Bulletproof servers causing mischief on the internet
Hi,

I have been wondering for a while about this same issue. And I guess there are both pros and cons about RIPE providing registration services to such IP addresses. As you've stated, contacting them most of the time is useless. But in most of the cases these IPs are blacklisted or on DROP-lists (Spamhaus for example).

I believe RIPE NCC's job is not to police the internet, but to provide registration services. However RIPE should guarantee that the registrant's data is correct and up to date. This includes a proper abuse contact.

As for bulletproof hosting, it is in the best interest of the Internet that these IPs remain duly registered. There are many cases where the original registrant might not even be properly aware, or at fault when such activities happen with their addressing. The most effective action is to contact the upstream ISPs and cut their connectivity.

If such a system would be implemented by RIPE, I think it should be oriented towards making sure the abuse contacts are up to date and reachable. Rather than to police about the use of the addresses. As ultimately the connectivity for such activities is provided by ISPs.

I do see the analogy you made with ICANN but registering a domain on the internet is much more reachable to everyone when comparing to IP space, when most of that space is reassigned from upstream ISPs. Also addresses are assigned in blocks, when domains are assigned individually.

Please understand that I don't condone at all bulletproof hosting or such activities in any way. In fact it should be stopped. But the most effective action is likely not from RIPE to just deregister such resources when abuse happens or when an abuse contact is incorrect. It is worth noting that RIPE does apply restrictions to LIRs that repeatedly cause issues, and this includes falsifying contact information.

I think this is worth discussing if more restrictive actions should be taken towards such LIRs where illegal activities such as bulletproofing are the main business. But I'm worried about RIPE NCC's ability to verify on abuse that happens on the internet.

Best regards,
Tomás Leite de Castro

On 2024-01-17 19:52, OSINTGuardian wrote:
hi,
There are more and more bulletproof hosting in the world every month and they are causing more and more chaos, feeding the dark web by providing servers to criminals of all kinds who use the servers on .onion websites in Tor and flooding the clear web with illegal content.
There is a bulletproof hosting market that is even openly promoted, it is as easy to find companies that provide bulletproof servers as searching on Google, hacker forums or simple internet websites that provide lists of bulletproof hosting companies.
The business model of these companies is to ignore reports of abuse of illegal content, to look the other way when someone uploads illegal content. This is openly their business model, what does RIPE NCC do about this?
RIPE NCC provides IP addresses to many of these companies with bulletproof servers that are then used by criminals on the Internet, strengthening organized crime.
ICANN publicly has an abuse reporting form, where users can report if a company provides bulletproof domains or ignores abuse reports. If RIPE NCC did this same thing, the internet would become a better place.
If RIPE NCC did this and also other IP address accreditors, they would greatly affect criminals on the Internet and therefore the Internet would become a slightly safer place than it is today. Bulletproof server companies would be afraid of being caught by RIPE NCC committing these violations. Unfortunately, these companies currently feel enough freedom to do this, that they even show themselves publicly.
Is RIPE NCC planning to do anything against this?
- Claudia Lopez OSINTGuardian
On 17/01/2024 23:05, Tomás Oliveira Valente Leite de Castro via anti-abuse-wg wrote:
I believe RIPE NCC's job is not to police the internet, but to provide registration services. However RIPE should guarantee that the registrant's data is correct and up to date. This includes a proper abuse contact.
I have heard so often that RIPE NCC's job is to *not* police the Internet. Then I heard John Curran's keynote at NANOG in October: The Expanding Landscape of Internet Governance: Why Network Operators Need a Global View https://www.youtube.com/watch?v=U1Ip39Qv-Zk and realize that over the next decade we will be handed EU edicts that will far exceed anything we thought possible. Take the 45 minutes and listen to John. Regards, Hank
Hi Hank

Thanks for this: It's pure gold.

I sometimes think this WG is held prisoner by a handful of people, which are the ones that then whine in five years because the EU will put a stop at this on their terms.

Here in Switzerland more and more anti abuse legislation is enacted because some providers just won't move.

Best
Serge
-- Dr. Serge Droz Director, Forum of Incident Response and Security Teams (FIRST) serge.droz@first.org | https://www.first.org
Over a decade ago, a friend (then working at a large national telecom regulator) told me that industry self regulation works best, and that if the government was forced to step in and regulate, neither industry nor government would be happy with the results.

Looks like that saying seems to be coming true.

--srs

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net>
Sent: Friday, January 19, 2024 2:16:19 AM
To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet

Hi Hank

Thanks for this: It's pure gold.

I sometimes think this WG is held prisoner by a handful of people, which are the ones that then whine in five years because the EU will put a stop at this on their terms.

Here in Switzerland more and more anti abuse legislation is enacted because some providers just won't move.

