These are unedited transcripts and may contain errors.

Anti-Abuse Working Group,

17th of October, 2013, at 2 p.m.:

BRIAN NISBET: Hello. Thank you very much for coming. I think it's five past 2 so we should kick off. I would like to welcome you to the Anti-Abuse Working Group session for RIPE 67 here in a very differently climatic city to the last one we were in. I don't think we have ever had weather like this in Dublin, but I think they have better air conditioning here. I will use this for a moment.

So, we have some, a reasonably full agenda this afternoon so as I said, we will get started. I am Brian Nisbet. Tobias Knecht is my co-chair over there. And this is Athens and it is October 2013.

Administrative issues: Welcome. Thanks to the NCC for supplying staff for scribe and Jabber and monitoring video streams and things. Thanks as always to the fantastic Irish stenographers who are with us and I realise they have an easier job with me, but I am constantly amazed at their ability to translate what we say into text at that speed. This has been a big issue so far this week, if you are saying something at the microphone, declare who you are and where you come from, pick an affiliation, a humorous one, I don't care. I hear "a man on the street" is common these days.

Minutes of RIPE 66. I think there might have been a comment when we published them, but not since, unless anybody wants to say anything now, we will consider them approved, passed into record, etc.

No. And there has been no updates to the agenda, we have made a couple of changes and we may have to run some sudden changes to flip one or two things around but hopefully the agenda as it is will remain.

So, first thing, and this is the change we made, is the policy section. We swapped this around from its normal running order because the folk from NCC have to go into routing. We had our Working Group Chair's lunch where I mentioned that maybe next time we could not clash with routing.

The arrangement of the Working Group slots is an arcane science which certainly resembles a lot more ancient fortune telling and sacrifice of chickens rather than sensibly going about things. But what he will do first is talk about 2011-06, which is the abuse contacts in the RIPE database, and I will ask Denis and/or -- just Denis to come up and have a chat about that.

DENIS WALKER: I am from the database team in the RIPE NCC. I want to give you a quick update on where we are now with the implementation and deployment of abuse-c.

So where are we:

When I did these numbers I got about 9,000 I believe, someone said the other day about 9,600 but roughly 9,000 LIRs. Abuse contacts have so far been added, 4,000 of them so still missing them from around 5,000 members.

This is, it's just a rough idea from a percentage of the amount of address space and number of objects that are currently covered by the abuse-cs that have already been set up.

We have listened to what you have been saying. We have -- our customers services have received a number of e-mails from some of you. We realise that it's not been the easiest of things to set up this abuse-c attribute, so what we have done now is, we have created a very, very simple script for the members. It's access to the LIR Portal, so you log into the portal, you go to this page, there is one field and one button. You enter an e-mail address and click the button and it's done. The software behind it will actually set it off, create the role object put the e-mail in as the -- modify your organisation object, reference the abuse-c object, all of this will just be simply be done for you. We have tried to make it now extremely simple.

The deadline for LIRs, it was agreed that by the end of quarter three all LIRs would have added abuse-c. Well, that is now. We have listened to what you have said, we realise that there is some problems so that is why we have now got this new user interface. What we propose is to extend this deadline to the end of November, so we will deploy this simplified user interface straight after the RIPE meeting. You have got about four to six weeks then extra where you can use this interface and if you have been struggling a little bit to work out how to set up the abuse-c now it's incredibly simple, we couldn't have made it any simpler other than come around and do it for you.

We agreed some time ago, anyone who hasn't yet added the abuse-c, we will add it for you. And then you will have to change it if it's not the right address.

The proposal was to start immediately after the LIR phase with the PI space. We are going to extend deadline to end of November delay starting end of PI phase until end of November. We will also provide, because the experience we have seen with the members adding this, we realise probably the PI space holders will also a problem so we are going to do another very simple user interface, obviously these people don't have access to LIR Portal so it will be three fields on this page, you can add your organisation object ID, your, the password for the maintainer on that to be show we do actually it's you who is asking to us do this and the e-mail address, click the button and it's done for you. We will create the role object, we will modify the organisation that you specified and add the abuse-c to that role, you don't need how any of that happens, just fill in this form and click the button and it will be done for you.

Now, lastly, the references to abuse-c. Currently, you can only do it from the organisation object. We have heard some users saying that they find duplicating this organisation object is a problem. Where one size doesn't fit all and you want to have more than one abuse contact for different parts of your network, currently you have to create a new organisation object and reference that from the point in your network you want a different abuse handler. Some people have said they would like to be able to add the abuse-c in different places, i.e. put it in the INETnum object. Now, this also is a problem because the minute you start providing two different ways of or two different places to put this reference, we are back to where we were before we had the abuse-c; once you start multiple ways of doing it, it will get out of state, people will get confused, they will have forgotten that they put one here and go and change it over there, and we will end up with different e-mail addresses again. So, we acknowledge that this is a problem. What we have now isn't the ideal solution, adding it to INETnum is also not an ideal solution. What we would like to ask from you, give us a little bit of time, we will go away and have a serious deep think about it and we will try and find some way of accommodating the problems that everyone is having and we will come back to the mailing list with some suggestions on how we can actually cover all these different scenarios. So if you give us a little bit of time, we will have a think about it and come back with a suggestion.


BRIAN NISBET: So, any questions for Denis?

AUDIENCE SPEAKER: My name is ? I am from ?? University of Technology Poland.

