[anti-abuse-wg] RIPE 67 AA-WG Meeting Minutes

Colleagues,

More minutes! Here are the minutes from RIPE 67 for your approval.

Anti-Abuse Working Group
Date: 17 October 2013, 14:00-15:30
Chairs: Brian Nisbet and Tobias Knecht
Scribe: Anand Buddhdev

A. Administrative Matters

Brian Nisbet, Working Group Chair, welcomed the attendees and the 
minutes from RIPE 66 were approved.

B. Policies

RIPE Policy 2011-06 Update, RIPE NCC
Denis Walker, RIPE NCC

This presentation is available at:
https://ripe67.ripe.net/presentations/335-RIPE67abuseCv2.pdf

Piotr Strzyzewski, Silesian University of Technology, Poland, requested 
advance notice of the addition of abuse-c attributes to PI address space 
objects. Brian suggested that would be appreciated.

Gilles Massen, Fondation RESTENA, questioned the practice of duplicating 
data in the RIPE Database. Denis agreed that duplication is a bad idea, 
but that this database was designed with duplication in mind – not just 
for abuse-c but in other areas as well. He said there was no good 
solution yet and asked the audience to let the RIPE NCC think about this 
and come back with some ideas.

Bill Boughton asked via chat whether the tool being developed for PI 
holders will work with PGP-signed objects. Denis replied that it 
probably will not, because it’s difficult signing web forms and PGP 
works best with email, but said he will think about it.

Peter Koch, DENIC eG, said he agreed with Gilles, and couldn't see why 
the RIPE Database was designed with duplication in mind. He said that 
changing to a more specific object will confuse people, and the main 
point is figuring out who the target audience is for the whole abuse-c 
project, such as end users, automated systems, tool writers, etc.

Denis responded that there are tools to find the abuse contact 
information. The problem with putting these contacts in different places 
is that it will become difficult to maintain and will make it more 
difficult for the exiting finder tools to find the abuse contacts.

Peter thanked Denis for his explanation, but said that attaching the 
abuse-c attribute to the organisation object is a serious breach of the 
RIPE Database paradigm. He said that, if that’s confusing the 
maintainers, maybe it’s time to rethink the strategy and, if end users 
are confused, maybe tools are required to help them, which he said the 
RIPE NCC is already implementing.

Denis suggested that there may be a need to take a step forward with the 
admin-c and tech-c and others. Brian said that there was not time to 
discuss that idea in the session, or in the working group. He said that 
there’s more for the RIPE NCC to consider when it comes to the 
implementation of abuse-c.

Brian Nisbet asked about a message from the Database Working Group 
Mailing List about contradictory abuse contacts and statistics. Denis 
said that, before abuse-c existed, abuse contacts were allowed in five 
different object types, and that these references still exist, so it’s 
possible that the 4,000 members who have added abuse-c haven’t removed 
the old abuse mailboxes. He said things are now in a confusing 
transition period because of this. He said that there is no easy answer, 
and that mass emails asking people to clean up their old references 
might not be the best solution. He asked those in attendance to please 
clean up their old references.

Brian agreed that more emails might not be the answer but added that, at 
some time in the future, the strategy should be revisited and discussed 
on the mailing list. Denis explained that an automatic cleanup of the 
RIPE Database is not possible because of the complexity involved.

Brian thanked Denis for his presentation.

Update: RIPE Policy Proposal 2013-01
Sander Steffan, SJM Steffann

Sander Stefann said that there have been no comments on the mailing list 
about the latest version of RIPE Policy Proposal 2013-01, “Openness 
about Policy Violation”. He stated that he will ask for a final call for 
comments and that if he doesn’t see any within a few weeks, he will 
assume that there’s no support and will withdraw the proposal. Brian 
encouraged participants to provide feedback.

C. Updates

C1. Recent List Discussion

Brian Nisbet talked about ongoing mailing list discussions. He noted 
that there were hardly any messages about specific issues that needed 
solving. He said that there were often messages to the list from people 
with problems, who aired them hoping for someone to propose a policy or 
do some other work on it, but that's not how things work. Wilfried 
Wöber, UniVie/ACOnet, said that it was actually a good thing that 
messages to the list did not automatically turn into actions for someone 
else. Brian agreed, noting that there were procedures in place to start 
work. He stressed that the chairs do read all the messages, and hear 
peoples' concerns.

C2. Anti-Abuse Working Group Charter

Brian Nisbet said that the new text for the Anti-Abuse Working Group 
Charter had not yet been written, but that no major changes were 
planned. It will be prepared well before RIPE 68 in Warsaw and 
circulated on the mailing list.

D. Interactions

D1. Working Groups

Brian Nisbet said that nothing had been written yet regarding 
interacting with other working groups. He said that he and Tobias Knecht 
have some ideas about certain policies, which may be better suited to 
the Database Working Group.

