general public.

Our missions include providing guidance on network security topics, including DNS; the link will point you to a video where I presented our best practices guide on DNS, if you want it to be translated, please tell me. We have also already translated the BGP guide, a best practices guide with configuration examples, so pick it up, hello. And we have also a DDoS prevention guide and that will be translated shortly. We do also academic research and in a previous RIPE meeting the Internet Resilience Observatory in France has been presented to better assess the connectivity and the resilience of networks in France.

And finally we also have an operational side to our work with our CERT.

So I will skim the slides, about the reminder about the DDoS attacks, it seems everybody is knowledgeable about that. UDP‑based protocols that do not make up for it. Most protocols that are exploitable are actually authenticated, but authenticated with well‑known credentials, SNMP public community, the protocols for the attacker to be capable of better spreading his attack and be capable of, well ‑‑ the victim will have a hard time filtering the traffic if the attack is spread on several amplifiers, and finally some protocols are better than others from the point of view of the attacker because they can be pre‑loaded by the attacker to artificially increase the size of the answers that are sent to the victim.

How do you identify one: you send a packet to a host and if you get a reply and the reply is larger than the query, you have spotted an amplifier.

So, we recently got our first allocated, newly announced /22 prefix so we monitored the incoming traffic and received about 700 megabytes of traffic per week ‑‑ of unsolicited traffic per week, so we analysed it and we have found that many people are searching for this kind of hosts, for these kind of amplifiers. And several scanning projects that are listed on the slide. We reached out for the OpenStar project, as we like to call it, that is actually four projects that are all powered by John M... of NTT. He performs a weekly scan of the Internet space and is willing to provide a ‑‑ and I would like to thank him for that because that is what enabled this study.

So, we requested access to the OpenStar projects' raw results and analysed data and we parsed them, sometimes with our own parser, and we used the Internet observatory to filter the results to only focus on the French ASs, we summarised the data and sent them to the French network operators and monitored the development, that will be presented in the next slides.

So for the DNS, at the beginning of our study in April 2013 there were 33 million hosts that were usable for DDoS attacks in the world and at the end of our study in June 2015 there were about 22 million hosts available, so that is a drop of about a third. But it is very important to keep in mind that very large DDoS attacks have only used hundreds of thousands of nodes, so since there are still millions out there, that means that the open DNS resolvers are still a significant threat, and that people should look into that.

In France we had about 300,000 nodes at the beginning of the study and we currently have about 60,000 nodes, so that is a drop of about 80%. It was possible to have this kind of result because 70% of the nodes were under one AS, so we worked very hard with this AS to ‑‑ the AS worked very hard to bring down these DDoS sources and it took a lot of time and expense because actually, it was CPE devices and he had to contact the customers to replace devices, to get back the device and have the ‑‑ new one sent to the customer, so it takes a lot of time.

Interestingly, having open resolvers in your network also brings additional risk, or at least it makes some attacks easier to perform, for instance the random QNAME attack. One operator did not suffer ‑‑ or participate in a DDoS attack but he got affected by the random QNAME attack because it had already set up in very ‑‑ measure, he simply dropped the traffic. He rolled it out during the incident and that actually thwarted the random QNAME attack in a few hours. And there were almost no client complaints, so that is interesting to know, that when there is this kind of attack you sometimes can just drop the traffic without too much impact on the clients.

Concerning NTP there are actually two modes that ‑‑ can be used to perform this kind of traffic amplification attack, mode 7 that is specific to NTPD and that is actually a private extension of the protocol, and since operators were already knowledgeable about this kind of attack, we can observe a very quick response at the beginning of 2014, and the quick response also originates from the fact that it is quite simple to actually fix the problem, simply upgrade the version to the latest which has default values, and for those that cannot update the software they can tweak the configuration and we provide templates that you can use, and sometimes it's even ‑‑ you can simply drop the traffic because you probably don't want to provide NTP to the whole Internet, maybe in some cases.

In France we have similar results, I will skip them.

Concerning mode 6, most people are still vulnerable, 4 million nodes usable in the world. The amplification factor is less than for mode 7 but that is still a very real problem and people seem not to be aware it is not only an NTP issue but other issues. In France, we haven't handled this issue very well either, one of our ‑‑ responsible for almost half of the amplifiers and dropped about ‑‑ the number dropped by about a third in June 2014 but actually two of ours also rolled out amplifiers in 2015 and are handling the problem.

Concerning SNMP, there is no significant decrease in the number of devices that are actually usable for this kind ‑‑ for this kind of attack, so there are still millions of them out there and that is a problem as well for ‑‑ from a DDoS perspective but also from a sensitive information perspective because you are sending information about the node that is used to perform the attack.