Just a short request, not question: Could you please send few weeks in advance some kind of information to the mailing list about your going to start this abuse-c for abuse-c tool for PI owners, just for letting the LIRs inform the users that some guys from RIPE NCC will send the e-mail and ask them to set up some e-mail for abuse-c.

DENIS WALKER: I think you can probably take it we will start at end of November. We will send announcement out, yes.

BRIAN NISBET: Given that there was a delay previously, I think a definite notification of a date would be appreciated absolutely.

AUDIENCE SPEAKER: I am pretty much sure if my customers receive an e-mail from me that you guys will probably be contacting with them, they will probably not read the e-mail.

DENIS WALKER: Yes, we will definitely do that.

AUDIENCE SPEAKER: ...I was the one kicking up the discussion about more specific abuse contact, I will just clarify one thing, when I had issues with creating additional organisations it's not so much from doing it but from point of data hygiene, I think it's correct to duplicate inside the database. But then I have two questions:

The first one would be, considering that the more specific logic is something very, very common inside the RIPE database, I mean for all INETnum lookup why this here specifically different? Question one. And question two, is what is your advice for temporary solutions until you have good one?

DENIS WALKER: Well, I agree duplication of data in a database is a bad idea. However, this database was designed on the concept of massive duplication of data so this isn't just an abuse-c problem; admin-c, text-c, notify, maintain by, exist in three-and-a-half million INETnum objects and a lot is the same information so there is massive duplication of data, but that doesn't mean to say we should add more to it. So yes, we don't have a definite answer yet. Just give us a bit of time to think about it and we will come up with some ideas.

AUDIENCE SPEAKER: And temporary work around would be? Advice informally?

DENIS WALKER: Well the temporary work around is to create a new organisation object.

AUDIENCE SPEAKER: Laura, RIPE NCC. I have a question from the chat by Bill, while you were talking about the tool you are going to develop for PI holders asked if this would work with BGP signed objects?

DENIS WALKER: Probably not. But let us think about that one. It's difficult signing web forms, PGP works with e-mail basically. But let us think about it.

PETER KOCH: I'd like to go back to Jeal's question and especially Denis's response. I have difficulties understanding your assessment that the database was designed with massive duplication in mind. I mean of course there are multiple pointers but the design wasn't meant to have multiple of these or split them up any way. I have simply simply for Jeal's issue and problem here, the point that I am probably missing is the threat model. You said if we change that to a more specific or covering object and stuff, people will be confused and in this whole debate this is coming up as the kind of killer argument over and over again, where do I find the concise description of who the target audience of this whole thing is, because when we get there we talk about automated systems and confused end users and tool writers and we will find any solution not fitting any particular one of these in the audience and thus, we are stuck. I think that is not a desirable situation to be in. So let's get the audience clear first.

DENIS WALKER: I think from the point of view of tool writers and people who want to find the abuse contact, we can provide the abuse fine tool or RIPE stack can do it where it's very easy to find it based on the logic. The problem I see with starting to put these things in different places is that people who manage the data, the people who enter these e-mail addresses, because you have got the default one in your organisation object and at various points in your network you now start adding INETnum -- abuse in the INETnum object as things change over time you might forget to remove that reference. I know the same applies to adding in the organisation objects, that also doesn't help, so, things can -- then the tool will follow the logic, starting from the more specific working up, it finds either an abuse-c reference in the INETnum object or another linked organise object and it takes that one. But if in, the meantime, you have forgotten that link was there and you have changed your e-mail address in your default you are now out of step.

PETER KOCH: Thanks for that elaboration. So maybe we should reconsider the idea to design the whole thing around the confused. I think what I am trying to say here, attaching this attribute to the organisation object is most likely the most significant breach of the database paradigm to start with, because all the other attributes and contacts have been attached to the real object, and if that is confusing the data maintainers, I -- yeah, I can fully understand that, and maybe it's time to make a step back there, and for the really confused, brackets, the end users do not rely on the database design but just dedicate tools which the RIPE NCC has done already.

DENIS WALKER: You said maybe it's time to take a step back with abuse but step forward with the admin-c and text-c and others.

BRIAN NISBET: Which I don't think we have even the vaguest chance of having the time to discuss right now or indeed in this Working Group. I think that certainly and sorry Jeals, we will let you ask your question, I think there is more for the NCC to consider in the design of this certainly, so none of the points are being ignored -- I agree that figuring out exactly who we want this object to be for and how that is produced is perhaps something that we are now, which is being kind of thought about a bit more about this object than other ones have been in the past. Yes, so, you are going away, you are going to have a think about it and hopefully we can throw this into the mix as well and maybe it's database that comes out back in, maybe it's here but we will see how that goes. Is that fair?


BRIAN NISBET: If there is nothing else, what I will do is, before you leave the stage, is reference just the mail this morning from Frank about the contradictory abuse contacts and some stats. I know we talked about it just briefly before you went up, I am wondering whether you have any comment on that.

