
These are unedited transcripts and may contain errors.

The anti-abuse Working Group commenced on the 8th October 2009 at 4 p.m.:

CHAIR: Hello. And welcome to the RIPE 59 Anti-Abuse session. Thank you all for coming this afternoon. I will try not to create too long a time gap between now and you being able to get ready for the dinner this evening. For that would be a truly terrible thing.

We have a few kind of open discussion bits and a few presentations for you this afternoon and hopefully there should be some interesting conversation generated out of it.

First of all, I am going to say thank you to the RIPE NCC staff, who are doing Jabber and scribe activities and tech activities without whom I would be trying to be in four places at once and our wonderful stenographers without whom I'll try to remember the interesting things you said.

One addition, micro from NomiNet has been added into the agenda at the last moment because he didn't run away from me fast enough, with an interesting presentation about domain locks for phishing reasons and he will talk all about that.

The minutes -- sorry, the one other thing I absolutely forgot is apologies from my co-chair, Richard Cox, he was all planning to be here this week, but sadly he fell ill at the last moment and so, he won't be joining us. So he sends his apologies on that and hopes to see you all in Prague for RIPE 60.

So, minutes from RIPE 58 were circulated. I don't think there are any comments on them. Unless somebody says now I am going to consider them to be approved, entered, etc., etc.

No? Excellent.

So, part 1, which I think is me doing some talking. The recent discussion on abuse contacts. There was an amount of conversation and there was an amount of conversation elsewhere about methods of people contacting ISPs for abuse reasons, and I have my own opinions on this, but now is not the place where I get to necessarily shout them from the hills, so I was wondering if there was anyone in the room who had any opinions on some of the more recent methods we have seen of talking about abuse and ISPs being contacted about abuse issues. And not specifically talking about the methods used by ABUSICS and the notion of sending an e-mail for every single incident they come across, but I am certainly alluding to methods of that kind. The ISP, from my work, the HEANET, sends out a very small amount of spam and we stop it very quickly. The odd machine is owned and some gets sent out but on a bad day we might get 30 e-mails from ABUSICS. I am guessing there is ISPs out there who get substantially more, a far larger number of contacts regarding abuse and I am wondering if anyone in the room has any opinions on that, or anyone in the room has any experiences or indeed, any suggestions on how better people might suggest such things. Sadly yes, Marco the microphones are on either side of the room, so there is nothing in the middle.

MARCO HOGEWONING: It's Marco. Well, just it's an opinion, I did -- I am one of the authors and people behind the abuse mailbox attribute which was introduced a couple of years ago and I do notice there is, again, an increase in people actually contacting everybody there, and from what I have seen currently, it seems that they are actually looking for admin contacts in the organisation attribute at the moment, and do other people experience that as well, because, again, I guess this keeps on coming down to educate, educate, educate, educate, and put big signs up somewhere in the RIPE website, maybe use the RIPE labs interface to create some tutorials on how to actually, how to use the RIPE database to get to the correct contacts. But I see it slipping again. When we actually changed database to exclude addresses from standard queries, introduce the abuse mailbox attribute, things got a lot better but recently it's been slipping away again.

AUDIENCE SPEAKER: In fact, I had something to say back the way to ABUSICS, but even this one. I am on the side which --

CHAIR: Sorry, can you just say your name.

AUDIENCE SPEAKER: /PAFL from SISNET. I am also -- I am upon both sides. I am also on the side which generates the mail, which reaches the abuse mailboxes and we always try to use the right abuse mailboxes, but we also have to take into consideration that we sometimes have bad experiences with some of the networks or that some contact mailboxes which look perfectly valid, are in fact not. You get a response from mail server that mailbox doesn't work or so. So you have to escalate and try another means.

CHAIR: Right. But your default first action is to --

AUDIENCE SPEAKER: Use the right box, of course.

CHAIR: Well, I mean, this is the thing. There is I suppose the additional question is we have the abuse mailbox in the object, and it's there, I suppose there is a question as to what level of checking or what level of, I suppose even sanction can be put in place if that address doesn't work, but that's a very much more complicated, very much more complicated thing.

MARCO HOGEWONING: May I respond? I think we went through this discussion a couple of times in detail, and like you said, there is actually not much, what we can do. We have some people showing up, putting objects into the database, and how can we check that -- of course we can try at the moment to introduce the object. You can try to resolve the domain name, contact the mail server, see if it's actually responding. But it will probably, A, it will take a lot of work actually doing those kind of checks if you enter objects in the database; B, it will make your database perfectly slow. I have seen occasions where those checks simply fail. So you would never get to update your object. And even if we do check on the insertion, you have to basically get back every hour to see if that address is still valid.

So what do you do? We can take it out again. But do we take out all points of contact from the database then or do we simply drop the database object? What should the sanction be if it becomes invalid? That's the main part. Technically of course you can run checks every once in a while, but what would the sanction be if it turns out not to be valid? And maybe it's a temporary error, just a mail server that's not responding or misconfigured for an hour or so by the time we do the check, and take away the objects? I don't see what we can actually do from that perspective.

