anti-abuse-wg
June 2009
- 1 participants
- 2 discussions
Colleagues,
As we mentioned at the recent meeting in Amsterdam we would very much
like to work towards updating RIPE 409 to acknowledge both the changed
focus of the WG and the changing nature of network abuse.
I'm hoping that a relatively small group can be formed to work on this
and some of you have already been kind enough to express your interest.
If there is anyone else who would like to participate in this work
then it would be great if you could let me know over the course of this
week.
The aim would be, at the very least, to present a draft document at RIPE
59 in Lisbon.
Regards,
Brian.
--
Brian Nisbet
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301 tel: +35316609040 fax: +35316603666
web: http://www.heanet.ie/
Colleagues,
These are the Draft minutes from the working group session at RIPE 58.
I would appreciate if you could let us know of any inaccuracies or other
issues.
Thanks,
Brian.
*******************************
Anti-Abuse Working Minutes
RIPE 58 - Status DRAFT
Thursday, 7 May 2009, 14:00 - Krasnapolsky Hotel, Amsterdam, the Netherlands
Co-Chairs: Brian Nisbet, Richard Cox
Scribe: Fergal Cunningham
Jabber: Timothy Lowe
A. Administrative Matters
Co-Chair Brian Nisbet opened the meeting at 14:01, welcomed the
attendees and introduced Co-Chair Richard Cox.
Brian explained the microphone etiquette. He then asked if there were
any comments on the minutes from RIPE 57. There were none so he said
they were now approved.
Brian said there were no additions to the posted agenda but the
presentation from Dr. Robert Bruen would now come before the rest of the
agenda items. He then invited Dr. Bruen to give his presentation.
B1. How to Use Policy Enforcement to Stop Abuse - Dr. Robert Bruen, KnujOn
Dr. Bruen gave his presentation, which is available at:
http://www.ripe.net/ripe/meetings/ripe-58/content/presentations/knuj0n-aawg…
Dr. Bruen finished his presentation and asked for questions.
Malcolm Hutty (LINX) said that Dr. Bruen did not care about individuals
in relation to privacy, but he pointed out that this was an important
concern under EU law.
Dr. Bruen responded that he was not looking to get into the privacy issue.
Malcolm said, on the Chinese characters issue, that a billion people do
not use Mandarin just to annoy the presenter and that if he wanted to
read their addresses, he should learn their script. He added that there
was no reason why they should accept having to use a Latin or ASCII
script to register a domain.
Dr. Bruen said the rules say they have to.
Malcolm said he has spent a lot of time in the regulatory area dealing
with these issues and although he rarely is on the same side as
governments, here you just have to deal with it.
Dr. Bruen said they were hiding who they were and Malcolm said only the
spammers were hiding. Malcolm added that anything that was inconvenient
to Dr. Bruen was not evidence of evil doing.
Malcolm asked if the principle of reciprocity applied in relation to the
online pharmacies. He asked if Dr. Bruen was saying that an American
online business without prescription should have its domain name removed if
they posted Tylenol to Dubai because it was banned there.
Dr. Bruen said this was just enforceable on US soil.
Malcolm said if others can’t sell to the US then the opposite should
apply. Dr. Bruen said he agreed with that but he couldn’t tell Dubai
what to do. He also gave the analogy that under Dr. Bruen’s
proposals the New York Times would stand to lose its domain name because
some of its content is not acceptable in other countries.
Dr. Bruen said if the domain name is given out through a registrar and
through Verisign in the US then they can’t take it away.
Peter Koch (DENIC) asked Dr. Bruen if he considered the .com top-level
domain to be a US national top-level domain. He further asked if this
meant all .com registrations are subject to US local laws only.
Dr. Bruen said the New York Times is in the US and got its domain
through a US-based registry.
Peter asked if he was saying that applies to all .com domains and all
.com registrations are subject to US local laws. Dr. Bruen responded
that if they were selling things in the US, then yes.
Peter asked how a domain could sell. He asked Dr. Bruen if he was
advocating national boundaries here.
Dr. Bruen said it was all about jurisdictional issues – if you sell
illegal stuff in the US then you are subject to US laws.
Peter said the positioning of the server and the domain name are two
completely different issues.
Co-Chair Richard Cox said it was an interesting presentation. He said
the list of registrars was not a surprise and he added that he was
interested that the list was not split into registrars engaged in
illegal and anti-social activities. He added that soliciting mails were
legal but were also unacceptable. He asked Dr. Bruen if he had done any
analysis based on this split.
Dr. Bruen responded that he had not so far due to lack of resources.
Richard mentioned the ICANN accreditation agreement, which he thought
was good to look at. He said Dr. Bruen didn’t mention 3.7.7.2, which
provides you with a takedown in 14 days for bad Whois. He said it also provides for
an instant takedown where the bad Whois is willful.