DENIS WALKER: Prior to having the abuse-c, we allowed abuse mailbox attributes in about five different object types, and I think it was person, role, maintainer, organisation, something else. These references still exist, so maybe even the 4,000 members who have now added the abuse-c, they haven't actually removed the old abuse mailboxes. So, now we are in a transitional period which is even more confusing because again we can write our own tools with RIPE stats or abuse finder but we know the logic and we can find these things but people who dig into the database themselves make their own queries, they are going to find these other abuse mailboxes splattered all over the database. There isn't an easy answer to this either at the moment. We could start sending out more mass e-mails to all our members asking them once you have set up abuse-c, would you remove all the old ones? I am a bit reluctant to start more mass mailing asking people to clean up after just mail mailing and asking them to set it up and telling them if you haven't done it we are going to do it by default. I hope the message can get through by other means. Please, once you have created the abuse-c, whether you think that is the ideal way or not at the moment, it is the agreed way right now, so please, clean up your old data and remove all these old abuse mailbox attributes and all the comments that are all over the place where people said if you have an abuse complaint don't send it to this e-mail address but do to this one, these comments were very difficult to handle anyway.

BRIAN NISBET: I think I would agree certainly as someone who used to be the co-chair of the anti-spam Working Group that sending out vast amounts of more mails, I do think personally that at some point in the future, possibly not that distant the future but equally not before November, that it will be a good idea to look at that again, but I don't know if anyone else or it can be discussed on the mailing list or anyone has any thoughts now.

DENIS WALKER: We can't do an automatic clean-up yet until we have enforced it on PI objects because if we see a -- that is reference to the maintain law on application it might also be maintained of PI space so we can't assume -- we would have to do a huge amount of heuristics to are they only referenced on objects that have abuse-c, clean out would be rather difficult.

BRIAN NISBET: OK. So unless there is anything else, and I know you guys have to run away. Thank you very much.


So, 2013-01. Which one of Sander or Shane lost the coin toss?

SANDER STEFFANN: I am going to keep it short. I will just stand here. Basically, there has been no comments on the mailing list about the last version, so we are going to send one reminder to the mailing list. If people want this then they have to speak up, otherwise I will just assume there is no support for this and we will withdraw.

BRIAN NISBET: Sorry, are you picking a pick date before which people need to...


BRIAN NISBET: When you send the --

SANDER STEFFANN: I will send out a mail, leave a few weeks for people to respond. If no one is supporting it --

BRIAN NISBET: The expectation would be early to mid-November. Yes. OK. Thank you very much.

I would encourage everyone both here and indeed those listening at home to take a look again at the policy, which is on the RIPE website and has been put on the mailing list, and if do you have any opinions, please, this is now the absolutely vital time to speak up, because as you see if nothing else is said it will just fade away into history until we start talking about this again at some point.

So, anything else anyone in the room wants to say about 2013-01? No. OK. I will stand back up here again.

So, recent list discussion. We have talked about the abuse-c, obviously we have talked about Frank's mail this morning so I don't really want to go through that again. The other kind of large piece of mail or conversations were about allocations, assignments, audits, who is doing what with whom, what the NCC do in relation to things, what practices they take. Again, the bit we are missing here is someone saying, I would like somebody to do the specific thing to address this problem that I have. There is often a lot of conversation in the mailing list which spirals into, I am not entirely sure, someone hoping someone will read their mail and be inspired to start proposing a policy, that is not the way it happens and I think most people are aware of that, certainly people who have been around for more than a few months.

I don't know if anyone in the room wants to say anything about any of that discussion. Unfortunately, we had kind of started a potentially promising conversation about some of these matters but the person in question who we started with decided to not progress it any further so we haven't got anywhere, but -- Wilfried?

WILFRIED WOEBER: Just speaking for himself. I think it is a very sound health check that nothing happens just because someone sends a message to a mailing list and expects all the others to do the legwork.

BRIAN NISBET: Absolutely. And I am not for one moment suggesting that a mail should spawn somebody automatically reacting. We have policies, we have procedures, informal, formal which have worked for us for a very long time and I think we should continue with that. It is expected that people take action. And I think what we do need to do, possibly, to a certain extent, is reaffirm that people will be listened to, that they don't need to have a special badge or hat or anything else to be able to write a RIPE policy.

So yes, have I forgotten anything from this discussion which people think should be discussed here today? No.

I mean, I am assuming some of you have a passing familiarity with the anti-abuse working group mailing list. So fair enough. We shall pass on from that, then.

So, in Dublin, myself and Tobias said we would take a look at certain points that people had raised with the charter and make a few changes to just reflect reality as much as anything else. I wrote this slide before what happened in EIX happened this morning and I am now scanning to make sure Bijal isn't here in case it causes this Working Group to cease to exist. The plan is still to write it, the plan is still it will not be a major change and we will absolutely undertake to have that completed before we meet again in Warsaw. I could give you a list of expenses but fundamentally my dog ate my word processor. And we would hope to have that out a sufficient amount of time for consideration on the mailing list before Warsaw in May.

So, they were all the -- this should be a quick one as well. Interactions with Working Groups. Tobias and I came up with a plan to write some stuff, we have not written it. This sounds very, very familiar all of a sudden. So we have still some plans and theories in regards to policies, they haven't been written yet so there is nothing there about them and we suspect they will be better suited in database than in anti-abuse, for obvious reasons, but just to say if anyone is wondering where there is no text or it has not been mentioned it's because there is no text and we are not ready to go yet.

Flying through all these middle bits. Not a lot to add on the NCC/LEA interactions. The NCC are continuing to interact. We are as well. There hasn't been anything that myself or Tobias has been involved in or the Working Group has been involved in recently. But there are still many conversations going on and we have, and it's great to see the continued involvement and appearance of law enforcement personnel at the meetings. And Dick is reading his e-mail. So that is great, it's continued, but there is nothing particularly huge to talk about there.