So, in France we contacted the operators and we have reduced by about 60% the number of devices, so it's interesting to note this time it was not CPE devices but core network devices that were usable.

Continuing with SSDP, there are about 10 million nodes that are usable for denial of service attacks and only 20,000 nodes that are in France, so we haven't observed any significant decrease and actually we haven't warned the operators about that because the numbers of the SSDP project were kind of difficult ‑‑ not stable and difficult to read, so ‑‑ yeah, in France the number of nodes is relatively small.

So what were the mitigation challenges and the effective countermeasures that we found with the operators:

Well, by far, the main challenge is the wide variety of traffic amplifiers, each country seems to have a different profile of devices, in France it was mostly CPEs and mostly CPEs that were no longer supported or some of the things that were partially out cutted, so it required support to clients and it took a lot of time and money for the operators. Sometimes it's also users that are installing software without having a clue how to configure it and it takes a lot of time to educate them and when you do that you only bring down a handful of devices that are usable and sometimes are not well connected either, so well, it takes a lot of time to reduce the number sometimes, and finally we were kind of confused about the number of devices that were actual devices that were administered by professionals and that were usable on the Internet, such as PE devices or video conference devices and stuff. That is unfortunate.

The effective countermeasures. Well, they are common sense countermeasures, but if security updates were applied, the NTP problem wouldn't have been present at all because the latest version has safe values. It's important to stick to configuration best practices, not having administrative services that are listening on the Internet‑facing interface, strange to have to remember that ‑‑ to state that. And sometimes you can just rate limit the traffic, not without impairing the ‑‑ you don't have to impair your operational traffic, the day‑to‑day traffic of your users; you can simply set a very high threshold and that will thwart, partially thwart the attack and still, well, be useful. But sometimes you can simply drop the traffic completely, for SSDP the protocol does not have any use over the Internet, it's supposed to be ‑‑ blocking the port can be an actual ‑‑

What are the takeaways of this presentation: Amplifiers are still a very real problem, still millions of them out there and people should do something about that. New protocols are regularly discovered vulnerable. And some are specified every day so it's important for networking engineers to think about that. Some scanning projects are willing to provide the results of their study, please contact them, they are willing to help and are good guys. Tipping the balance can be done with the help of a few operators, for instance in France with the DNS issue, one operator was responsible for 70% of the issues so working with them can have a significant impact. And finally, we have observed that sometimes bringing these things down takes a lot of time and effort and money, so the sooner the better. And finally, and that is really the core of my presentation. CERTs and governmental agencies can help by providing documents, guidance, reports. I know the BSI will be presented in a few minutes for countries, something can be done on the worldwide scale and I would like to encourage that. Thank you very much.

BRIAN NISBET: So I think ‑‑ yes, questions.

AUDIENCE SPEAKER: Steve Nash from Arbor Networks. Thank you. I think there is another thing in your last item 6 there that government agencies etc. can do, which is to facilitate problem number 5 in elevating visibility into management levels in organisations so that the money becomes available for the techies to fix the problem.

AUDIENCE SPEAKER: Erik Bais. The information you received out of the scans that you have been doing, that you ‑‑ did you make those available?

FLORIAN MAURY: We haven't performed scans, we used existing data from open something projects, the data sources are already available and the tools are also published on our GitHub account, at least the parsers. And the other thing is research ‑‑

BRIAN NISBET: Anything else? No. OK. Thank you. And Marcus, do you want to...

This is one of the very short version of the same kind of thing.

MARCUS: And I am with the German version of ANSSI, and when Florian uploaded his presentation, I thought that we might have some similar data and there you go. We did use a different data source, we contacted Shadow Server which do also scan the Internet, similar to the thing that Javad does, and I think it's pretty much similar results as you see in France. We also have documents on what ‑‑ what can you do to fix open servers, how should you configure them to not be part of reflection attacks and, yeah, numbers are going down as well, similar as in France. And I think that's it.

BRIAN NISBET: OK. Cool. Thank you.

One question I would have for one or both of you or otherwise, I think it's a slightly obvious question, but looking at both sets of graphs, the long tail is ‑‑ can be very long, I think. Is there any feeling for ‑‑ I suppose there is two parts to the question: One of them is, is there any feeling for when you would no longer consider it to be a suitably large problem to worry about, or do you have any hope at any point that it will reduce to zero or close to zero?

MARCUS: I think the goal should be to get as far down as possible, but this is going to take a long time.

