Anti‑Abuse Working Group session

5 November, 2014, at 2 p.m.:

BRIAN NISBET: Hello to perhaps the strangest layout I have seen for an Anti‑Abuse Working Group session in a long time. I believe there are people over here obscured by this speaker and a very, very picky uppy mike.
Hello. I am the co‑chair of the Anti‑Abuse Working Group. Unfortunately, the other co‑chair Tobias can't make it, he is unfortunately ill and he couldn't make it today; he was hoping to be here for the day but it isn't possible. And I am not sure if I am allowed be left alone with a Working Group on my own without any co‑chair, strange things happened last time, but we will try not to repeat that set of circumstances.

We have a relatively full agenda today but I promise not to keep people as long as I did in Warsaw, you will have a coffee break, I promise you. Welcome to London, not as close to me as Dublin was, strange currency, but they live. Thank you to the NCC staff for their support and the scribe, whoever is looking after the RSC channel and as always to our wonderful stenographers who make all of this make sense later.

If you are asking any questions at the mics, please say who you are and what organisation, if any, you represent. Again, all of this session is being recorded and webcast, so please keep that in mind whenever you are standing up and talking.

So the first thing we need to do is approve the minutes of RIPE 68. Apologies for the tardiness of their being sent out, we did have a couple of things we needed to mention on that but I think they have all been fixed at this point in time. Are there any other comments people want to make about minutes from 68? Yes, please.

AUDIENCE SPEAKER: As far as ‑‑ at RIPE 68 there was discussion about a law enforcement agencies and RIPE NCC and I have not seen a section about this.

BRIAN NISBET: So, yes, I know what you asked; I don't think that that is part of the update that we are expecting today. I will be honest, I was remiss, I didn't follow up with them but you are correct, it was something that was asked for for an action for the NCC so I will talk to them again on foot of this meeting.


BRIAN NISBET: I think it was in the minutes but lacking in action point. I think I will need to go back and check in regards to it and what I will do, I will pull out the segment ‑‑ I remember it now ‑‑ and I will talk to you guys in the NCC about it and we will see, we will get the exact thing from it.

If there are no other comments, we had one last minute change to the agenda, which is a five‑minute presentation at the end about DDoS and research and some other things around that which will be explained when we get to that point in time. But unless there is any other additions to the agenda that anyone wants to put in at this point in time? No. Excellent. Grand.

We shall move on, then. So, this is the bit where I suddenly realise I need my laptop. Don't worry, I am not going to try and display anything from it. So there is three things ‑‑ two things from the recent list discussion, I am going to deal with the easy one first. We talked about the charter in Warsaw, we had a bit of a discussion about it in June. Everyone seems happy. We published a new version on the website, so as far as I am concerned that is done and closed at this point in time, and we can move on with the new charter for at least a little while until we start running out of content at some point and don't feel the need to talk about it again. Unless begin disagrees with me. No, what I like.

The other piece is around the procedure for Working Group Chair appointment and removal and such things. Any of you who went to some Working Groups this morning will see this is now cropping up in every single Working Group. This was an action put on the Working Group Chairs to put in place a form of words for and procedure for the appointment of Working Group Chairs and indeed for the removal of Working Group Chairs at a later point, presumably a later point in time. There are a number of reasons for this, one of them is to make the procedure open and transparent. We did attempt, as Hans Petter did publicise recently, to come up with a form of words for all Working Groups; we didn't quite manage that, so each Working Group is coming up with their own procedure, albeit they seem to be falling under three or four different broad headings. There was wording sent to the list about a month‑and‑a‑half ago, we had a bit of a discussion, with some very useful input. I published another form of words yesterday evening, which was really a very minor change to this. The short version for those of you who haven't had the chance to look at this, and I am not going to go through this in ‑‑ I am not going to read it all out, but the kind of short version for anyone who disagrees with me interpretation should feel free to tell me so, is that the Working Group chairs will have a term, there will be no limit on the number of terms they can ‑‑ sorry, they can have, but that there will be a term of, it should be three years, but I could be wrong, yes, it is, given I wrote this original document it would be very worrying if your that, so the term will be three years and after that that Chair can obviously choose to leave at any point in time or they can put themselves back in front of the Working Group for reselection, effectively. We have two Chairs at the moment, I think we are doing OK with two Chairs; if we have a potential increase to three, if necessary, so there is an open slot and again it's up to the Working Group to decide if that is needed.

In regards to the selection of Chairs, preferably we will do this by consensus, so preferably it would be nice if we could reach a point where the Working Group is happy to aclaim someone. If that consensus system doesn't work, if there are two people going for one slot and the Working Group cannot reach consensus then we will go to a secret ballot. Personally, I am not a huge fan of the notion of voting for this sort of thing. I vastly prefer the consensus method and if we can't reach that there has to be a way of breaking those ties. In the same way there is some text there in removal to the Working Group Chair that the Working Group feels is not doing their job, and that comes essentially down to a vote of no confidence. Again, if there is an aclammation there, then, cool, if it's very obvious, but we do have the methodology for a vote there.

Ultimately, as with all ‑‑ and the intention is that those decisions would be made at Working Group sessions. There was some debate there about the presence of people, whether that should be done on the mailing list or whether people need to be present in the meetings. I think people should be present in the meetings. No one really seems to have raised ‑‑ there was one suggestion otherwise but not actually a call for lack of consensus and there hasn't been a massive outcry against that. I think that kind of restricts the ability of people to stuff the ballot box, so to speak, from doing that from a mailing list point of view. Ultimately, this procedure has to be agreed on the mailing list, but I would be interested to hear any comments that anybody has in the room at this point in time. What is likely to happen by the way, on foot of this, assuming we agree this, one of either myself or Tobias will put ourselves up for ‑‑ you know, there will come a space free at the next RIPE in Amsterdam, one of myself or Tobias will put ourselves up for that. It will be open to other people, this will all be advertised to the mailing list and we will go from there. But we are not going to have both Chairs up for reselection at the same time because that is just not a good way of going about things.