Having got there all of that in record time, there is now the question of whether I ask someone who has just walked into the room they want to give a presentation or not. Because I am a kind and pleasant Chair, what we will do is we will -- we have these two presentations, pieces of information, and I think what we will do is swap them around and give Thorsten just a few more minutes to be happy, unless you desperately want to, presentations are still being uploaded. So we are going to flip these around and Tobias is going to talk about x-arf and then we will talk about the ACDC project. This has been touched on a number of times already this meeting, the aim with this presentation is to go hopefully down a bit more deeply into the technical matters around it. So Tobias, do you want to come and have a talk about x-arf and we will see where we go from there.

TOBIAS KNECHT: Hello, I promised last time already that I will do a presentation about x-arf, last time we ran out of time so we moved it to today, which was a good decision, because there is so many work about being done on the x-arf specification and RIPE two days before the day, I got an e-mail from several people who are working on the specification with us that we do some other bigger changes so I had to redo my presentation this morning and get rid of all the technical specifications and make it a bit more generic.

So first of all, x-arf, maybe some of you are already familiar with ARF which is abuse reporting format which was built for e-mail and for spam reporting. It came up when big ISPs like Yahoo and AOL started to implement these feedback loop mechanisms where an end user can click on a button and the mail will be sent back to the sending ISP so they can figure out what is going on here. ARF was mainly built for e-mail. We thought why do we need x-arf if there is already ARF and several other formats out there so we were looking at the formats out there and we were figuring out that IOTA, for example, is way too complicated, I think about 120 pages RFC specification, completely XML based. When we went to people to say, please use this format to report abusive behaviour on your network or somebody attacking your network, they were looking at the specification like, no, this will never happen. So I will not read through 120 pages of RFC and figure out how I can report somebody doing SSH dictionary attack on an SSH server. ARF, as I said, was only for e-mail. So the community, the security community came more and more to the conclusion that it's not only about reporting spam, it's not only about reporting really overblown formats, we need a specification which is able to get all kinds of different abusive behaviour, a space to be reported over e-mail or any other transport layer.

So, that was kind of the main idea of the XRF specification at the very beginning. So it is pretty easy, it's mainly based on ARF because it is a good format and really lean and usable and easy to implement. We made some changes which we came up with kind of a container format which means that you have to do a special or the transport for example, is specialised or specified, you have to do it via e-mail at the moment, we can do it over other protocols, something we are working on at the specification at the moment and the workload is put into so-called teams so we can define different types of scheme and do it for spam and phishing sites and terrorist content, so we can define them in whatever way needed which makes the whole format pretty flexible for the future.

Where we want to go, as I already mentioned some of these things, mail is kind of interesting platform, it's reliable and working for a long time. But sending out thousands or millions of e-mail every day to report spam to other ISPs or to report attacks or other parties is not the way to go over time. So we are working on different transport layers. We are working together with some European US or northern American, German ISPs like Deutsche Telekom are contributing constantly to the specification and so there is kind of a big community or big group behind that working on the specifications and improvements of this.

Since I said I don't have that much about the technical specification, if you are interested in that you can go to x-arf dot org and there is the actual specification which is a little bit outdated because we are working on it at the moment. But I want to bring up some use cases and for what we can really use XARF and how does reporting and this global reporting of abusive information and data sharing is working from our perspective. As I already said, you can report abusive content and do sinkhole clean-ups. And law enforcement is using it, you can do typical attack reporting and many more. We have seen blacklist providers being listed and delisted with XARF, there is plenty of room because you can define the schemes as you need it.

What we do as abuse -- we are working together with some people and we got access to some sinkholes, especially I took the three Grum is one of the sinkholes we have access to, Black Energy and then the Alena software which is attacking -- which is used to attack computers. As we know, Grum is already shut down for a while, I think two-and-a-half or three years ago was shut down, but there is still clients out there which have been infected with Grum bot which are still connecting to the sinkholes where we exactly know from this point of view somebody's computer at home or in an office is still infected with some malware. The question why we want to clean this up is, pretty easy because the guys who wrote Grum bot put some kind of holes into the services that are installed on the computers or on the zombies, so if something like the Grum bot take-down happens they can attack these computers again and sneak into their own security holes and overtake the computer again.

So, that is one of the reasons why you want to clean this up. The same as with Black Energy and Alena is kind of the same thing.

So this is overview over the last eight weeks or 8 or ten weeks, something like that. So this is kind of overview of where most of the, what we see, most of the compromised BOT computers are sitting which are not active at the moment, sitting mostly in the US and Brazil and Russia, a lot of them in India as well. That is the top five -- four or five. What we do is, we are fetching the log files from the sinkholes, we unique the IP addresses over an hour so, the log files is an hourly log file, we unique the IP addresses and package all information into XARF and look up the correct abuse contact that is why it's important to have the abuse-c and then we send out the report to the responsible abuse department. The good thing is, this process is pretty easy, we can do this with all kinds of log files with all kinds of information, so we have already set this up. If somebody is interested to do something similar or is having data and doesn't want to do it by himself please contact me, we are happy to do this. We are doing it for free, it's to prove a point and show that a globe reporting and data exchange part is working and is helping to clean up the Internet a little bit.

