Input request for system on how to approach abuse filtering on Route Servers - bad hosters
Hi, As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see if there is a way to get a cleaner feed from routeservers on internet exchanges. ( by default ) As you may know there is an Dutch Anti Abuse Network initiative ( AAN ) – abuse.nl The companies associated with AAN setup and all signed a manifest ( in Dutch - https://www.abuse.nl/manifest/ ) that states that we will all do our best to provide a better and cleaner internet. As members of the member organisation of the largest Internet Exchange, AMS-IX, we like to start with the discussion on asking the AMS-IX to filter certain AS numbers from the default routeserver view. The issue is that even if you don’t peer with certain networks directly, the change is very real that you will receive or that the other network receive your prefixes and that you may not want to peer with those networks. What we like to have is an independent way of generating a list with badhosts ( say a top 50 ) .. ( and with our Dutch infrastructure we have a couple on the Dutch infrastructure as well.. ) A couple years ago there was the list of HostExploit .. or one could have a look at the drop-list of SH .. Personally I would like a proper model that one can explain why a certain network is listed on a certain list with a clear method explaining of what kind of abuse is noted in the said network. Topics that should be included on the rating for the list : * Phishing (hosting sites / domain registrations ) * Malware hosting ( binaries and C&C’s ) * DDOS traffic ( number of amplification devices in the network compared to the number of IP address ratio ) * Login attacks / excessive port scanning * Hosting of Child exploitation content * Infected websites / Zeus Botnets * Etc So yeah, something similar as the Top 50 of HostExploit ranking .. but HostExploit stopped producing these lists in 2014. By filtering a top 50 of badness hosters on the Routeservers would remove the cheap IXP option for network connectivity at the better Internet Exchanges and provide a way to remove any DDOS traffic via BGP null-routing via Transits. And companies that would still want to peer with a certain network, can still do so by direct peering setup via the IXP infra. And it will not bring the IXP in a position where it will be asked on why they are still offering services to certain parties .. as that might become legally difficult especially in a membership organisation. So we don’t mind if we take their money as long as are not forced to peer with them via the routeservers. Your constructive feedback is highly appreciated. Regards, Erik Bais A2B Internet
Am 18.05.21 um 21:52 schrieb Erik Bais:
Hi,
As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see if there is a way to get a cleaner feed from routeservers on internet exchanges. ( by default )
As you may know there is an Dutch Anti Abuse Network initiative ( AAN ) – abuse.nl
The companies associated with AAN setup and all signed a manifest ( in Dutch - https://www.abuse.nl/manifest/ ) that states that we will all do our best to provide a better and cleaner internet.
Nice initiative!
...
Topics that should be included on the rating for the list :
* Phishing (hosting sites / domain registrations ) * Malware hosting ( binaries and C&C’s ) * DDOS traffic ( number of amplification devices in the network compared to the number of IP address ratio ) * Login attacks / excessive port scanning * Hosting of Child exploitation content * Infected websites / Zeus Botnets * Etc
One problem with the approach is that there isn't a single measure of badness, as the topic list already shows. It's a multi-dimensional vector, and its dimensions are not easily defined in a non-controversial way. The criteria for including a network in a top N list will therefore be unavoidably subjective. In the process of thinking about ways to tackle e-mail abuse (which doesn't even show in your list, probably because it's not really a problem for network operators but only for mail operators) I came up with some ideas about a distributed reputation network that might have some desirable properties: * Separation of network and resource owner observations and policy decisions: It would be very helpful to have multiple independent and reliable sources listing type and severity of network abuse in real time, but I'd like to define my own policy rules and use those abuse metrics as input for policy decisions. As a mail operator, I might be personally very concerned about malware hosting, but the things that would affect my blocking policy are spam volume and mail account bruteforce attacks (and to some extent, DDOS traffic). Network operators may have different policies to protect the integrity of their networks and implement legally required rules. * Distributed P2P database: I'm thinking about something like a cryptocurrency blockchain or the PGP web of trust, which avoids having a single point of failure and also avoids a single hierarchy of trust. Cryptography provides some excellent tools, but apart from the ubiquitous TLS (and the mentioned blockchain systems) it's used much too sparingly in securing information integrity. * Reputation metrics: It should be possible to assert not only observations of network behavior, but also reputation statements about the publishers of such observations. This makes evaluating the trustworthyness of a reporter possible, and with enough participants could provide a relatively unbiased view. Hope this provides some food for thought/discussion. I'm well aware that my viewpoint is necessarily limited, as I don't have any network operating experience, but some aspects may be transferrable to that area. Cheers, Hans-Martin
Hans-Martin Mosner wrote: One problem with the approach is that there isn't a single measure of badness, as the topic list already shows. It's a multi-dimensional vector, and its dimensions are not easily defined in a non-controversial way. The criteria for including a network in a top N list will therefore be unavoidably subjective. In the process of thinking about ways to tackle e-mail abuse (which doesn't even show in your list, probably because it's not really a problem for network operators but only for mail operators) I came up with some ideas about a distributed reputation network that might have some desirable properties: * Separation of network and resource owner observations and policy decisions: It would be very helpful to have multiple independent and reliable sources listing type and severity of network abuse in real time, but I'd like to define my own policy rules and use those abuse metrics as input for policy decisions. As a mail operator, I might be personally very concerned about malware hosting, but the things that would affect my blocking policy are spam volume and mail account bruteforce attacks (and to some extent, DDOS traffic). Network operators may have different policies to protect the integrity of their networks and implement legally required rules. I agree. There are two points. First to agree on a list of observations/metrics, so that everyone categorises things the same way. This should be relatively simple. And then, hopefully, some kind on agreement on a recommended threshold. Or a set of thresholds depending on the tolerance (which also allows initiatives like AAN to start gradually). * Distributed P2P database: I'm thinking about something like a cryptocurrency blockchain or the PGP web of trust, which avoids having a single point of failure and also avoids a single hierarchy of trust. Cryptography provides some excellent tools, but apart from the ubiquitous TLS (and the mentioned blockchain systems) it's used much too sparingly in securing information integrity. Cryptocurrency blockchains are not a good tool, but I completely agree. Validation should be included from the beginning. It can be as simple as including signatures. Similar to Certificate Transparency servers. Note you also need to define who is allowed to send there if you expect "everybody" to consume it. This is similar to your following point: * Reputation metrics: It should be possible to assert not only observations of network behavior, but also reputation statements about the publishers of such observations. This makes evaluating the trustworthyness of a reporter possible, and with enough participants could provide a relatively unbiased view. although I was thinking in a bad actor flooding the database with useless observations in order to make it inoperative. Best regards -- INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ==================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ==================================================================== In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitationof processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad. ====================================================================
participants (3)
-
Erik Bais -
Hans-Martin Mosner -
Ángel González Berdasco