
Security Working Group Minutes RIPE 92

Tuesday, 19 May 2026 16:00 - 17:30 (UTC +1)

Chairs: Tobias Knecht, Brian Nisbet, Markus de Brün

Scribe: Ed Shryane

Status: Draft

The recordings and presentations are available at:

https://ripe92.ripe.net/programme/meeting-plan/sessions/79/

The stenography transcript is available at:

https://ripe92.ripe.net/programme/meeting-plan/sessions/79/transcript/

Security WG RIPE 92 Intro

Brian Nisbet welcomed everyone to the WG session. The minutes from RIPE 91 were approved as there were no comments.

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/E8PQP9/resources/Security_WG_RIPE_92__BWezegx.pdf

LEA report 2025 and eEvidence implementation

Franca Bosompim, RIPE NCC

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/HLSCFD/resources/RIPE_92_-_LEA_REPORT_jgCODTI.pdf

Presentation on the RIPE NCC’s LEA report 2025 and the implementation of eEvidence regulation.

Franca, Senior Legal Counsel for the RIPE NCC, presented the 2025 LEA transparency report. In 2025, the RIPE NCC received 99 requests from LEAs, eight of which were binding requests from Dutch LEAs. Most requests came from France and the U.S.

Dick Leaning, RIPE NCC, came on stage to expand further on the LEA Transparency report. The RIPE NCC’s Learning and Development department provided training to 700 LEA staff and the goal is for LEAs to make requests which are in scope as this saves time for them and for the RIPE NCC.

Next, Franca moved to the e-evidence package, which is due to be transposed into Dutch law in 2027. This consists of the e-evidence regulation and directive. The regulation applies to the RIPE NCC, because it offers IP numbering services in the EU.

Subscriber data is e-evidence data that applies to the RIPE NCC. Traffic data or content data is not held by the RIPE NCC, because it doesn’t provide communication services. IP addresses are not explicitly included in the regulation, but are covered as part of subscriber data. The RIPE NCC has objection rights to an order in certain cases. Requests must be kept confidential, and members are not notified of an order.

Alex de Joode, AMS-IX, said that Brussels had an opinion that the starting date would be 18 August, and if the Dutch were not ready, the RIPE NCC would also not be given extra time.

Leo Vegoda, PeeringDB, asked about the confidentiality requirement and whether reports would be added to future transparency reports.

Franca said that the RIPE NCC were investigating and would reply to the mailing list.

Alex de Joode further clarified that the number of reports was not confidential, but the RIPE NCC would not yet know what exactly they would be allowed to report.

Residential Proxies and Infecting Infrastructure Working Session

Leslie Daigle

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/J7DTZA/resources/Residential_Proxies__3NNJTl2.pdf

Leslie Daigle summarised a Global Cyber Alliance roundtable on the growing challenge of residential proxies and infected infrastructure. Attack traffic has increased significantly since October 2024, with residential proxies making malicious activity difficult to detect and mitigate. Participants agreed that traditional IP-blocking approaches did not scale, particularly with the widespread use of carrier-grade NAT. The workshop identified control-plane mitigation as a more promising approach, with next steps including a report outlining concrete actions and the development of a pilot project.

Merike Kaeo, Co-chair of the NetSec Working Group, said they have been working on this topic for the past six to eight months, and that it would be useful to collaborate with FIRST, and ISPs globally who were part of that initiative and discussion.

Stephen Farrell, Trinity College Dublin, asked which major AI companies were the largest funders.

Leslie replied that she was not going to name them, but there were attempts to circumvent blocks on large-scale scraping of content.

Nils Trampel, University of Chemnitz, pointed out there was also an intentional use of residential proxies by users who sell their bandwidth, and they saw some abuse in a university setting from someone who unintentionally informed them of this use, and asked for more research into this.

Leslie agreed and asked what one does with this information once identified.

Brian Nisbet replied that such services would break AUPs of Universities or other clients of most National Research & Education Networks.

Lee Kent, beIN

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/QQVGMV/resources/The_Moving_Parts_of__XYdiZLk.pdf

Lee Kent from beIN gave an update on what they have been doing over the past 12 months and some of the research they had taken on board.

Non-compliant content providers cause a significant issue for rights holders. As part of that ecosystem they looked at the hosting infrastructure. By non-compliance they meant no response to email or no action to comply with takedown requests from copyright owners. They have narrowed this down to a small group of operators.

He provided a breakdown of different types of hosted content, in which live TV streaming was fairly far down the list at 3%; the majority of hosted content was phishing, malicious use and malware. beIN wanted legal clarity on the obligation of hosting providers to take down live content in real time.

On top of the Digital Services Act, the EU was looking at a number of options to mitigate these risks. Live piracy of audiovisual content is a critical issue. They are looking for collaboration and help across the Internet ecosystem.

There were no questions or comments.

The €30 attack box: inside the Android TV botnet ecosystem

Jérôme Meyer

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/7AETZG/resources/RIPE_92_-_Nokia_Deep_T2jCpjR.pdf

Jérôme Meyer, a security researcher at Nokia, examined the rise of Android TV-based botnets and residential proxies, which now play a major role in large-scale DDoS attacks. He explained that low cost Android TV devices often arrive already compromised, allowing attackers to build botnets that can generate terabit-scale attacks and provide access to residential networks. Meyer stressed that operators should look beyond attack traffic and focus on detecting command-and-control activity. He concluded that network-edge disruption can be effective, but requires coordinated action from operators.

Lutz Donnerhacke, IKS Service GmbH, said that they had an ISP running numerous NAT devices and have had the same problems. They noticed that their devices were being broken, and they looked for outgoing packets without an active connection and generated statistics, which helped them track down devices in customer networks. He said he is interested to hear from others on how they detect such devices.

Jérôme replied that they have observed that a lot of proxy exit nodes were very chatty and had a lot of long-lived TCP connections, and that a combination of these two behaviours was a good way to detect proxy nodes.

Victor Guerrero, VGS, said they were suffering this on the server side. They had a large customer base and they had begun to see large traffic coming from Brazil since last August.

They blocked traffic from America but then the attacks started to come from Africa. He asked for ideas on how to detect this pattern before it hits the server. He said they could block traffic once there was at least one ping to the server and they were not attacking the infrastructure, but the server. He added that it can generate requests from 30,000 IPs in less than 5 minutes. He said it was impossible to deal with that in an effective way, and that he was open to ideas.

Jérôme replied that they should not single out Brazil: although it was the top source of traffic, the traffic was really coming from everywhere. It was trivial to rotate between tens of thousands of IP addresses and there had been efforts to characterise the traffic that was proxied through those nodes. He added that there may be a way to have a signal do some detection.

Trust but Verify: An Assessment of Vulnerability Tagging Services

Szu-Chun Huang, TU Delft

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/PKWTAR/resources/20260519_RIPE-SzuChu_vq1HsEn.pdf

Szu-Chun Huang presented research evaluating the accuracy of three Internet vulnerability tagging services. The study compared reports against independent vulnerability scans and controlled testing using intentionally vulnerable systems. The results revealed significant discrepancies between the services, raising concerns about the completeness and reliability of vulnerability reports used to assess Internet security risks.

There were no questions or comments.

Security WG RIPE 92 Outro

Brian Nisbet

The presentation is available at:
https://pretalx.ripe.net/media/ripe-92/submissions/3DE9KC/resources/Security_WG_RIPE_92__LBialY1.pdf

A.O.B.

There was no other business.

Agenda for RIPE 93

Brian then closed the session and encouraged the audience to use the Security Working Group mailing list for discussion.