The interesting thing is, this is the stat about the unique IP addresses we have seen and as you see, it's on one BotNet, we have 25,000 unique IP addresses about eight weeks and a decrease of 25% of compromised hosts within the networks of ISPs within less than eight weeks, which is a pretty good number. That is much faster than any other clean-up mechanisms out there working at the and this is just easily sharing data, sending it to the right place, hoping that the party on the other hand wants to do something and wants to clean up this, and really, I think it's good numbers and it's helping a lot. We have for example got e-mails from rugs ISPs which told us that they have whatever, 7,000 in another reporting mechanism, that they have 7,000 IPs being reported to them and they cleaned them up within four weeks so they contacted about 7,000 customers of themselves, told me hey, there is something wrong with your computer, please fix it and they fixed it completely. We don't get any reports from them any more about this specific BotNet. So there is people out there who want to do; I hope everybody wants to be or do his part in cleaning up his own network and helping others to clean up and share the data. So and that is exactly the call for action. If you want to know more about the XARF, there is a mailing list attached, contact me, contribute ideas, help shaping it and bring in ideas so we can make the protocol or make it a standard. And if you have sinkholes attack data and you want to report it, feel free to contact us or gave us the data and we can report it for you. Thanks. Any questions?

BRIAN NISBET: So any questions? Well, I suppose, I have a question myself. So you are saying that things are changing now, people are updating the protocol and things. So, how stable is it at the moment and do you have any sense of is there likely to be continue to be tinkering with it for some time to come or is this a name to get it into another stable state?

TOBIAS KNECHT: You mean from the XARF specification?


SPEAKER: At the moment it's stable, it's used on the website at the moment, it's used a lot, I know Dutch telecom, Comcast, AT&T and for transferring data to other parts and to report incidents to others. The European cert community was already talking about it, the German cert, all these kind of things so it's pretty stable and out there and it's running in a stable way. We see that it works. And what we did is we just collected a lot of input from others like don't send e-mail to it over Jabber, do it whatever other protocols and so at the moment we are working on this and trying to get this done and solving -- getting this solved. I think there will be and we already talked to some of these guys from IETF that we want to put this into an IETF standard probably within the next two to three years but we want to really make sure that it's not like an in other scenarios we write an RFC and we change it and change it again, so we want to have kind of a really stable, really broad used standard to put into RFC, to put into IETF and make an RFC out of that.

BRIAN NISBET: OK. Cool. I think that it would probably be good if at some point in the future again when these changes have been made, you came back and talked to us, I think the Working Group has expressed an issue for the technical information as well and the technical content.

TOBIAS KNECHT: I am sorry for that, it wouldn't have made sense today.

BRIAN NISBET: Just timing, it's the thing. Are there any other questions, comments at all? No. Are many people using this? Sort of.

TOBIAS KNECHT: At least two.

BRIAN NISBET: Is there a reason why it's only sort of?

AUDIENCE SPEAKER: I am from -- Sweden. Yes, we have a lot of customers that have PI space and we -- I am figuring out a way to use the XARF when -- we get about 10, 20 complaints in a week and I will need to streamline this in some way and I think it's a good way to do this and I want to be a part of it but I am not there yet but I am starting.

BRIAN NISBET: Right. Good to hear, thanks. I am going to be slightly unfair because you were talking there again about interactions with law enforcement.


BRIAN NISBET: And use of this. And I am wondering if, Dick, if you have any -- if, you know, you see this kind of thing, if you guys are using it, if you have any knowledge of what is going on there, the automation of these kind of tools and information, if there is anything which fits into what you guys are doing on a formal basis. No can be a perfectly valid answer. Come over. Sorry for cruelly picking you out.

Dick: EC3. No, we haven't, but I will be interested to speak to you afterwards because we are using tools but not necessarily this one, so I have no knowledge of that, so I would like to take that off-line with you if I can.

BRIAN NISBET: Cool. Excellent. OK. I probably won't pick anyone else randomly out of the Working Group audience. So thank you very much Tobias.


So, our second presentation today is, as you can see, Thorsten Kraft on the ACDC project. This has been talked about a couple of times already this week, lightning talk and there was a BoF on Tuesday. What I am hoping, selfishly as the Working Group Chair, we can cover tomorrow of the things that I have covered and go into bit more detail about what is behind the entire project, technically speaking if nothing else.

THORSTEN KRAFT: I am the project manager of ACDC, is standing for Advanced Cyber Defence Centre, as we try to fight BotNet between different stakeholders. Therefore, we have placed -- therefore, we have placed a proposal for an EU funding for the letters that wasn't chosen by me, and EU funded project it's 50/50 funded so we have received half of the money from the EU which was set up in bigger group of companies, a project on the topic of fighting BotNet. The project has been started on 11th of February, and currently we have 28 partners from 14 different Member States involved in setting up a centralised way in fighting BotNet.

This consortium, you might see, is from different stakeholder groups, you see we have involved some certs like the defence or from Spain, Internet service providers like Telefonica, banks and postal services in Bulgaria, security technology vendors, and so on, academia and law enforcement agencies, all trying to fight on the same topic, on the same data set.

But we like to, we would like to have a centralised way in sharing information between across all of the consortium partners. Without any limits of countries, without any limits of networks. So if, for instance, Deutsche Telekom is setting up honey pot system or something like that and they normally throw away about 99% because they are not out of their customers, they can shoot the data into the system and we try to distribute the data to the relevant stakeholders.

Therefore, we will provide a complete set of solution, this means that we want to if, we mitigate a problem, then we want to have a solution for the end customer itself, we want to have a tool that can be used by the end customer to clean up the situation, and we would like to establish law enforcement things, the legal framework about data privacy issues, we would like to address this. And in this group we have a couple of Member States, they have very strong data privacy law like Italy or Netherlands, where mainly the approach is in which way can the data be shared between each other, is an IP address a private data, yes in what case?

