Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet
Hi,
As far as "taking down" bulletproof hosting, that is very hard to do as they often operate on jurisdictions that are easier for them to run their business. RIPE NCC only allocates blocks of IP addresses to LIRs, which in turn LIRs allocate to end users. There have been cases where the LIR itself are cybercriminals that exploit this to get addresses for their activities. There are other entities that do flag these blocks in an attempt to make the internet safer by flagging these IP blocks and even entire ASNs.
I think the most important thing to note, is that at the end of the day no one "controls" the internet. And RIPE's job is to coordinate these blocks of IPs assigned to LIRs/ISPs and maintain an up to date database of all these allocations. RIPE is not in any way an ISP, they don't have insights on the traffic of the internet including the IPs they assign (RIPE does operate RIS but it's out of scope for this topic).
One of the entities that specializes in flagging and trying to bring down these criminals is spamhaus (https://www.spamhaus.org/). There are more, but I personally use the spamhaus blocklist so I'm randomly quoting this one.
It is also important to understand that RIPE will only revoke addresses if the LIR is going against RIPE's policies. Since RIPE covers many regions and jurisdictions it makes the job much harder. As far as I know, sending SPAM email and other types of bulletproof hosting activities, is technically not a RIPE policy violation. Providing false contact information, and false documentation to obtain number resources is a policy violation.
RIPE must always maintain a very neutral position in all of this, and as you mention a Netflix documentary (I'm assuming it was "Cyberbunker"?) where they were in fact a LIR, those addresses were not revoked, rather than sold to another company. The documentary reflects this.
Also, RIPE provides registration services for these LIRs. Nothing else. Without RIPE's job you wouldn't know who was controlling these blocks, including abuse contacts.
If you cannot get in contact with a LIR through an abuse contact, then you can contact the registrant's local authorities. If such entity does not exist, then this is a policy violation and the LIR account will be revoked including the IPs registered to it.
I personally blame ISPs involved in providing connectivity as they probably are aware of weird traffic patterns (such as IP spoofing), and might be contacted every once in a while as to why they are providing connectivity to these other, smaller, ISPs.
Also I believe that some of the activities you described happen on the "Tor" network, the .onion websites, which are a bit out of scope here.
At the end of the day, there is very little RIPE can do about this. As I mentioned on my other email, IP leasing happens a lot nowadays with IPv4 shortage so revoking a LIR account or addresses that were used for these activities wouldn't even punish the scammers. You would be punishing an ISP that allocated addresses to scammers. And I think you can see where the legal fights begin, RIPE does not want to be sued by ISPs.
Best regards,
Tomás Leite de Castro
On 2024-01-17 23:00, OSINTGuardian wrote:
hi tomás,
thanks for answering me
I understand that RIPE NCC's job is not to monitor the internet, but unfortunately criminals see that they do not get consequences and decide to join the bulletproof hosting business. People financed by organized crime see this as a business opportunity.
and hackers, pedophiles, scammers, drug dealers, arms dealers and other people see an opportunity to be a customer of these bulletproof hosting. criminals see that they get no consequences for doing this and make a lot of money.
If RIPE NCC creates an abuse team that monitors that no one uses RIPE NCC as a form of business model to create bulletproof servers to sell to criminal networks, the Internet would become a cleaner place. It became a business model to ignore abuse reports sent by email to hosting companies.
There is a wiki on Wikipedia about bulletproof servers that describes the same thing, documentaries on Netflix and series that explain how criminals do illegal activities on the Internet using bulletproof hosting. If there is no prompt action against this, the only one who will benefit is organized crime.
What can be done against a person who operates a bulletproof server?: From what I've noticed, you said that restrictions apply to LIRs. How do they punish people who operate bulletproof servers? And what to do when someone has a lot of evidence that a person operates bulletproof hosting and uses it to sell services to dark net criminals?
I myself spoke to bulletproof hosting owners, and they feel totally immune and untouchable. They feel that no one can do anything against them, many of them are in countries with few laws regarding the Internet and they abuse this, what resources are there to combat this?
or is there nothing to do?
On Jan. 17 2024, at 6:05 pm, Tomás Oliveira Valente Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Hi,
I have been wondering for a while about this same issue. And I guess there are both pros and cons about RIPE providing registration services to such IP addresses. As you've stated, contacting them most of the time is useless. But most of the cases these IPs are blacklisted or on DROP-lists (spamhaus for example).