So, is there any other conversation about that that people wish to have now? Or are people broadly happy with that. Has anyone read it? Does anyone care? Sander, OK. You are sticking your thumb up. OK. Grand. Hopefully this is something which will be OK, more thumbs up, this is all very positive. Hopefully it will be very lightweight and I think it's a good, it's an open procedure and this Working Group particularly is one of the Working Groups that is kind of spurred the need for this because we had had to remove a Chair at a previous point in time, so I never want to go through that particular procedural mess again. It would be nice to have something in place. It would be nice to never have to use it, that would be the ideal situation.

Grand. So, move on. There is a ‑‑ there is a live discussion on the mailing list right now, which has changed subject title and I see this now as I have my mail client open in front of me, from RIPE AS numbers to EU data protection. There is 15 new mails in it since last looked this morning, and I don't ‑‑ I haven't even caught up, so I don't really want to start discussing that here, largely because I think most of the room is going to be behind the live discussion and I know I am. That said, there were some questions raised a couple of days ago and we have been looking at them and I have spoken to Athena and Jocaim in the NCC and Ingrid to see if there is NCC input into that conversation as well, so I don't know where it's gone from them. A couple of others ‑‑ I say that in the ‑‑ it is a continuation of that conversation in regards to, well in regards to the date that the NCC have about various pieces of information and what they can release. So, unless someone has a burning need to discuss that in the room now, which I am more happy to do if you wish to, I am going to suggest we keep that on the mailing list so I and others can catch up, if nothing else.

AUDIENCE SPEAKER: Would you care to just say what the question is?

BRIAN NISBET: Very briefly. Yes. Ronald Humet proposed a couple of questions in regards to ‑‑ so it's when was a record created, so when was an org or otherwise created, it given an AS number, how can you find the identity of the associated LIR, what sorts of credentials or bona fides should applicants who are requesting an AS number provide to the RIPE LIR which processes the requests and have any allocations issued been revoked without the consent of the registrant of the application, and looking for some more information around those revocations. So that is when the conversation started. It has gone on since then.

Everyone is sitting down. Was it a nice lunch? OK. In which case, we will move on. I think this is the bit where I get to sit down for 30 seconds. Ah, yes, this space is still left intentionally blank. Unfortunately, with Tobias being ill we haven't had the chance to talk about the ‑‑ some of the policies we were talking about in Warsaw. We have a call to be arranged with the lovely NCC people in early December to start talking about some stuff, may which well end up in database and some of the things we have been talking about but there has been no progress on that so there is nothing particularly to discuss. And I am not aware of any policy proposals from the community which are relevant to the Anti‑Abuse Working Group. So, there is nothing particularly additional there to discuss.

So unless someone in the room has suddenly had a fantastic idea for an anti‑abuse‑related policy, we shall move on from that as well.

So, interactions, and this is where I think I get to sit down and Mirjam gets to ‑‑ is it you? Random NCC person who I believe is person. It's these two bits but...

MIRJAM KUEHNE: I thought there was 1, and 2 ‑‑

BRIAN NISBET: There was but they are basically all you.

MIRJAM KUEHNE: What we are doing is a triple act in fact, so it's only three or four slides, doing it with three people to make it a bit more interesting. We have Evo here is the RIPE NCC security officer, we have security officer for five years now at the RIPE NCC, but a few years ago we started to do a bit more outreach into the security community, if you will, so we want to talk a bit about that. I am the community builder at the RIPE NCC and you know me from RIPE Labs publications, I think. Marco will do the last about about our involvement with LEAs, law enforcement agencies.

So why don't we start reaching out more to the security community and what does that mean, security community is a very broad scope, different, little different communities in there. First of all, there is some security activities in the RIPE community, well for instance this Working Group, but there is so much more out there which we don't really see a lot here in RIPE so we try to do a bit of a bridge between those communities and make sure, maybe get some content into RIPE but also report back to the other security communities what is going on in RIPE and also what is going on in the RIPE NCC and a bit more education about the RIPE NCC activities.

Another goal was also to develop a bit more understanding of what the concerns are in the various security pockets in the community, to keep our ears open and see what people are discussing and what the concerns are. And yeah, we listed just a few little communities that we are actually reaching out to, governments, researchers, hackers' community, like the computer security incident response teams, and operators, obviously, also deal with security issues.

And another goal was for us as the RIPE NCC it's also important to lead by example, to make sure we are using the best current practices, make sure our operations are up to scratch when it comes to security. That is mostly Evo's task but we hear things and we respond to that and there was one reason why we started this activities. I am going to hand over to Evo now

EVO: What the activities are that we are doing is mostly reach out to the diverse security communities, visit their events and try to learn something from them but also like Mirjam said, share some of our knowledge and tools because we also see they are not very aware of what the RIPE NCC does, how they can participate and how they can use our tools, for example, stat could be very important for some of the security communities out there.

So some of the conferences that we have been visiting are, for example, the Dutch national cyber centre conference ways very large international conference with all types of attendees, and also the various security or maybe hacker security conferences and try and learn something, see the latest threats which also for us, operationally, is very important to know what can we expect, what should we prepare for, and also try to get some contacts there and convince people to maybe send in some presentation proposals for the RIPE meeting so that we can also have some more exposure to certain subjects. It might not have been here otherwise.

One of the things that is being mentioned in this group is the MAAWG meeting, I am not sure if there is any more present right now. This is one of the conference that is we are also attending and we are planning to participate there in at least the European meetings, and see what subjects pop up there and where we can participate and possibly interact with them. And of course, attracting presenters, it's also one of the things that we aim to do.