AUDIENCE SPEAKER: In fact you can't. I didn't want to say that it's your fault. It's in fact the wide world.

CHAIR: Wilfried.

WILIFRED: I am seeing two developments here. It seems to be fashionable to install some sort of automatic tools which tie into intrusion detection or whatever. And for each and every line or each and every incident that machinery creates an individual complaint. The natural reaction on the receiving end is to just configure the mail disposal mechanism, and just throw them away because it's just another form of spam. It's actually -- if you get that from too many sources at the same time, it's actually sort of a denial of service attack. That's sort of one observation. I had that just recently. And that leads me to the other thing.

Like, some parties, not naming any particular one, some parties seem to be of the opinion that it is appropriate to do some sort of search words to the responsibility root of a structure, whatever, and then claim that those parties responsibility for those resources actually prefer receiving an individual notification. I still have to find a single organisation which agrees to that claim and which sort of supports that assertion. That's one of the reasons why I ask you to put this onto the mailing list, because I really want to get a feeling what the reality in the world out there is, and what is just a view of a particular action.

A couple of weeks ago I have been at a security forum in Tallinn, I was asking more or less the same question there during a discussion, and the answer there was everybody shaking their heads and say no, that's not the way to go.

So I am looking at this opportunity and at this community to ask that question once again. Is there anyone who agrees sort of with that model of fighting abuse that you find the most detached, the most remote entity up some nutrition tree to the root and try to start complaining there and hope that this entity does some magic to resolve the issue? So I'd really would like to see some show of hands or --

CHAIR: That was one of the follow-up things.

Okay. I am just going to ask a couple of questions in a minute, but sorry, was there another point?

AUDIENCE SPEAKER: Lance Wright, Chocolate Redhead. What we have actually found, as far as dealing with spam -- don't get me wrong we are looking at technology and maybe we are looking in the wrong direction -- we are trying to build a better mouse trap. The reality is why are people sending spam and if you deal with the reason, it's because they make money doing it, if you can deal with the reason, you deal with the spam. I actually work with a number of companies that actually have solutions that literally are a box. It's a community based system. If you find a piece of spam you mark it, it tells everybody else a part of that community. Because if it's not relevant to you it's probably not going to be relevant to someone else. You are not going to be getting anything on anybody else's e-mail address but the idea being, it finds where it's come from, it sends it back where it's come from. It actually deals with spam on the financial level, which basically demotivates people and we find that they leave us alone.

CHAIR: How big an organisation are we talking about? What kind of number of mailboxes?

AUDIENCE SPEAKER: In the United Kingdom, you are probably looking at about 150, 170 thousand presently and we get very little spam now.

MARCO HOGEWONING: Did you mention you send it back where it's coming from? How do you verify where it's coming from because in 99 percent of the occasion the envelope prompts are actually fake.

AUDIENCE SPEAKER: That is proprietary information, but if you are glad to sign an NDA I am glad to discuss it with you.

CHAIR: Okay.

MARCO HOGEWONING: Wonderful these community meetings.

AUDIENCE SPEAKER: I am just waiting if the discussion goes back to the starting point.

CHAIR: This is the thing. So I suppose there is a number of questions. Now, as Marco said, there is very little way of I think of saying you have entered an e-mail address, therefore it must always be valid in perpetuity. I know I can't think of a way of testing that. I am fairly sure if the RIPE NCC had thought of one, they would have mentioned.

So, I suppose the question is, one of the questions in the room is: Is it appropriate or would you feel it's part of your natural spam fighting reaction, that if the abuse contact that's listed in the database bounces or times out or whatever, that you would then go searching for other admin contacts, or do people feel that they'll make a default decision that the, the abuse contact is less likely to be real and therefore go for an admin or a billing contact or otherwise?

Before your point Marco, I am just wondering, is there anyone in the room who feels that they would go automatically to the admin contact and just not bother with the abuse contact at any time because they feel it may not be valid or otherwise?

AUDIENCE SPEAKER: It depends on the spam.

CHAIR: It's been cast, so if you don't speak.

AUDIENCE SPEAKER: It depends on the spam, because in the early days, the fact of the matter is most people sending this out, unless it's malicious, they want to sell you something. So ultimately, you go back, because they are giving you, they want you to buy something from them. You deal with that source, because the person that's dealing with the technology will not basically take, you know, any responsibility. They are just saying I am doing my job, we are offering a service. You go back to the people that are actually looking to profit from it, you get a lot more response.

CHAIR: I am not standing here with a fund of answers. I am looking for feedback for recording and for further discussion. Marco?

