Hi Erik, Thank you for your talk yesterday, was very insightful. I have an issue with the concept of tagging an entire ASN/IP block with a negative brush, but I suspect this all boils down into how you define a “bad” ISP/IP block and the criteria needed to earn a blocking/place on the naughty list (back in 2010, there was a very interesting comparison of different blocklists here: https://labs.ripe.net/author/jsq/asn-ranking-correlations-between-spam-block... <https://labs.ripe.net/author/jsq/asn-ranking-correlations-between-spam-blocklists/> but this does refer to purely spam email). I suppose my major issue with this is collateral damage, for example say you’ve got a /24 with shared web hosting servers in there (which instinctively have lots of users on the same IP addresses, with no pre-filtering of content going online). I’ve seen situations where shared hosting domains with thousands of users have been revoked because one user hosted one malicious binary and I’d like to be assured that this can’t happen here, where one user is the downfall of everyone. I can easily see end-user eyeball ISP support getting confused with this, making un-needed blocks hard to remove. Thanks Harry
On 19 May 2021, at 11:00, connect-wg-request@ripe.net wrote:
Send connect-wg mailing list submissions to connect-wg@ripe.net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.ripe.net/mailman/listinfo/connect-wg or, via email, send a message with subject or body 'help' to connect-wg-request@ripe.net
You can reach the person managing the list at connect-wg-owner@ripe.net
When replying, please edit your Subject line so it is more specific than "Re: Contents of connect-wg digest..."
Today's Topics:
1. Input request for system on how to approach abuse filtering on Route Servers - bad hosters (Erik Bais)
----------------------------------------------------------------------
Message: 1 Date: Tue, 18 May 2021 19:52:15 +0000 From: Erik Bais <erik@bais.name> To: "connect-wg@ripe.net" <connect-wg@ripe.net>, "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Subject: [connect-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters Message-ID: <9515151D-5223-457D-8BFC-D9610CEDA340@bais.name> Content-Type: text/plain; charset="utf-8"
Hi,
As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see if there is a way to get a cleaner feed from routeservers on internet exchanges. ( by default )
As you may know there is an Dutch Anti Abuse Network initiative ( AAN ) ? abuse.nl
The companies associated with AAN setup and all signed a manifest ( in Dutch - https://www.abuse.nl/manifest/ ) that states that we will all do our best to provide a better and cleaner internet.
As members of the member organisation of the largest Internet Exchange, AMS-IX, we like to start with the discussion on asking the AMS-IX to filter certain AS numbers from the default routeserver view. The issue is that even if you don?t peer with certain networks directly, the change is very real that you will receive or that the other network receive your prefixes and that you may not want to peer with those networks.
What we like to have is an independent way of generating a list with badhosts ( say a top 50 ) .. ( and with our Dutch infrastructure we have a couple on the Dutch infrastructure as well.. )
A couple years ago there was the list of HostExploit .. or one could have a look at the drop-list of SH .. Personally I would like a proper model that one can explain why a certain network is listed on a certain list with a clear method explaining of what kind of abuse is noted in the said network.
Topics that should be included on the rating for the list :
* Phishing (hosting sites / domain registrations ) * Malware hosting ( binaries and C&C?s ) * DDOS traffic ( number of amplification devices in the network compared to the number of IP address ratio ) * Login attacks / excessive port scanning * Hosting of Child exploitation content * Infected websites / Zeus Botnets * Etc
So yeah, something similar as the Top 50 of HostExploit ranking .. but HostExploit stopped producing these lists in 2014.
By filtering a top 50 of badness hosters on the Routeservers would remove the cheap IXP option for network connectivity at the better Internet Exchanges and provide a way to remove any DDOS traffic via BGP null-routing via Transits. And companies that would still want to peer with a certain network, can still do so by direct peering setup via the IXP infra.
And it will not bring the IXP in a position where it will be asked on why they are still offering services to certain parties .. as that might become legally difficult especially in a membership organisation.
So we don?t mind if we take their money as long as are not forced to peer with them via the routeservers.
Your constructive feedback is highly appreciated.
Regards, Erik Bais A2B Internet