Security Working Group Minutes RIPE 90

Tuesday, 13 May 16:00 - 17:30 (UTC+1)

Chairs: Brian Nisbet, Markus de Brün, Tobias Knecht

Scribe: Ed Shryane

Status: Draft

The recordings and presentations are available at:

https://ripe90.ripe.net/programme/meeting-plan/security-wg/

The stenography transcript is available at:
https://ripe90.ripe.net/archives/steno/22/

A. Administrative Matters

Brian opened the session, co-chairing with Markus de Brün; Tobias was absent from this session.

The minutes from RIPE 89 were approved.

B. Update

B.1. Recent List Discussion

Brian asked the community for more discussion on the new security WG mailing list.

B.2. RIPE NCC LEA Transparency Report & Activities
Dick Leaning, RIPE NCC

The presentation is available at: https://ripe90.ripe.net/wp-content/uploads/presentations/58-LEA-engagement-RIPE90.pdf

Dick Leaning from the RIPE NCC talked about the transparency report the RIPE NCC published recently, and how the RIPE NCC will engage with law enforcement on behalf of the RIPE NCC membership. Many of the requests the RIPE NCC receives are for information that the organisation does not have. LEA guidelines have been added to a new Trust Portal website, which explains who the RIPE NCC is and what we do for LEAs. He asked for input from the community on content to add to the Trust Portal.

An audience member asked how e-evidence will be accounted for. Richard replied that it’s on the radar, the Legal department was looking into it and there would be an analysis published at the end of the year. The RIPE NCC was following progress and was already involved in the discussions.

Michele Neylon, Blacknight, requested that the RIPE NCC train law enforcement on how to read Whois records. He said he gets requests for public information. He also asked that law enforcement change which of the vendors they are using for getting data, as they get abuse reports from the wrong contacts. Richard replied it’s something the NCC will look into this year on the educational side, and he has spoken with law enforcement on this matter in the past.

There were two questions online from Robert Scheck, ETS GmbH, asking what kind of information about RIPE Atlas probes had been requested by law enforcement. Athina Fragkouli, Legal Counsel at the RIPE NCC replied that it was about information either the RIPE NCC did not have, or was publicly available already. Another question asked whether the NCC enforces inbound and outbound encrypted emails while communicating with lea@ripe.net. Richard replied that it was not enforced, but they do verify the request is from a legitimate law enforcement agency.

Athina Fragkouli later corrected what she said about the Atlas probe request: it was a mixture of a request for public and non-public information that the RIPE NCC did not have, but it was categorised as a request for non-public information in the transparency report. In the end, the RIPE NCC only provided the public information.

C. Policies

No policies for discussion.

D. Interactions

D.1. Europol Capacities and Effort Supporting Law Enforcement Against Cybercrime

Emanuele Iovini, Europol

The presentation is available at: https://ripe90.ripe.net/wp-content/uploads/presentations/11-Europol-EC3-IOVINI-Emanuele-RIPE90-presentation-13-May-2025.pdf

Emanuele Iovini works at the European Cyber Crime Centre at Europol, in the Prevention and Outreach team. He explained what the team does at Europol, what they want to do, and their goals. The Centre was set up by Europol to strengthen the law enforcement response to cybercrime in the EU. He highlighted the importance of public and private partnership, and that they cannot tackle cybercrime if we don’t work together. He asked for questions and ideas on partnership and cooperation.

Michele Neylon, Blacknight, said that he did not find the presentation particularly helpful. He said he found it aggressive and anti-network operator. Also, he saw cooperation framed here as a number of laws which they would have to conform with. Emanuele replied that they needed to find the right balance between freedom and fighting crime. As law enforcement they are the helper, they wanted to tackle the offender and did not want to block people’s freedom.

Lee Kent, beIN Media Group, commented that he agreed the presentation was quite heavy handed, and that a softer approach could be taken. He made a point that information held by operators needs to be better, and that would help law enforcement identification, and also help operators so they are not bombarded by unnecessary requests for information that they don’t have. He was excited to hear Dick’s presentation in regard to educating law enforcement about what information registries and operators hold, and that would be a big step forward, and sees that as good cooperation between the two different sides of the Internet. Also, he noted that law enforcement needs to understand how the Internet works.

Alex de Joode, AMS-IX, suggested that the laws and regulations mentioned in the presentation would not solve the problem. For example, resellers who are located outside the EU don’t have a reason to register or answer questions about their customers. Emanuele replied that they wanted to tackle the problem one at a time, starting with information in Europe.