MARCO HOGEWONING: Well, I think it's clear that everybody more or less in this room kind of like behaves itself and actually looks for abuse contacts and in effect, if that abuse contact or any other associated address is bouncing, then yeah, you start contacting the admin or tech contacts in that object, but yeah, that's the sensible thing to do. But I personally and I have to deal with these guys, like Wilifred already mentioned it's almost as annoying as spam because usually the spam gets filtered and the complaints don't. So that's the main point here and as soon as more and more people actually like, don't take the appropriate stuff and simply like by default send abuse contacts, good luck, you are filtered also.

CHAIR: So, and that leads into, that's a fair enough point and I mean that leads --

MARCO HOGEWONING: It actually goes on beyond that, because where do you go next if everybody starts filtering admin contacts?

CHAIR: Absolutely. And I mean the next question is, as Wilifred said is, is there anyone who feels that the way they should go way about addressing these things is to go to the highest point of registration and start talking there, or would people normally do what they should be doing, in my opinion, which is going to the most accurate object, and contact from there?

No? So, again, the same as what we have seen elsewhere from that point of view.

MARCO HOGEWONING: I guess it's a simple case of breaching for the requirements --

CHAIR: Absolutely, it's a case of trying to figure out what is normal.

MARCO HOGEWONING: Maybe we should ask the question tomorrow in the plenary, bigger audience there.

CHAIR: I know you said go back to the beginning. I am not sure if I have addressed --

AUDIENCE SPEAKER: /PAFL: I think it all started with the company whose name cannot be said.

CHAIR: Okay. This is the thing. The third question is: Are there people in the room who operate, whatever size of abuse desk, who think, yes, mass mails based on one per incident or a high volume per incident work well for you? That you will get an amount of abuse mail, hopefully to the right contacts obviously, concomitant to the amount of spam that's been sent out? Or would you prefer single mails, you know single points? Is there anyone who looks at their -- and I am going to say it again and I don't mean to kind of drag it through again, anyone they look from the e-mails they get from ABUSICS and say that's exactly the way I want to receive these e-mails and that's awesome for me?

AUDIENCE SPEAKER: Absolutely no.

CHAIR: Fair enough so. So you'd prefer individual --

AUDIENCE SPEAKER: /PAFL: Well, I'd prefer the behaviour which most of the teams in the community use and most of other teams who complain in some way, they just aggregate the complaints in some way. Yes, it is some more of the work, but in effect, if you take each and every spam and generate a complaint, then you, by definition, generate spam too.

CHAIR: That's a fair enough comment, absolutely.

AUDIENCE SPEAKER: And you are creating one more of collateral damage.


AUDIENCE SPEAKER: When you steal my watches, okay, I think it might be you, so I go and steal your parker pen. It's not okay. It might seem that now we are even, but we both committed a crime.

CHAIR: Thank you for those comments. So, I think they are the questions that I wanted to ask now and I wanted to get a feel for. So, I am kind of inclined -- I know I have sanctions written up there, and I think that's something I am going to go back to at a slightly later date in the agenda, because there is been a bunch of discussion already on that this week, and about what the community, what the NCC or otherwise can do in the cases of network abuse. So I am going to leave that till a little later in the agenda.

So unless there is any other recent list discussion or otherwise items that anyone wants to raise, we shall move on to our first presentation, which is from Marco, so he gets to have to keep on standing up, but he gets to use this microphone. And I will step away.

MARCO HOGEWONING: I'll introduce myself already, you may know me as the v6 guy. Security is not really part of my job, although I am involved as I said, sometimes involuntary because I am an admin contact for the LIR rerun. Brian asked me, because I am actually, well, one of the few people involved in this, and also present here to do a small presentation on this.

It's BOTNET covenant. They are a disclaimer, as I am not into the subject totally, these are not my slides, and this is not my spelling mistake. In fact, it is Dutch. We are a weird bunch of people putting Ns everywhere.

So what is this? It's an effort to cooperate and the abuse link focusing on innocents in particular. This was done by a major ISPs and Opta, which is the Dutch Telecoms regulator. Now 14 ISPs have joined this initiative, and these are the participants. Now, you may get smart and say like these are not 14 ISPs, because some of them actually are brands of the other. Obviously KPN, HEAnet and Telforth are one company, but if you do the maths, this is -- well KPN serves about two and a half million customers. I think Zigo has 1.8 the UPC has about a million, roughly this boils down to about 6 or 7 million broadband connections in the Dutch market, which is I think about 75, almost 80% of the residential connections in the Netherlands are part of this group of people are actually in the market share. There is quite a big coverage, even with only 14 people. So quite well coverage.

Well, why do we do this? That's the main question asked and I have also seen this going around lately. Abuse fighting is obviously necessary. It's about cleaning your own mess. Our customers misbehave. We have to clean up for them. It's a natural thing. We are good citizens.

The other major part is proactive. We better do it ourselves before some regulator steps up and makes legislation because usually what happens is that the legislature gets it almost right, and misses out on like some tiny points.

