[anti-abuse-wg] Bulletproof servers causing mischief on the internet

Defining '​bulletproof hosting' as a relatively simple problem that RIPE can tackle is a bit naive.
There are several layers, a lot is happening in the darkweb with no clear linkage to the clearnet, this is clearly outside the scope of RIPE.
The most sofisticated cybercrime syndicates provide Crime-Infra-a-as-Service (CIaaS), they hire servers from the larger hosting companies, react very fast on abuse notices and migrate the offending customer to their CIaaS at an other hoster. These syndicates are very welcomed by the hosting company as they act immediately on abuse complaints, they are the poster child for 'how a reseller needs to deal with abuse'. As there is no 'global view' it is not know who these are. Europol will not investigate, Dutch Police will not investigate (when prosecuted they will not se sentenced to Dutch jail so all the time spend investigating them will not count for their KPI's .. (sad but true)). Nothing RIPE can do about this either.
What's left are the smaller players that rent /24's and ASN, or register an anonymous company (fi US LLC) and anonymously become a LIR and do their 'bad thing'. This will check-out for RIPE! And then become a client of some larger 'very permissive' hosters (if they are lazy) or they build a spiderweb and contract their IaaS, buy colo, buy transit from separate third parties . These third parties normally see no abuse so for them no red flags, these contracts normally are with other companies so when you aks them if fi. 'Inferno Ltd' is a customer they genuine can say 'no', as their is no clear linkage between 'Inferno ltd." and their customer 'HELL LLC'.
In NL we received a list of 'known bulletproof hosters' from the NL Police (they did a Russian language google search on 'bulletproof hosting + netherlands', it turned out later), when we checked the list we had about a 40% rate of actual bulletproof server delivery, most of these sites scam their prospective criminal client. So it is not all happy in criminal wonderland.
RIPE needs to ensure the registration data is correct, this is their main 'raison d'être'. However they cannot do it all themselves, nor is their remit to be the internet  sheriff of last resort. This puts boundaries on what you can expect from RIPE. You can be a cybercriminal and be fully complaint with RIPE rules and regulations, you can be a fully legit company and break all those. It is not for RIPE to label you a 'bad actor'. 
The fact some one does not act on abuse complaints is not a RIPE issue however with the Digital Services Act (DSA) becomming active soon it will become a DSA issue. Please investigate how you can use the DSA to your advantage in fighting abuse (within the EU).

Cheers,
Alex​-- IDGARA | Alex de Joode | alex at idgara.nl | +31651108221 


On Fri, 19-01-2024 14h 07min, OSINTGuardian <contact at osintguardian.com> wrote:
> hi Carlos,

> 
I'm not talking about RIPE NCC being responsible when someone random on some random provider in the world uploads something illegal. This is incorrect and I never referenced this.
I am referring to criminals who use RIPE NCC to buy many IP addresses to later sell them to criminals and that this hosting provider is sold publicly as "bulletproof hosting".

> 
I think the comparison with phone providers would be good if a phone provider sells thousands of phone numbers to criminals so that these criminals then make a "bulletproof phone provider" using the phone numbers previously sold, and then these telephone numbers are used for illegal activities.

> 
Would the original telephone provider that sells the phone numbers have consequences? Yes, the authorities would probably investigate them for selling thousands of phone numbers to criminals and doing nothing to monitor that this was happening or to suspend service to all the phone numbers sold to the criminal who created "the bulletproof number provider."

> 
In this case, criminals come to RIPE NCC to buy thousands of IP addresses to later use them in a "bulletproof hosting" market, most of these hosting providers ignore DMCA, spam, hackers, etc. But there is a very dark part of these hosting providers that are complicit in child pornography, pedophilia, drug trafficking, non-consensual pornography, weapons sales and terrorist websites.

