Anti‑Abuse Working Group
18 October 2018
At 11 a.m.:
BRIAN NISBET: Right. Hello. Good morning. And welcome to the doubtless roller coaster ride that will be the RIPE 77 Anti‑Abuse Working Group session. I am your co‑chair, Brian Nisbet. Unfortunately, the other co‑chair, Tobias Knecht, couldn't make it to this meeting and we will discuss Working Group chair things a minute or two. So I hope you have been having a good meeting so far and there will be lots of interaction and participation in the various things, the packed agenda that we have for the next 90 minutes. First of all I would like to thank the NCC staff who will be monitoring chat and scribing for the meeting, without whom I would have to to about eight different things at once, and that's about two more than I can manage easily at any given point in time. I would like to thank, as always, our wonderful stenographers who mean that I can look back at these sessions and so can you and realise exactly what was said, not just what we think we recall.
If you are speaking from the microphone, the lights are so bright I can probably barely tell who you are, please give a name and some sort of affiliation, whether humorous, or otherwise, because we need to record all of these things. All of this is being recorded and live streamed and it will be archived for future purposes, obligatory GDPR mention, or something like that.
So we had minutes which I am sure you all stayed up late to read from RIPE 76. Are there any comments in those minutes? No. In which case, they are being declared and approved and accepted and archived and all of that jazz. Before we proceed, any last things that people wish to raise for the agenda? Any AOB that anyone wants to flag up? No. Okay. Grand. Then we will proceed on.
So, B1, Working Group chair selection. So Tobias's term has ended as of this meeting and so we need to go through the process and in fact we are going doing through the full process for the first time. Won't this be exciting? So we have two candidates, now I sent the mail to the mailing list on Sunday, so
[Alireza Vaziri] and Tobias Knecht are the two candidates. The chair selection process which I am sure you have all memorised and I have just reminded myself because we have never gone through the full thing is that ideally, this session and it's the people in the room can make a decision either by acclamation or consensus after some discussion. If that doesn't happen, then we move to a secret ballot, again of the people in the room, which is why the wonderful NCC staff supplied me with a whole bunch of the Okura's notepaper and pens. Again, the vote is in the people in the room and that is the way the Working Group what is previously agreed this. So two candidates; the question is, is there consensus in the room, does anyone wish to say anything? And if we can't reach that we go to the vote which we will hand out the paper and then collect it at the end of the session and the NCC staff will count it so that I'm not involved. Or does anyone wish to say anything about either of the two candidates? Is there a consensus? Is there an acclamation? It's up to you. I can't tell what you to think or do here, folks. So you have to tell me what the situation is. Does anyone have any opinions at all?
AUDIENCE SPEAKER: (...off mike). ...consensus.
BRIAN NISBET: What consensus? If you have something to say, say it into the microphone, but there are two candidates so we have effectively two choices here, well three choices: Tobias, Alireza or both of them, the Working Group can have three co‑chairs if the Working Group would like, but again, this is not me, I am the current co‑chair, I cannot make this decision, or tell you what to think. Somebody here has to say it, say something ‑‑
AUDIENCE SPEAKER: Hello. Nick Hilliard INEX. Can you put it to a hum, please. Give us three options and we will hum.
BRIAN NISBET: Okay. Least scientific method ever. But Nigel is approaching the microphone so we will ‑‑
NIGEL TITLEY: RIPE NCC, board. We actually have four options. Tobias, the other person, both of them, or neither.
BRIAN NISBET: Yes, you are correct.
I mean, I would prefer if there was a co‑chair personally. I am so lonely. Please.
AUDIENCE SPEAKER: Marcus. This is my 15th RIPE meeting and I think you have been up there, mostly alone, because Tobias is often unable to attend a RIPE meeting. I don't know how much coordination and speaking you do, not on site, but like mailings, but I think it's probably a good idea to give you another co‑chair that would, so I would be in support of two additional co‑chairs which would share the workload that you have been bearing for, like, forever.
BRIAN NISBET: It feels like forever. No, thank you. I mean, I like the sound of my own voice, so I am very happy to speak, but I am not going to object to other co‑chairs, as well.
AUDIENCE SPEAKER: So do you want to be alone or not?
BRIAN NISBET: No, I would like at least one co‑chair. That would be nice.
AUDIENCE SPEAKER: Okay. So I would like to support this purpose speaker. Let's check with two new co‑chairs and how does it work and let's give him a chance. Tobias is always a good support, so let's go for three. If that works for you?
BRIAN NISBET: Sure.
NIGEL TITLEY: Hi, Nigel again. Yes, I would agree with that. We don't often see Tobias. It would be nice to have three, so that maybe, there is a good chance of having, actually, two here.
BRIAN NISBET: Yes, and given the ‑‑ and I say this very advisedly, but I think it has to be said in the light of this conversation, given the potential difficulties at the moment of Iranian citizens, which [Ali Zira] is, getting to various places where we have RIPE meetings. It's certainly a consideration, it would increase the chance of there being a second co‑chair here. You are still probably going to listen to me a lot, I am just going to warn you of this.
AUDIENCE SPEAKER: Hi. Carlos. The previous guy that said he ‑‑ it was his 15th meeting. Didn't he want to volunteer to be a co‑chair?
BRIAN NISBET: I mean, you know, sure. Okay. So, what I'm going to say rather than humming, but we might end up doing that, is there anyone who objects to us expanding the number of co‑chairs to three and having both Tobias and
Alireza Vaziri as co‑chairs? Because if not, that sounds a hell of a lot like consensus. Yea, right, decision made, none of you have to write things down on paper. Thank you very much, we will go with that then. So yea, three of us. Mischief managed, etc, etc. Thank you all very much.
(Applause)
And that took less time than it possibly could have, which is all good, because we have lots of good and interesting things to talk about. B2, recent list discussion, I mean there has been some, I don't know if anybody needs ‑‑ if we need to discuss any of it here, particularly. Some of it we are going to be discussing around abuse‑c, the validation of abuse‑c, the actual implementation of 2017‑02. That was a chunk of it. There will be the NCC's ‑‑ Jordi will grace us with his presentation and propose more things to do with abuse‑c validation. Is there any items of list discussion that anyone wishes to discuss here? Nope. Okay. In which case, we will move on to the presentation about how the NCC will be implementing 2017‑02, which was ratified during the summer, or consensus reached during the summer, so Angela, please.
ANGELA DALL'ARA: Good morning, everybody. I am Angela Dall'Ara, I am Internet resource analyst in Registration Services, at RIPE NCC and I am also the project coordinator for the implementation of the regular abuse‑c validation, the policy reached consensus last summer and it's published, as usual, on our web pages and it's giving the RIPE NCC the mandate to validate the abuse contacts we have, in the RIPE database. And especially to follow up on the ones that are deemed to be invalid.