And third and major part, is actually the media attention. It creates awareness. People will have to understand that if that browser comes up saying like mime type evil/zombie isn't recognised, do you wish to download the plugin and click on yes, don't. And if you do, it will have consequences. We will take down your Internet connection until you solve your problem and actually get that stuff off your computer again.

So, that's one of the primary reasons there. Get the word out there that there is some about actually like being a responsible citizen when you connect to the Internet.

So, how are we going to do this? Well the ISPs will filter and block infected customers and the ISPs will actually share knowledge and inform each other if you notice that some PC in the other guys network is part of a zombie network. This is completely natural behaviour, you think that you are here in the anti-abuse Working Group and you behave. In fact, for us this has been a reality for us for years and years, if we do get a complaint and it's documented in the right way, push a button and the customer is given a ticket, the customer is e-mailed and put in a sandbox until he fixes the problem. Some of the other people, this is less natural. They don't have the mechanism in place. They have to react by hand and find a way to stop this and since that's costing money, maybe they are only doing it if the complaints insist. So that's...

It seems totally natural, but still some people have to learn this and have to be taken by the hand to go there and actually tell them what to do and how to do it and actually respond to those complaints.

Sharing knowledge. Yeah, you send out abuse complaints, but there is something to it. We wanted more or less documented. There is some legal threat if we just shut you down and we have no proof whatsoever and there is legal liability for us. Some people do share that information. But it's something like, yeah, people coming around there. You have to build-up the trust that if somebody comes to you and say like hey, this machine is part of a botnet, that we actually trust them to be right and take action upon it.

So, the when. Lately there is been quite a -- actually it was signed in July already. Major press coverage was done in August, so it's a bit late. The reason that filtering should be operational by Jan 2010. And the exchange of knowledge and info, it's a bit strange because obviously when we start filtering, we are already exchange information, but there is some plan in February where we are actually like talking about the subject and what things encounter and stuff that needs to be covered.

Like I said, I am not the one behind this all, so if you have any questions, these are the e-mail addresses. If you want more contact this is e-mail address of my colleague who is happily answering your questions from his office in Amsterdam. So that's it. Thank you. Any further questions, I might be able to answer them.

CHAIR: Thank you very much. Are there any nice easy questions for Marco? No? Nothing at all? Okay. Thank you very much.


CHAIR: Now without going all the way back up to my agenda I am going to ask Ian from NomiNet who I grabbed even more recently than I grabbed Marco. Marco got grabbed on Monday and had many days notice. Ian got grabbed yesterday when he foolishly told me he had been talking to people about the Phishing lock project that NomiNet had in place. I asked him what he was doing around four o'clock this afternoon. He got excited and realised it was my Working Group. So, without going any further into that, Ian is going to talk about his Phishing Lock project.

IAN: As Brian said this was a rehash of a talk I gave on Sunday. I have extended it a little bit because Sent-Tech is an audience of people who work for top domain named registry. I can't assume that you are that. Some of you it might be a little bit pedestrian.

A little bit of background. Phishing Lock itself. It's intended to be a tool that can be used to take domain names involved in phishing off the Internet. So that will become clear in a little while.

I'll give a short introduction. Why NomiNet started this project. A little bit about how we have done it. And some talk about how it's being used, the scale of use so far. The potential for misuse and what we do about that and where we are going to take it going further.

So NomiNet. We have .uk domain name registry. At present we have got just short of 8 million domain names. We operate what's called a thick registry model. What that means is besides storing the technical information about domain names, which allows them to be looked up in DNS or some details in WHOIS, we store the social information. We store the details about the people who have the domains. That's important because the Phishing lock itself can operate on both a domain and on an account. So that's the an account is, it can be registrant. It can the people who are registering domain names.

So, we have two registration interfaces. So this is used by what we call registrars, who are usually ISPs, to register domain names on behalf of registrants. They use either an XML based interface which uses an open standard protocol called EPP, this is meant as a common interface across registrars between different domain name registries. There is another interface which uses PGP signed e-mail. Both of them allow a sort of common set of operations, both have been put into a single registry. And an important thing to note is that registrars can only modify their own domains. You can't use this Phishing lock on somebody else's domain. It's only ones that you have, you have registered on behalf of your registrants.

Domains can exist in effectively three states. They can be live either registered, they are, they are paid for, they are in the zone file. They can be suspended, or they can be cancelled. Now suspension, traditionally was a phase between registration and cancellation, once the renewal period of a domain had expired. Now, for our domains, renewal period is two years. After the two year live registration period. If the renewal has not been paid for they get put into a suspended state where they are not available to be registered by anybody else but they are not included in DNS either. So they drop off the Internet, but if you are the legitimate owner, you can renew them and they'll go back in before anybody else gets a chance to grab them. If they are not renewed during the suspended phase, they are cancelled and then they are available for anybody else to register.

And what the Phishing Lock does effectively, it suspends the domain, it holds it in place so that it's not visible in DNS and it can't be used by anybody else. It's used to lock accounts. If we get a report about somebody consistently doing that, the lock imposes on them.

