Who cares about abuse?
Rodney Tillotson, JANET-CERT
APNIC, August 2001
United Kingdom Education & Research Networking Association
Three points
• UBE is like other abuse
• Only global consensus will stop it
• We would like to talk with AP
RIPE
• Réseaux IP Européens
• Anti-spam Working Group
• WG chair
RIPE view
• Originate no spam
• Persuade originators to stop
• Block and filter
Originate no spam
• Contracts with customers
• Penalties available
• Act on reports of abuse
• RIPE-206
http://www.ripe.net/ripe/docs/ripe-206.html
Problems
• Free accounts
• Cybercafé use
• Competitive advantage
Block and filter
• Local choice
• MAPS
• Other blacklists
• Outbound blocks
Filtering
• Content-based
• Subjective, always changing
• Can help with other abuse
– Viruses, porn
DNS blacklists
• Test IP addresses
• Hooks in most mailers
– (but not Exchange)
• Getting on/off the list
– Who decides?
Other public blacklists
• ORBS not now operating
• Several others
– A variety of behaviours
MAPS
• Paul Vixie, Dave Rand
• Highly respected
• Thorough, not fast
– Will let through some spam
• Pressure on originators
http://mail-abuse.org/
MAPS update
• Subscription only from 1 Aug 2001
• Costs
– DNS operation
– List management
– Legal
http://mail-abuse.org/feestructure.html
UBE
• What is spam?
– Usenet
• Unsolicited
• Bulk
• E-mail
Pressure on originators
• RBL
– Realtime Blackhole List
• Focus for consensus and conflict
– Advice on good practice
Other abuse
• The issues are the same
• Consensus is better
• Compliance is about the same
Who said this?
“I don’t want to report spam to the spammer’s ISP.”
“I want to report it to my own ISP, or if I am an ISP then I want to report it to my own peers. They ought to verify my identity and the complaint format and then pitch it on to their peers or upstreams or customers or whatever and so on …”
Who said this?
“… until it finally gets to the owner of the address space which is being abused. If that owner won’t act, then they ought to lose peering or be dropped as a customer or whatever, because the standard contracts among Internet peers and between customers and their ISPs ought to require proper response.”
Who said this?
• Paul Vixie
– To a private list, June 2001
– (quoted with permission)
UBE issues with AP
• US is the major source
• Many relays in AP
– Increased early 2000
• Little response from abuse@domain
Code Red
• Many sources in AP
– Fewer in US (still too many)
• Unclear where to report it
• Lots in JANET, too!
JANET-CERT
• Coordinate security responses
http://www.ja.net/CERT/
• Contacts at customer sites
• Network blocks if needed
• Contacts with other CSIRTs
[Chart: Number of Incidents (0 to 3000) by Month, Dec-99 to Jul-01. Categories: Overload, Denial of Service, Sniffer, Password capture, /etc/passwd grabbed, Root compromise, Unauthorised use, Virus, Probe, Spam, Probes (not escalated), Spam (not escalated), Query, Presentation, Information, Other, Unclassified]
Other CSIRTs
• FIRST
http://www.first.org/
• TERENA Trusted Introducer
http://www.ti.terena.nl/
AP CSIRTs
• Useful responses from AP CSIRTs
– AUS-CERT, JP-CERT, KR-CERT etc
• Whois data usually available
– Not easy to find abuse contact
My guess
• Fast-growing networks and user communities
– Support lags behind
– Many small companies
• Expectations are different
• Guidance is in (bad) English
Those points again
• UBE is like other abuse
• Only global consensus will stop it
• We would like to talk with AP
My questions
• How should we make contact?
• What problems do you have with the RIPE region?
• Do we need a new forum?
• How can we help?
• Who cares about abuse?
Your questions?