<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:122115052;
mso-list-type:hybrid;
mso-list-template-ids:-1095452190 1158584274 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:730423681;
mso-list-template-ids:-734220374;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="EN-IE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt">Hi, <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt">In het licht van de discussie die we recent hadden op IRC mbt hoe we bep. badhosts makkelijk(er) kunnen de-peeren op de internet exchange routeservers, heb ik de onderstaande email gestuurd naar
zowel de Anti-Abuse WG als de Connect-WG ( voor IXP’s ) van RIPE. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt">Ik hoop dat we vanuit de community informatie krijgen om van daaruit deze discussie met oa AMS-IX op te nemen.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt">Aangezien AMS-IX het AAN Manifest heeft ondertekend, is het dus aan ons als community om ook te vragen om daad bij het woord te gaan voegen.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt">Ik zou het prettig vinden om deze discussie iets breder te trekken dan alleen de AMS-IX en denk zelf dat er meer IXP’s een soortgelijke methode zouden kunnen accepteren, net zoals we dat ook met
RPKI filtering by default hebben opgestart. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt">Uiteraard is het handig als jullie dit idee zouden supporten of als jullie je input hier (maar ook ) via de onderstaande 2 ML’s zouden kunnen delen.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Mvg,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Erik Bais <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A2B Internet <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Erik Bais <erik@bais.name><br>
<b>Date: </b>Tuesday 18 May 2021 at 21:52<br>
<b>To: </b>"connect-wg@ripe.net" <connect-wg@ripe.net>, "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net><br>
<b>Subject: </b>Input request for system on how to approach abuse filtering on Route Servers - bad hosters<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi, </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see if there is a way to get a cleaner feed from routeservers on internet exchanges. ( by
default ) </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">As you may know there is an Dutch Anti Abuse Network initiative ( AAN ) – abuse.nl
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The companies associated with AAN, setup and all signed a manifest ( in Dutch -
<a href="https://www.abuse.nl/manifest/">https://www.abuse.nl/manifest/</a> ) that states that we will all do our best to provide a better and cleaner internet.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">As members of the member organisation of the largest Internet Exchange, AMS-IX, we like to start with the discussion on asking the AMS-IX to filter certain AS numbers from the default routeserver view.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The issue is that even if you don’t peer with certain networks directly, the change is very real that you will receive or that the other network receive your prefixes and that you may not want to peer with
those networks. </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">What we like to have is an independent way of generating a list with badhosts ( say a top 50 ) .. ( and with our Dutch infrastructure we have a couple on the Dutch infrastructure as well.. )
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A couple years ago there was the list of HostExploit .. or one could have a look at the drop-list of SH ..
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Personally I would like a proper model that one can explain why a certain network is listed on a certain list with a clear method explaining of what kind of abuse is noted in the said network.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Topics that should be included on the rating for the list :
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">Phishing (hosting sites / domain registrations )
</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">Malware hosting ( binaries and C&C’s )
</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">DDOS traffic ( number of amplification devices in the network compared to the number of IP address ratio )</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">Login attacks / excessive port scanning
</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">Hosting of Child exploitation content
</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">Infected websites / Zeus Botnets
</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-size:11.0pt">Etc</span><o:p></o:p></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">So yeah, something similar as the Top 50 of HostExploit ranking .. but HostExploit stopped producing these lists in 2014.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">By filtering a top 50 of badness hosters on the Routeservers would remove the cheap IXP option for network connectivity at the better Internet Exchanges and provide a way to remove any DDOS traffic via BGP
null-routing via Transits.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">And companies that would still want to peer with a certain network, can still do so by direct peering setup via the IXP infra.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">And it will not bring the IXP in a position where it will be asked on why they are still offering services to certain parties .. as that might become legally difficult especially in a membership organisation.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">So we don’t mind if we take their money as long as are not forced to peer with them via the routeservers.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Your constructive feedback is highly appreciated.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Erik Bais</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A2B Internet </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
</div>
</body>
</html>