Re: [anti-abuse-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters

2021-05-19 Thread Erik Bais
Hi Thomas,

Thank you for your reply and insight.

I’m not asking for IXPs to look into the traffic. I’m looking for a top 50 list 
of bad hosts that is generated in a way that we as a community would feel 
comfortable with as a start.
Use that top 50 list as the ASN filtering, to get to a way of clean internet 
for the default route server customer (secure by design / default).

If that customer would like to receive the unfiltered option, they could set 
that via the IXP portal in their member account and receive the unfiltered 
view. Or set up direct peerings.

It is already possible to do this for someone if they know how to do it, via 
BGP communities or RPSL in the RIPE DB.
But the problem is that the list might not get updated, and it is easier to 
do this for the whole group with regular updates, without reconfiguring all 
routers on a peering LAN.

As we are now talking about this in the Dutch community, it should be possible 
to push this also to other regions .. and it should be open for everyone to see 
why they would be listed and what the qualifiers are that they are there …

That way we can avoid the real bad hosts picking out an internet exchange that 
doesn’t support filtering on this, just so they can push their bad packets into 
some networks.

Regards,
Erik Bais

From: anti-abuse-wg on behalf of Thomas King
Date: Wednesday 19 May 2021 at 13:14
To: Erik Bais, "connect...@ripe.net", "anti-abuse-wg@ripe.net"
Subject: Re: [anti-abuse-wg] Input request for system on how to approach abuse 
filtering on Route Servers - bad hosters

Hi Erik,

This is a vital topic! You focused a bit on the Dutch community. However, I 
think it is globally significant.

We at DE-CIX are very active in reacting to abusive peers on our IXPs. We have 
disconnected peers who were (repeatedly) not obeying the law or the DE-CIX 
Terms and Conditions. I gave a talk about what DE-CIX does in this regard 
during RIPE75 (https://ripe75.ripe.net/archives/video/103/).

Disclaimer: I am not a lawyer.

The European telecommunication law does not allow IXPs to look into peers' 
traffic on the application level (for a good reason, I believe). So, we do not 
know if a peer hosts malware or is sending out spam only. DE-CIX is only 
allowed to look into the operational data (e.g., Route or ASN hijacks) or 
behavior (e.g., unwanted traffic due to static routes on the Peering LAN). 
Based on this information, DE-CIX is acting.

I am highlighting this because I see issues if IXPs (or carriers and transit 
providers) are used as central infrastructure to filter data due to information 
they cannot verify or generate. Just think about the central DNS filtering and 
censoring discussion we had on a European level to stop certain abusive and 
harmful Internet services from being accessible.

Best regards,
Thomas

--
Dr. Thomas King
Chief Technology Officer (CTO)

DE-CIX Management GmbH | Lindleystraße 12 | 60314 Frankfurt am Main | Germany | 
www.de-cix.net |
Phone +49 69 1730902 87 | Mobile +49 175 1161428 | Fax +49 69 4056 2716 | 
thomas.k...@de-cix.net |
Geschaeftsfuehrer Harald A. Summa and Sebastian Seifert | Registergericht AG 
Koeln HRB 51135




From: connect-wg (connect-wg-boun...@ripe.net) On Behalf Of Erik Bais
Sent: Tuesday, 18 May 2021 21:52
To: connect...@ripe.net; anti-abuse-wg@ripe.net
Subject: [connect-wg] Input request for system on how to approach abuse 
filtering on Route Servers - bad hosters

Hi,

As I asked during the Connect WG today, there are discussions currently going 
on in the Dutch network community to see if there is a way to get a cleaner 
feed from routeservers on internet exchanges. ( by default )

As you may know there is a Dutch Anti Abuse Network initiative (AAN): 
abuse.nl

The companies associated with AAN set up and all signed a manifest (in Dutch: 
https://www.abuse.nl/manifest/) that states that we will all do our best to 
provide a better and cleaner internet.

As members of the member organisation of the largest Internet Exchange, AMS-IX, 
we would like to start the discussion on asking the AMS-IX to filter certain AS 
numbers from the default route server view.
The issue is that even if you don’t peer with certain networks directly, the 
chance is very real that you will receive their prefixes, or that the other 
network receives yours, and that you may not want to peer with those networks.

What we would like to have is an independent way of generating a list with bad 
hosts (say a top 50) (and with our Dutch infrastructure we have a couple on the 
Dutch infrastructure as well).

A couple of years ago there was the list of HostExploit, or one could have a 
look at the drop-list of SH.
Personally I would like a proper model that one c

Re: [anti-abuse-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters

2021-05-19 Thread Ángel González Berdasco
Hans-Martin Mosner wrote:
One problem with the approach is that there isn't a single measure of badness, 
as the topic list already shows. It's a multi-dimensional vector, and its 
dimensions are not easily defined in a non-controversial way. The criteria for 
including a network in a top N list will therefore be unavoidably subjective.

In the process of thinking about ways to tackle e-mail abuse (which doesn't 
even show in your list, probably because it's not really a problem for network 
operators but only for mail operators) I came up with some ideas about a 
distributed reputation network that might have some desirable properties:

  *   Separation of network and resource owner observations and policy 
decisions:
It would be very helpful to have multiple independent and reliable sources 
listing type and severity of network abuse in real time, but I'd like to define 
my own policy rules and use those abuse metrics as input for policy decisions. 
As a mail operator, I might be personally very concerned about malware hosting, 
but the things that would affect my blocking policy are spam volume and mail 
account bruteforce attacks (and to some extent, DDOS traffic). Network 
operators may have different policies to protect the integrity of their 
networks and implement legally required rules.

I agree. There are two points. First, to agree on a list of 
observations/metrics, so that everyone categorises things the same way. This 
should be relatively simple.
And then, hopefully, some kind of agreement on a recommended threshold. Or a 
set of thresholds depending on the tolerance (which also allows initiatives 
like AAN to start gradually).



  *   Distributed P2P database:
I'm thinking about something like a cryptocurrency blockchain or the PGP web of 
trust, which avoids having a single point of failure and also avoids a single 
hierarchy of trust. Cryptography provides some excellent tools, but apart from 
the ubiquitous TLS (and the mentioned blockchain systems) it's used much too 
sparingly in securing information integrity.

Cryptocurrency blockchains are not a good tool, but I completely agree.
Validation should be included from the beginning. It can be as simple as 
including signatures. Similar to Certificate Transparency servers.

Note you also need to define who is allowed to send there if you expect 
"everybody" to consume it. This is similar to your following point:


  *   Reputation metrics:
It should be possible to assert not only observations of network behavior, but 
also reputation statements about the publishers of such observations. This 
makes evaluating the trustworthiness of a reporter possible, and with enough 
participants could provide a relatively unbiased view.

Although I was thinking of a bad actor flooding the database with useless 
observations in order to make it inoperative.



Best regards



--

INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: 
https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys 
 



Re: [anti-abuse-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters

2021-05-19 Thread Thomas King
Hi Erik,

This is a vital topic! You focused a bit on the Dutch community. However, I 
think it is globally significant.

We at DE-CIX are very active in reacting to abusive peers on our IXPs. We have 
disconnected peers who were (repeatedly) not obeying the law or the DE-CIX 
Terms and Conditions. I gave a talk about what DE-CIX does in this regard 
during RIPE75 (https://ripe75.ripe.net/archives/video/103/).

Disclaimer: I am not a lawyer.

The European telecommunication law does not allow IXPs to look into peers' 
traffic on the application level (for a good reason, I believe). So, we do not 
know if a peer hosts malware or is sending out spam only. DE-CIX is only 
allowed to look into the operational data (e.g., Route or ASN hijacks) or 
behavior (e.g., unwanted traffic due to static routes on the Peering LAN). 
Based on this information, DE-CIX is acting.

I am highlighting this because I see issues if IXPs (or carriers and transit 
providers) are used as central infrastructure to filter data due to information 
they cannot verify or generate. Just think about the central DNS filtering and 
censoring discussion we had on a European level to stop certain abusive and 
harmful Internet services from being accessible.

Best regards,
Thomas

 


From: connect-wg (connect-wg-boun...@ripe.net) On Behalf Of Erik Bais
Sent: Tuesday, 18 May 2021 21:52
To: connect...@ripe.net; anti-abuse-wg@ripe.net
Subject: [connect-wg] Input request for system on how to approach abuse 
filtering on Route Servers - bad hosters

 

Hi,

As I asked during the Connect WG today, there are discussions currently going 
on in the Dutch network community to see if there is a way to get a cleaner 
feed from route servers on internet exchanges (by default).

As you may know there is a Dutch Anti Abuse Network initiative (AAN): 
abuse.nl

The companies associated with AAN set up and all signed a manifest (in Dutch: 
https://www.abuse.nl/manifest/) that states that we will all do our best to 
provide a better and cleaner internet.

As members of the member organisation of the largest Internet Exchange, AMS-IX, 
we would like to start the discussion on asking the AMS-IX to filter certain AS 
numbers from the default route server view.
The issue is that even if you don’t peer with certain networks directly, the 
chance is very real that you will receive their prefixes, or that the other 
network receives yours, and that you may not want to peer with those networks.

What we would like to have is an independent way of generating a list with bad 
hosts (say a top 50) (and with our Dutch infrastructure we have a couple on the 
Dutch infrastructure as well).

A couple of years ago there was the list of HostExploit, or one could have a 
look at the drop-list of SH.
Personally I would like a proper model with which one can explain why a certain 
network is listed on a certain list, with a clear method explaining what kind 
of abuse is noted in the said network.

Topics that should be included in the rating for the list:

*   Phishing (hosting sites / domain registrations)
*   Malware hosting (binaries and C&Cs)
*   DDoS traffic (number of amplification devices in the network compared 
to the number of IP addresses, as a ratio)
*   Login attacks / excessive port scanning
*   Hosting of child exploitation content
*   Infected websites / Zeus botnets
*   Etc.

So yeah, something similar to the Top 50 of the HostExploit ranking, but 
HostExploit stopped producing these lists in 2014.

Filtering a top 50 of bad hosters on the route servers would remove the 
cheap IXP option for network connectivity at the better Internet Exchanges and 
provide a way to remove any DDoS traffic via BGP null-routing via transits.
And companies that would still want to peer with a certain network can still 
do so by setting up direct peering via the IXP infra.

And it will not bring the IXP into a position where it will be asked why they 
are still offering services to certain parties, as that might become legally 
difficult, especially in a membership organisation.

So we don’t mind if we take their money as long as we are not forced to peer 
with them via the route servers.

Your constructive feedback is highly appreciated.

Regards,
Erik Bais

A2B Inter
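The pieces discussed in this thread, the multi-dimensional rating categories from Erik's list, the reporter reputation and agreed thresholds from Hans-Martin's and Ángel's mails, and Ángel's flooding concern, fit together into one small scoring model; the code below is an added illustration for this thread, not code from any of the posters, AAN, AMS-IX or DE-CIX. The category weights, reporter trust values, observations and the BIRD-style rendering are all constructed assumptions.

```python
from collections import defaultdict

# Abuse categories taken from Erik's rating list; the weights are a constructed
# assumption and would in practice be agreed on by the participants.
WEIGHTS = {"phishing": 1.0, "malware": 1.5, "ddos_amp": 1.0,
           "login_attacks": 0.5, "csam": 3.0, "infected_sites": 0.5}

# Constructed trust per reporter; a real system would derive this from the
# reputation statements about reporters that the thread proposes.
TRUST = {"cert-a": 1.0, "mail-op-b": 0.75, "unknown": 0.25}

# Anti-flooding: only this many observations per (reporter, ASN) count, so one
# reporter cannot drown the database or push an ASN onto the list on its own.
CAP_PER_REPORTER = 5

# Constructed observations: (reporter, asn, category, severity 0..1)
OBSERVATIONS = [
    ("cert-a", 64500, "malware", 0.5),
    ("cert-a", 64500, "phishing", 0.25),
    ("mail-op-b", 64500, "login_attacks", 1.0),
    ("mail-op-b", 64501, "ddos_amp", 0.5),
] + [("unknown", 64502, "phishing", 1.0)] * 10   # a flood: 10 identical reports


def score_asns(observations, trust=TRUST, weights=WEIGHTS, cap=CAP_PER_REPORTER):
    """Return {asn: (total, {category: score})}: one score per dimension."""
    per_asn = defaultdict(lambda: defaultdict(float))
    seen = defaultdict(int)
    for reporter, asn, cat, sev in observations:
        if seen[(reporter, asn)] >= cap:
            continue                       # ignore the excess from a flooder
        seen[(reporter, asn)] += 1
        per_asn[asn][cat] += trust.get(reporter, 0.0) * weights.get(cat, 0.0) * sev
    return {asn: (sum(c.values()), dict(c)) for asn, c in per_asn.items()}


def top_n(scores, n=50, threshold=1.0):
    """ASNs at or above the agreed threshold, worst first, at most n of them."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(asn, tot, cats) for asn, (tot, cats) in ranked if tot >= threshold][:n]


def bird_filter(listed, name="reject_bad_hosters"):
    """Render the list as a BIRD-style filter; the reason for each entry stays
    in a comment so members can see why an ASN is on the default view filter."""
    lines = [f"filter {name} {{"]
    for asn, tot, cats in listed:
        lines.append(f"  # AS{asn} score {tot:.2f}: " + ", ".join(sorted(cats)))
        lines.append(f"  if bgp_path ~ [= * {asn} * =] then reject;")
    lines += ["  accept;", "}"]
    return "\n".join(lines)
```

Running `bird_filter(top_n(score_asns(OBSERVATIONS)))` lists AS64500 and the flooded AS64502 (capped at five counted reports) and leaves AS64501 below the threshold.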