I believe RIPE NCC's job is not to police the internet, but to provide registration services. However RIPE should guarantee that the registrant's data is correct and up to date. This includes a proper abuse contact.
As for bulletproof hosting, it is at the best interest of the Internet that these IPs remain duly registered. There are many cases where the original registrant might not even be properly aware, or at fault when such activities happen with their addressing. The most effective action is to contact the upstream ISPs and cut their connectivity.
If such a system would be implemented by RIPE, I think it should be oriented towards making sure the abuse contacts are up to date and reachable. Rather than to police about the use of the addresses. As ultimately the connectivity for such activities is provided by ISPs.
I do see the analogy you made with ICANN but registering a domain on the internet is much more reachable to everyone when comparing to IP space, when most of that space is reassigned from upstream ISPs. Also addresses are assigned in blocks, when domains are assigned individually.
Please understand that I don't condone at all bulletproof hosting or such activities in any way. In fact it should be stopped. But the most effective action is likely not from RIPE to just deregister such resources when abuse happens or when an abuse contact is incorrect. It is worth noting that RIPE does apply restrictions to LIRs that repeatedly cause issues, and this includes falsifying contact information.
I think this is worth discussing if more restrictive actions should be taken towards such LIRs where illegal activities such as bulletproofing are the main business. But I'm worried about RIPE NCC's ability to verify on abuse that happens on the internet.
Best regards,
Tomás Leite de Castro
On 2024-01-17 19:52, OSINTGuardian wrote:
hi,
There are more and more bulletproof hosting in the world every month and they are causing more and more chaos, feeding the dark web by providing servers to criminals of all kinds who use the servers on .onion websites in Tor and flooding the clear web with illegal content.
There is a bulletproof hosting market that is even openly promoted, it is as easy to find companies that provide bulletproof servers as searching on Google, hacker forums or simple internet websites that provide lists of bulletproof hosting companies.
The business model of these companies is to ignore reports of abuse of illegal content, to look the other way when someone uploads illegal content. This is openly their business model, what does RIPE NCC do about this?
RIPE NCC provides IP addresses to many of these companies with bulletproof servers that are then used by criminals on the Internet, strengthening organized crime.
ICANN publicly has an abuse reporting form, where users can report if a company provides bulletproof domains or ignores abuse reports. If RIPE NCC did this same thing, the internet would become a better place.
If RIPE NCC did this and also other IP address accreditors, they would greatly affect criminals on the Internet and therefore the Internet would become a slightly safer place than it is today. Bulletproof server companies would be afraid of being caught by RIPE NCC committing these violations. Unfortunately, these companies currently feel enough freedom to do this, that they even show themselves publicly.
Is RIPE NCC planning to do anything against this?
- Claudia Lopez OSINTGuardian
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
If the database is filled with nonsensical information that anyone can hand in and get themselves a large netblock there isn’t much point to the entire exercise. Much as if a bank manager were to accept any random paperwork and hand over loans – which is what RIPE is doing with IP space that it is the custodian of. Not much point in arguing this, once the conclusion is that no action is about to be taken and a “not in my backyard” attitude adopted, no amount of such discussion over decades is going to change a thing. Regulatory action is entirely possible if something egregious enough turns up as it eventually will, and then none of us is going to like the end result.
--srs
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Tomás Oliveira Valente Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net>
Date: Thursday, 18 January 2024 at 5:41 AM
To: Anti-abuse Wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet
Hi,
As far as "taking down" bulletproof hosting, that is very hard to do as they often operate on jurisdictions that are easier for them to run their business. RIPE NCC only allocates blocks of IP addresses to LIRs, which in turn LIRs allocate to end users. There have been cases where the LIR itself are cybercriminals that exploit this to get addresses for their activities. There are other entities that do flag these blocks in an attempt to make the internet safer by flagging these IP blocks and even entire ASNs.
I think the most important thing to note, is that at the end of the day no one "controls" the internet. And RIPE's job is to coordinate these blocks of IPs assigned to LIRs/ISPs and maintain an up to date database of all these allocations. RIPE is not in any way an ISP, they don't have insights on the traffic of the internet including the IPs they assign (RIPE does operate RIS but it's out of scope for this topic).
One of the entities that specializes in flagging and trying to bring down these criminals is spamhaus (https://www.spamhaus.org/). There are more, but I personally use the spamhaus blocklist so I'm randomly quoting this one.
It is also important to understand that RIPE will only revoke addresses if the LIR is going against RIPE's policies. Since RIPE covers many regions and jurisdictions it makes the job much harder. As far as I know, sending SPAM email and other types of bulletproof hosting activities, is technically not a RIPE policy violation. Providing false contact information, and false documentation to obtain number resources is a policy violation.
RIPE must always maintain a very neutral position in all of this, and as you mention a Netflix documentary (I'm assuming it was "Cyberbunker"?) where they were in fact a LIR, those addresses were not revoked, rather than sold to another company. The documentary reflects this.
Also, RIPE provides registration services for these LIRs. Nothing else. Without RIPE's job you wouldn't know who was controlling these blocks, including abuse contacts.
If you cannot get in contact with a LIR through an abuse contact, then you can contact the registrant's local authorities. If such entity does not exist, then this is a policy violation and the LIR account will be revoked including the IPs registered to it.
I personally blame ISPs involved in providing connectivity as they probably are aware of weird traffic patterns (such as IP spoofing), and might be contacted every once in a while as to why they are providing connectivity to these other, smaller, ISPs.
Also I believe that some of the activities you described happen on the "Tor" network, the .onion websites, which are a bit out of scope here.
At the end of the day, there is very little RIPE can do about this. As I mentioned on my other email, IP leasing happens a lot nowadays with IPv4 shortage so revoking a LIR account or addresses that were used for these activities wouldn't even punish the scammers. You would be punishing an ISP that allocated addresses to scammers. And I think you can see where the legal fights begin, RIPE does not want to be sued by ISPs.
Best regards,
Tomás Leite de Castro
On 2024-01-17 23:00, OSINTGuardian wrote:
hi tomás,
thanks for answering me
I understand that RIPE NCC's job is not to monitor the internet, but unfortunately criminals see that they do not get consequences and decide to join the bulletproof hosting business. People financed by organized crime see this as a business opportunity.
and hackers, pedophiles, scammers, drug dealers, arms dealers and other people see an opportunity to be a customer of these bulletproof hosting. criminals see that they get no consequences for doing this and make a lot of money.
If RIPE NCC creates an abuse team that monitors that no one uses RIPE NCC as a form of business model to create bulletproof servers to sell to criminal networks, the Internet would become a cleaner place. It became a business model to ignore abuse reports sent by email to hosting companies.
There is a wiki on Wikipedia about bulletproof servers that describes the same thing, documentaries on Netflix and series that explain how criminals do illegal activities on the Internet using bulletproof hosting. If there is no prompt action against this, the only one who will benefit is organized crime.
What can be done against a person who operates a bulletproof server?: From what I've noticed, you said that restrictions apply to LIRs. How do they punish people who operate bulletproof servers? And what to do when someone has a lot of evidence that a person operates bulletproof hosting and uses it to sell services to dark net criminals?
I myself spoke to bulletproof hosting owners, and they feel totally immune and untouchable. They feel that no one can do anything against them, many of them are in countries with few laws regarding the Internet and they abuse this, what resources are there to combat this?
or is there nothing to do?
On Jan. 17 2024, at 6:05 pm, Tomás Oliveira Valente Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Hi,
I have been wondering for a while about this same issue. And I guess there are both pros and cons about RIPE providing registration services to such IP addresses. As you've stated, contacting them most of the time is useless. But most of the cases these IPs are blacklisted or on DROP-lists (spamhaus for example).
I believe RIPE NCC's job is not to police the internet, but to provide registration services. However RIPE should guarantee that the registrant's data is correct and up to date. This includes a proper abuse contact.
As for bulletproof hosting, it is at the best interest of the Internet that these IPs remain duly registered. There are many cases where the original registrant might not even be properly aware, or at fault when such activities happen with their addressing. The most effective action is to contact the upstream ISPs and cut their connectivity.
If such a system would be implemented by RIPE, I think it should be oriented towards making sure the abuse contacts are up to date and reachable. Rather than to police about the use of the addresses. As ultimately the connectivity for such activities is provided by ISPs.
I do see the analogy you made with ICANN but registering a domain on the internet is much more reachable to everyone when comparing to IP space, when most of that space is reassigned from upstream ISPs. Also addresses are assigned in blocks, when domains are assigned individually.