So, the motivation comes from our vision which is probably goes beyond layer 9 and on to include 9. Basically we have got a vision of the Internet as a trusted space which has a positive impact on people's lives. You can tell that's engraved on my heart. And what we wanted to do as a result of this is use what influence we have on the domain name space for improving the quality of the experience that people have. And this is probably one of the first things that we have done on this. It's an easy win. Phishing involves domains and we have control over domains, so it's something that we can easily deploy to make sure that we can take action against these things. What we have done is provide a tool that empowers the registrar to take these down. It can be used by us as well if we are approached by law enforcement agencies but it's tended to be used primarily by registrars. And what it does is it halts reregistration, so you can't -- if your domain is -- has a Phishing Lock imposed on it, it can't be cancelled, it can't just hop off to somewhere else and reappear again on the Internet. Just in case, you are aware, these Phishing domains tend to look like typos of valid domains, so I mean, popular UK and Portuguese bank is Barclays, a Phishing domain might be Barclays with the L replaced with a 1, so it's not immediately obvious somebody has this kind of domain. It is valuable to the people doing this to sort of preventing reregistration reduces the use of that domain.

We store our registry in a database. It's an oracle. And we have, as part of any operation that takes place on the database, what's called a do not allow matrix. Now what this is, it's just a set of views and tables inside the matrix which allows us to build a matrix of cases against operations. So, for Phishing, that is a case and it prevents certain operations to be done on a domain name. So you are unable to cancel the domain name, you are unable to transfer it to another registrant, or transfer it away from the registrar that it's on. Or and you are unable to renew it. It just holds it in place. If you put the Phishing Lock on an account, then it qualifies for a different set of operations, and that's -- it allows the account to create a new -- it prevents the account from creating new domain names, it prevents them from modifying details on the domain names that they have registered under that tag. So the account it can't modify the domain names or the account details itself, so they can't make it look like it's somebody else.

And this DNA matrix existed for a good while now. We use it for other operations such as the account holder has been dissolved of this company or deceased if they are dead, or whether the domain name's been put into our dispute resolution service. So, adding this extra check was very simple. It's an easily extendable part of our registration system. So it's had no performance impact. It has no side effects in the way we operate.

In terms of the way that it's being used, at the moment it's very unused. We have had, the time I wrote the original slide deck, we had had less than 60 uses in the five months that it's been operational and at the moment, that's running at about two to one, NomiNet versus the registrars, we being the people who have been approached to impose this lock on suspect domains. Looking at the reasons why it's not being used so much, it's probably registrar education largely. People don't realise that this operation is there, or they don't, if they have got a Phishing domain on their associated with them, they want to get rid of it quickly, so cancelling is an easier option. There may be something we have to look at to do with the charging because at the moment it's free to cancel a domain in a certain amount of time after registration as opposed to this, imposing a Phishing Lock which will involve you being charged on the domain, but we can review that.

We don't have any automated system for checking for abuse, we rely on people making reports to us. We haven't had a recorded instance of abuse yet, by abuse I mean somebody targeting a legitimate domain and claiming its use for Phishing so that it's taken down by a registrar. We are leaving it up to the registrar to police that kind of activity. So we are pushing the power to them. If we get some kind of rogue registrar who is imposing Phishing locks on legitimate domains for, I don't know, extortion reasons, presumably, we would, we have sanction to say remove their ability to function as a registrar. Remove their right to register domain names and effectively prevent them doing business.

When we introduce the Phishing Lock, we intended it to run for six months prior to a review. We also intended it to be used as a tool which would then become part of a new thing that we were bringing on which is a Phishing feed, we are going to be taking a feed from Netcraft to produce a list of domain names which are associated with Phishing and we are going to provide -- we'll be able to do a crosscheck against the registrar, provide that information to the registrar and say look we think this domain is involved in Phishing, we would like you to take action on it. That service itself isn't coming out probably until mid-2010.

As part of the review, we are going to review the effectiveness, or any instances of abuse -- review whether there is been an increased potential for abuse, what we also want to look at is extending it beyond Phishing to look at other criminal activity and one thing that maybe the Working Group could help is make suggestions about what kind of that activity might be. We have looked at maybe extending it for people who are selling counterfeit tickets or not, you know, not fulfilling sort of other contractual obligations like that, that's probably going a bit too far, the obviously selling criminal goods is the thing I am talking about. There has been possible discussion of hosting of malware. But we have no idea how we'd be able to detect that and make it work. If anybody has got any other ideas, I'd be glad to hear them.

And that's it. Are there any questions?

CHAIR: Any questions for Ian? Anyone any suggestions of other things it might be used for? No? Apparently you made absolutely perfect sense. Thank you very much.