As this is in pilot, we have -- we would like to run it in a smaller group but we would like to be open and for all the others, and what you see here is the members or the Member States which are involved. You see two different colours, one is a light blue and one is a dark blue, the dark blue area or the dark blue countries will establish national support centres for end customers which might be reached out by the ISP for receiving support if the customer is not -- if the customer didn't have any clue how to tackle the incident and with the light blue we have some consortium partners, like, for instance, in Britain where we have CyberDefcon involved.

The toolset itself should start at very first beginning, we would like to involve the customer itself to report incidents to our infrastructure by giving out tools for him so that he maybe can report a spam e-mail to our centralised database. We would like to store and analyse the data in a centralised way with the knowledge of the partners. Like Tobias told, to the ISPs or to certs or whatever, and notify the end customer in some way. This can be by a mobile phone if we see infected photograph or something like that that we have a tool installed (mobile phone) to put the notification on the mobile phone itself or a website like we have set up a couple of months ago with DNS change where customer can visit the website and he is receiving instant feedback out of the data set. In some way. It's not really defined. The approach is to mitigate and to prevent, to help the customer to not getting -- to find a security leak on his PC and to close the security leak by update or whatever.

So what we see here is a solution, how the system should work. We would like to detect it, for instance, by spam campaign, a spam e-mail and we often analyse this we find out it is an e-mail sent out by Kath well for instance, because we have seen the same campaign on infected machine we have monitored or we monitor. Then we would like to report it it to a centralised database. This has been pushed in the database, maybe by a spam trap, maybe by the customer. And then we would like to report the findings in existing standards, like XARF in the direction of the ISP or the IP holder or by using the third -- the reporting format IODEF, the cert framework to notify them if we have a command and control server involved or in different ways that is needed to do that.

And at least -- last but not least, provide support to the end customer or to the ISP in tackling the incident.

Within this pilot, we have to run a couple of experiments, what you see here we have defined some experiments, we would like to show that we can tackle this kind of incidents, we would like to detect the Spambot and Fastflux involved end clients, infected websites that are spreading by exploits, DDoS attacks where the DDoS come from, who is the originator, where is the command and control server behind, what are the infected machines used by that and a mobile bot. Mobile bot is a little bit difficult, but maybe in -- because this project is running, the next two years maybe we are able to find mobile bot and we don't have any idea currently but it's one experiment we want to do.

That is from my side. Because the presentation itself or the project itself is on, in a developing phase, it's not running, there is nothing running at all. We have a database currently with about 80 million records tackling per day, and doing the first performance tests, how -- when our database crashes and so on. And with 80 million records we can do something and we currently have access to sinkholes, especially to do by U L and we try to find some way how to tackle it. How to be able to work with this volume of data in a way that is useful. That is the current state.

BRIAN NISBET: OK. Thank you very much. Do we have any questions?

AUDIENCE SPEAKER: Alexander -- do I understand correctly that main source of data is end user reports, right?

THORSTEN KRAFT: Not end user, it can be a notification to an ISP. Because there is command and control server located in this network. It can be a server owner because the box is doing SSH attacks, it can be a DNS provider because he has an open resolver that is running a DDoS attack on an infrastructure. So it's much broader. The only thing I have shown is one way of the solution to the end customer because the mitigation, this is the hardest way to do it with the end customer directly.

AUDIENCE SPEAKER: It's really nice to see that we came over from just end user PCs because we are not talking about only PCs as a threat, right, but what would you do in the scope of your project with set top boxes and DSL modems and other vendor-specific stuff that does have vulnerabilities and constantly used in different kind of activities nowadays because with guys like, I don't know, are we dealing it's really hard to get the soft firmware updated because for end users that holds possession of box, it's rather 1, 2, 3, easy way to do this update firmware.

THORSTEN KRAFT: If we find something like that and we will involve the cert that is the nearest to the vendor, to contact -- to contact the router provider and inform him about. There is no, in this set-up, we don't have in this consortium any vendor besides Cisco. I think Cisco is involved indirectly but you have to think about it's a project that is a pilot, we just have to show that it theoretically works, to interact between different stakeholders on one single database.

AUDIENCE SPEAKER: And another note about BotNets, you said control centres but with influx of human immigration of BotNets which don't have centralised control, use peer to peer.

THORSTEN KRAFT: You mean like the version, what is the name of it -- at the peer-to-peer thing.

AUDIENCE SPEAKER: What your strategy will be, because the challenge is already there.

THORSTEN KRAFT: Because it is EU funded thing we will not shoot any updates on the boxes. This is legally not allowed.

AUDIENCE SPEAKER: Thank you, that is about it.

BRIAN NISBET: So, I have a couple of questions. Some of which I'd talk to about earlier in the week. What I suppose I am struggling to understand here, and this is partially possibly because I haven't made myself all that aware of what is traditional in large EU funded projects, this is the pilot, it's a two year funded project. What is the end goal, in two years' time what do you expect to have there from a concrete point of view?


BRIAN NISBET: Sorry, what do you expect to have, what is the end goal

THORSTEN KRAFT: It's not a project that ends in two years. It should definitely -- our goal is to have an existing thing that can be extended, but we want to build up a toolset, not, we call it in Germany -- German -- we do not want to have complete infrastructure at the end, it should be -- everyone should be able to extend it in some way. And to run it afterwards, maybe over the rest of Europe or the rest of the world, or something like that. It's not a project that is over in two years. That is definitely.