Please understand that I don't condone at all bulletproof hosting or such activities in any way. In fact it should be stopped. But the most effective action is likely not from RIPE to just deregister such resources when abuse happens or when an abuse contact is incorrect. It is worth noting that RIPE does apply restrictions to LIRs that repeatedly cause issues, and this includes falsifying contact information.
I think this is worth discussing if more restrictive actions should be taken towards such LIRs where illegal activities such as bulletproofing are the main business. But I'm worried about RIPE NCC's ability to verify on abuse that happens on the internet.
Best regards,
Tomás Leite de Castro
On 2024-01-17 19:52, OSINTGuardian wrote:
hi,
There are more and more bulletproof hosting in the world every month and they are causing more and more chaos, feeding the dark web by providing servers to criminals of all kinds who use the servers on .onion websites in Tor and flooding the clear web with illegal content.
There is a bulletproof hosting market that is even openly promoted, it is as easy to find companies that provide bulletproof servers as searching on Google, hacker forums or simple internet websites that provide lists of bulletproof hosting companies.
The business model of these companies is to ignore reports of abuse of illegal content, to look the other way when someone uploads illegal content. This is openly their business model, what does RIPE NCC do about this?
RIPE NCC provides IP addresses to many of these companies with bulletproof servers that are then used by criminals on the Internet, strengthening organized crime.
ICANN publicly has an abuse reporting form, where users can report if a company provides bulletproof domains or ignores abuse reports. If RIPE NCC did this same thing, the internet would become a better place.
If RIPE NCC did this and also other IP address accreditors, they would greatly affect criminals on the Internet and therefore the Internet would become a slightly safer place than it is today. Bulletproof server companies would be afraid of being caught by RIPE NCC committing these violations. Unfortunately, these companies currently feel enough freedom to do this, that they even show themselves publicly.
Is RIPE NCC planning to do anything against this?
- Claudia Lopez OSINTGuardian
Hi,
On Thu, Jan 18, 2024 at 04:04:03AM +0000, Suresh Ramasubramanian wrote:
If the database is filled with nonsensical information that anyone can hand in and get themselves a large netblock there isn't much point to the entire exercise.
This claim has, as usual, no basis.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Thu, 18 Jan 2024, Gert Doering wrote:
Hi,
On Thu, Jan 18, 2024 at 04:04:03AM +0000, Suresh Ramasubramanian wrote:
If the database is filled with nonsensical information that anyone can hand in and get themselves a large netblock there isn't much point to the entire exercise.
This claim has, as usual, no basis.
Hi Gert, All,
Allow me to disagree.
Please check this WG's minutes at RIPE77 (October 2018): https://www.ripe.net/community/wg/active-wg/anti-abuse/minutes/ripe-77/
I briefly presented about "LIRs from Outside the RIPE NCC Service Region".
If my mind doesn't fail me, at the time most of the "nonsensical information" was related to locations outside the RIPE NCC Service Region.
Cheers,
Carlos
Hi,
On Fri, Jan 19, 2024 at 08:38:27AM +0000, Carlos Friaças wrote:
Please check this WG's minutes at RIPE77 (October 2018): https://www.ripe.net/community/wg/active-wg/anti-abuse/minutes/ripe-77/
I briefly presented about "LIRs from Outside the RIPE NCC Service Region".
If my mind doesn't fail me, at the time most of the "nonsensical information" was related to locations outside the RIPE NCC Service Region.
So there is LIR contact data in the RIPE DB which is not properly validated - and that should certainly be brought to the NCC's attention, and fixed.
This is still far from Suresh' usual claim "the NCC is complicit to all the IPv4 gangsters out there, doesn't validate anything, and the DB is full of fake data". Which is being repeated frequently, to the point of being outright detrimental because it just annoys, without spurring anyone into corrective action.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Fri, 19 Jan 2024, Gert Doering wrote:
So there is LIR contact data in the RIPE DB which is not properly validated - and that should certainly be brought to the NCC's attention, and fixed.
I agree. But who wants to spend effort on that? :-)
This is still far from Suresh' usual claim "the NCC is complicit to all the IPv4 gangsters out there, doesn't validate anything, and the DB is full of fake data". Which is being repeated frequently, to the point of being outright detrimental because it just annoys, without spurring anyone into corrective action.
The NCC has its due diligence process. It's not bulletproof, of course, and if there is intention and enough detail/care from the parties that want bogus contact data in the DB, it is an extremely hard job to spot the bad data. But if I'm not mistaken, that still happens sometimes and results in LIR closures.