Actually, what does it mean? That we need to check all the existing abuse‑c contacts that we have in the database that are mentioned in LIR organisation objects and end user organisation objects and also the ones that are mentioned in the single resources when different from the hierarchical higher organisation.
Then we plan also, of course, to check all the new addresses that are going to be added into the database, or via a new membership request or via change in the existing contacts. Legacy resources are excluded by, in this implementation, because they are not expressly specifically mentioned in the policy.
We made an initial test during the summer only on the LIRs addresses. What came out is that less than 20%, as you see, is 18% of the addresses were resulting invalid from our checks. The green part is what we would consider valid. The first part that you see, the darker green part are the ones that are actually coming out good from the check. The lighter green are catch all servers and this means that the message can be received, so for us, it would be valid. The other one, not okay is an address has not been found or not existing and so on while the ones with error can give different results like transient network error, delay time out, these kind of things.
Actually, we will check also the end users abuse contacts so we expect higher number of invalids. Not very much higher in the sense that many end users are using their providers abuse contact and also the abuse‑c contacts can just be the one that they use let's say for multiple resources and so this is not going to be, we expect, not going to be a big increase.
What are we doing or what we did was to prepare, the preparation, the testing are already almost completed. We had actually to set up all the logic to retrieve the abuse contacts from the database, following different criteria, applying to different situations. Then the coordination of different systems and programmes external and internal has been divided in different sections and at the moment we are almost ready to start with a trial, it should happen next week if everything goes good, on about 900 LIRs. We will publish the results afterwards. Once we can elaborate on the results of the test, we will propose different options to our Executive Board and we hope to have a decision or an indication of what we are supposed to follow as way forward to complete the procedure for the full validation.
If everything goes good we should start, beginning on next year, after the holidays with our process. What is requested by the policy is also that we validate periodically, at least every year, and this we start of course from next year.
This is the graphic representation of our time‑line that we hope to be able to... Here we are, in this area here, beginning of the trial phase.
The challenge of the project was to have a very highly automated procedure where the minimum intervention was required by the RIPE NCC and by the LIRs in validating their addresses so we are trying to reduce the disturbance that we can cause to our members, members that have already their contacts in order they will not notice anything the Valitation so we will not contact them. And we expect actually to have, to need manual intervention only when we have some issues so when the LIR asks for our assistance and this is going to be especially when they have secondary issues and this is something we see daily with all our tickets, so if there is a problem accessing their maintainer, LIR Portal we could find companies that are already closed, we could have a responsive resource holders, not because they want to ignore us but they have a lot of things to do, so sometimes we have to insist a bit to get a reply. In all these cases, we will apply the procedures that we have already in place, nothing new, so there was a bit of preoccupation about 'Will incorrect abuse‑c cause, have consequences on my membership, on my resources, my account?' It's not going to be directly your Abuse‑C contact that is out of date, most probably because your company is closed, or other reasons. For all the secondary issues, we will open a secondary ticket and once that secondary ticket is sold we will proceed with validation of the abuse‑c contact. This is more or less what we are busy with and we expect to update you with our results very soon. I wonder if you have any questions?
BRIAN NISBET: So, questions? Comments? And I will make this very clear, that these are to be questions and comments about the process of validation and what has been presented, not about 2017‑02, we reached consensus on that and if you wanted to discuss that, please find a time machine.
AUDIENCE QUESTION: Maxime.
I phrase the problem that, for some reason, we have listed as a ** ‑‑ for networks that we are not ‑‑ that are not our network any more, in case of this validation, how to sort it out, because of new owners of this network just ignore us.
ANGELA DALL'ARA: What I suggest is that if you have an address anyway that is not valid any more and is part of your allocation space or is one of your sponsored resources, you are going to replace that address with a working address, so it is anyway a detail that needs to be valid, that contact must be ‑‑ so it's up to you to decide which address you want to put there, as long as it is a full address.
AUDIENCE SPEAKER: The problem, I can't do it, because I have no password to do it. So when this mail for validation shall reach me, I should do what? Report to you and say it's not correct mail for this network?
ANGELA DALL'ARA: You will have two options, you will receive as an LIR an e‑mail saying we sent, we checked your abuse‑c contact, it looks like it's invalid, it's possible that our system is making a mistake, so we send you a validation link. If you click on that validation link, the ticket is automatically closed. If your abuse‑c needs to be updated, you can change the Abuse‑C contact, then the check is going to be repeated on the new address, you will receive a new validation link on the new address and clicking on that validation link is going to update ‑‑
AUDIENCE SPEAKER: The problem is I can't change it, because it's not my network anymore.
BRIAN NESBITT: Yes, so the problem we're talking about here is where the space is now somebody else's, but they haven't changed. That person has not updated the details in the database.
ANGELA DALL'ARA: But we still have the responsibility of the addresses lies with LIR. So it's up to the LIR to decide which address to use, to report abuse on that network. So, if ‑‑ the thing is that the LIR has to cooperate in having valid addresses, I understand you can have an address that is not valid anymore, but in that moment you should take responsibility because you have responsibility for the addresses and use one address that you know for sure that is reachable.
BRIAN NISBET: No, no, I think ‑‑ it's where the addresses were your responsibility, they are now no longer the responsibility of that LIR, but the details have not been updated in the database and the ‑‑
ANGELA DALL'ARA: Which situation can we have where an LIR is not responsible for his addresses?
AUDIENCE SPEAKER: Ah, somebody created abuse contact, managed to change this e‑mail. It's not mine, so I can't change it myself and it leads to a situation that happens right now, for some networks. So is it ‑‑ what is the procedure to report this situation to RIPE NCC, to fix it from RIPE side?
ANGELA DALL'ARA: That would be done... The case in which you're... You do not have any access, anymore, to your maintainer, to the maintainer of that abuse zero. In that case you can replace or ask for access to the maintainer.
AUDIENCE SPEAKER: It's not my maintainer ‑‑
ANGELA DALL'ARA: It's an existing procedure.
ANDREA CIMA: To add to what Angela said, in case you have transferred the resources to someone else and they have left your abuse‑c in there, contact us and we will take care of it, so it's a different situation.
AUDIENCE SPEAKER: I don't click on this e‑mail and instead of it just open ticket to the RIPE NCC.
ANDREA CIMA: It's indeed because the not your address space any more so we want to have correct information on it so you inform us and we will contact the current holder and make sure they put the right abuse‑c on it.