Finally, Ruediger Volk replied that as network citizens the attendees were already aware of the problems talked about. He said what was missing was the constructive part of the discussion, which was to facilitate cooperation. He asked who he should be cooperating with in Germany. He didn’t see that suggestion in the presentation, and that needs to be worked on. He asked if there was anything on the Europol website to find that information. Emanuele replied that it’s important to start the cooperation and to meet in the middle. Brian Nisbet replied that in Ireland, the advice is to go to the local police station.

E. Presentation

E.1. INFERMAL: Inferential Analysis of Maliciously Registered Domains

Samaneh Tajali, ICANN

The presentation is available at: https://ripe90.ripe.net/wp-content/uploads/presentations/68-infermal-RIPE90.pdf

Samaneh is the Director of Security Research at ICANN. She presented on the INFERMAL research project, which has two aims: to look into attackers’ preferences when it comes to domain name abuse and what the factors driving malicious activity are. The research showed there is a weak but positive relation between the price of a domain and the odds of it being abused. There was a much stronger correlation between discounts offered for registration and abuse. There was 50% more abuse if there was a registration discount. She invited discussion on key factors driving malicious domain registration from the attackers’ perspective.

Andrei Robachevsky, Global Cyber Alliance, asked whether the methodology used allows for periodic generation of the table data used in the presentation. Samaneh replied that the data and the methodology were published and can be used to regenerate the data. Secondly, Andrei asked whom they foresaw the study impacting. Samaneh replied that the study was requested by the ICANN community because they were interested in knowing what they should be looking into. This was the initial result and it was up to the community to decide where they wanted to put importance and possibly actions or discussions into the next phase of the study. She said they were looking forward to input on what the community wanted next.

Yuanyuan Zhou, University College London, asked what the aim of the model was, and whether classification was done to identify benign or malicious registrations. Samaneh replied that the goal was not to classify the data because they already used labelled data. Another question was how they selected features. Samaneh said that the selection drew on previous literature that suggested their importance, the ICANN community, which discussed the topic at length, and finally their own expert opinion.

Andrew Campling, 419 Consulting Ltd, said that Know Your Customer was a really helpful tool to discourage malicious registration and it was good to see that had come up in the research as well. He also mentioned that the DNS research foundation publishes a range of tables that show abuse by TLD and by registrar, which might encourage the community to take action and address their shortcomings. He suggested that visibility would drive up the bar of behaviour.

E.2. Identification and abuse characteristics of batch registered gTLD domains

Sam Cheadle, ICANN

The presentation is available at: https://ripe90.ripe.net/wp-content/uploads/presentations/65-RIPE_presentation_v1.1.pdf

Sam Cheadle is a Machine Learning Engineer at ICANN and presented on domain registration batches and how to identify them. He looked at how common batch registrations were and what the abuse profiles were of batch registered domains. Attackers often register domains in bulk, he noted. They have a preference to use APIs or bulk registration tools. He talked about how APIs introduce detectable patterns and understanding these patterns enables more effective detection, intervention and mitigation.

Jim Reid, rtfm LLP, asked how they could do something about this problem that’s going to have a meaningful impact. His question for ICANN and the community was what were they going to do with the data. Sam replied the analysis was at quite an early stage and they were validating the method. Once the community was happy with the results, he thought the idea of incentivising registrars, by maybe publishing results, was the direction it was going to go, but they would have to make sure they have a solid algorithm and background analysis. Jim replied he thought that there would be a game of whack-a-mole where the bad guys would move to another registrar and they’ll be doing this forever.

Sebastian Castro, dot ie, asked how quickly they do the analysis. Sam replied that he didn’t describe the timeframe of the data collection; they were looking at other data streams such as CT logs, but they were trying to speed up the detection. Sebastian then asked if there were other ccTLDs on the list. Sam confirmed that all of the results were for gTLDs.

Greg Choules, ISC, commented that publishing was giving the bad guys a way to avoid detection.

Andrew Campling, 419 Consulting Ltd, asked to add friction to make it harder, and to act on it. He said that research from the last ESR meeting was able to identify DGA registration which possibly ties in with the batches, and these two pieces could be linked together in future. Sam agreed and said there was a stronger link between abuse rates and those batches with DGA properties.

Alistair Woodman, NetDEF, suggested instigating a transactional tax to cover the cost of mitigation of this type of process.

X. A.O.B.

No AOB.

Z. Agenda for RIPE 91

No agenda items were set for RIPE 91.

Actions for RIPE NCC

None