Colleagues,

Here are the draft minutes from the AA-WG meeting at RIPE69. Could you please take a look and come back to me with any corrections on your part?

Thanks,

Brian

---------

Anti-Abuse Working Group Draft Minutes - RIPE 69

Date: 5 November 2015, 14:00-15:30
Working Group Co-Chairs: Brian Nisbet, Tobias Knecht
Scribe: Marco Hogewoning
Status: Draft

Brian Nisbet, WG co-chair, welcomed the attendees and apologised on behalf of Tobias Knecht, who due to illness could not attend the session.

A. Administrative Matters

Brian apologised for the minutes of RIPE 68 being sent out late and asked the audience if there were any comments or additions.

Alexander Isavin, NetLine, mentioned that the section on law enforcement agencies is missing from the minutes. Brian said he remembers the discussion and will look into the matter. He asked the working group to approve the session's agenda, which they did without further comments.

B. Update - Brian Nisbet, AA Working Group Co-Chair

Brian mentioned the charter was discussed in Warsaw and some follow-up discussion took place in June. The new charter has been published on the website and Brian closed this action point.

Brian introduced the procedure to select working group chairs and gave the working group some background on why this is needed. A draft text was sent to the mailing list and a version with some minor changes in wording was published on Tuesday evening. Brian highlighted the main elements of the proposal: the chairs will have a term, there will be no limit on the number of terms and each term will last for three years. There will be two or a maximum of three chairs for the working group and the decision on who will become chair is preferably made by consensus or alternatively by a secret ballot.

Brian asked if there were any further comments and deferred the discussion back to the mailing list to come to a conclusion about this topic.

Sander Steffann raised his thumb.

Brian pointed to a discussion on the mailing list about AS Numbers and said that due to the recent number of emails he was not able to catch up. He suggested leaving the discussion on the mailing list as more people are likely to be behind on this topic. Brian mentioned that the RIPE NCC was already looking into some of the questions raised on the list and was expected to reply. He clarified the discussion has to do with the credentials supplied when an AS Number is requested and any allocations that have been revoked.

C. Policies

Brian mentioned that due to Tobias' illness they haven’t looked into the issue and mentioned that a conference call with the RIPE NCC has been planned in December to talk about this.

D2: RIPE NCC anti-abuse outreach activities

Mirjam Keuhne and Ivo Dijkhuis from the RIPE NCC presented about their outreach activity. A copy of the presentation is available at https://ripe69.ripe.net/presentations/116-SecurityUpdate4RIPE69.pdf

Brian reminded Mirjam about an open action point for the RIPE NCC from Warsaw to send some more information to the list, which hadn’t happened yet.

D3. RIPE NCC Government/LEA Interactions Update

Marco Hogewoning, RIPE NCC, gave a short update on the interactions with law enforcement and governments. An archived copy of Marco’s presentation is available at https://ripe69.ripe.net/archives/video/10140/

Coming back to Alexander Isavin’s earlier question about the minutes, Marco mentioned there is an open action point to provide more information about the LEA meetings. As there haven’t been any LEA meetings yet, this information was not published.

Heather Schiller, ARIN, asked if the RIPE NCC published a report about the number of LEA enquiries they receive. Marco mentioned the RIPE NCC in 2012 and 2013 published a transparency report which is available on the website.

Ruediger Volk, Deutsche Telekom, pointed out that the report does not list the level of access given to law enforcement agencies.

Marco explained the information contained in the report and said that it not only provides the number of enquiries but also gives some information on where they are coming from and provides an overview of the nature and reason of declined requests.

E2. Tor censorship countermeasures and how you can help

Jurre van Bergen, Greenhost, presented about countermeasures to Tor censorship. A copy of the presentation is available at https://ripe69.ripe.net/presentations/112-tor-ripe69.pdf

Erik Bais, A2B Networks, asked if he understood correctly that Jurre had set up a foundation for this and what kind of work was involved in running an exit node. Jurre clarified that the foundation was set up to maintain a dialogue with the law enforcement community and to actively assist them with warrants and subpoenas. He said they are happy to provide operators with training and help them to set up, and suggested taking the discussion private.

Brian Nisbet mentioned that research networks have two issues with running Tor exit nodes. One is the acceptable use policy prohibiting a third party from using these networks for this purpose. The other is that the misconceptions about the Tor project might lead to questions from the governments who fund the research network. Jurre pointed out that the majority of funding for the Tor project comes from governments. He explained they are using an IP block from a Dutch research institute, but as it was re-purposed they are not really using the research network.

Sacha van Geffen, Greenhost, asked if the foundation was busy creating and publishing any best current practices. Jurre answered this is done and gave an example on controlling which ports can be used on a Tor exit node to limit certain services.

Brian suggested to Jurre to share some of this information with the mailing list, especially the ones on abuse policy as they relate to the working group.

E1. Impact of rom-0 vulnerability in SOHO routers

Tomas Hlavacek, NIC.CZ, presented on the ROM vulnerability in routers. An archived copy of his presentation is available at https://ripe69.ripe.net/presentations/61-rom0-vuln.pdf

Erik Bais, A2B Internet, asked if the holders of the IP addresses found in the research were notified about the issue. Tomas explained this was not done because people were not interested and the team chose to use mass media to create awareness. Erik suggested having a chat about this as he had experience with cleaning up botnets and mailing owners might help.

Elvis Valea, V4Escrow, asked if there was a list of vulnerable modems available. Tomas answered it is usually the cheaper brands but they would not disclose names as the manufacturers don’t like that. Elvis asked Tomas if they scanned the whole Internet. Tomas confirmed.

Heather Schiller, Google, mentioned there are other groups looking into CPE vulnerabilities and it might help to share the data with them.

Bruce van Nice, Nominum, asked if any work was done in profiling the resolvers to see which sites were abused. Tomas answered they found one doing Google and Facebook phishing.

Marco Hogewoning, RIPE NCC, asked how many abuse reports came in after scanning the entire Internet. Tomas said he received three complaints.

E3. DDoS as a service

Jair Santanna, Universiteit Twente, presented on Booters: the DDoS as a Service phenomenon. An archived copy of his presentation can be found at https://ripe69.ripe.net/presentations/115-20141105_RIPE69_jjsantanna.pdf

A member of the audience mentioned they did some investigation into Booters themselves and found out that these often use commercial anti-DDoS protection services, as Booter sites tend to attack themselves. He suggested working with these companies to take the front-end offline. Jair said it is hard to find the evidence, but when they do, these sites get taken offline by their providers.

X. AOB

Brian asked for any other business.

Erik Bais mentioned he had noticed that after an IP transfer abuse reports get sent to the old IP address holder and that this is a clear indication that people are not using the RIR whois databases and fail to update their own information in time. He said it also takes quite an effort to de-list transferred resources with blacklist operators.

Brian asked for suggestions on how the working group can help to improve this. Erik responded that more information about transfers to the abuse community could help and offered to explain how a transfer is actually done. Another suggestion was to make it easier to prove a transfer is legitimate.

Ruediger Volk suggested looking into the data flow from the RIPE NCC, who administers the transfers, to the parties who collect and distribute anti-abuse information.

Elvis Valea mentioned that they observed BGP hijacks taking place in the brief period a transfer takes place and the RIPE Database objects get deleted. Brian responded that they haven’t discussed BGP hijacks but this is worth looking into as it might require a policy change or change the way transfers are done.

Brian Nisbet thanked the attendees for their participation and closed the session.