Cheers,
Carlos
Hi,
On Fri, Jan 19, 2024 at 09:42:08AM +0000, Carlos Friaças wrote:
On Fri, 19 Jan 2024, Gert Doering wrote:
So there is LIR contact data in the RIPE DB which is not properly validated - and that should certainly be brought to the NCC's attention, and fixed.
I agree. But who wants to spend effort on that? :-)
Whoever is interested in fixing things, not just claiming "all is bad and nobody cares". [..]
The NCC has its due diligence process.
It's not bulletproof, of course, and if there is intention and enough detail/care from the parties that want bogus contact data in the DB, it is an extremely hard job to spot the bad data. But if I'm not mistaken, that still happens sometimes and results in LIR closures.
Indeed. And judging from the reports (from all directions) that due diligence process is quite thorough...
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Well if ripe allows the creation of bogus LIRs with little or no oversight and these then go ahead and do all the evil sure, let’s not blame ripe for it.
--srs
From: Gert Doering <gert@space.net>
Sent: Friday, January 19, 2024 2:15 PM
To: Carlos Friaças <cfriacas@fccn.pt>
Cc: Gert Doering <gert@space.net>; Suresh Ramasubramanian <ops.lists@gmail.com>; Anti-abuse Wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet
Hi,
On Fri, Jan 19, 2024 at 08:38:27AM +0000, Carlos Friaças wrote:
Please check this WG's minutes at RIPE77 (October 2018): https://www.ripe.net/community/wg/active-wg/anti-abuse/minutes/ripe-77/
I briefly presented about "LIRs from Outside the RIPE NCC Service Region".
If my mind doesn't fail me, at the time most of the "nonsensical information" was related to locations outside the RIPE NCC Service Region.
So there is LIR contact data in the RIPE DB which is not properly validated - and that should certainly be brought to the NCC's attention, and fixed.
This is still far from Suresh' usual claim "the NCC is complicit to all the IPv4 gangsters out there, doesn't validate anything, and the DB is full of fake data". Which is being repeated frequently, to the point of being outright detrimental because it just annoys, without spurring anyone into corrective action.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi, I just wanted to make a last comment on the previous email you sent.
The business model of many bulletproof companies is to ignore reports of abuse, RIPE NCC does not seem to do much against this and criminals are not afraid of retaliation from RIPE NCC towards them. and currently RIPE NCC is an attractive organization to get IP addresses for bulletproof servers, how good is this?
It is true that their job is to ignore abuse reports. Also please note that RIPE currently no longer has IPv4 blocks to assign. New members must either get their space from a waitlist (which takes time and it’s limited to a single /24) or buy IP space from other entities.
I do not believe that RIPE is more “attractive” than other Registries to obtain IP space for such illegal activities. All 5 RIRs have similar policies. Take a look at ARIN’s fraud reporting results.
https://www.arin.net/vault/reference/tools/fraud_report/results/2023/#2023Q2
As it’s been said, it’s not RIPE’s job to police the internet. And please note that ultimately the ISPs providing connectivity to these organisations are the ones “allowing” the fraud to happen. If all RIRs took action then I’m sure criminals would lease IP space from reputable LIRs. Given the current IPv4 shortage, I believe this is the case already. RIPE isn’t allocating a lot of IPs recently simply because they ran out.
Best regards,
Tomás Leite de Castro
On 18 Jan 2024, at 10:20, OSINTGuardian <contact@osintguardian.com> wrote:
Hi Tomas,
I am not referring to bulletproof servers in Tor, since I understand that this is more difficult to detect since it is deep in the internet. I am referring to the bulletproof hosting that is flooding the clear web with illegal content. I currently know different bulletproof hosting, as you probably do too, but no one does anything against this, which mostly affects the clear web.
illegal activities:
I am not referring to fighting bulletproof hosting due to spam networks, botnets and DDOS attacks. I am referring to bulletproof hosting that has clients who are pedophiles or drug traffickers (and these clients say it openly) and when the police or internet users send abuse reports to the bulletproof hosting email, the report is ignored.
