[anti-abuse-wg] Draft Minutes: AA-WG Session at RIPE 71

Colleagues,

Here are the draft minutes for the AA-WG session at RIPE71. If you would 
like anything to be removed, corrected or added, please let me know.

In the meantime I would like to wish you all a very Merry Christmas or 
other happy and joyous sentiments as appropriate.

I look forward to working with you in the 2016!

Brian
Co-Chair, RIPE AA-WG

Anti-Abuse Working Group Draft Agenda
Thursday, 19 November 11:00 - 12:30

A. Administrative Matters [5 min]
     •    Welcome
     •    Scribe, Jabber, Stenography
     •    Microphone Etiquette
     •    Approve Minutes from RIPE 70
     •    Finalise Agenda
   B. Update [15 min]

•    B1. AA-WG Chair Matters

Tobias was accepted to continue as co-chair.

  •    B2. Recent List Discussion

- Foreign/Undelegated Route Objects (see section C) - no comments
- Data Verification & abuse-c contact methods - no comments
- LIR Contract Discussions - no comments - Brian has asked the RIPE NCC 
for more info on the claims that RIPE NCC is party to End User contracts.
- Sources of Abuse Contact Info Document - no comments


C. Policies [0 min]

- Foreign objects in the RIPE DB - Brian encouraged the group to 
participate in the discussions taking place in the Database Working 
Group (DB-WG).

D. Interactions [20 min]

  •    D0. Richard Leaning (RIPE NCC) will work on extending Law Enforcement
engagement

  •    D1. Update on RIPE NCC Security Outreach Activities - Mirjam Kühne
https://ripe71.ripe.net/presentations/5-SecurityUpdate4RIPE71.pdf


Sean Turner (IECA) asked whether the work between ICANN and the RIRs on 
IP and Whois accuracy and due diligence public safety has started yet, 
as per the ICANN meeting minutes. Marco Hogewoning (RIPE NCC) confirmed 
that RIPE NCC is involved with the PS WG.

Hans Petter Holen (RIPE Chair) added that lots of suggestions from ICANN 
meetings come up from misunderstanding existing processes. He suggested 
that they believe we have more problems with Whois accuracy than they do 
with domain names - he thinks it’s the opposite.

Marco confirmed that the RIRs continue to educate where needed.

Mirjam Kühne (RIPE NCC) added that the RIPE NCC is educating and 
engaging on how to use our tools.

Brian Nisbet (AA-WG Chair) commented that the MAAWG meeting was 
surprisingly good and that there was a positive reaction to the 
presentation and the openness of the RIPE Community - the relationship 
continues.

Mirjam reiterated that there is a continued need for more collaboration 
between the two communities.

Peter Koch (DENIC) commented that openness can be a barrier to 
collaboration.

Marco d’Itri (Seeweb) reminded the group of the open invitation from 
MAAWG to RIPE community members to participate.

Mirjam rounded off by adding that if RIPE NCC can help to bridge any 
divide, it is happy to and will continue to.

E. Presentation [45 min]

•    E1. Open Source Abuse Management for Network Operators - Abuse.io 
(Erik Bais)


https://ripe71.ripe.net/presentations/130-AbuseIO-4.0-RIPE71-AAWG-v1.pdf
(Bart Vrancken is on IRC to answer additional questions)

Marco D’Itri asked whether the system process ARF and legacy feedback 
group. Erik confirmed that they do include Spamhaus reports and ARF as 
well. You can also write your own parsers.

Bengt Gorden (Resilans) asked whether it was easy to get your own 
customer database included?

Erik confirmed that they did it manually, but there is an option to do 
lookups in your own administrative environment.

Bart Vrancken (via IRC) confirmed that there is built-in support and 4.0 
support for PHP.

Erik encouraged everyone to look at the website, join IRC and chat with 
Bart.

•    E2. The Traffic Amplifiers Great Hunt - ANSSI (Florian Maury)

https://ripe71.ripe.net/presentations/65-ripe71_antiabusewg_anssi_the_traffic_amplifiers_great_hunt.pdf
   Steve Nash (Arbor Networks) added that another thing people can do is 
to elevate management visibility so that the money becomes available.

Erik Bais (A2B Internet) asked whether the info from the scans has been 
made available?

Florian clarified that they haven’t performed any scans. They used open 
data, which is already available publicly.

•    E3. Helping Network Operators to Bring Down DDoS Sources - ANSSI 
(Markus de Brün)
https://ripe71.ripe.net/presentations/72-DDoS_Open_Services_Cleanup_Germany.pdf

Brian asked whether there is any feeling for when ANSSI would no longer 
consider this to be a problem worth worrying about? Do you ever expect
it to reduce to zero?

Markus explained that the goal is to get as far down as possible and 
that this will take a long time.

Florian Maury confirmed that indeed this would be difficult, but 
reducing the number of available nodes is a short-term action that can 
be taken now. But also longer term actions (such as working on 
anti-spoofing technologies and updating the protocols being used for 
these attacks) can be useful too.

Marco Hogewoning asked what triggered the ISPs into action? Was it the 
outreach or incidents happening?

Markus shared that early on, due to repeated communication, ISPs that 
were not aware of the situation took action.

Mohsen Souissi (AFNIC) asked whether DNS over DNS will ever become a 
full replacement?

Florian suspects that it won’t solve the problem but having DNS over TCP 
will probably help.

Will van Gulik (IP-Max SA) indicated that receiving reports from other 
countries (e.g. France) would be really appreciated.

Markus advised that they only have data for Germany, but perhaps his 
French colleagues would start an action like this.

Florian explained that their data came from worldwide scans, so if you 
provide the prefixes you are interested in we can share.

Brian reminded the room that the Internet has no borders.

Chris Baker added that the shadow serve foundation is available to give 
reports without country restrictions.

X. A.O.B.

Brian mentioned that there is still time to submit a lightning talk for 
tomorrow’s session.

Z. Agenda for RIPE 72