Other activities is try to assemble all the security information that we already have on our website and make them more or easy searchable and findable. We are still in the process of doing that, taking all the subjects and making sure that if people look for security related subjects, that it's quite easy to find on our web pages. We are still in progress, it's still a project that is running. I think one important thing that has been established in the last two months is the responsible disclosure policy which actually invites people that find flaws in our network or services or systems, to report them to us anonymously or not, whatever they choose, be able to interact with us and find a solution for the problems that they find. And actually, there is quite a number of people that came forward, luckily for us there are no big issues found but there are quite some interesting things that people find on our network and are happy to share with us. And of course, we try to solve them as quickly as possible. Important also that we try to really focus the security effort within our company. We have an internal security focus group. That group more or less tries to find all the events that we would like to participate in, also which we think would be beneficial for us and the RIPE in general, and to spread the word of RIPE also. One thing I would really like to share here is that the RIPE NCC is becoming a member of the TERENA CSIRT focus, it's a lot of computer security incidents which in our region are joining that organisation and there is, the main effort is I think sharing information also sharing contact information and being updated on the latest threats. For us, that is very important so that we know how to defend ourselves basically. But also to interact with that community because we have some tools that are very beneficial for them. And they have some information that we might be able to use for improvement of our services. And I think this is where Mirjam wants to have a little talk.

MIRJAM KUEHNE: Very briefly. One thing I was wondering, I don't know if ‑‑ one of the TERENA task force will be called ‑ association task force since they have been merging recently but I don't know about that. One activity we have been doing together with the CSIRT is this document and I think ARIN was here last time to talk about that document where we are working together to, first of all, documenting all the data sources that are out there that could be relevant for abuse handlers in organisations, like the RIPE database, like internal contact database the CSIRTs have, RIPE stat as an entry point and to make it easier ‑‑ first of all to describe all these data sources but to also describe the search path and the abuse handlers could use to get, in the end, to the contact person that they are looking for. And so we have been working on this together with some of the /SEURTs and it's kind of in its final stages and will be sent around for feedback soon.


MIRJAM KUEHNE: It's out there, you can look it up, it's on /TKPWEUB had you been. I don't know the exact title.

BRIAN NISBET: So just on that because relevant to it (GitHub) in Warsaw the NCC were asked to send some information and links to the list which I don't think happened.

MIRJAM KUEHNE: I will do that. It's really in quite a good state now so it would be great to get some feedback and maybe some additional data source that we are missing. If there are no other questions about that part or maybe the questions at the end, I want to hand over from Marco.

MARCO HOGEWONING: Hello, external relations and part of my job is to deal with law enforcement or engage with law enforcement. I have talked to this before. My objective, why do you keep ‑‑ why do you work with law enforcement, it's pretty simple, we are all after the same thing. I know in the past we are sort of like us against them, we are all trying to make the world a different place, different tools and different methods for it, but we are all after the same thing. Biggest goal there is to increase efficiency and the easiest way to do that secretaries plain what RIPE is what RIPE NCC is, how we work and operate, we might have the information, we don't have, and how people can use our tools, our data sets and our public information to retrieve that information without going to very expensive and time consuming international processes for legal assistance and warrants and subpoenas, so the way to do that is capacity building; we give training courses but we also actively engage with people and talking with them, have you thought about this tool, have you looked into this. So current status update, we are planning to develop a bit more on‑line training material for make it easier for them to use and more cost‑effective for us. And the other big step compared to when we were last talking to each other is, we started to engage with a bit more with especially in the Middle East with law enforcement community. Our Dubai office is working hard with local agencies there. In Europe, we have got quite an easy reach, we can easily reach out to EU countries. In the Middle East it's more work. We are happy to cooperate there with Interpol, they have got a special group for Middle East countries to come together. We were actually invited to one of their meetings in Lyon, with we visited and we talked a bit and I can tell you there is a lot of interest in basically us explaining the tools and learning what RIPE and RIPE NCC can do in making their life easier.

And the other big deal there is continuing the dialogue about emerging issues like the consequences of NAT being deployed and NAT 64 and impact of IPv6 roll out to law enforcement procedures and helping to catch up. So that is it regarding the mentions of Alexander on the minutes, yes there was an action point to give a bit more information about meetings. Well, we haven't done any of our ‑‑ we are currently planning to hold one again in March so hopefully by the next meeting, I have got more to tell but that sort of engagement but right now it's very preliminary and all we are talking about is training courses. I am happy to take any questions.

BRIAN NISBET: OK. Yes, are there any questions on any of that? Any suggestions, anything you'd like to see the NCC doing? You would like to see them stop doing? You are all perfectly happy with everything the NCC is doing in this area. OK. I don't know if they are planning on renaming all the task forces with the ‑‑ possibly one of the ‑‑ the /SKWRA*EUPBT association, nothing funny there at all. So I don't know, but I think that is something that the community needs to work at. We have only changed the name five minutes ago. My CEO is one of the board members so I will bug him tomorrow and try and find out.

AUDIENCE SPEAKER: Does RIPE publish any kind of ‑‑ Heather sheller, /TKPWAO*G he will fine. Does RIPE publish any law enforcement trance /PARPBy report about the number and type of requests that you have received?

BRIAN NISBET: This is kicking back to what we need to discuss from the last one.

MARCO HOGEWONING: Yes, we did, for the last two years we published a transparency report. It's available as a RIPE document, we list how many requests we got and the type of requests and I am sure that by the end of the year we will publish another one.

RUEDIGER VOLK: You give information about the queries, you are not giving the information about how much access you give.

MARCO HOGEWONING: The current transparency report and you can look it up on‑line, basically lists how many valid warrants we got from which countries they came but we also provide a short overview of some of the questions we got that we didn't respond to either because they were not in our jurisdiction or about information that the RIPE NCC could not give so there is more to it than just numbers but we tried to provide a bit of an overview of that side of the world, without, of course, disclosing too much information.

BRIAN NISBET: And if I recall correctly, certainly the announcements of those documents are sent to a number of lists, including the anti‑abuse mailing list, but they are there as RIPE documents now. That was excellent time. We have three presentations as it happens, now, and one of the things about the Working Group always is that we are trying to mix the policy and the interaction and all the rest with a healthy dose of technical information about anti‑abuse. This is, after all, primarily a meeting of operators so it's important to make sure we are not just talking about things but we are giving out useful information as well.

So, the first presentation we have today, so yes, there is two technical presentations and I lied about the order of these, so E1 is in fact first. So, Jurre is somewhere. So this is the presentation on Tor censorship counter measures and how you can help.

JURRE VAN BERGEN: Hi. So, if I say next slide, somebody will go to the next slide. By day I work for Greene House, at night I work for nonprofit organisation who runs two access nodes. Currently we put about a little bit more than a gigabit of traffic a month grabbed through various countries in the European Union, and we would really like to see more ‑‑ to see a more diverse Tor network by utilising more diverse networks, because currently the Tor network is kind of centralised at certain big hosting providers, for example, in France or Athna where a big part of the Tor network is situated, we would like to bring them to, for example, South America.

Would you like to get ‑‑ we would like to get some help in that. So, our agenda. I would like to discuss the misconceptions, the censorship of Tor, existing counter measures and how Tor is using this to route around censorship, how you can help and a little Q and A section.

So, there is a misconception, I think, that only bad people use Tor. Especially the last year or two we have heard a lot about bad people use C growth, that people use it to send bomb threats to certain governments, for example, we have got some abuse e‑mail about that. And it's not only bad people who actually use Tor, there is a lot of cases to use (legitimate) to use Tor. How do we balance this? And that is a tough question to answer, because it can generate a lot of abuse of port scans, or spam and the server. And then we have Tor can get my IP blocks blacklisted. And I think this is mostly not the case, as far as I know. Maybe there are certain exceptions of various institutions who might block certain IP block even if you would use only one IP of an IP block to when you run access node, to IP block gets blacklisted but I haven't really heard of anything like this. So that is, shouldn't be a problem if you would run it.

And/or I can get prosecuted for running a Tor access node. In fact, I haven't ever seen a prosecution of somebody running a Tor relay. There has been a case in the last year or two in Austria where a Tor access operator was arrested by the local law enforcement agencies, but this was mostly because the person was also hosting child pornography on the same server or trying to plausible deny that it was just a Tor access node. There was some other issues. So it wasn't really completely related to a Tor relay but it's part of initial ‑‑ sparked initial investigation and then they found way more but this is mostly an exception.

So, hopefully this might clear up mis ‑‑ you know some of the misconceptions that are kind of based around the Tor network.

And then we have the censorship of Tor. So, it might be that you might think the Tor network as a whole, you know, you install the Tor browser, go on‑line and go visit websites and, you know, you can't really be found out because it's Tor and it's anonymous. This isn't quite the case, and why is this? It's because the Tor protocol itself is reasonably easily detectible, you know, IP are public and you can download them, and could you possibly, if you get a lot of abuse from the Tor network, you could fetch a list of Tor access nodes, IPs, you could block them on your network. I would not advise to do that. And how this happens is that it has some SSL easily detectible things in the protocol itself so it's quite easy to detect it if would you use normal Tor instead of a proxy to get on to the Tor network, so the traffic will look like random garbage rather than SSL, so it will be quite easy detectible by nationwide depacket inspection but if you would use something like a proxy you can bypass the censorship of an ISP or a nationwide depacket inspection operation performed by all the ISPs because the government has ordered them to do so. And then of course, we still have the blocking of the Tor SSL, some countries have been doing this, for example, Ethiopia was one of them two years ago, and Syria, and probably some other countries also do this by trying to block the Tor SSL together with the DPI and access node, things or entry nodes. And then we of course have countries like China or Iran where SSL network in itself is mostly throttled, when they see an SSL it might be active and quite fast for a minute or five or ten, but after that the DPI machine says oh this is an SSL connection we are going to bring it down to five kilobytes a second, where you before had a 500 kilobytes a second. So it's quite a jump there to be solved and actually this has mostly been solved. Like I said before, there are existing counter measures that Tor has developed. Normally we don't ‑‑ Tor for a while had a thing called Tor brings for example, if a lot of Tor had been blocked, where you get an IP you could connect to and you could still come on under on to the normal Tor network where all the other Tor nodes are sensored for whatever reason. This has changed throughout the years is that the sensors have found a way and the traffic to these Tor bridges. So the Tor people have developed Tor obfuscated bridges and various examples of those. One of them is O B F S proxy and one from meek which runs on Google app spot, from Microsoft and they use a trick on the Google network itself where they allows them to make the transport so it will look like you will send traffic to where you send to the actual Tor network and a lot of people have been using this since have been introduced in the latest update to the Tor ‑‑ so a lot of people can now get on to the Internet from China more easily or from Iran more easily because it's very hard for censor to block the whole Google or the ‑‑ or for businesses. And then we have flash proxy and that is a flash transport which you can put on your website itself and it will function as a Tor bridge, so you can put a few lines of code on your website and it will allow people to actually get on to the Tor network.

So, how can you help? Like I say, we actually at the moment ‑‑ umbrella organisation called tool service .net where various people from around the world have set up nonprofit foundations to run Tor bridges and access nodes. Mostly in the European Union. And we have been looking for ways to get, to kind of get away from asking for donations and then renting service space for that to run fast to access nodes, so we have been trying to get more into contact with existing ISPs who might, might want to help the Tor network and have certain IPs left, either one or two or even sometimes /24s that they have been giving out to us in support of Tor network and sustaining it.

So I know that some people might have a /8 yet, I am kidding. You know, we would like to diversify the network and not have it centralised in smaller parts of a very small network, like very cheap and big providers, we would like to expand to academic networks and to IPs from businesses like Microsoft or other big providers that can give the plausible liability to the sensors that the people who are connecting are legitimate use cases. So we can help the people in countries better to connect more safely to the Internet. We are perfectly ‑‑ web perfectly help you with the set‑up or answer any questions to do that. And, you know, if you want to help with that, we have swag to hand out, we have stickers, very nice Tor shirts. Just give me a ping. And then of course, practice what you preach. So we have set up our own Tor access nodes at our own provider, called GHTOR2. To look at what it's doing. And then we have set up a Tor access node for a political party in the Netherlands which is called the human ‑‑ young democrats and then we have the ‑‑ HVIVTOR access nodes which are in the Netherlands and Germany at the moment. And that is kind of it. If you have any questions, I would happily answer them.