Dr. Bruen made the point that there are rules saying you can’t have a
felon running a registrar and you can’t knowingly engage in illegal
activities or allow the domain to engage in illegal behaviour.
Richard said on the specific issue of Whois accuracy, most spammers
don’t expect their domain to last 14 days anyway. He said it is worth
looking at the clause that says there can be instant takedown where
there is obvious “intent” to put a willful false Whois. He said leaving
most of the fields in a Whois entry empty or putting in meaningless
words is willful data inaccuracy. He added that under these
circumstances this could lead to instant takedown, but if bad Whois data
could lead to instant takedown then you could be sure the entry would
suddenly become very credible-looking. He said this is not progress and
when pursuing Whois data people need to be aware of that.
Dr. Bruen said it was a war of escalation.
Uwe Rasmussen (Microsoft) said he supported what Richard said and added
that it was better to have the entire accounts of spammers closed down
in case they are using one domain at a time when they have thousands.
Dr. Bruen said four years ago he spent nine months with Microsoft
gathering evidence on a Russian spam gang in America and they were
bailed out and went straight back to Russia. He said he understood the
problem and was looking at ways to improve and appreciates any help he
can get.
Uwe said it was a sensitive subject because some people wanted to
register domains and use them with friends but not necessarily the whole
world. He said EU legislation had privacy rules for businesses as well
as individuals so their details could not always be divulged. He said
this makes the whole issue of Whois information and privacy a very
difficult area of debate.
Dr. Bruen said he has yet to find a legitimate use for this privacy
protection legislation.
Aaron Kaplan (CERT) said it was an escalation issue and with the
financial flow the tipping point was not in Dr. Bruen’s favour. He added
that a greater number of solutions to the problem would be efficient,
such as following the money trail.
Dr. Bruen said one has shut down as much spam as they have.
Brian thanked Dr. Bruen for his presentation and asked to move on with
the agenda.
B2. Botnets and Badguys - Community Response
Co-Chair Richard Cox explained that he was unable to attend the last two
RIPE Meetings but said he was in regular contact with his Co-Chair. He
then gave a talk on botnets and bad guys on behalf of Spamhaus.
He explained that he considered “bad guys” not to be just the criminals
but also those who flood in-boxes with junk email, which can be legal if
you do certain things.
He explained the snowshoe technique that is currently being used,
whereby spammers spread their activity across a wide area of the
Internet. The technique sees a /23 or /24 rotated at numerous hosting
providers across the US and more recently in Europe. Customers of ISPs
may say they had a spammer on their block but it is the customer who is
the spammer. The block will go quiet and when attention falls off they
will use it again. He said at the end of the day the ISPs have the IP
addresses so it is the ISPs that will ultimately suffer.
Richard then moved on to botnets, noting that a lot of them were doing
spam and worse, which is why there was now an Anti-Abuse Working Group
instead of an Anti-Spam Working Group. He spoke about the high-profile
Conficker botnet, explaining versions A and B before moving on to the
version C. He said Conficker C has domains in all the well-known
top-level domains. He said the obvious solution is to get the registrar
to refuse registration of those domains. He said this has been fairly
successful in top-level domains but it is more difficult with country
code domains.
He said Conficker D would probably carry the main payloads. He sees
their plan as to examine Conficker C to see which registrars and
top-level domains will block registration, so as a community we need to
share with each other in order to protect against this type of activity.
He said Conficker was a major threat to the usability of the Internet.
He went on to talk about the latest problem being encountered,
particularly for the RIPE community, of hosting by means of a fake
entity, setting up an ASN and asking for IP ranges while using
completely bogus information. He said the entity that checks the
information is the LIR, which may be located in the same country and
subjected to local pressures. He also said the bogus entity can be an
LIR, which brings them into contact with the RIPE NCC. He said RIPE is
exposing itself as a friend to bad guys by not having central validation
of the holders of ASNs and IP address space. He said APNIC and ARIN have
central validation so they know exactly who the space is going to, but
RIPE does not have this.
Richard concluded and opened the floor for questions.
Richard Barnes (BBN) said it was a good idea for the RIPE NCC and the
other RIRs to have contact with these bad guys, but he asked if there
was a scalable approach to doing this.
Richard Cox said scalability was always an issue and the bad guys will
always find countermeasures for whatever we do. He said we should be
aware of the problem and there should at least be a physical mail flow
between an RIR and an entity that uses its services.
Aaron Kaplan said that the updates from Conficker B to C happened
without domain names. He added that a smart botnet like Conficker
uses multiple approaches and the domain route is just one way it can
communicate so all options should be considered.
Richard agreed that this was a key point.
Dr. Bruen mentioned sending mail through the post to a network that was
deaccredited by ICANN. He said the fact that there was no postal address
was useful in building evidence so sending mail through the post to
these people can be quite helpful in that regard.
Richard agreed that it was helpful in a country where you could rely on
the postal service.