Because of bulletproof hosting, the dark net has been on the clear web for some years with child pornography sites, pedophile forums, drug sales sites and among other websites that the owners are clients of bulletproof hosting. So you can see that I'm not exaggerating, google "dutchanonstore.to" and you'll see what I mean
In case you are wondering, the company behind this drug sales website is KODDOS (Amarutu Technology Ltd), one of the most famous bulletproof companies currently and which is on the TOP 1 list of ISPs that provide bulletproof servers for illegal websites
This is not the only famous bulletproof hosting, cybercriminals use a company like Cloudflare but Russian and with bulletproof servers that are hosted in Russia. the company DDOS-GUARD and it is not the first time that this company is mentioned here since some time ago a famous client of ddos-guard was Hamas (terrorist group)
I have a lot of evidence against bulletproof servers and how they are complicit in illegal activities, although having evidence of this is not that difficult since many of them are publicly promoted as "bulletproof hosting." The police usually do not do much against this, intelligence agencies such as the FBI, Interpol, Europol and among others are slow to do something against the bulletproof servers, and when they do something against this and they arrest the owners of these companies, what they do is that new criminals create 6 new bulletproof hosting companies and all the clients go to that new company to host the illegal websites.
Not to mention, the time it takes for authorities to do something against bulletproof hosting is 3 to 6 years, until they arrest the people behind the company with illegal activities. The authorities act extremely slowly and the clean web is filling up with illegal websites.
Basically this is what has been happening for years and no one does anything: screenshot: https://i.imgur.com/nKZz8qx.png
The business model of many bulletproof companies is to ignore reports of abuse, RIPE NCC does not seem to do much against this and criminals are not afraid of retaliation from RIPE NCC towards them. and currently RIPE NCC is an attractive organization to get IP addresses for bulletproof servers, how good is this?
Claudia Lopez OSINTGuardian
On Jan. 17 2024, at 9:10 pm, Tomás Oliveira Valente Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Hi,
As far as "taking down" bulletproof hosting, that is very hard to do as they often operate on jurisdictions that are easier for them to run their business. RIPE NCC only allocates blocks of IP addresses to LIRs, which in turn LIRs allocate to end users. There have been cases where the LIR itself are cybercriminals that exploit this to get addresses for their activities. There are other entities that do flag these blocks in an attempt to make the internet safer by flagging these IP blocks and even entire ASNs.
I think the most important thing to note, is that at the end of the day no one "controls" the internet. And RIPE's job is to coordinate these blocks of IPs assigned to LIRs/ISPs and maintain an up to date database of all these allocations. RIPE is not in any way an ISP, they don't have insights on the traffic of the internet including the IPs they assign (RIPE does operate RIS but it's out of scope for this topic).
One of the entities that specializes in flagging and trying to bring down these criminals is spamhaus (https://www.spamhaus.org/). There are more, but I personally use the spamhaus blocklist so I'm randomly quoting this one.
It is also important to understand that RIPE will only revoke addresses if the LIR is going against RIPE's policies. Since RIPE covers many regions and jurisdictions it makes the job much harder. As far as I know, sending SPAM email and other types of bulletproof hosting activities, is technically not a RIPE policy violation. Providing false contact information, and false documentation to obtain number resources is a policy violation.
RIPE must always maintain a very neutral position in all of this, and as you mention a Netflix documentary (I'm assuming it was "Cyberbunker"?) where they were in fact a LIR, those addresses were not revoked, rather than sold to another company. The documentary reflects this.
Also, RIPE provides registration services for these LIRs. Nothing else. Without RIPE's job you wouldn't know who was controlling these blocks, including abuse contacts.
If you cannot get in contact with a LIR through an abuse contact, then you can contact the registrant's local authorities. If such an entity does not exist, then this is a policy violation and the LIR account will be revoked including the IPs registered to it.
I personally blame ISPs involved in providing connectivity as they probably are aware of weird traffic patterns (such as IP spoofing), and might be contacted every once in a while as to why they are providing connectivity to these other, smaller, ISPs.
Also I believe that some of the activities you described happen on the "Tor" network, the .onion websites, which are a bit out of scope here.
At the end of the day, there is very little RIPE can do about this. As I mentioned in my other email, IP leasing happens a lot nowadays with the IPv4 shortage, so revoking a LIR account or addresses that were used for these activities wouldn't even punish the scammers. You would be punishing an ISP that allocated addresses to scammers. And I think you can see where the legal fights begin: RIPE does not want to be sued by ISPs.
