<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:122115052;
mso-list-type:hybrid;
mso-list-template-ids:-1095452190 1158584274 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:716929581;
mso-list-template-ids:-786107964;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>Hi Erik,<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>This is a vital topic! You focused a bit on the Dutch community. However, I think it is globally significant.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>We at DE-CIX are very active in reacting to abusive peers on our IXPs. We have disconnected peers who were (repeatedly) not obeying the law or the DE-CIX Terms and Conditions. I gave a talk about what DE-CIX does in this regard during RIPE75 (https://ripe75.ripe.net/archives/video/103/).<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>Disclaimer: I am not a lawyer.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>The European telecommunication law does not allow IXPs to look into peers' traffic on the application level (for a good reason, I believe). So, we do not know if a peer hosts malware or is sending out spam only. DE-CIX is only allowed to look into the operational data (e.g., Route or ASN hijacks) or behavior (e.g., unwanted traffic due to static routes on the Peering LAN). Based on this information, DE-CIX is acting.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>I am highlighting this because I see issues if IXPs (or carriers and transit providers) are used as central infrastructure to filter data due to information they cannot verify or generate. Just think about the central DNS filtering and censoring discussion we had on a European level to stop certain abusive and harmful Internet services from being accessible.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'>Thomas<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>-- <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Dr. Thomas King<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Chief Technology Officer (CTO)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>DE-CIX Management GmbH | Lindleystraße 12 | 60314 Frankfurt am Main | Germany | <a href="http://www.de-cix.net">www.de-cix.net</a> |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Phone +49 69 1730902 87 | Mobile +49 175 1161428 | Fax +49 69 4056 2716 | <a href="mailto:thomas.king@de-cix.net">thomas.king@de-cix.net</a> |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Geschaeftsfuehrer Harald A. Summa and Sebastian Seifert | Registergericht AG Koeln HRB 51135<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>DE-CIX 25th anniversary: Without you the Internet would not be the same!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Join us on the journey at <a href="https://withoutyou.de-cix.net">https://withoutyou.de-cix.net</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=en-DE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> connect-wg <connect-wg-bounces@ripe.net> <b>On Behalf Of </b>Erik Bais<br><b>Sent:</b> Tuesday, 18 May 2021 21:52<br><b>To:</b> connect-wg@ripe.net; anti-abuse-wg@ripe.net<br><b>Subject:</b> [connect-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>Hi, <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see if there is a way to get a cleaner feed from routeservers on internet exchanges. ( by default ) <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>As you may know there is an Dutch Anti Abuse Network initiative ( AAN ) – abuse.nl <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>The companies associated with AAN setup and all signed a manifest ( in Dutch - <a href="https://www.abuse.nl/manifest/">https://www.abuse.nl/manifest/</a> ) that states that we will all do our best to provide a better and cleaner internet. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>As members of the member organisation of the largest Internet Exchange, AMS-IX, we like to start with the discussion on asking the AMS-IX to filter certain AS numbers from the default routeserver view. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>The issue is that even if you don’t peer with certain networks directly, the change is very real that you will receive or that the other network receive your prefixes and that you may not want to peer with those networks. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>What we like to have is an independent way of generating a list with badhosts ( say a top 50 ) .. ( and with our Dutch infrastructure we have a couple on the Dutch infrastructure as well.. ) <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>A couple years ago there was the list of HostExploit .. or one could have a look at the drop-list of SH .. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>Personally I would like a proper model that one can explain why a certain network is listed on a certain list with a clear method explaining of what kind of abuse is noted in the said network. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>Topics that should be included on the rating for the list : <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>Phishing (hosting sites / domain registrations ) <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>Malware hosting ( binaries and C&C’s ) <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>DDOS traffic ( number of amplification devices in the network compared to the number of IP address ratio )<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>Login attacks / excessive port scanning <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>Hosting of Child exploitation content <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>Infected websites / Zeus Botnets <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo3'><span lang=EN-IE style='font-size:11.0pt'>Etc<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>So yeah, something similar as the Top 50 of HostExploit ranking .. but HostExploit stopped producing these lists in 2014. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>By filtering a top 50 of badness hosters on the Routeservers would remove the cheap IXP option for network connectivity at the better Internet Exchanges and provide a way to remove any DDOS traffic via BGP null-routing via Transits.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>And companies that would still want to peer with a certain network, can still do so by direct peering setup via the IXP infra. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>And it will not bring the IXP in a position where it will be asked on why they are still offering services to certain parties .. as that might become legally difficult especially in a membership organisation. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>So we don’t mind if we take their money as long as are not forced to peer with them via the routeservers. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>Your constructive feedback is highly appreciated. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>Erik Bais<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'>A2B Internet <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='font-size:11.0pt'><o:p> </o:p></span></p></div></body></html>