Dmitry Kohmanyuk (.ua) agreed that if you send mail to the Ukraine there
may be problems, and he added that it is just as easy to fake a postal
address as an email address. He said on the Conficker front they blocked
all the Conficker B domains on the registry level. He said the switch to
Conficker C leaves no way to prepopulate the registry because the names
are no longer known in advance. He said in relation to RIPE registering
AS for unknown parties, when an LIR does too many of these bad
registrations, say more than 3 percent, the LIR should be removed.
Max Tulyev (NetAssist) said mandatory postal mail would delay the
registration process and give no real opportunity to detect the spammers.
Richard said APNIC and ARIN don’t use LIRs because they know the risks
in this. He gave the example of Nominet in the UK sending a capture code
by mail.
He said there are problems with this but if a crime has been committed
then law enforcement can go to the address the mail was posted to, so
this provides some sort of audit trail.
Brian mentioned that the subject of postal mail was discussed
sufficiently and the Working Group was aware of the issue. He suggested
moving on with the discussion.
Uwe Rasmussen asked if we needed to exercise more control on the people that
obtain ASNs or IP address space or if the dynamics of it should be
changed. He suggested an approach whereby the IPs obtained by ghost or
phantom ISPs or bulletproof ISPs can be closed so quickly that it is not
interesting for them any more. He said it would take them a week to
receive the IP addresses but they could be shut down in 24 hours if they
were used for illegal activity.
Richard said this was a very reasonable suggestion but there is also the
issue of how far one can intrude to protect the integrity of the
Internet. He added that the current situation is unacceptable and we
should look to put more pressure on the bad guys while trying not to
interfere with the good guys.
Matt Ford (ISOC) complimented Richard’s presentation and said it was
imperative that the community act to implement measures as soon as
possible because the threat posed by a degraded network and the
incentives for other parties to step in and tell the community how to
run the network were too great to do otherwise.
Richard thanked Matt and asked to take what he said here to use in
another presentation he would give. He said it was impossible to get
everything perfect but the community can do better through greater
communication and through sharing ideas and working together.
Filiz Yilmaz (RIPE NCC Policy Development Manager) made a clarification
on the effect of having different mechanisms among the RIRs and whether
they had LIR structures or not. She said the RIPE NCC membership might
understand some terms differently from people in other RIR regions. She
said the assignment window mechanism in the RIPE NCC service region
allowed LIRs some freedom to make assignments without RIPE NCC approval.
She said this means the RIPE NCC doesn’t see those requests as approval
requests. She said AfriNIC has an LIR system but not that assignment window.
Richard thanked Filiz and made the point that AfriNIC assigned a /20 to
an entity that does not exist and it has not revoked the block even
though they have been informed. He said APNIC had previously had
problems with Whois accuracy but he does not see any problems there now.
He said the only RIRs where he saw problems were the RIPE NCC and LACNIC.
Brian thanked Richard for sharing a vast amount of knowledge.
C. Documents
• C1. Updates to ripe-409
• C2. Creation of New Documentation?
Brian said the rest of the agenda items would all be rolled into one
item from here.
Brian said there have been requests recently and discussions on the
mailing list asking why more things are not being done to stop these bad
guys, but in order for something to be done there needs to be a policy
formed that the rest of the community can give its feedback on.
He said that both he and Richard were looking to see in cooperation with
other working groups whether a policy could be put in place to improve
the situation.
He said there is often discussion on the mailing list but whenever there
is a call to form a policy, things go quiet. He said the co-chairs along
with the RIPE NCC staff were available to help formulate a policy
proposal document around anyone’s thoughts and wishes and this could
then be put to the community for feedback.
He said that part of all this is the intention to update the ripe 409
document, which is a BCP document on how to deal with spamming, and
changing it into a document that deals with a much wider amount of
network abuse. He said if there is anyone out there who wishes to help
with this then they should please let himself or Richard know.
Kostas Zorbadelos (OTE SA) said on the subject of BCP documents it would
be great to have one that describes specific technical measures that ISPs can
use to help their situation. He said ripe 409 was a bit too high level
for this and he would like an arsenal of measures available to him that
he can use to attack the problems.
Brian said the minutes of this working group session would be published
to the list as soon as possible. He said they would also work with the
community to put in place a high level BCP document, a more technical
BCP document and work to see if there were specific policies that could
be proposed. He said himself and his co-chair would not be in a position
to do all this by themselves so there would also be a request for help
on the list. He said they would endeavour to get as much work done in
this regard by RIPE 59.
Richard said they would also need help from community members such as
Kostas to determine what the laws were in individual countries in the
RIPE region because a proposed measure might not be legal under the laws
of some countries. He asked the community to let the co-chairs know
about these laws so then they can go to governments and let them know
their laws are causing problems.
X. A.O.B.
There was no other business and Brian adjourned the working group
session at 15:35.