AUDIENCE SPEAKER: So there will not be link like I get this e‑mail, I receive it
ANDREA CIMA: Until it's there it will be checked. The system, like Angela mentioned, is non‑intrusive. We will not contact you unless it seems that there seems to be an issue with the e‑mail address. If that on there is fine, then, you know, then nobody will receive an e‑mail. As Angela mentioned if there seems to be an issue with the e‑mail address, then we will send you an e‑mail and ask you to click on a link but if you say hey, I am not responsible for those addresses any more let us know and we get in touch with them.
ANGELA DALL'ARA: Also, if the resources are not any more in your registry you are not going to be contacted for those resources at all.
AUDIENCE SPEAKER: Liam Glover from the UK National Cybercrime Unit. Not coming from the perspective of chasing criminals, that is not what I do over there; we receive lots of victim data so this is really good for us because times we really struggle to contact victims that we become aware of via the stolen private data and infection data so this is good for us to be able to contact victims and get victim data out. That's great.
ANGELA DALL'ARA: Thank you.
BRIAN NISBET: Cool. Any other comments, questions? And as always, you can speak to the lovely NCC people and registration services or otherwise if you have any specific questions about yourselves, your allocations. Etc., etc..
AUDIENCE SPEAKER: Peter ‑‑ did I understood you correctly that the system will send you a link and if the link will be clicked that the ticket will be closed, yes?
ANGELA DALL'ARA: We will send you an e‑mail to your LIR contact and then a link to validate to the abuse‑c contact. So you will need to validate it from the abuse mailbox. Just clicking on the link.
AUDIENCE SPEAKER: Just clicking the link will ‑‑
ANGELA DALL'ARA: ‑‑ close the ticket.
AUDIENCE SPEAKER: No challenge response like ‑‑ so some e‑mail just follow the link so they will automatically click for the link? So just clicking the link in an e‑mail close the ticket, so May many user agents will do that for you without your conscious.
ANGELA DALL'ARA: But the message should be received.
AUDIENCE SPEAKER: There should be some challenge, at least to write a word or click to the button on the web page but not just clicking the link.
ANGELA DALL'ARA: If the link is went, to a mailbox. To click on that link ‑‑
AUDIENCE SPEAKER: But it has to be clicked behind your back by the mail agent ‑‑
BRIAN NISBET: I think we are not going to solve this in this forum. You have a ‑‑ if you have a technical concern with I suggest you speak to Angela and an dry why and talk about that. I think the motive is all the same. If there is a technical impediment that the NCC haven't thought of, speak to them directly. I think you know who they are. I think that is the best way of solving that if there is a genuine issue there rather than trying to do it here. (Directly). Okay.
ANGELA DALL'ARA: Thank you very much.
(Applause)
BRIAN NISBET: And I look forward to, you know, not seeing any of this, which is the great thing. So, next up, so Carlos Fricas speaking about ‑‑ a couple of points for thought and discussion.
CARLOS FRIACAS: Hello. I work for the Portuguese ‑‑ in Portugal, I moved from networking to security back in 2015. But I keep doing, I keep having the role of managing our LIRs since early, the early 2000s. The other thing I usually do is look at the P T stats and I normally do that from RIPE NCC public data, and I, for some cases, clicked on this kind of awkward situation which is the LIR from outside the RIPE NCC service region which was already mentioned on a previous presentation yesterday from someone at the RIPE NCC.
And to start this small presentation, it's important to note that this is perfectly normal to have LIRs from outside the service region as long as they declare to use the addresses the resources inside the region. So my question is, well, I suppose there is someone really checking that this is happening so there shouldn't be anything strange here. We could debate that if we should keep allowing this to happen because other requires are not allowing for this so, they require a company to be registered within their service region to be able to get resources.
Okay. So, some numbers as I said I like stats. So ‑‑ what came to mind was, to my mind was, so are there many LIRs from outside the region or not? And the figure I got from last week was around 4% which, well, it seems rather okay. So there were last week 20,171 LIRs, if you check, and this is kind of funny if you check the same web page now on labs.ripe.net, you will see this number is a smaller and we can talk about it with the NCC probably on the discussion on the questions phase. So, for percent, because this is a text file and some like 20 or 30 line scripts I could to the break out by country or by ISO, 3166 codes, so there you have it, so United States, Seychelles, Hong Kong, but there is a big difference between the you United States and the Seychelles‑based LIRs and Hong Kong and British Virgin Islands. You also have the break out for RIRs. Once again, this is data from last week. So, what jumped to my eye on this, on this table was the second item, the second row, which was the Seychelles, so it's very small country, everybody can check that easily, I haven't been in the Seychelles, which is a serious fault, but well, it's really a small economy. So, going further, I also looked at the company addresses from the 244 LIRs I found last week. This data is public, it's published under dot ‑‑ ripe.net. So, I went to the trouble of looking at the addresses and I only found 38 of those, more than 200 LIRs to have really a Seychelles‑based addresses. So you also see the break out on the right, there is a great variety of countries that have, well, the LIRs are based at the Seychelles but they have a public address showing at different country. I also remember that, well, Seychelles is in Africa, in the Indian ocean, so the usual that there are companies request resources at AFRINIC. So I went to the AFRINIC website and surprisingly, there are only 23 members from Seychelles at AFRINIC. So, you can see the numbers, we can discuss about it.
And well, the point here is that it's ‑‑ it's another issue, the LIR, the country with an LIR because in an extreme example you can have the LIR and then you have an address associated with the LIR and then if you have a customer after that, it could be a third country or a third jurisdiction and, well, I have been following the mailing list and there is also a proposal about trying to determine the place where to serve a warrant, and this is a case where serving warrants is kind of complex situation. So, I can also ping or trace route my expert and network engineer can lead me to yet another country, so, well, it's complex. So, this is where the ‑‑ these were the questions that I had on my ‑‑ on this very short presentation, so does the country code still means anything? Should we see these as another way of trying to evade jurisdiction so to make life harder for law enforcement? And last but not least, what needs to be changing with policies, should we align with the other RIRs and try to in some way make life a bit easier for law enforcement? Thanks.
AUDIENCE SPEAKER: Some comments. First of all, resource ‑‑ LIRs is not resource empty compared to a local list on a website and ‑‑ local list file contains only allocations as far as I remember, but also may hold autonomous system number, provider independent resources or be sponsoring LIR for something else or most probable this is freshly created LIR for last /22 and further transfers so I think must probable opinion.
So, first of all, we are not here to make law enforcement light easier. We are here for IP connectivity. Yes, as a supplementary thing we could think about this, because that is a major point. And now explanation, because for some reasons, and historical, RIPE NCC is not responsible for checking validity of registration, I already ‑‑ H docs with Nigel I think when he was chair and it was some years ago, it was another issue which will make law enforcements not Europol.