> 
Can RIPE NCC stop these bulletproof hosting providers? Yes
These hosting providers ignore abuse reports and do not comply with abuse emails, even though RIPE NCC prohibits this, what is RIPE NCC doing to punish these bulletproof hosting providers? As far as I know nothing is done.

> 
about the fact that this would not only have to be for RIPE NCC, but also the other RIRs, yes. I agree with this.

> 
Honestly, I would like to speak to a RIPE NCC member about this as I have a lot of evidence against bulletproof hosting that does extremely illegal activities and is used to provide websites on the Tor network (although most of the illegal content it is on the clear web)

> 
>From what I saw in this group, there are a lot of people here who are upset that this is happening. Bulletproof hosting providers are everyone's problem. but no one does much to punish them and unfortunately the only ones who win are the criminals and their accomplices.

> 
I hope that RIPE NCC along with other RIRs get together and do something against organized crime. It would be great news for everyone.
Although I'm not going to get my hopes up, maybe this will happen in 10 years when something so serious happens on the Internet that it forces us to do something against bulletproof hosting, but it seems that currently the RIRs don't seem to take it seriously

> 
thanks for your contribution carlos

> 
Claudia Lopez
OSINTGuardian

> 
> 
        
> 
        
          On ene. 19 2024, at 6:35 am, Carlos Friaças <cfriacas at fccn.pt> wrote:
          
> 
        

        > 
          Greetings,

Maybe we need a bulletproof hosting directory on the web? :-))

>From what i've learned, illegal content depends on jurisdiction, and 
effectively that's what greatly impacts the possibility of takedowns.

I've also seen what you mention about advertising services as 
'bulletproof', but i've already seen some of those companies remove that 
kind of advertising (in this case, web archives are your friend!)

The RIPE NCC, afaik, doesn't act on illegal content, because it lacks any 
mandate for that.

In the same way criminals are able to use phones, they are allowed to 
use IP addresses. The downside with the IP addresses is they can in 
practice build/manage (informal?) network operators, which provide them 
with a lot more flexibility. But that's the model we have had for 
decades...

I totally agree with the ICANN comparison, but it wouldn't be only RIPE 
NCC, for efectiveness you would have to have all the five RIRs on the same 
page.

But i'm afraid "the community" -- which also includes the 'bulletproofers' 
-- will not issue any mandate to the RIPE NCC to do something. Instead, 
at some point, we well see more regulatory stuff kicking in........


Best Regards,
Carlos



On Wed, 17 Jan 2024, OSINTGuardian wrote:

> hi,
> 
> There are more and more bulletproof hosting in the world every month and they are causing more and more chaos, feeding the dark web by
> providing servers to criminals of all kinds who use the servers on .onion websites in Tor and flooding the clear web with illegal
> content.
> 
> There is a bulletproof hosting market that is even openly promoted, it is as easy to find companies that provide bulletproof servers as
> searching on Google, hacker forums or simple internet websites that provide lists of bulletproof hosting companies.
> 
> The business model of these companies is to ignore reports of abuse of illegal content, to look the other way when someone uploads
> illegal content. This is openly their business model, what does RIPE NCC do about this?
> 
> RIPE NCC provides IP addresses to many of these companies with bulletproof servers that are then used by criminals on the Internet,
> strengthening organized crime. 
> 
> ICANN publicly has an abuse reporting form, where users can report if a company provides bulletproof domains or ignores abuse reports.
> If RIPE NCC did this same thing, the internet would become a better place.
> 
> If RIPE NCC did this and also other IP address accreditors, they would greatly affect criminals on the Internet and therefore the
> Internet would become a slightly safer place than it is today. Bulletproof server companies would be afraid of being caught by RIPE NCC
> committing these violations. Unfortunately, these companies currently feel enough freedom to do this, that they even show themselves
> publicly.
> 
> Is RIPE NCC planning to do anything against this?
> 
> - Claudia Lopez
> OSINTGuardian
> 
>

        
      
--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20240120/37c2ffec/attachment.html>