BRIAN NISBET: OK. I presume there will be some review phase at some point from the EU's point of view to continue to fund it?

THORSTEN KRAFT: This is definitely an approach we have in the proposal itself, that we have to find a way and we have to give a proposal to the European Commission, how we are able to run this project afterwards. So to find business models like who is the target, oh, the banks are the guys who have the most success out of it or something like that, and to find, to define business models on that to keep it up and running.

BRIAN NISBET: And the expectation would be to keep talking money for just a moment, the expectation would be that those people who are using it would be involved in funding it on an ongoing basis.

THORSTEN KRAFT: Definitely. We are not closed. We are open for everyone. Everyone is, everyone who is willing to join us and give us some ideas or to help us is very welcome.

BRIAN NISBET: OK. The other thing -- I have some notes. Then, you can happily interrupt me.

AUDIENCE SPEAKER: Patrik. Will you make your data sets available for legitimate interested parties?


BRIAN NISBET: How are we defining legitimate interested parties? I am not asking you, Patrik, more what counts as a legitimate interested party, so far as you are aware.

THORSTEN KRAFT: He is legally allowed, for instance. The data provider has -- for instance, Abusix gives us the data and says no it can only be used for mitigation, it is not allowed to share it with someone else, then we will not do that, but all data which are legally allowed, the people who contribute to it, we share the data. If it's legally allowed.

BRIAN NISBET: You are saying you are open and anyone can get involved. What level of openness in regards to the technical measures, the tools, the precise processes and things like that?

THORSTEN KRAFT: Completely open because we do not want to build something in a black box; we really want to set up something that can be used afterwards.

AUDIENCE SPEAKER: One more question. There is actually a couple of more initiatives similar infrastructure, Spamhaus, whatever, how you diversify yourself from the previously existing structures like that except for this time it's funded by EU technically, how you would diversify and you are better than them.

THORSTEN KRAFT: We are not saying we are better and do not want to say that. We want to set up something that is open and for everyone. Community build.

AUDIENCE SPEAKER: -- of course.

THORSTEN KRAFT: Maybe. If you see a closed source as something that is worse, then yes we want to be better.

BRIAN NISBET: I have one last question myself -- sorry, this intrigues me, it's something we are thinking about a lot in a completely different section of my own company. Who do you see as the primary users of this project, the primary end users of the project? Are you mostly aiming it at companies, at law enforcement, at citizens? Is there any kind of concept there?

THORSTEN KRAFT: All I have mentioned here.

BRIAN NISBET: So it's just all of those groups.

THORSTEN KRAFT: All. If we have more ISPs involved in there, then it will be an ISP initiative, if there are more banking sector guys involved, then it will be more banking sector focused so we would like to have a very broad area of contributors to the project, to be not into one specific direction, we want to reach out all.

BRIAN NISBET: Sorry, that doesn't quite -- as I may well not have been clear. Or I may well not be understanding. So you have the six groups up there, they are all -- they are organisations, corporate or publicly funded or whatever else, and a couple of slides later you have the train down through with hopefully bringing users to the individual users, the individual citizens to the citizen and to mitigation and things like that. I suppose my question is, how much is -- how much of the focus of your time and your tools and your plans is looking at the final end user of any one of those services and there I could mean the customer of an ISP or indeed a professor in a university or whatever it may happen to be.

THORSTEN KRAFT: I think in everything we are doing it will be our primary focus, the end customer.

BRIAN NISBET: OK. Any other questions? No. I think --

WOUT DE NATRIS: I would like to look back at what I did Tuesday, of course we should have had ideally this presentation first and then the session I had, but having seen what you have seen you will understand that if there is no participation by anybody this is going to stop on the 1st of August 2015 because simply there will be no data available to share with anyone. So it's going to be extremely important to get all these sort of groups hooked on to this project and that can only be if we convince you to participate in it as RIPE community or as individual companies who participate in it.

I would like to end up is please give us your business cards if you are interested to hear more, the only thing you will get from us is information on ongoing projects, and when it becomes of interest to you you have the opportunity now to participate and adapt this programme with something which makes it work for you because at the 1st of August 2015, is going to be finished and the funding at least as it looks now is gone and there is no more working within the project, it has to be there so. Please join us in this and that is the open invitation that Thorsten and I and the other members of the consortium to give to you because now is the opportunity to work with us and change perhaps this problem forever. So, that is our message and I hope it's of interest enough that you share cards with us and we are able to reach out in the future and see what we could do together so. Thank you.

THORSTEN KRAFT: One message I would like to add: If there are any claims in two years that the project is not doing that what was expected, then the first question I shoot back is have you been involved in that? Have you contributed to it? And if there is a no then I can say, OK, that was your fault.

BRIAN NISBET: OK. Unless there is anything? Thank you very much, gentlemen.


I have noticed that you have moved it this time. Thank you. So, that is our formal agenda. And to make a difference from the last few meetings, we have, we are actually still have some time. Does anyone have any AOB? Please.

AUDIENCE SPEAKER: I have -- Gordon, Sweden. I have -- I am not really sure if I should bring this up on the mailing list first, but anyway I am here now. I have a problem with -- we have sort of 800 customers with PI space and we sort of sometimes they fall into the category they end up in a block list at -- huge block list at often American on-line. The PI space they have wasn't theirs from the beginning, it hasn't been advertised, it hasn't been in the BGP table but American on-line still has it as a block and my problem is that I can't convince American on-line to actually delist these things; they say they are going to delist it sort of one IP address in a week and they have 16 /24 so it's going to be sort of 68 years or something like that.