BRIAN NISBET: Thank you. Are there any questions, comments?

AUDIENCE SPEAKER: Erik. You said you had some kind of foundation or something that you are actually running Tor access nodes or helping people maintaining it, those kind of things?


AUDIENCE SPEAKER: Trading or can you provide some guidance on what kind of work is actually involved in this?

JURRE VAN BERGEN: How to maintain this foundation?

AUDIENCE SPEAKER: No, no actually running an access node yourself.

JURRE VAN BERGEN: So we started a year ago, so we set up the foundation in 2013 and bun one of the reasons we decided to set it up we want to maintain a dialogue with law enforcement about the activities we are doing and want to actively assist them in if they have any requests about subpoenas or requests about who are the people running these access nodes or provide them with help or training, we would very happy help these people in answering any questions that we have. I would also like to give any training to any provider. We set up Tor relays mailing list so we want to have a better dialogue with the community around it in the Netherlands, and we will happily assist any network operator who has questions or want to help maintain an access node, we will happily help set it up, help maintain it or even answer your abuse e‑mails for you.

AUDIENCE SPEAKER: Lets take this off‑list.


BRIAN NISBET: So I know just from my own point of view, you mention academic networks and one of the issues we potentially have ‑‑ there was two, really: One of which is most of us have acceptable usage policies which forbid us letting somebody use our network for purposes other than either reaching a resource on the network or reaching the Internet from the network. And so one of the problems there is obviously putting a node on, then potentially means we have people transiting through the network which is against the acceptable usage policy that we have. The other problem that we have had is that I think this goes along with a lot of misconceptions about the Tor project, is because we receive basically all of our funding from governments, there is that political issue there of if somebody turned around and said hang on you are running this, clearly this subversive thing on the network, this is wrong, then yeah, there is a lot of layer 9 issues and layer 8 issues involved

JURRE VAN BERGEN: Maybe you could tell them that the Tor project also receives most of the money from the government.

RUEDIGER VOLK: From the most friendly country on earth.

BRIAN NISBET: So that is kind of some of the problems that I think we have. And if the information and resources were there, now, I am not necessarily saying you must suddenly go away and read that paragraph and set up a node on the network but that PR is the big challenge that we have there.

JURRE VAN BERGEN: Yeah, I agree. Like, at the moment we have got an IP block from an academic provider in the Netherlands and it's not part of the academic network at the moment but it's an IP block they had laying around and they repurposed it. So, it's still ‑‑ it's our upstream provider but it's still not exactly the academic provider.

BRIAN NISBET: IP blockages just lying around they can repurpose, they must be rich. You can get good money for those things these days. Are there any other questions, comments?

AUDIENCE SPEAKER: So, does your foundation ‑‑ sorry, I am Sasha, I work with Jurre, my question is not green host ‑‑ the question I was wanting to ask is, do you have like any ‑‑ are you collecting any best practices in terms of abuse policies that people could easily implement, like there might be people in this room who are like yeah it would be interesting to like revise our policies towards Tor access nodes but how can we operationalise that and make that a smooth transition because you don't want to have tonnes of extra work for your abuse desk because it becomes a bit...

JURRE VAN BERGEN: Sure. So you could decide if you want to run access node, on which IPs it can actually access on, you could allow port 22 and 80 and 443 but you will disallow all others, so you don't send e‑mails of SMTP or any other sports. This is perfectly possible and the most amount of abuse e‑mail we would get is every once in a while and we also operate with a reduced exit policy, so you call it. So, these things exist and these things can also be found on the Tor service .net website which is part of the umbrella organisations of all the other organisations, so this definitely exists, yes. And maybe we could revise that one time and provide a minimal exit policy with least amount of possible abuse for organisations.

BRIAN NISBET: I think that would be great, and you mentioned handling abuse queries as well and one of the pieces we work on here is abuse policies and things like that so the actual kind of text around that and advice around that or links to stuff that is already written would be fantastic and I think if you wanted to share those with the mailing list after the meeting, I think that would be useful for people, because, again, if someone is going to do this, I think one of their big questions is going to be what do I do with the potential abuse reports or otherwise. And of course, I mean from purely my point of view and do I not speak for the Working Group here, I think that one of the things that interests me and one of the reasons why I asked you to come and talk is that I think that a lot of the counter measures against Tor are the network abuse and that is the interference with the flow of packets, so I think things that we can do to help that and help get around that I think are positive things for the global availability of the Internet.


BRIAN NISBET: OK. Thank you very much.


So the second presentation and sorry for lying to you about the running order, so more technical again, so it's impact of the rom‑0 by Tomas.

TOMAS HLAVACEK: And I am going to talk about rom‑0 or Rom vulnerability and its spread.

So, I suppose you all know about this simple stupid vulnerability that is present, it's widely known. This is example how you can exploit a router. The only thing you need for it is simple decoder of the rom‑0 file that you can freely download without any authentication, without anything from ‑‑ from interface, of course, from outside Internet and contains passport for web interface of the router. So you can easily download the decoder, which is 100 line of C code and it's available freely from GitHub, for instance. And that is it.

Actually ‑‑ are using this vulnerability for packing into routers and change DNS servers that are being used for the network behind a router, or behind the gateway, and they are redirecting generally trusted and high profile sites like Google and Facebook and they do their own malware and phishing sites so that is the obvious point of interest for us as DNS operator, because actually it bypasses the DNSSEC, it's typical instance of insecure network or insecure path to work resolver.