CHAIR: Back to the agenda. I can get to sit straight back down now. The section we have under technical measures has changed a few times over the last couple of days. But, the NCC demoed some wonderful tools. I got to see them a couple of weeks ago, and they demoed them. One of these was REX, the Resource Explainer, and I asked the NCC to come along and give a presentation here today, well a live demo, to show just what these tools can do from the point of view of Anti-Abuse and fighting abuse, because I just really wanted to make the point because I think they are a fantastic idea and I think too many people might look at them and go, ah yeah, from a registry point of view or whatever else, or checking my own routing, but I really wanted to make the point that these are really useful from that point of view.

So if I could ask Emile to do whatever you need to do with your laptop. I think we have hopefully got interesting net blocks to take a look at. I haven't seen what net blocks Emile is going to plug into this.

My point was more that I haven't seen what they are and we haven't done a WHOIS on them, if they happen to be yours, then such is the luck of the draw, and somebody is doing something wrong in your network somewhere.

SPEAKER: Emile Aben. Thank you for giving us the opportunity to demo this tool again with a little more detail for Anti-Abuse. I work at RIPE NCC at the science group and helped develop this tool.

So, briefly what is this tool? First of all it's featured on RIPE Labs, so the URL is here again and it's probably on the back of some T-shirts in the room. So please visit it. So the Resource Explainer is, you can find it there so you can actually, if you want to do live right now on whatever prefix you want, feel free.

So, this will give you current and historic information about a resource, currently we only do v4, but v6 numbers are also planned. This is a prototype service so please let us know what you think of it and how we can improve it. One of the next steps we want to do with this is have a user type specific views and one of the interesting views there and very topical for this Working Group is law enforcement and security.

So onto the live demo...

So I looked at a couple of prefixes and these are some that I found interesting. For instance, this was one that was associated with infamous Russian Business Network. I put the start date a little back. Usually the Resource Explainer only takes a year of time frame by default. So, if you go look up this prefix and, you can see currently it is with The Planet. This is the routing module of REX. Currently ... the green section is the current section, so the information as current as we have it, this is fairly normal, but if you look at the history of this, of this prefix, you can see, that sometime at the end of 2007 a couple of more specifics were being announced by several autonomous systems and then everything stopped. Then you see a large gap and then you see it being announced again by another prefix by another autonomous system. And this AS number, this is actually the AS number that the Russian Business Network used. So you can, with this interface you can correlate the information with what happened in black lists.

So, currently, The Planet is currently doing a good job of keeping the stuff clean and for the lists that we have in the current prototype of this tool, this looks very clean. But if you look at the history, you see that there is two resources from this /20. In the drop that router appears in the SPAMHAUS, you can look what the prefixes are, dig in the details of these, and below you can see the number of entries in a specific black list and the coverage, and because one was a more specific of the other, that first block is actually 100%. And you can also correlate to geolocation information. So, right now most of it is in the UK. It's got a little bit of stuff everywhere, but if you look at the history, you see something interesting, I think. But in the end of 2008, this block was still geolocated according to the database, partly in Russia, which is the green, partially in Panama, which is the blue, and partially on the Seychelles islands. You sort of get a feel for what a block is really being used for by just combining information from various sources. Then there is a gap and then you have it all in the UK and actually if you look at the last one up here, you see that there is a little use in different countries as well. And of course, these geolocation databases are not a hundred percent accurate, but it gives you a sense of the block, of its cleanliness.

Another example, I have just picked an entry from the SPAMHAUS drop list. So again in the routing module here, you can see a little bit of what it currently is and routing history, nothing spectacular here, but if you go to the black list section, you can see that the UCE protect level 1 list actually has two resources listed, currently it doesn't have this listed any more, and again you can see the details. For the history you can sort of see what's happening here. So this UCE protect list, found a little bit of activity, so it was put in this list, and then apparently it was put in the drop list at some point. And taken out again. But if you look at the coverage, so, the drop covers the full prefix that I put in, the /22, where the UCE protect only has /32, to specific IP addresses, so with these two graphs you can actually see the difference on information like that.

And the third one I wanted to show is one that I picked out of a list of command and control servers that's associated with ZEUS, which is a crimeware kit. So if we do a query there again, apparently this is currently not routed. But it has been routed by this particular autonomous system and you can actually see where it stops, yeah, somewhere in 2009. And it was part of a /23, so if you go to that /23, you can actually see that that was also, again, in the drop list. And still is apparently. So...

That's it for the live demo. Now to the safer stuff hopefully.

These examples were based on data that we currently have in our back end data store, which is called INRDB. So, for the spam list I showed, we only started tracking some data earlier this year and it's especially true for the UCE protect lists, that we only started tracking in June, and we found some historic information about the SPAMHAUS drop list so we have information going a little bit back further.

If people know or would like us to include any useful data, anything that it has sort of a time component and a resource component in there, then please let us know how we can make this tool better and how we can make this tool better fit the needs of the Anti-Abuse community. So one possible issue there is licensing. Of course we are working with databases where stuff like that might be an issue. So if you have any suggestions on things like that, or have any suggestions on how we should improve this Resource Explainer prototype. Please let us know. Speak up here or, and talk to me or talk to anybody else in the science group or in the NCC or put your comments on RIPE Labs of course. So... that's it for me. Thank you for listening. Any questions?