But anyway. The problem I had is that I can't convince them and I tried to do it with every means I have so I will have a discussion how would we, could we have some kind of discussion about how will this forum do something that might -- maybe RIPE NCC could set the mark on and say that well, this is cleared now, so we can have some more, little bit more about it. I am not really sure how to -- I would like some help.

TOBIAS KNECHT: Interesting enough, I have heard this very often and interesting enough, I have heard it always with the same ISP in the US. So it's --

BRIAN NISBET: They do dial-up or something, it's phones.

TOBIAS KNECHT: Yes, we were talking about exactly the same problem at other meetings, for example, MAAWG, the Messaging Anti-Abuse Working Group, they have a big pain with that and get new IP space and sometimes the IP space is listed on whatever, 55 different blacklists and then they have to get rid of that. What we figured out while talking about is that is you have two problems: One thing is can you clean up space? Just because you had a spammer in there before or a lot of Bots within there before it changed the users are gone, the network is completely clear, that is fine. Then you can say it's clean. But for example, if you have IP addresses in there which were C and C servers which are now working as sinkholes you still have kind of compromised hosts on AOL or Comcast doing the same. They won't believe you that this is a sinkhole now and we have seen the -- these reports for a long time. Saying that IP spaces whatever, dirty and not any more. The question is more or less, how can we -- there has already been work done at MAAWG, how can we make a procedure for receiving parties to find out if IP space is now clean or not, and it's not done just because this was the first idea, it's not done by just making a flag into the RIPE database and say this IP space was changing users completely at this date. So that is not enough for the ISPs. I have this on my radar at the moment because next week, Montreal, there is a MAAWG meeting again and this will be topic again. I hope that there will be a resolution over time but it doesn't look like AOL and Comcast and AT&Ts and even in Europe ISPs are kind of very helpful at the moment in stepping forward and bringing up what you can do to clean up and to get the reputation of your IP space re-settled.

AUDIENCE SPEAKER: That is a big problem with the IP reputation because my customers go to a site where they search for the IP numbers and they get bad IP reputation, they say. But that is not really -- it's not the IP that is bad; it's someone who has blocked them to make the IP bad.

TOBIAS KNECHT: It's on the other hand the same, you look at hosting providers or VPS servers, they have exactly the same problem, if they are giving out a new IP address to a customer and usually they take it back eight or six or ten weeks before they give out again the IP address and they have exactly the same problem because they are listed in Spamhaus or whatever blacklist and these IP addresses are spread all over the place and they or their customers, the new customer of the hosting company tries to get these things cleaned up and I have heard from several hosting companies that they had to change IP addresses afterwards for the customer because he said I can't use this IP address because it's listed on 50 blacklists and I can't get rid of it so it's not your fault -- not my fault, I am not giving you stuff which I can't use. It's a really big problem reputation-wise. I have the feeling that some people try to wait until IPv4 is not used any more, so maybe it could take a while, I don't know.

AUDIENCE SPEAKER: Sort of a nice driving force for IPv6.

TOBIAS KNECHT: Exactly. I think it's I don't want to do something and we wait or have a stupid excuse for that. But yes, as I said, at MAAWG there is talk about that, I hope that this time in Montreal we get a few steps further with this and can come up with a kind of part leap solution or even an idea how we can do it. And as I said, the biggest problem is how can we specify that the space is clean, so that is exactly the point, so where is the measurement that somebody can say this /19 is clean now, and that is why I can promote it to the outside world and say this is new, this is clean, this is new, you can delist it from everything and wait if you see anything else then you can list it again and that is exactly the measurement, how can we check exactly this part and that is pretty tough and pretty hard.

BRIAN NISBET: To add to that to a certain extent, one of the things which has been talked about a lot over the last few RIPE meetings especially as IPv4 brokerage and all this kind of stuff continues to gather pace, is that the accuracy of the registry is one of the most important things that anyone in this community can work towards because accurate information and precise information is what we are aiming for. And that will help you with your issue, it will help a number of people with their different issues. RIPE has been making available through RIPE stat and other locations for some time very accurate information on when an address block changes hands, who has had it, where they have had it from, and there are some tools around that, and while I would not wish to speak for the NCC in any way, shape or form, bearing further policy or -- barring further policy or the community asking them to act in some nebulous way, that is what they can do right now, so, if there was a wish from the community for them to do something else, then there would have to be that vocalisation of that wish to do that and as I mentioned, anyone in the community is allowed come up with those policies or wishes and certainly Tobias and I and the policy development people in the NCC are willing to help with that. But I think that is what is there at the moment.

Anything else? No other AOB.

OK. So, people should obviously start thinking now about agenda items for RIPE 68, which is next May in Warsaw. So we are suddenly going substantially further north than we are now. And we will be sending out e-mails and obviously minutes will go out and all the rest of that kind of thing. You -- yes, I should have said at the beginning, if you wanted to put yourself forward for the RIPE Programme Committee you are now too late by about 25 minutes, maybe if you receive the e-mail in the second 30 seconds but I suspect not. So all it leaves me to do is to thank the NCC staff, the AV staff, the stenographers and, most importantly, all of you for coming to the meeting and we will see all of you in eight months' time. So thank you very much.