RIPE 82 Anti-Abuse Working Group Minutes

Date: Wednesday, 19th May 2021 10:30 - 12:00 UTC+2
Chairs: Brian Nisbet, Tobias Knecht, Alireza Vaziri
Scribe: Matt Parker
Status: Draft

A. Administrative Matters

The recordings are available at:
https://ripe82.ripe.net/archives/video/562
https://ripe82.ripe.net/archives/video/563

Brian Nisbet welcomed attendees to the session. The minutes from RIPE 81 were approved and the agenda for RIPE 82 was finalised.

Alireza Vaziri talked about the Working Group Chair selection process and announced that Brian Nisbet has been re-elected as Co-Chair for another three-year term.

B.1. Recent List Discussion

The presentation is available at:
https://ripe82.ripe.net/archives/video/564

Brian addressed the discussion in October 2020 about policy proposal 2019-04 and commented that some useful information had been shared.

Brian also highlighted an interesting cross-post from Erik Bais, A2B Internet, in relation to abuse filtering on IXPs. The discussion started at the Connect Working Group on Tuesday and Brian encouraged people to read this and provide input via the mailing list.

C.1. Continued Open Discussion on Abuse Validation and Next Steps

The recording is available at:
https://ripe82.ripe.net/archives/video/565

Brian explained that in light of policy proposal 2019-04, which did not reach consensus, there had been some discussion about abuse validation and the next steps. He asked an open question to the Working Group whether there was more work that they want to do on abuse validation at this moment or if there are other areas of policy that needed attention.

Michele Neylon, Blacknight, suggested that the Working Group should not discuss this further unless somebody proposes something exciting and new. He would be more interested in further discussion around the topic of "bad hosters" and "bad traffic".

Jordi Palet Martinez, Moremar - The IPv6 Company, commented that he was working on an alternative proposal but it may take some time.

D.1. The DNS Abuse Institute (Introduction)

Graeme Bunton, The DNS Abuse Institute

The recording is available at:
https://ripe82.ripe.net/archives/video/566

Nigel Hickson, DCMS, UK Government, asked whether a site that is pretending to be legitimate and then directs users to pornography is included in their definition of abuse.

Graeme replied that it would depend on the type of attack being performed. Pharming, where the DNS is poisoned so that the request for one site is being redirected somewhere else, would fall under the definition of DNS abuse. However, a standard redirection attack would not.

Michele commented that we have to be very careful with the definition of DNS abuse. There are examples of things that people can do in the DNS that are not pleasant, and might lead people to go to unexpected places, but it is not up to operators to police this. He cited the difference between a website being hacked and legitimate users being redirected somewhere else and somebody registering a domain name and redirecting it to pornography.

Sia Saatpoor, Logius, asked how far The DNS Abuse Institute had progressed with delivering services or products to combat DNS abuse.

Graeme answered that they have not progressed very far at all because they are three months old. They are still doing research into what is useful and valuable for the community that they are trying to serve. They have a roadmap and an Advisory Council in place and they expect to pivot from planning to action in June/July 2021.

Sia asked whether Graeme could talk about the roadmap and when we can expect prototypes of the tools that they want to make to combat DNS abuse.

Graeme replied that they will be starting with a centralised reporting tool which will figure out which registry a domain name belongs to, what type of abuse is being reported and collect all relevant information before sending it to the appropriate place. He expects to have that up and running in six months to a year.

Sia also asked about the overlap with other organisations that have the same mission (such as VeriSign and ICANN) and how the cooperation with these organisations was going.

Graeme responded that he is meeting with VeriSign but that they have a very different mission and that historically they have been very hands-off on things like DNS abuse. He went on to explain that ICANN does not really have a mandate here and that the DNS Abuse Institute wants to address the ccTLD community as well as the gTLD community so they are in contact with CENTR and other such organisations.

Niall O'Reilly, no affiliation, asked whether the tools will be open-source.

Graeme replied that this was yet to be decided but that open-source is close to his heart and that it would be appropriate to do that in a number of circumstances.

There were no further questions.

E.1. DDoS Never Dies - An IXP Perspective on DDoS Amplification Attacks

Daniel Kopp, DE-CIX

The presentation is available online:
https://ripe82.ripe.net/archives/video/568

Erik Bais, A2B Internet, commented that most of the larger DDoS traffic sending BGP peers are not patching their systems and asked whether Daniel had looked at the impact of cleaning up the peer list or asked the peers to clean up their number of amplification abusable devices to IP address ratio.

Daniel explained that they had not looked into which networks had which kinds of reflectors and that they had not spoken to the networks directly. He commented that this is something that they can maybe look into in the future.

Gert Doering, SpaceNet AG, made a couple of comments on the use of OpenVPN as a DDoS reflector. Firstly, he explained that this is mitigated by using TLS-Auth or TLS-Crypt in the server config. Secondly, Gert mentioned that OpenVPN seems to have fallen out of favour with the bad folks since the spike observed in May 2020 and he is seeing far fewer attempts at reflection abuse.

Sia Saatpoor, Logius, commented that DDoS is getting worse and worse and that perhaps it is time to admit that we are not going to win this battle. Sia went on to question whether we need to regulate differently, or allow the openness of the Internet to slowly move towards a closed community with members who trust each other.

Daniel stated that as an IXP they are building tools to both defend against DDoS attacks and gain knowledge about them. He stressed that it is important to share such insights within the anti-abuse community. Daniel does not agree that we should say we lost the battle here and stated that it is important to help targets to better defend themselves against these kinds of attacks.

Marek Zarychta, Państwowa Wyższa Szkoła Techniczno-Ekonomiczna im. ks. Bronisława Markiewicza w Jarosławiu, asked about encouraging ISPs to widely deploy BCP 38 enforcement for their networks.

Daniel replied that he does not believe it is so easy to deploy BCP 38 and that most networks are already aware of it. He added that it would be interesting to look into that in the future.

Marek also asked whether the RIPE NCC can motivate networks to deploy BCP 38.

Brian questioned whether this would be something that the RIPE NCC should be doing but did not want to speak on their behalf. He encouraged Marek to take a look at the MANRS project if that was something he was not already familiar with.

There were no further questions.

X. A.O.B.

Brian asked whether there was any other business that people wished to bring up.

There were no questions/comments.

Brian thanked the presenters Graeme and Daniel for their contributions, thanked the attendees for participating and closed the session.