CHAIR: Are there any questions?

SHANE KERR: I just have a question. Have you had anyone approach you with concerns that you may be making them look bad by publishing this in an easy to get format? If I have a network, I may not want my customers to know that I have lots of blacklisted entries in it, for example.

SPEAKER: We haven't had somebody approach us yet. But the thing is this is all publicly available data anyways, so ...

SHANE KERR: Yes, but there is a difference between ... that's like saying the DNS is public, so I can do whatever I want, which is not strictly true. Anyway, I will discuss this with you over drinks tonight perhaps.

CHAIR: On that point I can imagine that people may not, which from my point of view is a terrible pity for them. You know, if ...

SHANE KERR: I agree. It's just, because it's an NCC activity, if I was an RIR who was getting bad information published about me, I might be a little bit annoyed.

SPEAKER: For us, it's also sort of ...

SHANE KERR: I am not saying don't do it, I am glad you are doing, I am querying if it's happening.

SPEAKER: It's exactly why it's on RIPE Labs. It's a prototype. We could get all kinds of technical questions on this. Any other kind of question on it, so this is not a production service. If there are serious issues like that, we can take it down. We don't intend to, but we could.

SHANE KERR: That's fair.

CHAIR: Thank you very much Emile. I, for one, looking at it, especially considering some of the conversations already taken place this week about the purchase of address space and about temporary address space assignments that took place in Address Policy there just before, just after lunch indeed. You know those car sites where you can type in your, the car registration to see if the car has been written off or the car has been whatever else. The same thing for net blocks, if we get to a point where people are purchasing or trading net blocks or they are taking temporary assignments, then here is a very simple tool in figuring out what your potential net block has been up to for the last while, which admittedly may cause the same problems Shane is talking about because the seller may not want you to know, but I think it's a very lovely way of going caveat emptor and this is how you find out.

So, we have a few other things I'd like to discuss. Under the heading of interactions. The first one is the one I have actually listed there which is the database Working Group and IRT objects. There was some conversation on the mailing list and in other mails about the matter of abuse contacts and abuse contacts in IRT objects and it was what I was touching on earlier, and Wilfried, in database, said that Anti-Abuse hasn't discussed it yet and at that point in time I mentioned that from my point of view, there wasn't a lot for us to discuss in Anti-Abuse. The last conversation I had with the person who was raising this was that they said, well, the abuse contact is there, it's mandatory. And we are recommending you know and obviously we are also recommending in general that people provide accurate abuse contact details. And the person who raised that point seemed happy enough with that as, so we were kind of going well that's what's there. So we don't see any further action on Anti-Abuse or indeed object database. It's been raised to do anything with that.

So, unless anyone in the room thinks I am horribly wrong, I am quite content to kind of close off this action point and inform database officially that we have done so. Would I cynically say until the next time somebody raises it on the mailing list, but hopefully not. So... unless there is anything else there? Okay.

And I see Wilfried nodding so I am happy enough with that.

The other sort of interaction which was touched on by Axel in the NCC services Working Group yesterday which I neglected to add into my latest version of the agenda, was touching on the point of, which I then ... sorry, I then have it under D 4, which was the point of registry closures.

Now, there was some conversation in NCC services yesterday about it, and Axel again outlined what ... briefly the reasons the NCC could close a registry, which basically comes down to, and Joacim can jump up and tell me if I am wrong, basically comes down to them not paying or ceasing to exist and therefore not paying. A number of people have mentioned in conversations at various times, how it would be just wonderful if there was a big button that someone could press and said you no longer exist, you can no longer do anything. We revoke your resources, we revoke your certificate if such a thing comes to pass or otherwise. But there was a lot of conversation in NCC services yesterday about how, well, A) we don't particularly want anyone to have a big button which can switch off the Internet, and B) even if we did, it wouldn't work. That while people still route resources to a certain extent, it's not that it doesn't matter what RIPE NCC say about them because obviously a lot of people listen to them, but there is nothing that we can actually do to stop people routing resources or stop people advertising them.

So, we have been trying to explain this to a large number of groups of people and this comes under some of the law enforcement interaction as well, and I suppose the point of raising it here is to mention that this conversation has been ongoing, and to ask the room if anyone has any kind of comments on that whole aspect if there is anyone here who, I suppose, anyone here who would like to raise or turn around again and say RIPE NCC, why can't you do something about these net blocks, or, you know, ASs or otherwise. I wanted to ask, is the message clear enough that at the moment, they are the tools that the NCC has.

