Re: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Furio,
If you're going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements.
On 27 Jun 2013, at 14:13, furio ercolessi <furio+as@spin.it> wrote:
Therefore the responsibility for terminating C&C domains lies on the registries, not on the DNS providers (that may not even exist).
Not necessarily. If registries are going round the place pulling domains it causes headaches for registrars - and the registries don't have a contract / agreement with the registrant. While this may be different with ccTLDs, you haven't specified that you're only referring to ccTLDs. And I don't see how a domain can resolve without a DNS provider - that makes zero sense.
The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'.
That's highly defamatory. I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone.
Similar problems have then occurred in .PL and .RU as well.
Again - broad sweeping statements. I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed.
Luckily, the times have changed and country CERTs are nowadays much more aware of the C&C problem and of the need to take down those domains swiftly.
Irrelevant statement. CERTs have little impact on registry operations when they're run by private entities.
As it often happens with large organizations, 'learning' may be very slow and may need to be stimulated by external forces - not because of lack of capacity of the individuals working in the organizations to understand the issue, but because of the fear of those individuals to break a complex set of rules, and the possible need to have those rules changed to avoid breaking them.
I believe that all the external forces working on this problem - Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and others - have played and are playing a very important role in interacting with registries and CERTs regarding cybercrime domains, even more so when those interactions have to be a little 'rough' to get some traction. Nobody likes friction I think, but sometimes it is needed to shake things and see some action.
furio ercolessi
Mr Michele Neylon Blacknight Solutions ♞ Hosting & Domains ICANN Accredited Registrar http://www.blacknight.co http://blog.blacknight.com/ Intl. +353 (0) 59 9183072 US: 213-233-1612 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Michele, there's this thing called fastflux NS as well. Host the NS on compromised nodes with a low TTL and you just don't need to find an ISP or DNS provider to host NS for you.

As for the defamatory / sweeping statements thing - I will only say that an analysis of the number of .at / .lv etc domains turning up in traps, honeypots, BLs etc tends to bear out an impression that once criminals find a gTLD or ccTLD where terminations are slow to non-existent, they will crowd on to it, in increasingly larger numbers.

.hk found that out the hard way some years back, and it took a lot of data passed to HKDNR, and a lot of convincing and/or pressure on them from a variety of sources (including, presumably, some official ones), to make them take several steps to lock their ccTLD down. There should be a presentation somewhere from HKDNR's Bonnie Chun talking about their experiences and the steps they took to ensure this doesn't recur.

I can tell you for sure that soon after the large-scale termination of like thousands of .hk domains in a matter of days, the domains started to crop up on a provider in another (very small) Asian nation, where a simple email to a trusted contact there was enough to get them turfed off, very quickly indeed. They didn't ever come back there as far as my statistics show - and this is from nearly a decade back.

This is absolutely not behavior restricted to registrars or TLDs. If you find a colo host that is lackadaisical about abuse issues for whatever reason, that provider will pretty soon find his service overrun with spammers, bot C&C, IRC kiddiez and whatever else, compared to providers that run a tighter ship wrt abuse mitigation.

So, I am sorry to say but furio's statements are fairly accurate, though they may be a trifle more blunt than some can take.

thanks
-srs
-- --srs (iPad)
Suresh Ramasubramanian wrote:
Michele, there's this thing called fastflux NS as well
Host the NS on compromised nodes with a low TTL and you just don't need to find an ISP or dns provider to host NS for you.
Any nameserver has to be registered with the registry of the domain (is there another way DNS works, I don't know?). So: you can always find the server running the nameserver for that domain. Take this server down.

Again: a domain name is not something physical, it's just a name. There are some registries offering domains where you do not have to put nameservers in, when you don't want to. There is no service running then under these domains, they are just reserved names, nothing physical.

Let's say somebody's name is "John Doo". The name itself cannot harm anybody, the person "named" John Doo can.

Kind regards, Frank
On Thursday, June 27, 2013, Frank Gadegast wrote:
Any nameserver has to be registered with the registry of the domain (is there another way DNS works, I don't know?)
So: you can always find the server running the nameserver for that domain. Take this server down.
For fastflux, take it down and there's a fresh NS real soon. Then what?
Let's say somebody's name is "John Doo". The name itself cannot harm anybody, the person "named" John Doo can.
headdesk. -- --srs (iPad)
Suresh Ramasubramanian wrote:
On Thursday, June 27, 2013, Frank Gadegast wrote:
Any nameserver has to be registered with the registry of the domain (is there another way DNS works, I don't know?)
So: you can always find the server running the nameserver for that domain. Take this server down.
For fastflux, take it down and there's a fresh NS real soon. Then what?
The botnet has usually one domain wired into the bot. This domain "a" is running on a nameserver. The bot is asking the nameserver (which isn't changed by the botnet owner) for a second domain "b" (which might not be registered at all, but configured) running fastflux for the IP of its control servers.

But: you can find the domain "a" by reverse engineering the bot. Find the nameservers for "a" and you're done.

And if the bot is doing only single fastflux, the botnet owner HAS to update the domain at the registry, which makes it even easier. Take the first nameservers down, wait for the update at the registry, take the next two nameservers down and so on until there is none left. Complaining about registries isn't the right start, even if it would make things easy. Domains could change; even complaining about the nameservers on hacked servers isn't the right start (probably because they are hosted in countries where you have no chance to find a legal argument to take them down).

I would even argue that not only can the domain name not harm anybody, the nameservers aren't doing that either. A nameservice itself isn't something illegal even if it resolves IPs for a botnet (except if it resides on a hacked and misused server and if that is illegal in the country where it resides). They are both only part of a system.

The harmful parts are the bots and the intruded and misused servers; if you delete the domain name, they are all still floating about and will soon be part of the next botnet ...

I personally would start at the other end and force Microsoft legally to only have PCs connected to the Internet that have an AntiVirus solution installed and running ...

But then you have the antitrust agencies arguing that Microsoft is not allowed to install an antivirus solution because it wouldn't be that nice to their competitors ...

And surely have laws in all countries to forbid running servers delivering malware and force the ISPs to remove them after knowledge ...

Kind regards, Frank
Let's say somebody's name is "John Doo". The name itself cannot harm anybody, the person "named" John Doo can.
headdesk.
-- --srs (iPad)
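The two messages above describe the same pattern from both sides: a stable first-stage name (Frank's domain "a", whose nameservers do not change) and a second-stage name whose answers rotate through compromised hosts with a low TTL (Suresh's fastflux NS). The following is an added example, not code from the thread or from any of its participants, showing how a defender scoring passive-DNS observations can tell the fluxing name apart from an ordinary low-TTL CDN name and pick out the stable anchor that a takedown or blocklist request should point at. The record layout, the names, the addresses and the thresholds are all constructed for this illustration; with real data an ASN lookup would replace the /16 prefix heuristic.

```python
"""Flux-style churn scoring over passive-DNS observations (added example, not from the thread).

Record layout, names and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (unix_time, owner_name, rrtype, ttl, rdata).
OBSERVATIONS = [
    # "a.example": the name wired into the bot. Its NS set is long-lived and never
    # changes, which is what makes it the useful anchor for a report.
    (1000, "a.example", "NS", 86400, "ns1.a.example"),
    (1000, "a.example", "NS", 86400, "ns2.a.example"),
    (8000, "a.example", "NS", 86400, "ns1.a.example"),
    (8000, "a.example", "NS", 86400, "ns2.a.example"),
    # "b.example": the name handed out by a.example's servers. Its A records rotate
    # through hosts in many unrelated prefixes with a short TTL (fast flux).
    (1000, "b.example", "A", 120, "198.51.100.7"),
    (1000, "b.example", "A", 120, "203.0.113.9"),
    (1300, "b.example", "A", 120, "192.0.2.44"),
    (1300, "b.example", "A", 120, "10.8.1.3"),
    (1600, "b.example", "A", 120, "10.9.2.4"),
    (1600, "b.example", "A", 120, "172.16.5.5"),
    (1900, "b.example", "A", 120, "172.20.7.7"),
    (1900, "b.example", "A", 120, "198.18.3.3"),
    # A CDN-fronted shop: short TTL too, but only two addresses in one prefix.
    (1000, "www.shop.example", "A", 60, "203.0.113.20"),
    (1300, "www.shop.example", "A", 60, "203.0.113.21"),
    (1600, "www.shop.example", "A", 60, "203.0.113.20"),
]


def summarize(observations):
    """Aggregate per (name, rrtype): distinct rdata, distinct /16 prefixes (A only),
    lowest TTL seen and the first/last observation time."""
    agg = defaultdict(lambda: {"rdata": set(), "prefixes": set(),
                               "min_ttl": None, "first": None, "last": None})
    for ts, name, rrtype, ttl, rdata in observations:
        e = agg[(name, rrtype)]
        e["rdata"].add(rdata)
        if rrtype == "A":
            # /16 is a crude stand-in for "different network"; with real data use ASN.
            e["prefixes"].add(str(ip_network(f"{rdata}/16", strict=False)))
        e["min_ttl"] = ttl if e["min_ttl"] is None else min(e["min_ttl"], ttl)
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
    return agg


def churn_per_hour(entry):
    """Distinct answers seen per hour of observation window (window floor of 1 s)."""
    window = max(entry["last"] - entry["first"], 1)
    return len(entry["rdata"]) * 3600 / window


def classify_a_records(observations, low_ttl=300, min_rdata=5, min_prefixes=3):
    """Label each name with A observations:
    'flux'    low TTL and many addresses spread over many prefixes,
    'low-ttl' low TTL but little diversity (ordinary CDN / load-balancing pattern),
    'stable'  everything else."""
    verdicts = {}
    for (name, rrtype), e in summarize(observations).items():
        if rrtype != "A":
            continue
        diverse = len(e["rdata"]) >= min_rdata and len(e["prefixes"]) >= min_prefixes
        if e["min_ttl"] <= low_ttl and diverse:
            verdicts[name] = "flux"
        elif e["min_ttl"] <= low_ttl:
            verdicts[name] = "low-ttl"
        else:
            verdicts[name] = "stable"
    return verdicts


def stable_ns_anchors(observations, min_ttl=3600):
    """Names whose NS set is small and long-TTL: the place a report should point at,
    since the fluxing A records of the second-stage name will not stay valid."""
    return {name: sorted(e["rdata"])
            for (name, rrtype), e in summarize(observations).items()
            if rrtype == "NS" and e["min_ttl"] >= min_ttl and len(e["rdata"]) <= 4}


if __name__ == "__main__":
    for name, label in classify_a_records(OBSERVATIONS).items():
        print(f"{name:18} {label}")
    for name, servers in stable_ns_anchors(OBSERVATIONS).items():
        print(f"anchor: {name} -> {', '.join(servers)}")
```

The point of the third, CDN-like name is the caveat Michele's objection hints at: a low TTL by itself is normal and proves nothing, so the score has to combine TTL with address and network diversity over a time window before anyone files a report against a nameserver or a netblock.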
Usually one domain..? More often than not, a domain generation algorithm with lots more than just one.

Beyond that, please do some more research.

-- --srs (iPad)
Suresh Ramasubramanian wrote:
Usually one domain..? More often than not, a domain generation algorithm with lots more than just one
True, so why try to argue with the registries? Will not help ...
Beyond that, please do some more research.
Pfff ...
Kind regards, Frank
-- Kind regards, Frank Gadegast -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
On Jun 27, 2013, at 10:50 AM, Frank Gadegast wrote:
I personally would start at the other end and force Microsoft legally to only have PCs connected to the Internet that have an AntiVirus solution installed and running ...
Not all computers run Microsoft software. Furthermore not all computers run *recent* Microsoft software. There's still a very fair share of, for instance, Windows XP machines out there. Compromise 50% of them and you'll get yourself a very nice botnet to play with.

The fact that a machine ships with an anti-virus does not imply that said AV will remain running, maintain effectiveness over time, etc. From past experience, a significant proportion of infected machines in an access ISP network did have an anti-virus installed by the time we had to pull the plug on the customer because they were spewing.

Being proactive on this front will only get you that far. You still need to have a reactive mechanism to respond and mitigate.

Best regards
-lem
Luis Muñoz wrote:
On Jun 27, 2013, at 10:50 AM, Frank Gadegast wrote:
I personally would start at the other end and force Microsoft legally to only have PCs connected to the Internet that have an AntiVirus solution installed and running ...
Not all computers run Microsoft software.
Oh, sorry, I didn't know that ...
Furthermore not all computers run *recent* Microsoft software. There's still a very fair share of, for instance, Windows XP machines
With an update mechanism in place on most of them ...
out there. Compromise 50% of them and you'll get yourself a very nice botnet to play with.
The fact that a machine ships with an anti-virus dos not imply that said AV will remain running,
Sure, that's why I said that Microsoft should only allow an internet connection WHEN it's running.
maintain effectiveness over time, etc.
From past experience, a significant proportion of infected machines in an access ISP network did have an anti-virus installed by the time we had to pull the plug on the customer because they were spewing.
Being proactive in this front will only get you that far.
Sure, but it's a good start. Old OSes will die one day, and all others should only be allowed to connect when there is something protecting them. From today on. This would then kill most of the bots ... What I said: a good start.

And forcing ISPs step-by-step to stop their intruded servers is another good start (and that's what we are starting here, I always thought).

Kind regards, Frank
You still need to have a reactive mechanism to respond and mitigate.
Best regards
-lem
In message <51CC5148.902@powerweb.de>, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
I personally would start at the other end and force Microsoft legally to only have PCs connected to the Internet that have an AntiVirus solution installed and running ...
There is a simpler solution that nobody ever talks about because it is not politically viable. (Translation: Too many campaign contributors with too much money are against it.)

This simple solution is just to withdraw the existing specific exemptions to product liability laws that allow Microsoft and other software vendors to ship dangerous crap to people and yet never get sued for doing so. (This is a special exemption that applies to essentially no other category of product.)

Regards, rfg
Ronald F. Guilmette wrote:
In message <51CC5148.902@powerweb.de>, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
I personally would start at the other end and force Microsoft legally to only have PCs connected to the Internet that have an AntiVirus solution installed and running ...
There is a simpler solution that nobody ever talks about because it is not politically viable. (Translation: Too many campaign contributors with too much money are against it.)
This simple solution is just to withdraw the existing specific exemptions to product liability laws that allow Microsoft and other software vendors to ship dangerous crap to people and yet never get sued for doing so. (This is a special exemption that applies to essentially no other category of product.)
What about a RIR regulation to ensure that address space is only used for purposes not harming anybody? That resource holders are responsible for the abuse coming out of their networks? And a framework to withdraw address space, if there is whatever evidence that the resource holder is not doing enough to stop it?

I think this is the main question in which direction we all should go after the abuse-c is in place. It's nice that there will be a contact now for every address space, but now we should talk about responsibilities of resource holders and procedures to control them.

For a start I'm really interested how the current revoking process at RIPE NCC actually looks like and examples how this process was actually used in the past ... I might have missed that, but maybe that was never communicated to the list in detail.

Kind regards, Frank
Regards, rfg
On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote:
What about a RIR regulation to ensure that address space is only used for purposes not harming anybody ? That resource holders are responsible for the abuse coming out of their networks ?
Srsly? Abandon the common-carrier principle for the sake of a minor annoyance like *spam*? Forcing ISPs to censor and surveil all traffic passing their networks? Apart from the fact that this is undemocratic and unworkable, how well did that work for China? rgds, Sascha Luck
Sascha Luck wrote:
On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote:
What about a RIR regulation to ensure that address space is only used for purposes not harming anybody ? That resource holders are responsible for the abuse coming out of their networks ?
Srsly? Abandon the common-carrier principle for the sake of a minor annoyance like *spam*? Forcing ISPs to censor and surveil all traffic
Sure, it's a matter we should discuss, how far we like to push things. For a start I would like to force resource holders to actually read the mail arriving under their abuse address. This will not force anybody to control all the traffic. F.e. by returning ticket numbers or the like. Or sending automatic CCs to the RIPE NCC .. This could be controlled, weighted and analyzed by the NCC and could give evidence about how the ISP is working with abuse reports. And this could be used in the auditing process somebody (sorry, forgot the name) likes to bring a bit further right now here on this list. Others have probably other ideas, let's hear and discuss them.
passing their networks? Apart from the fact that this is undemocratic and unworkable, how well did that work for China?
We are talking about the RIPE region.
Kind regards, Frank
rgds, Sascha Luck
On 6/28/13 10:50 AM, Frank Gadegast wrote:
Sascha Luck wrote:
On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote:
What about a RIR regulation to ensure that address space is only used for purposes not harming anybody ? That resource holders are responsible for the abuse coming out of their networks ?
Srsly? Abandon the common-carrier principle for the sake of a minor annoyance like *spam*? Forcing ISPs to censor and surveil all traffic
Sure, its a matter we should discuss, how far we like to push things.
I find it disturbing that anyone would even consider regulating IP allocations based on abuse just because they don't have a good enough spamfilter themselves. I would rather see a regulation that would deny address space allocation to LIRs not having a good spamfilter.
For a start I would like to force resource holders to actually read the mail arriving under their abuse address. This will not force anybody to control all the traffic.
Do you believe this is practically possible for any huge email provider (or other services) ?
F.e. by returning ticket numbers or the like. Or sending automatic CCs to the RIPE NCC .. This could be controlled, weighted and analyzed by the NCC and could give evidence about how the ISP is working with abuse reports.
Or even better; RIPE NCC could just get a login to PRISM and read all your mail there.
Others have probably other ideas, lets hear and discuss them.
Accepting your abuse mail is not a right, but a service. This may be unfortunate, but it should be up to each LIR to decide if and through what media they accept complaints. Creating a standard and encouraging all LIRs to use it would however be great.
The discussion in this thread has also included bot and crimeware netblocks.

As for the 'good enough spam filter' versus giving spammers and botmasters an unlimited supply of IP space, it starts to remind me of those high school maths problems where a burette empties out a tank while a firehose fills it up. People with good enough spam filters to run mail for millions of users each will tell you much the same thing.

--srs (htc one x)
Jørgen Hovland wrote:
On 6/28/13 10:50 AM, Frank Gadegast wrote:
Sascha Luck wrote:
On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote:
What about a RIR regulation to ensure that address space is only used for purposes not harming anybody ? That resource holders are responsible for the abuse coming out of their networks ?
Srsly? Abandon the common-carrier principle for the sake of a minor annoyance like *spam*? Forcing ISPs to censor and surveil all traffic
Sure, its a matter we should discuss, how far we like to push things.
I find it disturbing that anyone would even consider regulating IP allocations based on abuse just because they don't have a good enough
Well, everybody is free to have his own opinion. I don't see this. If you get a "loan" of something you should be careful with it.
spamfilter themselves.
That's a stupid estimation. Abuse has not only something to do with spam ...
I would rather see a regulation that would deny address space allocation to LIRs not having a good spamfilter.
Honest? Well, describe how this could work and we discuss it here. If a majority likes it ...
For a start I would like to force resource holders to actually read the mail arriving under their abuse address. This will not force anybody to control all the traffic.
Do you believe this is practically possible for any huge email provider (or other services) ?
Sure, how many abuse reports are being sent during a day? Does anybody have a number or a good estimation?
F.e. by returning ticket numbers or the like. Or sending automatic CCs to the RIPE NCC .. This could be controlled, weighted and analyzed by the NCC and could give evidence about how the ISP is working with abuse reports.
Or even better; RIPE NCC could just get a login to PRISM and read all your mail there.
Others have probably other ideas, lets hear and discuss them.
Accepting your abuse mail is not a right, but a service.
Good point.
This may be unfortunate, but it should be up to each LIR to decide if and through what media they accept complaints. Creating a standard and encourage all LIRs to use it would however be great.
You see? Currently the abuse-c will be the only practical way to get in contact. You can send letters, drive by, a fax, whatever, but the addresses are probably worse than the abuse-c's email address. So there is no real decision to make which way is best to contact them.

The current regulations at RIPE now say in fact that you can only get (or keep) your resources when you have an abuse-c. It's only another step to enhance the regulations that you need to read email coming in.

Kind regards, Frank
Frank Gadegast wrote: [...]
For a start I would like to force resource holders to actually read the mail arriving under their abuse address. This will not force anybody to control all the traffic.
Can you describe the incentive that would force this?

Regards, Leo Vegoda
Leo Vegoda wrote:
Frank Gadegast wrote:
[...]
For a start I would like to force resource holders to actually read the mail arriving under their abuse address. This will not force anybody to control all the traffic.
Can you describe the incentive that would force this?
Could be a step-by-step educational/regulation process. First, when NCC gets a complaint about a netblock, they could check if the abuse address is working at all. Or they send an email ordering a return receipt (might indicate something, but is probably no proof). NCC could also check regulary of they exist. (I know, it could also be filtered or faked at the receivers side) Or it could be a regulation, that such an address has to return something (email, ticket). Or abuse reports should always be sent with a CC to an ripe address, where the NCC does some counting. Or the abuse-c has to send a CC to the NCC when replying ... or both together ... When an netblock is suspiscous, these "sums" could be looked at (going up, going down, short outbreak or beeing very high all the time compared to others with that size of allocations aso). Or trusted blacklist could prepare some kind of counting and forward this to the NCC (we can tell quite a lot about non-existing, not-working or non-reponsive addresses and also about spam-per-networksize ratios, just looked into our database: some ISPs in Poland, Ukraine and Spain are still at the top, then a lot of nothing, but Kazachstan is moving, aehm, forward). All this is a kind of "indirect force". When there are audits, no network admin likes to have a bad reputation, right ? If I knew how to start an audit process, I would have a few nice candidates, that did nothing during the last years to get their complaint ratio down. Another example: we also have some netblock from another LIR not belonging to our AS. Surely this LIR forwards complaints to us and we are forced to reply, because its his abuse-c address visible through whois. The LIR is always pretty happy, when we reply and audits this again after a while, if the complaints stopped or not. If not, they will start to look closer at us and maybe revoke our netblocks ... 
NCC could do the same, it only depends on what kind of regulations we want, what kind of framework, rules, values, whatever. I know that there are lots of holes we could fall into (like faked reports to kill somebody's reputation, automatic replies that look as if everything is good aso), but we cannot get this going if we do not collect ideas on how it could work ... But I guess it would be pretty easy to find and separate the really bad ones from the ones that only sometimes have a problem and those that never have a problem.

Kind regards, Frank
Regards,
Leo Vegoda
Frank Gadegast wrote the following on 28/06/2013 08:47:
For a start I'm really interested in how the current revoking process at RIPE NCC actually looks and examples of how this process was actually used in the past ... I might have missed that, but maybe that was never communicated to the list in detail.
I don't have direct references for past use, but the Closure & Deregistration document has been repeatedly communicated to this list. It is here in all its glory: http://www.ripe.net/ripe/docs/ripe-578 Brian
Brian Nisbet wrote:
Frank Gadegast wrote the following on 28/06/2013 08:47:
For a start I'm really interested in how the current revoking process at RIPE NCC actually looks and examples of how this process was actually used in the past ... I might have missed that, but maybe that was never communicated to the list in detail.
I don't have direct references for past use, but the Closure & Deregistration document has been repeatedly communicated to this list.
It is here in all its glory:
Looks to me like the NCC can only revoke resources or terminate contracts because the member does not follow regulations like allocation size, DB entries, or is insolvent or similar, rather formal reasons. Any LIR or customer of a LIR can probably set up the contract and DB data in a way it fits those needs, but still use the resources for massive abuse. This seems to be also true for the audit process. The LIR can withdraw a customer's resource if the current usage does not comply with its initial order purpose, but the NCC can't do the same. Should it not be part of the audit process to check the current usage of sponsored resources against their initial purpose? Then the following could happen:

- the community asks the NCC to start an audit for a special resource/LIR because of constant abuse coming from that network
- the NCC asks the LIR for the initial purpose of the sponsored resources
- and asks him to check the current usage, because of massive abuse complaints

Now the LIR (let's trust him in the first stage) can check and maybe revoke the resources. If the problems continue, NCC could start to audit the LIR itself ... At that stage, the NCC would need trustful data to prove that the resources are massively used for abuse, and the big question is how to either collect them at the NCC or how to get them from trusted third parties.

Kind regards, Frank
Brian
On Thu, Jun 27, 2013 at 01:38:48PM +0000, Michele Neylon :: Blacknight wrote:
Furio
If you're going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements.
Not sure about "broad sweeping". I gave my opinions for what they are worth. The facts are out there, several links have been given already and I do not see the need to go through them in a list post.
On 27 Jun 2013, at 14:13, furio ercolessi <furio+as@spin.it> wrote:
Therefore the responsibility for terminating C&C domains lies on the registries, not on the DNS providers (that may not even exist).
Not necessarily.
If registries are going round the place pulling domains it causes headaches for registrars - and the registries don't have a contract / agreement with the registrant
While this may be different with ccTLDs you haven't specified that you're only referring to cctlds ..
Sorry, yes, I was referring to cctlds. More generally one could refer to the domain registration system, including registrars and registries but specifically excluding the DNS provider. [ Still, for very serious issues involving cybercrime it could be reasonable to have a nucleus of competence coordinating remedies within the registries, since there are wide differences between different registrars (in skills, resources, ethics etc), and registrars tend to not listen to abuse reports from users and security organizations. (There are exceptions for sure!) ]
And I don't see how a domain can resolve without a DNS provider - that makes zero sense.
In fastflux there is a DNS server somewhere but you would not be able to locate it from DNS records. All you can find from the NS delegations of the domain and the corresponding A records are machines running malware without their owner knowing it. That malware is basically a DNS proxy that sends the query to the real server and passes the answer back. All the involved NS domains are cybercrime domains. Killing those machines does not accomplish any result as far as the botnet operation is concerned, while killing the domains may result in a major disruption of the botnet.
The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'.
That's highly defamatory.
I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone.
I am sorry if they get offended, but I think I described fairly well the net outcome as observable from outside. 'Doing nothing' reflects an absence of observable actions, not a lack of actions. There could have been a large amount of internal discussions and meetings, possibly board meetings too, which did not produce any observable action with respect to abuse mitigation for rather long times. Again, this is the past, and I do not think anyone working in these organizations should be personally blamed. It is quite common and normal that structured organizations are unable to address effectively an unexpected issue on a short timescale, and I can see that there could be very good reasons for this. But it is also my belief that, when this happens, applying a pressure to have things fixed as quickly as possible is healthy for the system as a whole, particularly when the positive and negative effects are integrated over time. Applying pressure is not a pleasant thing for both parties involved, as any parent reprimanding his/her child would know - but it is a healthy thing for everybody when you look at it on a larger timescale and on a larger perspective.
Similar problems have then occurred in .PL and .RU as well.
Again - broad sweeping statements.
I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed
Broad sweeping? It is a one-line summary of a rather huge cybercrime problem on these ccTLDs. This is peripheral to the current discussion - it may deserve a separate thread, but I am not sure if this would be the proper forum for this discussion as no RIPE resource would be involved. furio ercolessi
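The fast-flux delegation pattern Furio describes above (NS names that resolve to compromised hosts acting as DNS proxies) leaves observable traces a defender can score from ordinary resolver answers: many NS names, their addresses spread across unrelated networks, and very low TTLs. The following is an added example, not code from anyone in this thread; all domain names, addresses and thresholds are constructed assumptions.

```python
"""Fast-flux NS delegation heuristic (added example, not from the thread).

Scores a domain on what is visible from outside: number of NS names, how
many distinct /16 prefixes their A records fall into, and the lowest TTL.
All names and addresses below are constructed (RFC 1918 placeholders).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Record:
    name: str    # owner name
    rtype: str   # "NS" or "A"
    value: str   # NS target name or IPv4 address
    ttl: int


def score_delegation(records, domain):
    """Return the observable fast-flux indicators for `domain`."""
    ns_names = {r.value for r in records if r.name == domain and r.rtype == "NS"}
    ns_addrs = {r.value for r in records if r.name in ns_names and r.rtype == "A"}
    # Proxies running on infected consumer hosts land in many unrelated
    # prefixes, whereas a legitimate NS set usually clusters in a few.
    prefixes = {str(ip_network(a + "/16", strict=False)) for a in ns_addrs}
    ttls = [r.ttl for r in records if r.name == domain or r.name in ns_names]
    return {
        "ns_count": len(ns_names),
        "ns_addr_count": len(ns_addrs),
        "prefix_count": len(prefixes),
        "min_ttl": min(ttls) if ttls else None,
    }


def looks_fast_flux(score, min_ns=5, min_prefixes=4, max_ttl=300):
    """Thresholds are illustrative assumptions, not a published standard."""
    return (score["ns_count"] >= min_ns
            and score["prefix_count"] >= min_prefixes
            and score["min_ttl"] is not None and score["min_ttl"] <= max_ttl)


# Constructed sample zone data: one fluxy domain, one ordinary domain.
SAMPLE = [Record("flux.example", "NS", f"ns{i}.flux.example", 60) for i in range(1, 7)]
SAMPLE += [Record(f"ns{i}.flux.example", "A", f"10.{i}.0.{i}", 60) for i in range(1, 7)]
SAMPLE += [
    Record("static.example", "NS", "ns1.static.example", 86400),
    Record("static.example", "NS", "ns2.static.example", 86400),
    Record("ns1.static.example", "A", "10.200.0.1", 86400),
    Record("ns2.static.example", "A", "10.200.0.2", 86400),
]
```

Feeding it real resolver output would require also tracking how the NS address set changes between queries, which the static snapshot here does not capture.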
In message <D1AC4482BED7C04DAC43491E9A9DBEC381AA4361@bkexchmbx02.blacknight.local>, "Michele Neylon :: Blacknight" <michele@blacknight.com> wrote:
On 27 Jun 2013, at 14:13, furio ercolessi <furio+as@spin.it> wrote:
Therefore the responsibility for terminating C&C domains lies on the registries, not on the DNS providers (that may not even exist).
Not necessarily.
If registries are going round the place pulling domains it causes headaches for registrars
Do you know what this is? ->.<- Answer: World's smallest violin. In short, any registrar who cannot cope with a reasonable action taken to defend the Internet from a botnet should get out of the business. The world does not revolve around them.
- and the registries don't have a contract / agreement with the registrant
Correct, and in this context, that is a Good Thing, because it means that they can kill a C&C domain and they are not breaking any contract when they do so. So what is the problem?
And I don't see how a domain can resolve without a DNS provider - that makes zero sense.
The criminals use hijacked machines of their own choosing (they usually have many to choose from) to supply whatever DNS they need. They have no reliance on traditional third-party suppliers of DNS, such as ISPs or registrars or dedicated DNS providers. (I suspect that this is what Furio was trying to say.)
The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'.
That's highly defamatory.
I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone.
On this side of the pond, we have a saying... "If the shoe fits..."
Similar problems have then occurred in .PL and .RU as well.
Again - broad sweeping statements.
Again, broadly true. I _personally_ have cataloged tens of thousands of crooked fake pharmacy domains, all registered under the .RU ccTLD.
I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed
You really think that the problems with .RU have been "addressed"?? On what do you base this belief? Regards, rfg
participants (10)
- Brian Nisbet
- Frank Gadegast
- furio ercolessi
- Jørgen Hovland
- Leo Vegoda
- Luis Muñoz
- Michele Neylon :: Blacknight
- Ronald F. Guilmette
- Sascha Luck
- Suresh Ramasubramanian