RIPE 73 Anti-Abuse Working Group Minutes

Minutes from the Anti-Abuse Working Group session at RIPE 73 in Madrid.

Thursday, 27 October 2017, 12:00 - 13:30
WG Co-Chair: Brian Nisbet
Scribe: Marco Hogewoning, RIPE NCC
Status: Final

Brian welcomed everybody and apologised on behalf of Tobias Knecht, his co-chair, who unfortunately could not join due to attending a MWAAG meeting, which unfortunately overlapped with the working group.

Minutes for RIPE 72 and the meeting's agenda where both approved

The agenda is available at

B2. Definition of Abuse

Brian introduced the recent list discussions and explains he is not going to represent any of the ideas. Unfortunately there was nobody available to talk about the recent discussion on the definition of "abuse".

Brian reminded the working group about the RIPE Meeting Code of Conduct and mailing list etiquette in relation to the recent discussions.

Brian opened the floor for any comments regarding the recent discussions, he explained he will contact the proposer to see how he wants to move forward and if there is consensus in the group to see if this can be made into a RIPE Document.

Brian mentioned that he felt the questions concerning RIPE NCC contracts had been answered and considered the discussion closed.

Peter Koch (DENIC) asked about the chances of reaching consensus on the definition of Abuse.

Brain said he didn't think there is, but his role as chair is to explain and guide people to the process.

C. Policies

Brian mentioned Policy proposal 2016-01 had been withdrawn, and explained that it is difficult to apply policy to legacy resources. Brian said he did not think the anti-abuse working group is the place to discuss the meta question on this topic and referred the work to other working groups.

D1. Working Groups

Brian said there had been no recent interactions with other working groups. Some information regarding abuse handling has been supplied to Database WG upon their request, but no follow ups have been made since then.

D2. RIPE NCC Presentation: “What information we will and won't reveal” - Athina Fragkouli, RIPE NCC

The slides for this presentation are available from

Alexander Isavnin (The Open Net) asked whether the Dutch law differentiates between members and non-members, as for members information is internal to the organisation.

Athina explained that information about a particular member would not be disclosed to other members and the evaluation is done on the basis of security and privacy considerations alone.

Peter Koch (DENIC) wondered if the presentation in this working group was reaching the right audience and asked if Athina could explain what she meant with “abuse by members”.

Athina answered these are are cases of fraud or misguiding the RIPE NCC by a member.

Peter further asked if a single incorrect object in the RIPE Database would be considered abuse.

Athina referred to the procedures to close down an LIR, which contains thresholds on this.

#E1. Europol EC3 Presentation - Gregory Mounier

The for this presentation are available at

Following the presentation, Brian advised Gregory to engage with other working groups and the broader community on this topic.

Dmitry Burkov raised some concerns that law enforcement agencies across the globe have different interpretations and for instance there was still some pressure on ICANN to become a “network police”.

Gregory answered that some countries having different standards should not prevent the RIPE NCC from doing something, but that he was very careful in not trying to put the RIRs in the role of network police.

Dmitry said it was not the RIPE NCC's role to be involved in national legislative processes.

Tim Armstrong in a personal note mentioned he was concerned about extending the liability for the operators and enforcing the proposed measures might be difficult.

Gregory said those were valid concerns.

Alexander Isavnin (The Open Net) stated RIPE NCC was not an enforcement agency and asked for statistics on the amount of cases as presented by Greg.

Gregory responded that they already had a discussion about this and finding such information is very hard, but they will try.

Sascha Luck (remote) asked if the police already had issues unraveling the network of relationships, how an ISP would be expected to do that job.

Gregory stated it was not his intend to have ISPs to police work.

Wolfgang Tremmel raised a concern that often commercial reasons would prohibit the publication of customer data, companies being afraid to disclose information to their competitors.

Gregory pointed out the data is already there, but wrong.

Hans Petter Holen (RIPE Chair) agreed with Gregory that the policies were already in place and that the community was just bad at following up. He said that there wasn't much policy needed, but the community should discuss how to meet their own goals and objectives.

Nick Shorey (UK, DCMS) said the proposal is not asking for anything new and the community is already doing a great job. The big issue being the timeliness of keeping data up-to-date. He further stated that liability was not an issue.

Max Tuylev (Netassist) asked if there were any plans to validate database changes ex-ante.

Andrew de la Haye (RIPE NCC) responded there were no such plans, but this could be discussed in the Database Working Group.

Brian closed the discussion with a call for volunteers to help Gregory with drafting his proposal.

E2. Website-Targeted False Content Injection by Network Operators - Gabi Nakibly

The slides for this presentation are available at

Sergey Gorinsky (IMDEA Networks Institute) asked whether the injections should be considered abuse or just as a business model

Gabi responded that any action to alter traffic in transit should be regarded as illegal.

Sergey further asked Gabi to clarify what the non-edge ISPs were he mentioned.

Gabi responded those were any ASN that was in the path of the packet.

Max Tuliev (Netassist) mentioned that the same injections could also be performed using BGP hijacks to reroute traffic. He further asked in which countries the problem as described by Gabi was illegal.

Gabi acknowledged the BGP hijack scenario, but mentioned it was hard to filter those out. He said most incidents were observed in China and he had no knowledge of the legal situation there.

Will van Gulik (IP-max) mentioned he observed injections being done by the HTTP daemon and that transport layer encryption would not protect against those attacks.

X. A.O.B.

Brian mentioned that unfortunately there was no time to address the elephant in the room, denial of service attacks, at this meeting and suggested to make some time for that during RIPE 74.

Brian thanked everybody for their attendance and closed the meeting.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum