Connect Working Group

[connect-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters

Erik Bais

2021-05-18 21:52:15 CET

Hi,

As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see if there is a way to get a cleaner feed from routeservers on internet exchanges (by default).

As you may know there is a Dutch Anti Abuse Network initiative (AAN) – abuse.nl

The companies associated with AAN have set up and all signed a manifest (in Dutch: https://www.abuse.nl/manifest/) that states that we will all do our best to provide a better and cleaner internet.

As members of the member organisation of the largest Internet Exchange, AMS-IX, we would like to start with the discussion on asking the AMS-IX to filter certain AS numbers from the default routeserver view.
The issue is that even if you don't peer with certain networks directly, the chance is very real that you will receive, or that the other network receives, your prefixes, and that you may not want to peer with those networks.

What we would like to have is an independent way of generating a list with bad hosts (say a top 50) .. (and with our Dutch infrastructure we have a couple on the Dutch infrastructure as well..)

A couple of years ago there was the list of HostExploit .. or one could have a look at the drop-list of SH ..
Personally I would like a proper model with which one can explain why a certain network is listed on a certain list, with a clear method explaining what kind of abuse is noted in the said network.

Topics that should be included in the rating for the list:

  * Phishing (hosting sites / domain registrations)
  * Malware hosting (binaries and C&C's)
  * DDOS traffic (number of amplification devices in the network compared to the number of IP addresses, as a ratio)
  * Login attacks / excessive port scanning
  * Hosting of child exploitation content
  * Infected websites / Zeus botnets
  * Etc.

So yeah, something similar to the Top 50 of the HostExploit ranking .. but HostExploit stopped producing these lists in 2014.

Filtering a top 50 of bad hosters on the routeservers would remove the cheap IXP option for network connectivity at the better Internet Exchanges and provide a way to remove any DDOS traffic via BGP null-routing via transits.
And companies that would still want to peer with a certain network can still do so by a direct peering setup via the IXP infra.

And it will not bring the IXP into a position where it will be asked why it is still offering services to certain parties .. as that might become legally difficult, especially in a membership organisation.

So we don't mind if we take their money as long as we are not forced to peer with them via the routeservers.

Your constructive feedback is highly appreciated.

Regards,
Erik Bais
A2B Internet

Harry Cross

2021-05-19 12:16:39 CET

Hi Erik,
Thank you for your talk yesterday, it was very insightful.

I have an issue with the concept of tagging an entire ASN/IP block with a negative brush, but I suspect this all boils down to how you define a "bad" ISP/IP block and the criteria needed to earn a block/place on the naughty list (back in 2010, there was a very interesting comparison of different blocklists here: https://labs.ripe.net/author/jsq/asn-ranking-correlations-between-spam-blocklists/ but this does refer to purely spam email).

I suppose my major issue with this is collateral damage; for example, say you've got a /24 with shared web hosting servers in there (which instinctively have lots of users on the same IP addresses, with no pre-filtering of content going online). I've seen situations where shared hosting domains with thousands of users have been revoked because one user hosted one malicious binary, and I'd like to be assured that this can't happen here, where one user is the downfall of everyone. I can easily see end-user eyeball ISP support getting confused with this, making unneeded blocks hard to remove.

Thanks

Harry

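Erik's post asks for a model that can explain why a network ends up on the list, and Harry's reply asks that one bad customer in a shared-hosting prefix not sink an entire ASN. The following is an added example illustrating one way to reconcile the two; it is not code from AAN, AMS-IX, or any participant in this thread. The category weights, the listing thresholds, the feed names, the ASNs (private range) and the prefixes (documentation and private ranges) are all constructed for illustration. The score is weighted abusive hosts per 1000 announced addresses, so a small network full of abuse outranks a large one with a handful of incidents, and an ASN is only listed when the evidence is both above a minimum host count and spread over a minimum fraction of its prefixes; otherwise the affected prefixes are reported for prefix-level handling. Every listing carries the categories, host counts and source feeds behind it.

```python
"""Explainable ASN abuse ranking (added example; sample data is constructed)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed per-category weights: the thread names the categories, not weights.
CATEGORY_WEIGHTS = {
    "phishing": 1.0,
    "malware_hosting": 1.5,
    "ddos_amplifier": 0.5,
    "login_attacks": 0.5,
    "csam": 5.0,
    "infected_site": 1.0,
}


@dataclass(frozen=True)
class Observation:
    """One piece of evidence from a named feed, tied to the prefix it was seen in."""
    asn: int
    prefix: str
    category: str
    hosts: int      # distinct abusive hosts seen in that prefix
    source: str     # feed name, so a listing can be traced back to its evidence


@dataclass(frozen=True)
class Network:
    asn: int
    name: str
    prefixes: tuple  # prefixes the ASN announces (constructed)


def address_count(prefixes):
    """Number of addresses covered by the announced prefixes."""
    return sum(ip_network(p).num_addresses for p in prefixes)


def score_network(net, observations, min_hosts=10, min_prefix_fraction=0.25):
    """Return (score, explanation); score is 0.0 unless the ASN is listed."""
    mine = [o for o in observations if o.asn == net.asn]
    total_addrs = address_count(net.prefixes)
    per_cat = {}
    for o in mine:
        entry = per_cat.setdefault(o.category, {"hosts": 0, "sources": set()})
        entry["hosts"] += o.hosts
        entry["sources"].add(o.source)
    affected = sorted({o.prefix for o in mine})
    total_hosts = sum(e["hosts"] for e in per_cat.values())
    spread = len(affected) / len(net.prefixes) if net.prefixes else 0.0
    weighted = sum(CATEGORY_WEIGHTS.get(c, 1.0) * e["hosts"] for c, e in per_cat.items())
    density = weighted / total_addrs * 1000 if total_addrs else 0.0
    # Listing needs enough evidence AND abuse spread over the ASN, not one prefix.
    listed = total_hosts >= min_hosts and spread >= min_prefix_fraction
    verdict = "list ASN" if listed else ("prefix-level only" if mine else "clean")
    explanation = {
        "asn": net.asn,
        "name": net.name,
        "announced_addresses": total_addrs,
        "abusive_hosts": total_hosts,
        "prefixes_affected": affected,
        "prefix_fraction": round(spread, 2),
        "categories": {c: {"hosts": e["hosts"], "sources": sorted(e["sources"])}
                       for c, e in per_cat.items()},
        "verdict": verdict,
    }
    return (round(density, 3) if listed else 0.0), explanation


def rank(networks, observations, top_n=50):
    """Listed ASNs only, highest density first, each with its explanation."""
    scored = [score_network(n, observations) for n in networks]
    scored.sort(key=lambda s: s[0], reverse=True)
    return [s for s in scored if s[0] > 0][:top_n]


# Constructed sample data (private ASNs, documentation/private prefixes).
NETWORKS = (
    Network(64500, "dense-abuse-example", ("198.51.100.0/24", "203.0.113.0/24")),
    Network(64501, "shared-hosting-example",
            ("10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16", "10.40.0.0/16")),
    Network(64502, "clean-example", ("10.50.0.0/16",)),
)
OBSERVATIONS = (
    Observation(64500, "198.51.100.0/24", "phishing", 30, "feed-a"),
    Observation(64500, "203.0.113.0/24", "malware_hosting", 20, "feed-b"),
    Observation(64500, "198.51.100.0/24", "ddos_amplifier", 40, "feed-c"),
    # One malicious binary on one shared-hosting box: Harry's collateral case.
    Observation(64501, "10.10.0.0/16", "malware_hosting", 1, "feed-b"),
)

if __name__ == "__main__":
    for score, why in rank(NETWORKS, OBSERVATIONS):
        print(score, why)                    # only AS64500, score 156.25
    for net in NETWORKS:
        print(net.asn, score_network(net, OBSERVATIONS)[1]["verdict"])
```

With this data AS64500 is listed at 156.25 weighted hosts per 1000 addresses with all three feeds cited, AS64501 is reported as "prefix-level only" because a single host in one of four /16s meets neither threshold, and AS64502 is clean. Operators could then apply the ASN list to the default routeserver view while handling prefix-level findings with the customer directly.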

Thomas King

2021-05-19 13:10:14 CET

Hi Erik,

This is a vital topic! You focused a bit on the Dutch community. However, I think it is globally significant.

We at DE-CIX are very active in reacting to abusive peers on our IXPs. We have disconnected peers who were (repeatedly) not obeying the law or the DE-CIX Terms and Conditions. I gave a talk about what DE-CIX does in this regard during RIPE75 (https://ripe75.ripe.net/archives/video/103/).

Disclaimer: I am not a lawyer.

The European telecommunication law does not allow IXPs to look into peers' traffic on the application level (for a good reason, I believe). So, we do not know if a peer hosts malware or is sending out spam only. DE-CIX is only allowed to look into the operational data (e.g., Route or ASN hijacks) or behavior (e.g., unwanted traffic due to static routes on the Peering LAN). Based on this information, DE-CIX is acting.

I am highlighting this because I see issues if IXPs (or carriers and transit providers) are used as central infrastructure to filter data due to information they cannot verify or generate. Just think about the central DNS filtering and censoring discussion we had on a European level to stop certain abusive and harmful Internet services from being accessible.

Best regards,

Thomas

-- 

Dr. Thomas King
Chief Technology Officer (CTO)
DE-CIX Management GmbH | Lindleystraße 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net |
Phone +49 69 1730902 87 | Mobile +49 175 1161428 | Fax +49 69 4056 2716 | thomas.king _at_ de-cix _dot_ net |
Geschaeftsfuehrer Harald A. Summa and Sebastian Seifert | Registergericht AG Koeln HRB 51135
DE-CIX 25th anniversary: Without you the Internet would not be the same!
Join us on the journey at https://withoutyou.de-cix.net