D2. RIPE NCC Government/LEA Interactions Update

Brian noted that the RIPE NCC was continuing to interact with law 
enforcement agencies (LEAs), and that there was nothing new lately. He 
noted that it was good to see LEAs attend meetings.

E. Presentation

E1. ACDC (Advanced Cyber Defence Center) Project
Thorsten Kraft, eco e.V.

This presentation is available at:
https://ripe67.ripe.net/presentations/347-ACDC_Presentation_RIPE_67.pdf

Alexander Lyamin (HLL) asked whether the main source of data was end 
user reports. Thorsten said it wasn't just end user reports but also 
notifications from ISPs and server operators. Alexander was happy to see 
that this project was not only focused on end user PCs. He asked what 
ACDC would do about things like set-top boxes and DSL modems whose 
firmware is not easy to update, and which are often used in DDoS attacks.

Thorsten said that they would talk to the CERT closest to the vendor to 
pass on the information. He said currently there were no vendors (except 
Cisco) participating in ACDC. Alexander asked about ACDC's strategy in 
the face of new-generation botnets without command and control servers, 
and Thorsten said that, since it was funded by the EU, they will not be 
shooting any updates on the boxes because it's not permitted by law.

Brian Nisbet asked what the end goal of this project is and what happens 
after the initial funding period. Thorsten said the project is here to 
stay and that they want to develop more tools and let others run this 
kind of project independently. He also said he wants to develop a 
proposal for the European Commission about running this project 
themselves after the funding period, and find business models to keep 
the project running. He said the project is open and welcomes ideas from 
everyone.

Patrick Tarpey, Ofcom, asked whether this data can be shared with other 
people, and Thorsten confirmed that the data can be shared.

Brian asked about the definition of legitimate parties, and Thorsten 
said that most data would be open unless a contributor requests that it 
be restricted.

Brian asked how open this project was going to be, and Thorsten said it 
would be totally open, so others can also use it.

An audience speaker noted that there were more initiatives like this, 
such as SpamHaus, and asked how ACDC is better than them. Thorsten said 
they do not want to be better, but just want something that is open and 
community driven.

Brian asked about the target users of this project and whether they 
would be end users, companies or law enforcement. Thorsten said that it 
is for everyone.

Thorsten said this is a very important project, and needs data. He 
appealed to participants for help.

E2. x-arf (Extended Abuse Reporting Format)
Tobias Knecht, abusix GmbH

The presentation is available at:
https://ripe67.ripe.net/presentations/342-abusix_RIPE.pdf

Brian Nisbet asked how stable the x-arf specification was. Tobias said 
that it is quite standard now, and being used by large companies. He 
added that he was talking to people within the IETF to make it a 
standard within the next two to three years. Brian asked Tobias to come 
back and talk more about it when changes have been made to it. Brian 
asked the room if many people were using this, and Bengt Gördén, 
Resilans AB, said they were “sort of” using it. Bengt added that he was 
looking for ways to standardise abuse reporting, and was looking at 
x-arf, but is not quite there yet.

Brian asked one of the participants, Richard Leaning, Europol, about the 
automation of these kinds of tools and information, and if anything fits 
in with what Europol is doing. Richard responded that they were using 
tools at Europol, but not x-arf. He stated that he didn’t know much 
about it and would therefore talk to Brian about it.

X. AOB

Bengt Gördén, Resilans, talked about issues with American ISPs 
blacklisting PI address space, and failing to delist it or delisting it 
very slowly. He asked how the working group or the RIPE NCC can help.

Tobias Knecht replied that it's a known problem, especially with ISPs 
such as AOL. He said that addresses that were clean end up on blacklists 
because of botnet command and control servers, for example, and hosting 
and VPS providers have the same problem. He explained that their 
addresses change hands frequently and can easily become blacklisted.

Tobias said the issue of detecting whether address space is clean is an 
important one, but not easy to solve. He said it was not enough to just 
have a flag in the RIPE Database to indicate that IP address space had 
changed hands. Bengt said that the IP addresses were not bad, but had a 
poorer reputation because someone had blocked them. Thomas cited 
examples of hosting providers who had to change customers' IP addresses 
because their old addresses were unusable.

Thomas asked how IP address reputation could be measured. Brian Nisbet 
said that, in this context, the accuracy of the registry is very 
important. He mentioned RIPEstat as producing good information about 
when address space changes hands. He said that if users wanted the RIPE 
NCC to help more with this, they could talk to the RIPE NCC about it.

Z. Agenda for RIPE 68

Brian Nisbet urged participants to think about agenda items for RIPE 68, 
to be held in May, in Warsaw. He thanked the RIPE NCC staff, 
stenographers and participants before closing the session.