Actually, this particular vulnerability or, it came to our attention because we are also operating around 1,000 routers in Czech Republic, like home gateways which are part of projects ‑‑ projects trists and we have seen a lot of attempts to get/rom‑0 files from a whole bunch of IP addresses from outside network, and it alerted us, so these are curious. And obvious question was who is vulnerable or what is ‑‑ how you can find out whether your router is vulnerable or not. It's hard to answer because those routers that are vulnerable are made by different brands or different vendors. These vulnerabilities is not determined by a specific version or by a specific model of a router, and we have find out that maybe vendors are sharing some code base or actually it's a really old code base, some realtime operating systems so it's not Linux or free BTSB or something like that inside or it's closed source. There is no S D K for it which is good because black heads are unable to compile their own binaries so this is the good point of not being OpenSource because it's not that bad but actually, changing DNS is enough for them. And the downside is that those devices with this particular vulnerability are being sold, are still being sold, not only in remote countries but also in Europe; I found some instances.

So, we wanted to answer the question, who is vulnerable? And the first task to create a web test of a page that can check from rom‑0 file from outside, so you can easily type IP address or it's prepared by the vendor itself or by the page itself and it just tests your router. It was pretty successful in Czech Republic because it got some media coverage and we had around 50,000 tests in first ten days, which is pretty good. And then we were curious how many ‑‑ how many routers or how many boxes are vulnerable in the whole Internet. So there is the measurement, we decided to scan the Internet for file rom‑0, particularly for http had the answer with correct status and content length, which is enough for us to be sure that the router is vulnerable. And it's also particularly good because we are not downloading the file or possibly just asking whether the file is available or not. So, we collected this test, first of all we collected this test in May this year and we have found almost three times the worst ‑‑ we have been able to find before. We have tested 71 million http servers and 1.2 million were vulnerable and in Czech Republic it was over 5300, so it was pretty stunning numbers or these are stunning numbers, for us. And actually, we decided to repeat those tests but before that I can show you the map and this is the first scan. And there were few countries with quite a lot of vulnerable boxes, but actually if you can't see it, don't worry because there will be a link at the end of my presentation to all data, maps, charts, so you can easily find it. This is the plot from repeated scans. I decided to repeat scans on monthly basis and we assume that ‑‑ actually, this is the first and last scan. The first one is the red from May and the last one is October is the blue. There are ‑‑ and those are top 15 countries. There are several countries from RIPE service region and among the most notable is Italy, which is in third place here.

We also look down to data of other parties and the question was: What is the chance that vulnerable box is actually gets abused? And this thing that the chance is enormous because look at most common passwords, the first one. So, I think that almost all vulnerable boxes are likely to get hacked at some point. So, we did repeated tests and this map shows change or changes by countries from May to October. The green is decrease and RIPE is increase of course. Actually, for the whole world is decreasing but there are some hot spots that are increasing more than twice, especially here in Africa. We are look at chart for top three countries, the top one is Thailand. It had over 167,000 vulnerable boxes in first measurement. And it dropped dramatically, especially from the previous to the last measurement. So I suspect that it's some sort of ISP action or national rate ‑‑ right action because now it's under 20% of the first value.

Almost the same thing is in Colombia, they started at 139,000 and now they are on 35% of the original state. So it's good.

Unfortunately, Italy dropped from 116,000 to 80% or 83%, something like that, and it's steady since then. It's decreasing but slowly. So it's not that good.

And for information, this is Czech Republic. We had 5,300 at the beginning and now we are on ‑‑ or we have seen 3,200 vulnerable boxes here.

So that is it. Thank you for attention. This is the website that contents all graphs and charts. You can look up your country.

BRIAN NISBET: There is a disturbing prevalence of QR codes at this RIPE meeting, I think it's spreading. Thank you for releasing the data.

ERIK: It's actually interesting to see this particular box and hearing that the box is actually wide open. It actually gives a very good understanding for me now based on a similar pox that I have laying on my desk from a journalist in the Netherlands, asking me can you look into this, my DSL stopped working and a bit confused here, specifically he was actually doing work on the snow den files. However, the question that I have on the IP addresses that you found, did you contact the ISPs and actually tell them that those boxes were vulnerable?

TOMAS HLAVACEK: Actually, we have discussed this option in Czech Republic and we decided that it's not real because there are not interested or we have tried to contact some people and discuss it with them but we decided to go in other ways so some newspaper articles, blog posts and a lot of people accessed our website so I think ‑‑ or from our point of view, this was the only possibility to do something with it.

AUDIENCE SPEAKER: Do you have the data

TOMAS HLAVACEK: Yes, of course

AUDIENCE SPEAKER: Is the data available?

TOMAS HLAVACEK: No, no, the IP addresses are kept secret for us.

AUDIENCE SPEAKER: I would like to have a discussion with you on that.

TOMAS HLAVACEK: We can discuss it afterwards.

AUDIENCE SPEAKER: Because the information is seriously enough ‑‑ we do with syncholing and BotNets, and then we contact the IP owners from some that are connecting to the synchole. Why don't we do this because this has equal impact?

TOMAS HLAVACEK: Sure. I discussed also with our CS IT team that we are operating for Czech Republic and their advice was to use media and right articles rather than those but I don't know, maybe it's possible or somewhere else to do this.

AUDIENCE SPEAKER: From my experience /PH cleaning up BotNets and using sinkholes, you have to start e‑mailing the owners of the IP addresses and a lot of ISPs actually really value that information because they can actually inform their customers that they have equipment in their house which is unsafe. So, you know, I know working with Tobias in Germany, but also ‑‑ they would love to help you out on dealing with this.

TOMAS HLAVACEK: OK, thank you very much, I will be glad to do something, we can cooperate. I am really glad, thanks.

AUDIENCE SPEAKER: From escrow. You said that there are various types of boxes that are affected. Do you have a top five? I mean, is it trend net, is it Cisco, it Juniper? Is the link? What kind of equipment is affected by this vulnerability?

TOMAS HLAVACEK: Yes, it's cheap Chinese equipment like brands that are not, definitely not Juniper, Cisco and those brands, but I would rather avoid saying their names because we have pretty nasty mail communications with some of them after some of our newspaper articles releases.

AUDIENCE SPEAKER: I think naming and shaming the name of the brands would actually force them to provide a fix for those devices.