CARLOS FRIACAS: I am not from law enforcement. I usually as I a lot because in my sister capacity ‑‑
AUDIENCE SPEAKER: Crimy I can't if you want ‑‑ Kosovo, from the European Union side. So, in this case we discuss this with RIPE NCC executives and saying no we are providing IP addresses and we are not checking legality of whatever else. It does not hit with RIPE does ‑‑
CARLOS FRIACAS: Do you think this is the case that the guys in Crimea or Kosovo started to do registrations in they were in.
AUDIENCE SPEAKER: As far as I say accept Ukranian and Russian documents and if you start, well, policing this, that become an issue. It's just an example.
CARLOS FRIACAS: It's not policing, it's just something weird for me.
AUDIENCE SPEAKER: It's something weird for in European ‑‑ something normal in European Union but looks something weird in Russia, but region accepts all cultures, so, in this case we should not look like ‑‑ well, let me make a prediction, after this talk there was guys from policing Europol will run here and try to enforce RIPE NCC with RIPE policy to check legality of these documents. I am strongly opposed, to any discussion of doing this, done in this community. Community is for IP networking not for law enforcement. Thank you very much.
BRIAN NISBET: Okay.
CARLOS FRIACAS: As a community member, I should, I would like to voice that law enforcement can be also a part of this community.
BRIAN NISBET: And I would also say that while absolutely, objection to policy and all of that, objection to discussion is something I'm, as a community member, I am less ‑‑
AUDIENCE SPEAKER: It's a part of discussion.
ERIK BAIS: Standing here with my broker hat on. One of the biggest issues that I have besides the fact that they actually should go to AFRINIC if they are from Seychelles where the company registration is, is actually that what I find worrying is that they are using con trees where specifically it is used to avoid to show who the director is, and so in that case who is the owner of the company and the holder of the resources? And as a broker, that actually is becoming an issue because we need to check who actually holds the resources. We have very strict policies internally and procedures on how we try to, you know, make sure that we do this with the right people and if companies are trying to avoid to show who the director is that is definitely an issue. There are a lot of countries even in European Union and even in the RIPE region that provides sufficient ways to avoid tax or whatever, we are not talking about that, but knowing where, you know, who is actually behind the company is definitely something that we need to try to say, you know, we immediate to curb some of this stuff. I think this is very worrying, this development.
BRIAN NISBET: As an Irishman I have no idea what mean about companies trying to avoid tax.
ANDREA CIMA: I will try to avoid the tax discussion. This is a very interesting presentation and I liked hearing it. It's also something, discussion that I think is good that the community membership has.
CARLOS FRIACAS: That was the role, just to raise some discussion.
ANDREA CIMA: I think it's fair to have a discussion, it can be ‑‑ there can be different perspectives on it. One thing that we have noticed is indeed from Greece from certain countries out of region, the faculty we have with due due diligence, proper due diligence for due diligence and fend enter due diligence on documents that we receive from certain countries, this has resulted in investigations, these are the numbers that you show, they are, indeed you said from last week. Last week we also have closed 150, about 150 LIRs from out of region because of the documents that we have received that are very difficult to verify and that in some cases turn out not to be completely correct or not to be what they say they are. So indeed, we are internally dealing with this, it is difficult sometimes for us to do our work, but indeed, what does that mean and what should that result that something else? With regards to companies that are not registered in our region but get resources from us, I saw a lot of valid examples. We have the example I like to make is we may have an American company, contracted company doing work in Iraq, for example, and they cannot get full block from ARIN to have their ‑‑ run their operations in our region. So, you know, these are also valid examples of companies that need IP addresses and registered in other region and use them in our region. And we ask for proof that they are using the resources in our region. They must have a network element in our region, of course it's easy to come sometimes with a contract from a data centre, you know, of a couple of months. So it's ‑‑ it's again but we make sure that there is some kind of proof that they will be using the resources in our region but indeed for some countries out of the region it's very difficult to to due diligence and we are putting a lot of effort in that and that was also presented yesterday during the NCC Services Working Group.
CARLOS FRIACAS: So but the audience feel that the country code is still valid for something or... no, it's almost meaningless? Because this can also ‑‑
AUDIENCE SPEAKER: On RIPE lapse and RIPE Stat it's not so important. I am also analysing this data and for for example, I have funny examples that interface provides some resources which I used in Uzbekistan as Ukrainians, it's just a, I reported this ‑‑ it doesn't matter. It's one point. And second point about there was example with Seychelles and Russia but I will give you a little different. In Russia, because of possibility of criminal capture with abuse of law enforces, yes, that sometimes happens. Some ISPs, the fact of working ISPs do not ‑‑ do not register resources on themselves, so there is LIR which is ‑‑ which looks in database, easily searchable database completely different from the company, from a legal entity.
BRIAN NISBET: We need to get to the point, sorry.
AUDIENCE SPEAKER: Sometimes it's required. In your country maybe not. In mine, yes.
BRIAN NISBET: Okay.
AUDIENCE SPEAKER: From RIPE NCC. I just want to answer your first question there on the slide about country code in ‑‑ and understand we talk about RegID here and the idea for that was just an identifier for a member, it was never to be meant as identifier of the country, and it looks like country code is in the beginning of it but it actually many times it wasn't a country code or not a legal country code so I would say it was never an idea to use that as a geolocation or any other location of a member.
CARLOS FRIACAS: Okay. From my experience and well that is question, from my experience if an require for some reason wishes to change its RegID that is not possible, it has to open a new one and close, that's right, still, that is still the case or...
AUDIENCE SPEAKER: Well again the RegID is sort of an internal identifier and publicly ‑‑
CARLOS FRIACAS: It's internal but it's exported to the public so...
AUDIENCE SPEAKER: Yeah, but you should mot use it for any identification so we could arbitrarily pick it up, I could explain how technically we pick it up so it's not really easy to change it but if you want to have an idea where IP addresses are used there is an attribute in the RIPE database which is more accurate information about this. And this is just an ID which you should not use for anything else other than identifying the specific entity. That's it.
CARLOS FRIACAS: Okay.
BRIAN NISBET: We are really short on time, Ingrid, very quickly.
INGRID WIJTE: Very short comment because we are talking about country codes, mentioned different sources where you can find them. Yesterday in Address Policy and this afternoon in database I will present on the current situation with country codes in RIPE database and in the extended delegate stats so if this is something you are interested in please join us there.
BRIAN NISBET: Thank you very much for raising these points, Carlos.
(Applause)
So because ‑‑ because he hasn't got enough policies active in the RIPE community at this point in time, Jordi ‑‑ sorry, it's back to the agenda, sorry. You can stand at the microphone, Jordi is going to talk to us more about validation of abuse‑c.