FLORIAN MAURY: Actually, yeah, that is true, reaching zero will probably be very hard, so there are several sides to that, probably bringing down the number of available nodes is an immediate thing that we can do, but on ‑‑ longer term, maybe working on anti‑spoofing technologies and also ‑‑ and that is very important, probably also update the protocols that are used for these kinds of attacks because that can be effective in the long term while ‑‑ well, with the sort of users and the people that have no clue what they are doing in general, convincing them will be very hard and having them brought down will take very long. Yeah.

BRIAN NISBET: This is one of the things the IETF can spend all that money they are going to get on.

MARCO HOGEWONING: RIPE NCC external relations. What do you think would be ‑‑ because we obviously always see people taking action after incidents, that ‑‑ is that the effective way of outreach, basically waiting for an incident, or do you recognise that normal outreach efforts would also make this line go down? What triggered those ISPs in blocking them, was that basically you telling them or was that an incident?

MARCUS: I think it's ‑‑ so this has been going on for quite a while and as you see, at the beginning there was a huge drop, so this was basically when ISPs were not aware of the situation, and then I think after that, it's a continuous effort, just keep repeating it, so if ‑‑ if you repeat it a lot, then people will do something just to make you stop.

MARTIN CECI: I am wondering, I am seeing those charts, for the DNS there is a drop, it's a double sequence, by the people might apply some protection and for the abusers it's a higher bar for them to go for anti‑PS N, do you believe that ‑‑ and by the way, for DNS there is a topic which is DNS over TLS, do you believe maybe some day we would have everything through TLS and SMP if we don't find a practical solution for anti‑spoofing, do you have any idea about that?

MARCUS: No, not really.

FLORIAN MAURY: Not really relevant in that case. It's not TLS that will solve the problem but more the IP confirmation ‑‑ for instance, TCP protocols are not TCP in itself but protocols are protected by the TCP protocol in itself from IP spoofing. Having it over TLS or whatever will probably help but that is a side effect because that is not the reason why it is done currently.

AUDIENCE SPEAKER: Will from IP MAX. I have got a comment that is going a bit to the previous one you did. I would be totally happy to get more notifications from other CERTs than the one of my country, Switzerland, I do get some notification about misconfigured devices, you mostly do that for France, but I would be happy to get something from Germany or France or whatever even though I am not from that country, and that might be helpful. And also I know that some of the people that do receive those notifications might just like forward those to /dev/null which is kind of stupid because we are not understanding what is going on. So there is a lot of information to be done there. And that is also probably our part to go and educate the people ‑‑ well, some of them. That is my comment.

MARCUS: Yes, so we cannot give you data because we, from Shadow Server we get from Germany, they use geolocation and I was told it's pretty accurate, but I can talk to the French colleagues and maybe they will start something like this as well.

FLORIAN MAURY: We got the data from a worldwide scale so if you provide the list of prefixes that you are interested in, maybe there is something to do. We won't necessarily give you all the tools, but you can ask them to help you on that front ‑‑ actually, we cannot send this kind of reports to all your operators for ‑‑ because ‑‑ to provide correct reports, it is required to have knowledge about how the ecosystem is working in a country and sometimes, well, the types of devices that are usable are very different, for instance in France and in Germany, those are very different kinds of devices that are used.

BRIAN NISBET: We are just running a little bit tight on time. Absolutely, and I am going to let you, what I wanted to say was, let's all remember, and I know this is something we talked about at the Internet observatory, talking about the French Internet and there were questions raised about that. The Internet has no borders, the more we can do here to share information, and I have a deep and abiding distrust of geolocation, it's a lot better than it was but still far from there.

AUDIENCE SPEAKER: So you can actually go to the Shadow Server Foundation ‑‑ Chris Baker, general Internet guy ‑‑ go to the Shadow Server Foundation and sign up to get reports for anything that exists in your AS and they give you a report on open resolvers, malware that exists there as well as any reflectors. So anybody can get all those reports, please sign up for them, it would be great if people acted upon them.

BRIAN NISBET: Cool. Thank you. Right. So, AOB. Is there any? I do not see people leaping to the microphones. So, what I will do, just briefly, under AOB is mention, as my ‑‑ the Chair of the PC, I will swap hats very briefly, the Chair of the PC has reminded people there are still a few minutes left if you want to submit a lightning talk for the sessions tomorrow, and while you can't do this in anti‑abuse yet, but we will look at this, certainly for the plenary things, if you haven't already, please rate the talks because it gives us on the PC more information with which to pick the programme for next year.

Other than that, speaking of agendas ‑‑ well, indeed, next year in Copenhagen, if you do have any topics you wish to raise, please talk to me about the agenda for the next meeting. And other than that, thank you all very much, and hopefully see all of you in Copenhagen in May. Have a good day.