RIPE 62

RIPE Anti-Abuse Working Group: Minutes – RIPE 62
Thursday, 4 May 2011, 14:00-15:30 – Amsterdam

Co-Chairs: Brian Nisbet and Tobias Knecht
Scribe: Fergal Cunningham

Chat Monitor: Sandra Brás

A. Administrative Matters

Welcome

Working Group co-Chair Brian Nisbet welcomed attendees. He thanked the scribe, chat monitor and stenographer, and he asked that those asking questions clearly state their name and affiliation.

Approve Minutes from RIPE 61

Brian noted that there were some initial comments and the minutes were updated accordingly. He asked if there were any further comments. There were none and Brian deemed the minutes from RIPE 61 to be formally approved.

New Working Group Co-Chair

Tobias Knecht was formally approved as the new Anti-Abuse Working Group co-Chair. Brian said that Tobias would help to resurrect the best common practice document process. Brian said two documents would be produced – an administrative document and a technical document.

Finalise agenda

There were no additions to the agenda.

B. Update

B1. Recent List Discussion

Brian noted that there was a lot of discussion in the past few months. He said the Abuse Contact Task Force was addressing some issues and some were being addressed by the ripe-517 Closure and Deregistration document. He proposed that the working group not delve into those issues at that time.

B2. Admin Tools for Blackhole Administration - Ingvar Mattsson, Google

The presentation is available at:
http://ripe62.ripe.net/presentations/155-blackholeslides.pdf

David Freedman from Claranet said this approach was to be commended. He said he had a similar in-house tool and if anyone wanted to know more about that he could show them afterwards. He said the main problem is if prefixes are not reaped and remain in blackholing. He said the support team needs to be aware of what’s going on and it must be done in an intelligent way.

Ingvar asked if it was more pleasant to use blackholing and David said it was.

B3. Arbor 2010 Infrastructure Security Report - Darren Anstee, Arbor Networks

The presentation is available at:
http://ripe62.ripe.net/presentations/88-Darren-Anstee-AA-RIPE-2011-DDoS_Trends.ppt.pdf

Ian Meikle, RIPE Measurement, Analysis and Tools (MAT) Working Group co-Chair, noted that Darren would talk about the ATLAS initiative at the MAT Working Group session.

Wout de Natris, Chair of the Cybercrime Working Party, asked if the rise of DDoS attacks was down to criminal or political reasons.

Darren said he was not sure. He thought there might be a fair mixture of both, but he said people could look and draw their own conclusions.

Wout said he attended a meeting on botnets, where it was noted that attacks from mobile devices were not a problem yet. He asked if this was becoming a problem.

Darren said more attack traffic was coming from mobile devices. He said Symantec had seen a growth in malware targeted at smart devices and it was probably only a matter of time before attacks were seen coming from smart devices.

Wout asked if Darren had tips for developing countries.

Darren said diagnostic ACLs and flow tools could be used if these countries did not want to use commercial products to detect DDoS attacks.

Daniel Karrenberg, Chief Scientist at the RIPE NCC, asked whether, for the Port 53 attacks, there was any differentiation between attack traffic consisting of queries and attack traffic consisting of responses.

Darren said there was not.

Daniel asked for more details, saying it would be interesting to see how the relative proportion was reflected in the attacks. He said he suspected a fair amount of reflection was going on.

Darren said he would be asking what people wanted to see from the Atlas initiative, and he said this is one area they would be looking at.

Paul Germano, Google, asked if the data received was just megabits per second and Darren said this was indeed the case.

C. Policies

Abuse Contact Management Task Force

Brian said that the three proposals (2010-08, 2010-09 and 2010-10) that were presented at RIPE 61 were withdrawn and that the Abuse Contact Management Task Force was formed to look at the issues or concerns in the three proposals. Brian gave an update from the task force, which is available at:

http://ripe62.ripe.net/presentations/218-acm_tf_ripe62.pdf

Brian asked if there were any questions. There were no questions, and Brian took this to be approval to continue with the work of the task force.

D. Interactions

D1. Working Groups

Brian said the Database Working Group was the one the Anti-Abuse Working Group interacted with the most. He said that the main interaction with that group currently was concerned with the work of the Abuse Contact Management Task Force.

D2. Cybercrime Working Party Update - Wout de Natris

(No presentation was uploaded)

Wout de Natris, Chair of the Cybercrime Working Party (CCWP), described the meetings he attended and presented at on behalf of the CCWP. He said that the main area the CCWP was looking into was training law enforcement agencies (LEAs) on the use of tools and databases that would help them in their work. He said a template for information requests would be created to send requests to the RIPE NCC. He said a list of LEA contacts would enable LEA officials to easily contact each other and share experiences. He said LEAs would look at coming up with a list of topics that they would want to discuss with the RIPE community.

Wout asked the RIPE community what it would like to discuss with LEAs. He said people should bring issues to the CCWP if they wanted clarification from LEAs.

Wout concluded by noting that the CCWP was making progress, and he reiterated that the process was a two-way street. He said LEAs could use the group to bring forward their concerns and the RIPE community could do likewise.

Frank Salanitri, APNIC, said APNIC’s IRT object contact address received up to 30,000 abuse mails and that it was impossible to check these on an individual basis. He suggested they might be used for IP reputation services. He said, potentially, they could show the most abused allocations and the countries the abuse came from. He said this information could be logged in a database that could be made available to researchers.

Wout asked if APNIC had contacted the Australian and New Zealand active anti-spam LEAs.

Pablo Hinojosa, APNIC Public Affairs Officer, said APNIC was corresponding with these groups and was actively looking for ways to increase cooperation.

D3. RIPE NCC Government/LEA Interactions Update

Brian said a number of things have happened to give encouragement to RIPE and the RIPE NCC’s interactions with LEAs. He said the engagement of LEAs with the RIPE community has increased, and they have shown a greater understanding of the issues at hand. He said LEAs recognised the need to keep a good registry database.

Brian said LEAs were happy with RIPE Policy Proposal 2010-06 on registration of IPv6 in the RIPE Database.

He said the RIPE NCC procedural document, ripe-517, on closure and deregistration of LIRs was a positive step because it reduces the ability to abuse mechanisms there.

Brian added that they also talked about what is likely to happen following the exhaustion of the IPv4 address pool. He said interaction with both LEAs and government agencies would continue.

Brian noted that there are issues being discussed on the RIPE Address Policy Working Group mailing list that the Anti-Abuse Working Group should look at. He said the RPKI discussion should be of particular note and he asked everyone to pay close attention to these issues.

X. AOB

There was no other business to attend to. Brian asked for items for RIPE 63. He noted that Tobias would talk about the best common practice documents at RIPE 63 and he promised to have those documents posted to the mailing list. Brian thanked the attendees and said he looked forward to the next meeting in Vienna.

Recordings of all presentations and discussion in the RIPE Anti-Abuse Working Group session at RIPE 62 are available at:
http://ripe62.ripe.net/archives#Thursday