JORDI PALET MARTINEZ: So, where this come from? You probably remember that we have long discussion because the previous abuse‑c policy proposal, so during the discussion I was thinking this is not enough, how we can improve that. And I was somehow taking notes from all the people discussing in the list, of course I don't necessarily agree with all the comments so I tried to put through my own vision on that and even if I have already complete policy proposal I am only having here a single slide which is the main part which I am going to comment about that. Basically, what I am trying to say is, what are the objectives or what I think should be the objectives of the good validation of the abuse‑c contacts and I do it this way because initially I started which policy proposal drafting exactly the specific pressure to do the validation and then when I submitted that policy proposal to other registries they told me don't tell us how we should operate it. Tell us what are the objectives your validation and we will do it the best way we believe it should be done. In any case, in my drafts, I am including an example of how I believe the should be in case it helps them at least to clarify the view that I have.
So, the goals of my validation proposal is to simple, to avoid the helpdesk that is taking care with abuse‑c validation is not having troubles not thinking there is a security problem if they click a link. The idea is I understand abuse help desk are mostly automated but I want to make sure, I think it's necessary that at some point if the automating ‑‑ automated validation don't works there is a way for a human to actually validate the thing or check the abuse complainer or whatever depending on the case. When we are doing the validation, I want to make sure that who is clicking in the link that is getting from RIPE is knowing what he or she is doing, so I really think it should ‑‑ there should be web page where he or she states I know what I am doing, I know the policy. My initial proposals started with a validation period of I think it was three days and then two days for escalation or on the other way around, and as this policy I will explain it in the next slide was sent also to all the other registries except Aideen, the feedback I am getting is it's too short, two business days and plus three business days is too short. I don't think that's the case because if you have an abuse help decks you should be responding quickly in hours, otherwise the case may be so big that you are creating a problem to your neighbour ISP but whatever, I am changing had a to it 15 days and additional 15 days for escalation and then I was thinking we should do this validation four times per year and the feedback I am getting is just do it twice per year.
What is the status of my policy proposal in other registries, in APNIC, what is happening in APNIC is almost at the same time I was submitting my policy proposal, somebody else after which I don't know if he is in the room but it has been around ‑‑ yeah, it's on the back, submitted also another policy proposal so we decided to match them, and actually the timing that I am using right now, it comes from after proposal I think most that have or something in the middle between my proposal and his proposal.
So, in APNIC, it reached consensus first in the policy meeting that it reached consensus according to the PDP in APNIC in the General Assembly meeting, I think is the name, IMM, and then it passed two days ago the last call. So it's just pending from the board I think.
One additional thing that we did from my original policy proposal was, instead of going through the process of reclaiming the resources if the validation is not done and so on, we did give an additional option which is we block the MyAPNIC so if you are not validating your abuse‑c records what you will be able to do when trying to access your MyAPNIC was, will be only to validate that and until do you that you are not able to do anything else. So it's a good way to say, hey, you do this or you cannot keep going on. So following this approach, I submitted a new version because it didn't reach a consensus in the previous LACNIC meeting, basically because the same things: The community was thinking the timing is too aggressive, of let's change the timing, the ‑‑ in APNIC. I sent a couple of days ago version to ‑‑ I sent something which comes from the LACNIC community which is allow the staff to change the timing. If you start with twice per year, allow the staff to say hey the first year we need more time. Let's do only one validation in the first year and most of the contacts are up to date then we can increase the number of validations per year because it will be a fully automated almost process, it will get only maybe two, three, four, I don't know, whatever percentage of broken records. And I think that's a good idea. So we are allowing to do that flexible.
I have a similar proposal in AFRINIC that I am going to update probably during this weekend to reflect also the changes that I did in the version 3 of LACNIC. And may idea is to submit that also obviously to this Working Group. There is, you cannot read right now the draft that I have for RIPE, but you can read because it's practically the same concept, but you have been in APNIC, I will add the thing of the slowest start so the stuff is able to change the timing when it comes possible. And my goal beyond this and there is a possible idea that I was discussing actually with one of the co‑chairs Tobias, is it will not be better if instead of every different ISP in the world having a specific format for abuse reports to have a standard one ‑‑ I am done ‑‑ so that is my open question and I am happy to cooperate with other people interested in working on this in IETF, I don't know when I will have some time to address it but I guess that before end of year I will have a draft for going to the IETF which is specific format and again, talking about Tobias he told me, hey, there is a possible idea of that and we are already considering that so that's ‑‑ you have here the link in GitHub if you want to check it. And that's it. Questions?
BRIAN NISBET: So ‑‑ and thank you very much, all joking aside for bringing this. What I would like to get right MoU, it's really based on what Jordi has said is a feel from the room, there will be a proposal, we can get into the details of that on the mailing list, really it's about a feel from the room about whether this is something that we are ‑‑ you know, that the Working Group is interested in taking forward at this point in time. Amongst any other discussion you wish as well.
ERIK BAIS: Jordi do you have an idea how many ISPs actually process their abuse fully automatically?
JORDI PALET MARTINEZ: No idea.
ERIK BAIS: That raises the question then, why don't you want us to do this fully automated? Because I would actually have a problem if you want to do manual validation. The only thing that I would say is, you know, do it at a certain time where the RIPE NCC is auditing us anyway during the ARC because then you will, which is on a once or twice per year you get invited very strongly to actually show up and they do an audit and they validate all the technical counts and the administrators. Doing ‑‑ just sending at a random time an e‑mail to an abuse mailbox is actually counterproductive because now we have to look it up and we do full automated abuse handling.
JORDI PALET MARTINEZ: I understand that. But as an SME I have many times problems trying to solve abuse from other networks and I think it's not my fault neither the cost of dealing with those abuse records that are broken or that the people is not reading their mails or processing the abuse reports or whatever. I don't think it should be borne on top of the smaller companies.
BRIAN NISBET: Okay. So ‑‑
ERIK BAIS: So there is a difference between a network operating centre which is looking at the mail boxes all the time and the abuse mailboxes where all the phishing stuff goes into and is automatically processed. So, it's a lot easier to do this through the network ‑‑ network centre than for us in this case for the abuse.
JORDI PALET MARTINEZ: You need to understand the point of the rest of the people. That is the thing. I mean, it's not just ‑‑ what is really strange is that, sometimes I need to feel a totally different form for every different abuse report that I need to place instead of having a standard thing.
BRIAN NISBET: That is the conversation with the IETF. Okay.