Best regards,
Tomás Leite de Castro
On 2024-01-17 23:00, OSINTGuardian wrote:
hi tomás,
thanks for answering me
I understand that RIPE NCC's job is not to monitor the internet, but unfortunately criminals see that they do not get consequences and decide to join the bulletproof hosting business. People financed by organized crime see this as a business opportunity.
And hackers, pedophiles, scammers, drug dealers, arms dealers and other people see an opportunity to be a customer of these bulletproof hosting. Criminals see that they get no consequences for doing this and make a lot of money.
If RIPE NCC creates an abuse team that monitors that no one uses RIPE NCC as a form of business model to create bulletproof servers to sell to criminal networks, the Internet would become a cleaner place. It became a business model to ignore abuse reports sent by email to hosting companies.
There is a wiki on Wikipedia about bulletproof servers that describes the same thing, documentaries on Netflix and series that explain how criminals do illegal activities on the Internet using bulletproof hosting. If there is no prompt action against this, the only one who will benefit is organized crime.
What can be done against a person who operates a bulletproof server?: From what I've noticed, you said that restrictions apply to LIRs. How do they punish people who operate bulletproof servers? And what to do when someone has a lot of evidence that a person operates bulletproof hosting and uses it to sell services to dark net criminals?
I myself spoke to bulletproof hosting owners, and they feel totally immune and untouchable. They feel that no one can do anything against them. Many of them are in countries with few laws regarding the Internet and they abuse this. What resources are there to combat this?
Or is there nothing to do?
On Jan. 17 2024, at 6:05 pm, Tomás Oliveira Valente Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Hi,
I have been wondering for a while about this same issue. And I guess there are both pros and cons about RIPE providing registration services to such IP addresses. As you've stated, contacting them most of the time is useless. But in most of the cases these IPs are blacklisted or on DROP-lists (Spamhaus for example).
I believe RIPE NCC's job is not to police the internet, but to provide registration services. However RIPE should guarantee that the registrant's data is correct and up to date. This includes a proper abuse contact.
As for bulletproof hosting, it is in the best interest of the Internet that these IPs remain duly registered. There are many cases where the original registrant might not even be properly aware, or at fault, when such activities happen with their addressing. The most effective action is to contact the upstream ISPs and cut their connectivity.
If such a system would be implemented by RIPE, I think it should be oriented towards making sure the abuse contacts are up to date and reachable, rather than to police the use of the addresses, as ultimately the connectivity for such activities is provided by ISPs.
I do see the analogy you made with ICANN but registering a domain on the internet is much more reachable to everyone when compared to IP space, when most of that space is reassigned from upstream ISPs. Also addresses are assigned in blocks, when domains are assigned individually.
Please understand that I don't condone at all bulletproof hosting or such activities in any way. In fact it should be stopped. But the most effective action is likely not from RIPE to just deregister such resources when abuse happens or when an abuse contact is incorrect. It is worth noting that RIPE does apply restrictions to LIRs that repeatedly cause issues, and this includes falsifying contact information.
I think this is worth discussing if more restrictive actions should be taken towards such LIRs where illegal activities such as bulletproofing are the main business. But I'm worried about RIPE NCC's ability to verify abuse that happens on the internet.
Best regards,
Tomás Leite de Castro
On 2024-01-17 19:52, OSINTGuardian wrote:
hi,
There are more and more bulletproof hosting in the world every month and they are causing more and more chaos, feeding the dark web by providing servers to criminals of all kinds who use the servers on .onion websites in Tor and flooding the clear web with illegal content.
There is a bulletproof hosting market that is even openly promoted, it is as easy to find companies that provide bulletproof servers as searching on Google, hacker forums or simple internet websites that provide lists of bulletproof hosting companies.
The business model of these companies is to ignore reports of abuse of illegal content, to look the other way when someone uploads illegal content. This is openly their business model. What does RIPE NCC do about this?
RIPE NCC provides IP addresses to many of these companies with bulletproof servers that are then used by criminals on the Internet, strengthening organized crime.
ICANN publicly has an abuse reporting form, where users can report if a company provides bulletproof domains or ignores abuse reports. If RIPE NCC did this same thing, the internet would become a better place.
If RIPE NCC did this and also other IP address accreditors, they would greatly affect criminals on the Internet and therefore the Internet would become a slightly safer place than it is today. Bulletproof server companies would be afraid of being caught by RIPE NCC committing these violations. Unfortunately, these companies currently feel enough freedom to do this, that they even show themselves publicly.
