This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Previous message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Next message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Suresh Ramasubramanian
ops.lists at gmail.com
Thu Jun 27 15:57:07 CEST 2013
Michele, there's this thing called fastflux NS as well Host the NS on compromised nodes with a low TTL and you just don't need to find an ISP or dns provider to host NS for you. As for the defamatory / sweeping statements thing - I will only say that an analysis of the number of .at / .lv etc domains turning up in traps, honeypots, bls etc tends to bear out an impression that once criminals find a gTLD or ccTLD where terminations are slow to non existent, they will crowd on to it, in increasingly larger numbers. .hk found that out the hard way some years back and it took a lot of data passed to hkdnr, and a lot of convincing and/or pressure on them from a variety of sources (including, presumably, some official ones) made them take several steps to lock their ccTLD down. There should be a presentation somewhere from HKDNR's Bonnie Chun talking about their experiences and the steps they took to ensure this doesn't recur. I can tell you for sure that soon after the largescale termination of like thousands of .hk domains in a matter of days, the domains started to crop up on a provider in another (very small) asian nation, where a simple email to a trusted contact there was enough to get them turfed off, very quickly indeed. They didn't ever come back there as far as my statistics show - and this is from nearly a decade back. This is absolutely not behavior restricted to registrars or TLDs. If you find a colo host that is lackadaisical about abuse issues for whatever reason, that provider will pretty soon find his service overrun with spammers, bot c&c, irc kiddiez and whatever else, compared to providers that run a tighter ship wrt abuse mitigation. So, I am sorry to say but furio's statements are fairly accurate, though they may be a trifle more blunt than some can take. thanks -srs On Thursday, June 27, 2013, Michele Neylon :: Blacknight wrote: > Furio > > If you're going to make statements about 3rd parties you should try to > restrict yourself to facts and not make broad sweeping statements. > > On 27 Jun 2013, at 14:13, furio ercolessi <furio+as at spin.it <javascript:;>> > wrote: > > > > > > > Therefore the responsibility for terminating C&C domains lies on the > > registries, not on the DNS providers (that may not even exist). > > Not necessarily. > > If registries are going round the place pulling domains it causes > headaches for registrars - and the registries don't have a contract / > agreement with the registrant > > While this may be different with ccTLDs you haven't specified that you're > only referring to cctlds .. > > And I don't see how a domain can resolve without a DNS provider - that > makes zero sense. > > > > > > The .AT and .LV cases have been two rather dramatic cases where the > > registries were sitting there doing nothing for a very long time, while > > the word spread among criminals that they were a 'safe haven'. > > > That's highly defamatory. > > I don't think the managers of either ccTLD would appreciate anyone > referring to them using that tone. > > > > Similar problems have then occurred in .PL and .RU as well. > > Again - broad sweeping statements. > > I'd take you more seriously if you referred to the current state of play > and not some past issues that have been addressed > > > > > > > Luckily, the times have changed and country CERTs are nowadays > > much more aware of the C&C problem and of the need to take down those > > domains swiftly. > > Irrelevant statement > > CERTs have little impact on registry operations when they're run by > private entities > > > > As it often happens with large organizations, > > 'learning' may be very slow and may need to be stimulated by external > > forces - not because of lack of capacity of the individuals working > > in the organizations to understand the issue, but because of the fear > > of those individuals to break a complex set of rules, and the possible > > need to have those rules changed to avoid breaking them. > > > > I believe that all the external forces working on this problem - > > Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and > > others - have played and are playing a very important role in > > interacting with registries and CERTs regarding cybercrime domains, > > even more so when those interactions have to be a little 'rough' > > to get some traction. Nobody likes friction i think, but sometimes > > it is needed to shake things and see some action. > > > > furio ercolessi > > > > Mr Michele Neylon > Blacknight Solutions ♞ > Hosting & Domains > ICANN Accredited Registrar > http://www.blacknight.co > http://blog.blacknight.com/ > Intl. +353 (0) 59 9183072 > US: 213-233-1612 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Facebook: http://fb.me/blacknight > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > -- --srs (iPad) -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/anti-abuse-wg/attachments/20130627/86d1493e/attachment.html>
- Previous message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Next message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]