Best
Serge

-- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
On 18 Jan 2024, at 6:46, Hank Nussbacher wrote:
I have heard so often that RIPE NCC's job is to *not* police the Internet. Then I heard John Curran's keynote at NANOG in October: The Expanding Landscape of Internet Governance: Why Network Operators Need a Global View https://www.youtube.com/watch?v=U1Ip39Qv-Zk and realize that over the next decade we will be handed EU edicts that will far exceed anything we thought possible.
Thanks, Hank, for nudging me. Watching John's keynote has been on my TODO list since Randy Bush encouraged people to look at it in his RIPE87 presentation ["The RIR Social Contract"](https://ripe87.ripe.net/archives/video/1144/).

John's keynote is both excellent and relevant.

John takes the concept of "respective roles" from the Tunis Agenda, and points out that regulation and compulsion fall within the role of government. He cites examples of engagement with government in other industries, where technical professionals develop codes and norms, which remain voluntary best practices until they are referenced by and mandated in legislation or regulation. He presents this model as the way ahead for engagement between the technical professionals of the Internet ("us", if I may put it like that), and the various agencies of Government.

John also cites a couple of the norms we have already, BCP38 and MANRS, as examples of useful and relevant work which this technical community has already done. He urges us (see above) to engage with government, communicating how norms we have already developed might be relevant to problems which they need to address, and taking account of their goals in areas where further technical norms may be needed.

It's significant for me that John is not urging us to expect the RIPE NCC, or other RIRs, either to take on a policing role or to make their administrative processes more onerous, but rather to engage with government to understand their goals, and to continue developing and promoting technically sound good practices.

As Hank says, unless you've done so already,
Take the 45 minutes and listen to John.
Best regards, Niall O'Reilly RIPE Vice-Chair
Greetings, Maybe we need a bulletproof hosting directory on the web? :-))
From what i've learned, illegal content depends on jurisdiction, and effectively that's what greatly impacts the possibility of takedowns.
I've also seen what you mention about advertising services as 'bulletproof', but i've already seen some of those companies remove that kind of advertising (in this case, web archives are your friend!)

The RIPE NCC, afaik, doesn't act on illegal content, because it lacks any mandate for that.

In the same way criminals are able to use phones, they are allowed to use IP addresses. The downside with the IP addresses is they can in practice build/manage (informal?) network operators, which provide them with a lot more flexibility. But that's the model we have had for decades...

I totally agree with the ICANN comparison, but it wouldn't be only RIPE NCC, for effectiveness you would have to have all the five RIRs on the same page.

But i'm afraid "the community" -- which also includes the 'bulletproofers' -- will not issue any mandate to the RIPE NCC to do something. Instead, at some point, we will see more regulatory stuff kicking in........

Best Regards,
Carlos
On 19 Jan 2024, at 10:35, Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Greetings,
Maybe we need a bulletproof hosting directory on the web? :-))
From what i've learned, illegal content depends on jurisdiction, and effectively that's what greatly impacts the possibility of takedowns.
Then there is an easy check that should be made: does the LIR that claims to be in that jurisdiction have any hardware and any connectivity from there, or is the majority of their network located outside that jurisdiction and is the 'address' just a postal address?

Jurisdiction is a very tricky thing: is it the "address of the LIR" (eg Seychelles, Bahamas, ...) or is it where the physical hardware is located that actually does the harmful thing (eg hosting illegal content, bulletproof etc etc).

Outside of the NCC though, an ISP can always apply Spamhaus DROP and similar things to their own network.

At that point the only thing these LIRs are doing is causing more IPv4 exhaustion..... though we'll repeat this whole story with IPv6 again... (at least then with easy to block /32s instead of a bunch of /24s from various places, unless one drops ASNs completely and/or start doing the white-list ASN game... which kinda is happening already)

Greets
Jeroen
Defining 'bulletproof hosting' as a relatively simple problem that RIPE can tackle is a bit naive. There are several layers, a lot is happening in the darkweb with no clear linkage to the clearnet, this is clearly outside the scope of RIPE.

The most sophisticated cybercrime syndicates provide Crime-Infra-as-a-Service (CIaaS), they hire servers from the larger hosting companies, react very fast on abuse notices and migrate the offending customer to their CIaaS at another hoster. These syndicates are very welcomed by the hosting company as they act immediately on abuse complaints, they are the poster child for 'how a reseller needs to deal with abuse'. As there is no 'global view' it is not known who these are. Europol will not investigate, Dutch Police will not investigate (when prosecuted they will not be sentenced to Dutch jail so all the time spent investigating them will not count for their KPI's .. (sad but true)). Nothing RIPE can do about this either.

What's left are the smaller players that rent /24's and ASN, or register an anonymous company (fi US LLC) and anonymously become a LIR and do their 'bad thing'. This will check-out for RIPE! And then become a client of some larger 'very permissive' hosters (if they are lazy) or they build a spiderweb and contract their IaaS, buy colo, buy transit from separate third parties. These third parties normally see no abuse so for them no red flags, these contracts normally are with other companies so when you ask them if fi. 'Inferno Ltd' is a customer they genuinely can say 'no', as there is no clear linkage between 'Inferno Ltd' and their customer 'HELL LLC'.

In NL we received a list of 'known bulletproof hosters' from the NL Police (they did a Russian language google search on 'bulletproof hosting + netherlands', it turned out later), when we checked the list we had about a 40% rate of actual bulletproof server delivery, most of these sites scam their prospective criminal client. So it is not all happy in criminal wonderland.

RIPE needs to ensure the registration data is correct, this is their main 'raison d'être'. However they cannot do it all themselves, nor is their remit to be the internet sheriff of last resort. This puts boundaries on what you can expect from RIPE. You can be a cybercriminal and be fully compliant with RIPE rules and regulations, you can be a fully legit company and break all those. It is not for RIPE to label you a 'bad actor'.

The fact someone does not act on abuse complaints is not a RIPE issue however with the Digital Services Act (DSA) becoming active soon it will become a DSA issue. Please investigate how you can use the DSA to your advantage in fighting abuse (within the EU).

Cheers,
Alex

-- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221

On Fri, 19-01-2024 14h 07min, OSINTGuardian <contact@osintguardian.com> wrote:
hi Carlos,
I'm not talking about RIPE NCC being responsible when someone random on some random provider in the world uploads something illegal. This is incorrect and I never referenced this. I am referring to criminals who use RIPE NCC to buy many IP addresses to later sell them to criminals and that this hosting provider is sold publicly as "bulletproof hosting".
I think the comparison with phone providers would be good if a phone provider sells thousands of phone numbers to criminals so that these criminals then make a "bulletproof phone provider" using the phone numbers previously sold, and then these telephone numbers are used for illegal activities.
Would the original telephone provider that sells the phone numbers have consequences? Yes, the authorities would probably investigate them for selling thousands of phone numbers to criminals and doing nothing to monitor that this was happening or to suspend service to all the phone numbers sold to the criminal who created "the bulletproof number provider."
In this case, criminals come to RIPE NCC to buy thousands of IP addresses to later use them in a "bulletproof hosting" market, most of these hosting providers ignore DMCA, spam, hackers, etc. But there is a very dark part of these hosting providers that are complicit in child pornography, pedophilia, drug trafficking, non-consensual pornography, weapons sales and terrorist websites.
Can RIPE NCC stop these bulletproof hosting providers? Yes These hosting providers ignore abuse reports and do not comply with abuse emails, even though RIPE NCC prohibits this, what is RIPE NCC doing to punish these bulletproof hosting providers? As far as I know nothing is done.
About the fact that this would not only have to be for RIPE NCC, but also the other RIRs, yes. I agree with this.
Honestly, I would like to speak to a RIPE NCC member about this as I have a lot of evidence against bulletproof hosting that does extremely illegal activities and is used to provide websites on the Tor network (although most of the illegal content is on the clear web).
From what I saw in this group, there are a lot of people here who are upset that this is happening. Bulletproof hosting providers are everyone's problem, but no one does much to punish them and unfortunately the only ones who win are the criminals and their accomplices.
I hope that RIPE NCC along with other RIRs get together and do something against organized crime. It would be great news for everyone. Although I'm not going to get my hopes up, maybe this will happen in 10 years when something so serious happens on the Internet that it forces us to do something against bulletproof hosting, but it seems that currently the RIRs don't seem to take it seriously.
Thanks for your contribution, Carlos.
Claudia Lopez OSINTGuardian
Both registries and registrars that are accredited by ICANN have contracts with clear clauses related to abuse and their responsibility towards reports etc. As of right now no such requirement exists in the RIPE region, so I’m not sure that the parallel is a good one.

In an ideal world self-regulation would be the way, but sadly there are a lot of providers who turn a blind eye to all sorts of unpleasant behaviour on their platforms / networks etc., so legislators are getting involved more and more.

If there are LIRs in the RIPE region with dodgy contact details or anything else that would be illegal under Dutch law or in breach of any contracts or policies then they should be reported to RIPE NCC. It’s in RIPE NCC’s best interest not to run afoul of regulators and I know they invest quite heavily in engagement with government including LEA.

Also please do not refer to DMCA. It’s American and is not legal in Europe. Seriously

Regards
Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
participants (10)
- Alex de Joode
- Carlos Friaças
- Hank Nussbacher
- Jeroen Massar
- Michele Neylon - Blacknight
- Niall O'Reilly
- OSINTGuardian
- Serge Droz
- Suresh Ramasubramanian
- Tomás Oliveira Valente Leite de Castro