TOMAS HLAVACEK: Yeah OK, so what we have seen in our lab, it was dealing, ‑‑ it was really a lot of routers. I have read some blog posts about Bailyen or how it's called the T‑I, it's really wide spectrum of brands, some of them are completely unknown for us in Europe, so I think it's better to test them or to just try to access the rom‑0 than listing them because there are a lot of different types and a lot of different brands.

AUDIENCE SPEAKER: And another question, the last one, sorry: How did you get those numbers, did you start scanning the whole Internet to see who is vulnerable to that?

TOMAS HLAVACEK: Definitely. And those numbers are not ‑‑ there is a huge variance in numbers because the test lasts for few hours, actually, it's something like 17 hours or more, it depends on network connectivity, depends on conditions, so ‑‑

AUDIENCE SPEAKER: You probably scanned a few million IP addresses, a couple of billion, am I right?


BRIAN NISBET: I think at any given point in time numerous people are scanning the entire Internet for presentations at RIPE meetings and things like that.

AUDIENCE SPEAKER: Just two quick comments. One, there was some work and I don't want to put a name on organisation, but by a group that was trying to collect various different kinds of like home CPE and ISP provided CPE devices to do various kinds of testing for different vulnerability but also testing to see various levels of support for v4, v6, different protocols, so that might be something helping to make sure that they have some of the equipment that you found or that your service provides for that testing. And then the other thing that I was going to say is, what was said before, there is very large organisations, they are called super remediators, CAMry is another and they are really good at taking data about compromised machines and redistributing that en masse to responsible parties based on their ASNs and they have done a great job of doing doing that. They have framework existing, all you have to do is provide them the data. So consider working with them. If you are not going to, tell them so other people can go scan the Internet and do the same.

TOMAS HLAVACEK: Thank you very much, I will contact you afterwards.

AUDIENCE SPEAKER: Bruce from Nominum. I am wondering were you able to identify the resolvers that they were redirected to and did you characterise the behaviour of those to see what kind of answers you got and how those would compare to legitimate answers?

TOMAS HLAVACEK: Actually, we haven't looked deep or ‑‑ deeper into it. I have just tried one single case and it was a resolver hosted by OVH in France and it responded to Google and Facebook to its own IP address. And there was some phishing site, but I am not expert on phishing or malware so I don't know really know what it does for victims.

BRIAN NISBET: I think that information as well would be of great interest to the groups we mentioned already.

AUDIENCE SPEAKER: I will track you down afterwards, I would like to talk to you a bit more after that.

MARCO HOGEWONING: Yes, sorry for not queuing up there, I am tried to scribe. Personal interest but if you scanned 4 billion IP addresses how many abuse reports did you get from people noticing you scanning them?

TOMAS HLAVACEK: Each scan generated I think three abuse reports.

BRIAN NISBET: Wow, OK. Everyone else is asleep.

RUEDIGER VOLK: That you got?

TOMAS HLAVACEK: That I got. Three global ‑‑

BRIAN NISBET: Anything else? No. Listen, thank you very much.


And our last presentation parachuted in at the last moment is it's ‑‑ DDoS is a service phenomenon by Jair.

JAIR SANTANNA: Today we talk something that is a little bit different and I ask these five minutes to ask what is DDoS as a service today, anti‑abusing community and so on. My name is Jair Santanna, I today I want to talk about these websites. The point is, these, I Google for you just to see you can easily find these websites, when you click on these you can just create an account and start ‑‑ attack. At the point is how much do you think that you spend to perform an attack? Yes. So I put here for you that is around 5 dollars or less or more, it depends on something I want to tell you later. The point is I want to tell that this is "DDoS Attacks for Dummies," because everyone with start or can launch one DDoS attack. And the point is, they surprise me, how often we can get these in our network, I talk about the academic network. And my question, I have a lot of results but one of the questions was: How can I pay for these attacks? Yeah. And the point was, my first answer was Bitcoin, yeah, of course, but PayPal account, credit account, I will never put my credit card number there.

But I want to steer a little bit more because once you pay the five dollars or whatever, you can perform as much attack as you want. It means that when someone subscribe you can perform for one month in a row. Quite interesting.

Of course as a network researchers or network administrator you want to know how much damage booters can cause and I measure and I pay for and I measure the attacks. What I get for was that kind of measurements or that kind of traffic. I bought UDP attacks by the way and what I measure was DNS based charged based attacks. That is reflection attacks that we know or you should know in theory. But the point is, the attacker is the only one that knows how much traffic we will generate and you know that if he uses a different service that can put these attacks a little bit worse. So lets ‑‑ SURFnet guys and they told me they measured these attacks last week and the list of open resolvers in the world, and I noticed that these were ‑‑ can be amplified even 100 times more. But, you know, Cloud flare attacks and so on. Actually it was not against, but they minimised the attack. My question was I will be able to mitigate this kind of phenomenon and so on because they offer all kinds of attacks, layer ‑‑ application layer, layer 3, 4 and so on and I said yes, we can. My advice is that I am a dreamer, but I do believe that it is possible. So this is more or less how do I believe? When a customer access these booters website, the booter website access the back end infrastructure and then these back end infrastructure access the reflectors or what indeed perform the attack, what indeed generate the attack. So, my idea for the next round of measurements is count only your help in these level. Because if in your network you have these kind of service or N service that have been misused by booters or attackers, I can easily ‑‑ not easily, but I can try to find this guy. That is my goal.

Yes, thank you very much and I want to hear from you if you can help me and your insights.

BRIAN NISBET: You have agreed to send some of this as well, we have a limited amount of time today. Any comments, thoughts, theories, offers of help? Please.

AUDIENCE SPEAKER: When looking into this kind of booter networks the thing that you didn't point out was actually the website itself, whereas when we were researching a bit into this some time ago, we found out that a lot of these websites are actually using well‑known DDoS protection surfaces to protect themselves because it turns out that booters like to boot each other all the time, so and those commercial N ND OS services that might have to do something with flames and bring, that are offering these services to protect websites and are very famous, are not really acting against hosting this kind of attackers. So, I would say that would also be an angle of attack against this kind of networks, at least making sure that you do not host the front ends of it.

