Anti-Abuse WG - RIPE 71
Date: Thursday, 19 November 11:00 - 12:30
WG Co-Chairs: Brian Nisbet, Tobias Knecht
Scribe: Laura Cobley
A. Administrative Matters [5 min]
- Welcome
- Scribe, Jabber, Stenography
- Microphone Etiquette
- Approve Minutes from RIPE 70
- Finalise Agenda
B. Update [15 min]
- B1. AA-WG Chair Matters
Tobias was accepted to continue as co-chair.
- B2. Recent List Discussion
- Foreign/Undelegated Route Objects (see section C) - no comments
- Data Verification and abuse-c contact methods - no comments
- LIR Contract Discussions - no comments - Brian has asked the RIPE NCC for more info on the claims that RIPE NCC is party to End User contracts.
- Sources of Abuse Contact Info Document - no comments
C. Policies [0 min]
- Foreign objects in the RIPE DB - Brian encouraged the group to participate in the discussions taking place in the Database Working Group (DB-WG).
D. Interactions [20 min]
- D0. Richard Leaning (RIPE NCC) will work on extending Law Enforcement engagement
- D1. Update on RIPE NCC Security Outreach Activities - Mirjam Kühne
https://ripe71.ripe.net/presentations/5-SecurityUpdate4RIPE71.pdf
Sean Turner (IECA) asked whether the work between ICANN and the RIRs on IP and Whois accuracy and due diligence public safety has started yet, as per the ICANN meeting minutes. Marco Hogewoning (RIPE NCC) confirmed that RIPE NCC is involved with the PS WG.
Hans Petter Holen (RIPE Chair) added that lots of suggestions from ICANN meetings come up from misunderstanding existing processes. He suggested that they believe we have more problems with Whois accuracy than they do with domain names - he thinks it's the opposite.
Marco confirmed that the RIRs continue to educate where needed.
Mirjam Kühne (RIPE NCC) added that the RIPE NCC is educating and engaging on how to use our tools.
Brian Nisbet (AA-WG Chair) commented that the MAAWG meeting was surprisingly good and that there was a positive reaction to the presentation and the openness of the RIPE Community - the relationship continues.
Mirjam reiterated that there is a continued need for more collaboration between the two communities.
Peter Koch (DENIC) commented that openness can be a barrier to collaboration.
Marco d'Itri (Seeweb) reminded the group of the open invitation from MAAWG to RIPE community members to participate.
Mirjam rounded off by adding that if RIPE NCC can help to bridge any divide, it is happy to and will continue to.
E. Presentation [45 min]
- E1. Open Source Abuse Management for Network Operators - Abuse.io (Erik Bais)
https://ripe71.ripe.net/presentations/130-AbuseIO-4.0-RIPE71-AAWG-v1.pdf
(Bart Vrancken is on IRC to answer additional questions)
Marco d'Itri asked whether the system processes ARF and legacy feedback group. Erik confirmed that they do include Spamhaus reports and ARF as well. You can also write your own parsers.
Bengt Gorden (Resilans) asked whether it was easy to get your own customer database included.
Erik confirmed that they did it manually, but there is an option to do lookups in your own administrative environment.
Bart Vrancken (via IRC) confirmed that there is built-in support and 4.0 support for PHP.
Erik encouraged everyone to look at the website, join IRC and chat with Bart.
- E2. The Traffic Amplifiers Great Hunt - ANSSI (Florian Maury)
https://ripe71.ripe.net/presentations/65-ripe71_antiabusewg_anssi_the_traffic_amplifiers_great_hunt.pdf
Steve Nash (Arbor Networks) added that another thing people can do is to elevate management visibility so that the money becomes available.
Erik Bais (A2B Internet) asked whether the info from the scans has been made available.
Florian clarified that they haven't performed any scans. They used open data, which is already available publicly.
- E3. Helping Network Operators to Bring Down DDoS Sources - ANSSI (Markus de Brün)
https://ripe71.ripe.net/presentations/72-DDoS_Open_Services_Cleanup_Germany.pdf
Brian asked whether there is any feeling for when ANSSI would no longer consider this to be a problem worth worrying about? Do you ever expect it to reduce to zero?
Markus explained that the goal is to get as far down as possible and that this will take a long time.
Florian Maury confirmed that indeed this would be difficult, but reducing the number of available nodes is a short-term action that can be taken now. Longer-term actions (such as working on anti-spoofing technologies and updating the protocols being used for these attacks) can be useful too.
Marco Hogewoning asked what triggered the ISPs into action. Was it the outreach or incidents happening?
Markus shared that early on, due to repeated communication, ISPs that were not aware of the situation took action.
Mohsen Souissi (AFNIC) asked whether DNS over TLS will ever become a full replacement.
Florian suspects that it won't solve the problem but having DNS over TCP will probably help.
Will van Gulik (IP-Max SA) indicated that receiving reports from other countries (e.g. France) would be really appreciated.
Markus advised that they only have data for Germany, but perhaps his French colleagues would start an action like this.
Florian explained that their data came from worldwide scans, so if you provide the prefixes you are interested in we can share.
Brian reminded the room that the Internet has no borders.
Chris Baker added that the Shadowserver Foundation is available to give reports without country restrictions.
X. A.O.B.
Brian mentioned that there is still time to submit a lightning talk for tomorrow's session.