PETER KOCH: DENIC. So, the amount of information in your presentation was stellar, however I am probably in the confused side of the receivers here. We have got the abuse‑c validation in place now and we are going to see a pilot and so on. Now, what I think I understand is that you want to expand this. What I don't understand though is why we wouldn't wait for experience from what we have just heard, the RIPE NCC is going to set up next? On the standardisation and I think that goes in the line of what Erik just said, certs and ISPs and so forth they work well together and have been working together on standardised submissions collecting information, triaging the information and doing this already and things going on, I fail to understand what that part would have ‑‑ what place that part would have in a RIPE proposal.
BRIAN NISBET: I think we can make it very clear, it doesn't. So that is a separate part, let's not worry about that.
PETER KOCH: I am glad, that baggage was the part that confused me. I heard between the lines oh, yeah, let's throttle or limit the access to the portal for people who don't follow this. If that is part of the proposal or if you think that is part of the proposal then I would respectfully suggest this is not the place to discuss this. This affects NCC services and then the proposal ought to go there.
BRIAN NISBET: So, and please ‑‑ obviously take this on board and we will have a look, we haven't seen the draft proposal and when of course we to, we will look and see, obviously with any proposal as to whether the particular Working Group it's submitted to is the correct one, whether we heed to have discussion elsewhere and/or the whole situation. Just as a matter of interest because we have heard two reasonably negative things, before we move on and we to have to move on, is there anyone in the room, put your hand up or you can say something at the mic or otherwise, who thinks this is a great idea or even just a good idea? I am not feeling a lot of love.
JORDI PALET MARTINEZ: We will see. I think probably the presentation was too short, I understand that, but I knew that I have just five minutes and I think that people need to read, for example, the link I provided for the incompetent nick one which is basically the same text to be able to provide suggestions in the list.
BRIAN NISBET: We wait with bated breath for the full draft report.
(Applause)
Right. And last but very definitely not least, so Dhia Mahjoub, criminal abuse in RIPE IP space.
DHIA MAHJOUBl: Thanks for having me here, I am glad that I am coming last because I appreciate the initiative of abuse‑c validation and I am coming after Carlos, I am going to echo a lot of the things you discussed. I run the R&D system at the Cisco Umbrella Security Labs so I will introduce what we do but I have been doing security research for a while. And then with open DNS which became Cisco Umbrella after the acquisition we spent the last six years finding threats online at scale and investigating in depth all of the criminal infrastructures that are affecting us as individuals and enterprises.
So, a reminder: Cisco Umbrella, to see what we are doing, we have a recursive DNS infrastructure worldwide, 30 data centres, eleven in Europe and then we see around 150 billion DNS queries a day and that amounts to about 24 terabytes of DNS data a day. And the idea is that that allows you to see a lot of the threats that are affecting us. That is kind of the key thing here. I am going to speak about facts, things we have been seeing for the past six years and I'm very interested in conversation about what we can do about this.
So these are like the points of presence we have, especially in Europe as you can see. And then the things we have been doing is that since we see a lot of DNS traffic both recursive and authoritative, we focused a lot on metadata analysis at scale so we are not looking into proxy or malreversing in particular, we are trying to find threats by looking into DNS traffic both below the recursive and above and that gives you a lot of insight because you can build a lot of systems that are agnostic to the threats. Here we have certain methods like Lexical, predictive IP monitoring and photograph based, they allow you to catch threats that are happening right now but also the threats that will come later ‑ ransom ware, phishing, spam, trojans, you have crypto mining pools being heavily involved in crypto mining campaigns.
So, this is kind of the state of things. Nowadays, if we are talking about IP space and especially RIPE IP space in addition to the other rear IP spaces, we are talking about the toxic hosted content, that is what most people look after, if you are talking the cybersecurity community or law enforcement for that matter and we are dealing with malware command and control, cybercrime forums, marketplaces selling stolen credentials, can help you launder money and have a lot of Jabber serves catered for criminals. On the other side you have a lot of traffic coming out of certain IP space that is in nature toxic, you are talking about trying to find vulnerable or open machines, DDoS attacks, at that, spam sending etc.. so the idea is that you have to look into both these sites of the IP space to understand if a certain IP range or an ASN is being used if the complicit or if it's kind of in a shady area where, like I heard earlier, certain part of the world where things are not that clear.
So, before I get into the specifics of RIPE space, we came up with a toxonomy for cyber crimes, you will see that you have goods basically all of the commodities you can buy, stolen credentials and credit cards but you have the products. These are the tools you will see to go hack or infect individuals and enterprises, you are talking about the rats, brute forcing tools, Trojans, etc.. in the middle you have the services, these are those, I will say services that allow everything else to come alive, and specifically both hosting providers. These are the ones I am going to discuss in this presentation.
So what is a bulletproof hosting provider. It's a criminal hosting company that will shield its customers from abuse complaints and take down action as much or as long as they can and they will use different methods for doing that. Now, the spectrum of hosting providers varies so you will have the good ones to that side and then you will move slowly to the abused ones so these are good or legit ones and they happen to be maybe understaffed or they don't have a clear let's say definition of their services and then you will move all the way to the bulletproof ones or the criminal ones and some of the ones I mention here have already been taken down like ‑‑ so are not just speculations, these are facts after these enterprises were involved in cybercrime and infecting people and companies.
And the debate here is that the ones in the middle, how can we help them maybe clean up their space or have a more defined way of dealing with these threats?
So we actually see two types of bulletproof hosting providers and we see the bulletproof and host based ones. Before that, there is this recipe that we came up with where the practically easy to come up with a criminal hosting enterprise. This recipe here is actually the same for any hosting company, the only difference is that the intent behind the scenes. Because you could register a business offshore like we heard earlier, you can get an ASN from RIPE or from ARIN or any other, some IP space and set up a website or stay underground, you want to have any public presence and bring in customers and you will start doing business so either sending traffic or hosting content and if you start getting the abuse complaints then that's where you can say if you like bulletproof hosting or good one. If you are a good one you will go talk to the customer or clean the space after you talk to him or maybe work with law enforcement if it's something around let's say cybercrime or child porn or some other toxic content and if that becomes too much four, then you can shut down and move somewhere else and we have seen this as a fact for the past six years, a lot of the criminal enterprises when they get too much heat they just shut their operation and move somewhere else and you will see the same recipe repeat again. And the cost is pretty low because for example, registering a company in those offshore jurisdictions sometimes for one dollar you can get that service. So these are some of the technical features we came up with. I am going to go over all of them. The first is leaf ASN, a very well known concept in our network engineering, it's also what we called stub and an ASN has only up‑streams and no down. This is not criminal, but we just saw it repeat a lot with lot of these rogue or grey hosting companies. Because it offers a lot of agility and flexibility in setting up their operation and moving somewhere else. What I am showing are not criminal ASNs, they are the ones that have a lot of leafs, meaning they are ASNs with no down streams but only up‑streams to kind of advertise their prefixes.