Is RIPE NCC planning to do anything against this?
- Claudia Lopez OSINTGuardian
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
So we repeat the entire exercise with v6 or Jim Fleming’s IPv9 if and when that comes out? Right
--srs
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Tomás Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net>
Sent: Thursday, January 18, 2024 8:51:29 PM
To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet
Hi,
I just wanted to make a last comment on the previous email you sent.
The business model of many bulletproof companies is to ignore reports of abuse. RIPE NCC does not seem to do much against this and criminals are not afraid of retaliation from RIPE NCC towards them. And currently RIPE NCC is an attractive organization to get IP addresses for bulletproof servers. How good is this?
It is true that their job is to ignore abuse reports.
Also please note that RIPE currently no longer has IPv4 blocks to assign. New members must either get their space from a waitlist (which takes time and it’s limited to a single /24) or buy IP space from other entities. I do not believe that RIPE is more “attractive” than other Registries to obtain IP space for such illegal activities. All 5 RIRs have similar policies. Take a look at ARIN’s fraud reporting results. https://www.arin.net/vault/reference/tools/fraud_report/results/2023/#2023Q2
As it’s been said, it’s not RIPE’s job to police the internet. And please note that ultimately the ISPs providing connectivity to these organisations are the ones “allowing” the fraud to happen. If all RIRs took action then I’m sure criminals would lease IP space from reputable LIRs. Given the current IPv4 shortage, I believe this is the case already. RIPE isn’t allocating a lot of IPs recently simply because they ran out.
Best regards,
Tomás Leite de Castro
On 18 Jan 2024, at 10:20, OSINTGuardian <contact@osintguardian.com> wrote:
Hi Tomas,
I am not referring to bulletproof servers in Tor, since I understand that this is more difficult to detect since it is deep in the internet. I am referring to the bulletproof hosting that is flooding the clear web with illegal content. I currently know different bulletproof hosting, as you probably do too, but no one does anything against this, which mostly affects the clear web.
illegal activities:
I am not referring to fighting bulletproof hosting due to spam networks, botnets and DDoS attacks. I am referring to bulletproof hosting that has clients who are pedophiles or drug traffickers (and these clients say it openly) and when the police or internet users send abuse reports to the bulletproof hosting email, the report is ignored.
Because of bulletproof hosting, the dark net has been on the clear web for some years with child pornography sites, pedophile forums, drug sales sites, among other websites whose owners are clients of bulletproof hosting. So you can see that I'm not exaggerating, google "dutchanonstore.to" and you'll see what I mean.
In case you are wondering, the company behind this drug sales website is KODDOS (Amarutu Technology Ltd), one of the most famous bulletproof companies currently and which is on the TOP 1 list of ISPs that provide bulletproof servers for illegal websites.
This is not the only famous bulletproof hosting; cybercriminals use a company like Cloudflare but Russian and with bulletproof servers that are hosted in Russia: the company DDOS-GUARD. It is not the first time that this company is mentioned here, since some time ago a famous client of ddos-guard was Hamas (terrorist group).
I have a lot of evidence against bulletproof servers and how they are complicit in illegal activities, although having evidence of this is not that difficult since many of them are publicly promoted as "bulletproof hosting." The police usually do not do much against this; intelligence agencies such as the FBI, Interpol, Europol and others are slow to do something against the bulletproof servers, and when they do something against this and they arrest the owners of these companies, what they do is that new criminals create 6 new bulletproof hosting companies and all the clients go to that new company to host the illegal websites.
Not to mention, the time it takes for authorities to do something against bulletproof hosting is 3 to 6 years, until they arrest the people behind the company with illegal activities. The authorities act extremely slowly and the clean web is filling up with illegal websites.
Basically this is what has been happening for years and no one does anything: screenshot: https://i.imgur.com/nKZz8qx.png
The business model of many bulletproof companies is to ignore reports of abuse. RIPE NCC does not seem to do much against this and criminals are not afraid of retaliation from RIPE NCC towards them. And currently RIPE NCC is an attractive organization to get IP addresses for bulletproof servers. How good is this?
Claudia Lopez OSINTGuardian
participants (6)
- Carlos Friaças
- Gert Doering
- OSINTGuardian
- Suresh Ramasubramanian
- Tomás Leite de Castro
- Tomás Oliveira Valente Leite de Castro