The other point by Axel of course was raising and which was mentioned, is that if the community wanted the NCC to attempt to do anything more, whether it would be useful or not useful, then obviously the policy would have to be, would have to be raised by the community, and it was clearly identified that Anti-Abuse was one of the Working Groups through which that policy was most likely to be raised. And I suppose I am just confirming that in case someone in the room was wondering I wonder which Working Group I go to about having my next door neighbour shut down. So I don't know if there is any comment that anyone wants to add to that, but I just kind of wanted to raise it, say it's there and we are talking about it and I'll touch on more of that under D3 and D3 in a second. Excellent ... not excellent, obviously I'd like lots of people to talk but possibly not for hours. So this does tie in with D2 and D3, the law enforcement interaction and indeed the LAP-CSNA.

LAP is the London Action Plan and they are having a joint Working Group with CSNA in Lisbon this week. So, we have been having conversations with a bunch of people. Law enforcement. We had a round table meeting as an adjunct to the global round table meeting which took place two weeks ago or so in Schiphol, and myself, NCC staff, including Joacim and Axel including a number of other representatives of the community including Wilfried, and Nigel Titley and David Freedman, sat down with a number of representatives of law enforcement agencies, including the Dutch police, Dutch Ministry of Justice, people from the UK, representatives from the FBI and a few other representatives there as well, there is bits of this meeting, makes it sound terribly special that we can't discuss. But the main thrust of the meeting, and indeed the main thrust of what we are going to go to talk to London Action Plan about tomorrow is to tell these people that the RIPE community and the RIPE NCC exist, and I am specifically talking from the point of view of the RIPE community, and what we do and how we do things. As was said in NCC services, it's not like we are aware of all these problems and all these law enforcement people and people like that talking about the Internet and doing nothing about it. We are doing an awful lot about it, and we are going and telling them this is how you make policy. You are more than welcome. You are part of the RIPE community as well. And while we don't necessarily expect law enforcement to turn up en masse to Working Group sessions or otherwise, a number of representatives have come in the past, and we are making it very clear what the avenues are and that even if the way they communicate with us is through me or through the NCC, then there are those avenues of communication into the RIPE community. We are friendly. Open arms, very welcoming. That we have technical knowledge and technical experience that they may not have and we are more than willing to share all of it with them, all they have to do is ask. And that we are not unaware of their, of their requirements and their needs.

Now equally ... nor are we saying, fantastic we'll do whatever you want, because that obviously isn't the way we act. And we are not suddenly changing our procedures to be however they would like to act. So it's very much a case of meeting them in the middle and making sure, to a certain extent as Marco said, making sure that we are informing the people who are making decisions on a national and international level, and making sure that RIPE community plays a very large part in that and a very active part in that. Obviously what we say to them is informed by yourselves.

So if there are any points that you feel that it would be useful to carry forward from the Anti-Abuse Working Group into any of the conversations that we have with such groups, then you can obviously talk to myself at any point, my co-chair, or indeed people like Joacim in the NCC or you can raise the points now or on the mailing list. But I think it's very important to be aware that that communication is ongoing and will continue to be ongoing, and I have got to say right now, it's through the good offices of the people in the NCC that we have had the opportunity to speak to these people, because it's not normally the case that I am in a room with a lot of people in suits who have powers of arrest, thankfully.

So, there isn't really very much of a specific point here or a question to ask. But are there any comments or questions that people have. Are there any groups that people think we should be engaging with that you think we aren't? Are there any people in the room that we aren't engaging with in a proper fashion that you think would be useful to talk to. You all feel appropriately engaged with? Excellent.

The last actual full point I have on my agenda here is documentation. Anyway the BCP documentation. We stated very clearly that we were going to, in Amsterdam, that we were going to update 409. A small group was formed to do that. It hasn't done it yet. That's ... I will quite happily hold my hand up, regretfully hold my hand up and say that is my fault. My job got demanding over the last six months. We didn't have the time to do it. I am hoping that we will have a draft document of the updated BCP to reflect the widening of the charter in Prague. That's what I am really hoping to say now. We have, there is only five or six people there, but there is a lot of knowledge and experience so we are hoping that we can present that to you shortly before the Prague meeting to give you all enough time to read it and then hopefully not tear it to pieces in the Working Group session.

And the IRT abuse recommendations and requirements will be clearly included in that document to reflect what the community has asked us to do.

So, AOB? There doesn't appear to be any. I'll move on past that and say that agenda for RIPE 60. Sadly a number of people had to pull out of this agenda, so I am hoping a number of them will come back. I'd like you to take the flavour of things we have had here today such as some things which the speakers maybe didn't initially think it would be interesting to the Anti-Abuse Working Group, and I'd clearly like to show are. So if you have any similar projects or otherwise which you think might be of interest for us in May in Prague, that would be wonderful. And obviously if there is anything which would sit better in the EOF, in the plenary rather than the Working Group, well then there is space for that as well.

So, I think that's largely that. I think that it's a quarter past five now, which is it seems very appropriate.

I think that's done for me. So thank you all very much and we will see you at RIPE 60 in Prague.