JAIR SANTANNA: Yes. Actually I have more results and I expect that booters have been protected by some companies, DDoS protection networks, but if I return one slide, we are able to measure here, right, and here we can cannot see who has generated the attack. The DDoS protection companies, they want to see this traffic, yes? When I send a message to the DDoS protection company that, you know, and I say that these booter generate these attacks they say no, because the IP that I can see here is not this IP. Yeah. So, once I have the information about these guys I have the IP from the DDoS protection company and I can shut down the booter. So yes, thanks for your comment.

BRIAN NISBET: Anything else? No. OK. Thank you very much.
(Applause) so, any other business? I am assuming would have said something by now.

AUDIENCE SPEAKER: Erik. Specifically on transfers, we have had, we have been transferring some IT space and it's interesting to see we get a lot of abuse messages after transfers from the new users, but the old holder still gets the abuse messages. Which basically means that probably a lot of companies that are actually taking the effort of sending abuse are not using the RAR database to get the updated information for the abuse contacts. And that can take up to nine months or longer to actually get that update, which I think is appalling; it's shocking. And it may not shock everybody else here but that is one of the things that I say we really need to do this better.

On the other hand, the other side of it, once IP addresses are transferred, there is actually quite some effort if IP addresses were listed, to actually get them delisted because they are now from a new entity which had nothing to do with the reason why it was listed in the first place. And I must say that is a challenging job as well.

BRIAN NISBET: Indeed. Is there something in particular you think the Working Group can do?

Erik: It's specifically some more guidance on how can we actually do this better as a community first on getting the actual abuse or the, do the actual contact, get the contacts updated quicker, that would help a lot. Second, it also helps if there is some potentially say guys this is legitimate transfers, it's easier for the new customers to actually get their listed IP space cleaned up and actually use this properly.

BRIAN NISBET: Lets ask someone who should know. Is there a response or otherwise

AUDIENCE SPEAKER: It was something else, a different AOB.

BRIAN NISBET: What I would love, we don't have a lot of time to discuss that here today, it would be great if we could try and talk to ‑‑ and I don't mean to single you out but you are just standing there, the people who are involved in IP transfers ‑‑ I know ‑‑ not RIPE NCC, people who are involved in IP transfers and to see if there are, and yourself to see if we can come up with some advice or otherwise and maybe this can be ‑‑ we can put more time for discussion of this obviously on the list, but more time for discussion of this in Amsterdam.

ERIK: That would be mine, I will be more than happy to spend some time on explaining what the actual ‑‑ how the transfers works and those kind of things so people in the abuse community can actually see why once IP addresses are transferred, the old reason for why it was listed in the first place is no longer valid any more.

BRIAN NISBET: I think that would be most useful. Very briefly because it is now half‑three Ruediger, so is that addressing Erik's point?

RUEDIGER VOLK: Question: Is there actually an organised information flow from the guys who are administrating the transfers, which we very well know, to a list of parties that may be running such lists, if that is not an organised activity, well OK, that should be done.

BRIAN NISBET: And you are right, I think that is the beginning of a much, much longer discussion but I take Ruediger's point and I think that might be something we will look at, we will discuss that in more detail in Amsterdam.

AUDIENCE SPEAKER: Escrow. There is one thing I wanted to bring to the attention of this Working Group, and I am not sure whether this Working Group can do anything about it or whether we can continue discussing about this problem. We have noticed problem which involves BGP hijacking and there are ‑‑ we have basely noticed more and more BGP hijacks happening now that v4 has basically run out and most of the times the BGP hijacks occur around IPv4 transfers, so we have had already two or three customers that have been affected by the same problem, basically the ISP that has the address space must delete everything from the RIPE database before transferring the block while the process of the transfer happens the block gets hijacked by spamers, IP addresses get listed in Spamhaus and all kinds of crazy things happen for those days while the transfer happens with the RIPE NCC and in one case both the address space that was transferred and the address ‑‑ so, both the address space of the company transferring and the one of the receiving company have been hijacked.

BRIAN NISBET: My initial reaction to that is that sounds something that needs a policy to change some of the mechanisms or ask the NCC to change, along with all the stuff which has been discussed. We haven't discussed BGP hijacking here particularly, there is no reason why we wouldn't but we tend to leave it to routing and a couple of other Working Groups.

AUDIENCE SPEAKER: It is an abuse.

BRIAN NISBET: I am not saying we shouldn't; I am just saying we haven't in the past. My initial reaction is there ‑‑ is that the biggest problem the way the transfers are done and is there a better way of handling that. But then again, I haven't thought about this very much.

AUDIENCE SPEAKER: It's just something I wanted to bring to the community and to this Working Group.

BRIAN NISBET: It's certainly something we are thinking about, it's certainly something that the NCC also might be able to give input into as well, because if that is the main reason for it or maybe that gap isn't the main reason for it, maybe the awareness of any sort of transfer is what is happening

AUDIENCE SPEAKER: We only noticed because they happened during us offering services to customers. They might happen also because address space is not announced but in this case we have only noticed it because it happened during a transfer.

BRIAN NISBET: It's a very interesting problem and I think maybe we need to look at how the transfers happen because of that problem. I think that is something we need to think about and the community needs to be aware of.

There is nothing else. I am going to do my traditional call for people to think about agenda items. We already have one from Erik. Certainly, for RIPE 70. And with that in mind, unless there is anything else, I will just say we have eaten slightly into your coffee break. Thank you very much for your time and we will see you hopefully back in our normal Thursday slottish in Amsterdam next year so thank you very much.
(Applause) sorry, one other thing and I should do this as a member of the RIPE PC, there is ‑‑ we are still looking for new volunteers for the PC with nominations to be in before 3:00 tomorrow. Please mail if you are interested and we do need new people because that is the way to keep all things fresh for the content. Thank you very much.