But then we also see that the AS sent to company mapping is not one to one, so we can see a lot of hosting companies that will use IP space from various ASNs in RIPE but also in ARIN and maybe some other years. King Servers happens to have been involved in a variety of toxic content hosting and I am not going to get into the controversy of saying they are criminal or not but that is kind of stating facts here. The other one is that, for example, World Stream, a known Dutch hosting company, again they are widely ‑‑ they are popular and they offer their space to a variety of I would say hosting companies, that is how IP space works, because you break it into different small ranges and companies, but then for Maxided, they have been abusing because they were recognised as criminal and they were taken down recently. So just like to trigger the conversation, these are things we need to pay tension to, if I may.
Now the offshore business registration, we are talking about all of these countries in spaces where actually when the Panama papers offshore leaks came out we saw a lot of overlap. These are some of them, have good people in all of these countries, it's just they have been abused for specific technical features of their let's say legal system or other facts in their ‑‑ in these countries. So again, we immediate to pay attention to these things. I saw in Carlos's presentation, Seychelles has a lot of companies registered and they use RIPE IP space. And we saw this feature for a lot of criminal hosting companies. It's not speculation. Now, the fact is, this is what helps them protect themselves against take‑down, law enforcement, investigations, etc. You use the best servers or connectivity in the world and RIPE and ARIN space, the operators will be from certain regions of the world, these are fact based on the arrests that happened, a lot of the actors happened to be from these countries, but then they can be from any other place. And then the business will be in offshore jurisdictions like Panama and Seychelles so this helps you have these three layers of protection that offers a lot of resiliency and you can have a thriving criminal operation.
Let me talk about a few examples here. This one is a botnet‑based one, we have been tracking it for a few years. It happens to be around ‑‑ a few tens of thousands of common machines in Ukraine ‑‑ you have many other countries. Like residential machines like wi‑fi access points, how many routers things like that and they are being sold in the underground as a Fastflux proxy service meaning you will buy the service for few 100 dollars and offer your domain and the actor will give you IPs to use for your resolution. And they act as proxies to redirect the traffic or the connections to the back‑end that is protected. It's typically a criminal Cloudflare or Akamai for criminals basically. And they have SSL certs deployed on the proxy nodes so you can have also secure communication between the victim, the crime or consumer and the back‑end that has the content. For example, it's been used a lot for cybercrime forums, dump shops a lot of ransom ware and phishing.
So, in this case we are talking about compromise residential machines, these are not I will say hosting providers. We also have hosting providers that are using dedicated machines VP Ss etc.. I take a couple of countries here, the Swiss base, just as an example because I gave this presentation last year at the, one of the Swiss conferences, this is a good example of a, I will say popular company offering offshore hosting, they are not criminal but they happen to be abused a lot. So that is the problem we have, a lot of these hosting companies, they actually offer a great service for those who are trying to evade censorship and trying to have content that is in terms of free tomorrow of speech, and unfortunatley the bad guys will go and get into those cracks and abuse these type of infrastructures. In this case private layer a well‑known Swiss hosting company they have in number two, this hosting company called layer shift or pay licence and they are known as Veraton projects and from the RIPE database you can see it's registered ‑‑ Veraton happens to have many ASNs that they are using this space from, and a few of them are involved in a lot of criminal content hosting.
And they offer hosting space in many countries.
This is how you can get this information from the RIPE database with text search ways very useful feature here. The second case is, server that I just showed, it has been involved in a lot of criminal content like browser based ransom ware and some other toxic content and we see a lot of other good I will say or useful hosting companies like offshore dedicated, these will help you host like I was saying, anticensorship content or help you like live your freedom of speech kind of experience. So, the problem is that you will have the criminals go into these kind of type of technical cracks and try to abuse these type of infrastructures. This one is an Iranian hosting company that happens to be using private layer space and they are involved in those type of attacks you see there, like ransom ware, brute forcing, etc..
And then key hoster happens to be another from Bulgaria, they register their business in Belize and they have many, many ASNs and have been involved in lot of toxic content.
These are like some other examples of, I won't say legitimate or hosting companies that are out there, but then they happen to be abused heavily, every once in a while. So just like to have that in mind.
Like this one, for example, so at the top I put the illegal stuff but at the bottom it's things that we want to use as well like in this kind of growing economy so all of the Bitcoin mining and anything based on crypto currency is not fessly criminal but you will see it will be living in the same space as the MCA infringement or fake drugs and fake merchandise, etc., those are usually for money‑laundering like I was saying.
So let me get into the touch space. So an interesting fact here is that this company has some IP space in the Dutch, I will say space, and it's interesting to look like earlier we were checking about, talking about verifying the companies behind these IP ranges, well they happen to be a Bulgarian hoster with a UK business registration and in fact their address was, has shown up in the Panama paper offshore leaks database and the address is right there and if you check you will see hundreds of other companies, some of them are legit and some of them are shady in grey under the same address so why are they using this type of service, like a company formation services that are very widely spread and I am kind of inviting you to take a lot at these things, we should not just ignore them because you will have users but a lot of criminal abuse. If you look at the ASN structure here, you see it has three and all of them are leaves back to that feature I mentioned to isolate these suspicious one and involved in criminal content, the spam, the scam, fake rogue software etc.. another example here of a Dutch hosting company,ality US host, they have leafs, so it's actually the upstream of a few other leaves and you can see the example of all of the content involved. I will call this sometimes like a ring of related ASNs that happen to be involved in a variety of toxic I would say initiatives.
This someone interesting because all of the addresses I mention they showed up in the Panama papers offshore leaks so they have been used by people trying to launder money and evade taxes, like you were saying. And king servers happens to have space in many ASNs, they have an upstream in host D server which is also involved in CPE and adult porn. You have data club who is an address in Belize, you have a company that will spread their space in many ASNs and all of them will have the same mirrored content, EC A T EL have been involved in toxic content and share address of another that had been involved in a variety of criminal intent.
This one is interesting, in fact talking earlier about the space that is used for brute forcing and attack, not necessarily just hosted so DMZ Host, they are a downstream of quasi‑networks, which is the new name of Acatel Quasi Networks, and Novogara, has three leafs or three stubs, one of them is DMZ Host, heavily involved in ‑‑ website for all of these services they offer, if you check their Whois information from the RIPE database you will see the company's name is Jupiter 25 and that will lead you to another ASN okay servers which is now shut down but they have been involved in a lot of brute forcing in the past and you can track the creation of the company of the ASN and then how it stopped advertising prefixes last month.
So, this is a lot of interesting kind of open source intelligence you can apply to learn more about these companies.
So you can see here from the UK I will say database you can see that the company was incorporated in 2016, dissolved earlier this year. And you can track the entire registration of the business until its demise. So these are some other data points to include in your research when you to this type of investigation. The RIPE database is useful because it helps you see the comparisons between the 2016 and 2018 snapshot so that is like another cool feature to use.
So the last couple of examples I am going to share, so Joker's Stash, for those in the banking and financial this is a known actor in the under ground selling a lot of the freshest dumps meaning breaches of big companies so you will be, he will be delivering millions of stolen cred credentials and accounts and he happens to have been protecting himself behind Tor ‑ dosh do the mapping between his to main name and IPs so that is another layer of protection now that has been around. But then the IP space or the IP that his to mains resolved to, they are on this known DDoS protection company called DDoS guard. Now, again, they are registered in Belize, they are Russian company, potentially they are abused maybe they know or don't know, but the fact that ‑‑ they are protecting this, one of the most criminal touch shops out there. So again, like, that is just like to keep in our minds. So maybe we can talk to them and ask them why is that.
And then finally, more like the example before the last, Joker's Stash has been using the IP space of other few hosting companies in RIPE space, in Ukraine, be it's Portuguese but known as blazing fast.io and Sinaro, which has another name called Marine Host, repeated for toxic host. Are they being abused or is it complicit. That is the open question. Some of these examples were confirmed criminal cases that were taken town or the law enforcement agencies are investigating currently. But that is again something to consider in this community because I know we all share the Internet but then it's also used for some bad things.
The final example is, Maza is a well‑known tier 1 cybercrime forum. You cannot get into it easily and happen to be using the IP space of RIPE but recently using the IPs of Iranian hoster that has been identified as a bulletproof hosting company. In fact we spoke about this a couple of years ago at black hat in 2016 and the ASN is ‑‑ host is Butterfly Media, that is the website you can read, and the actor has been identified as Abdullah webhost. I can provide you with the slides and presentation if you have questions, we describe as actors. So the point is, you can have ‑‑ vary along the spectrum of good, abused and criminal hosting companies and you have a lot of technical features you could use to identify these, but then also there is, I will say some open questions, meaning we cannot just rely on reactive, to wait for take‑down notices and warrants, I know that is how the law is right now, but then criminals are abusing that reactive mode. I don't have the answers but that is kind of an open question. Share more detail and information with law enforcement. Just because they will go abuse like authority but if they are ‑‑ they are trying to do a job, they are trying to protect you and your children and your company against abuse. And then the three, four and five, I guess some of the conversations I heard this week are very useful and I have like some other thoughts like ask for more scrutiny of the ASN and IP space requests, the policy work with RIPE on checking the emails for abuse, then maybe for co‑location requests you want to double‑check who are you giving ‑‑ who are you peering with and giving co‑location service to because often times that is where criminal operations will take advantage of.
So some of the related work, if you have any questions I will be happy to answer them and I want to thank a few friends who helped along the way with this research. Thank you.
(Applause)
BRIAN NISBET: That is a lot of people and it's 12:30. Very short.
AUDIENCE SPEAKER: Could you please return to this slide ‑‑
AUDIENCE SPEAKER: My question is why in one line this child porn ‑‑ abusers you have free speech?
DHIA MAHJOUBl: Why did I put them together? I didn't mean they are the same.
AUDIENCE SPEAKER: It looks like.
BRIAN NISBET: I point that I heard ‑‑ the point I heard certainly was that some of these people are doing these things which are not bad like these other things I think.
DHIA MAHJOUBl: They are not the same, absolutely, they are not. I see your point. Yes. Point taken.
AUDIENCE SPEAKER: Thanks for the presentation. Ben Jordan from ‑‑ Sweden. I just want wonder from what perspective do you say when you say the unlawful, which jurisdiction do you talk about? Is it Russia, is it EU, America? US?
DHIA MAHJOUBl: So based on the previous cases, we saw that they will, like I said, register in those offshore jurisdictions, they will use the space in RIPE or ARIN and the operators will be in certain countries. So European, American, south American, southeast Asia, it variation. But based on the stats, like the cases where there were arrests, that's what we saw.
AUDIENCE SPEAKER: I am not really sure but you say that they were taken down
DHIA MAHJOUBl: Yes.
AUDIENCE SPEAKER: That was in north career I can't
DHIA MAHJOUBl: The recent cases were most eastern European actors using RIPE or ARIN space and having business registered in those offshore countries I mentioned, to be specific.
AUDIENCE SPEAKER: For market company. Look, what is the situation in United States for example? Because in RIPE region it's very easy to identify the company and the IP space holder because they have very clean Whois, but in other regions it's from time to time very difficult because registries are not so comfortable?
DHIA MAHJOUBl: You are saying what is the difference between ARIN and RIPE?
AUDIENCE SPEAKER: No, I mean what is the situation ‑‑ you talk about RIPE region. What is going on in other regions ‑‑
BRIAN NISBET: I don't think we have time for that, we had half an hour on RIPE unfortunately, speak at lunchtime. Speak afterwards.
AUDIENCE SPEAKER: Carlos, just one out of my 30 or 40 questions. You mention the Portuguese company, which we have peering relationship. But ‑‑ what is your advice about that? What should we be doing or ‑‑
DHIA MAHJOUBl: I am not like ‑‑ I am not here to tell you how to to your job, I am here asking for advice and for feedback. So if that Portuguese company happens to be legit, then enlighten me why we see a lot of toxic content on that blaze ‑‑ I will be happy to share with you and you tell me if you can talk to them and see what is going on.
BRIAN NISBET: Depeering is always an option.
AUDIENCE SPEAKER: Short of 40 questions. So we have seen reports from these meetings about possible hijacks and rogue announcements and fake path so I have not noticed in your presentation, have you checked this, have you done validation because it could be space for your hosting but announced somewhere and then you claim that it's not okay. These Valitations ‑‑
DHIA MAHJOUBl: I did not imagine the BGP hijacking problem but that is also yes.
AUDIENCE SPEAKER: But you blamed ‑‑
BRIAN NISBET: We have to stop now, sorry. There is more time for discussion, this is a couple more /TAEUS, people need doing and have their lunch, I need doing to a lunch, there is a whole bunch of things. Thank you very much.
(Applause)
So, very briefly before you all run away, we are not quite finished, a minute long, I am assuming there is no AOB at this point in time? No. I will just remind people, you can submit things for RIPE 78 now, we will be in the lovely city of Reykjavik and thank you all for your participation thanks to the describes and Jabber and stenography, I look forward to seeing you at RIPE 78. Rate these talks as well but PC election voting, a couple more hours doing on that. Thank you.
LIVE CAPTIONING BY AOIFE DOWNES, RPR
DUBLIN, IRELAND