Rumy Kanis - 19-05-2021 10:31:27
Hi everyone, I’m Rumy Spratley-Kanis from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Please note that all chat transcripts will be archived and made available to the public on https://ripe82.ripe.net/.
Gert Doering - 19-05-2021 10:31:31
Erik Bais - 19-05-2021 10:31:33
Good morning !
Wolfgang Tremmel - 19-05-2021 10:31:39
Wolfgang Zenker - 19-05-2021 10:31:40
Niall O'Reilly - 19-05-2021 10:31:44
Leo Vegoda - 19-05-2021 10:31:53
Erik Bais - 19-05-2021 10:32:00
Are we going to review the ESF semi finals first ?
Michele Neylon - 19-05-2021 10:33:16
Brian is wonderful
Michele Neylon - 19-05-2021 10:33:17
Raymond Jetten - 19-05-2021 10:33:23
Good morning everyone !
Kurt Kayser - 19-05-2021 10:33:32
Is chat-text also "recorded" ?
Oliver Payne - 19-05-2021 10:33:42
this chat here is archived, yes :)
Alastair Strachan - 19-05-2021 10:33:44
Raymond Jetten - 19-05-2021 10:33:45
Kurt: Yes !
Kurt Kayser - 19-05-2021 10:34:00
Uh, scary thought.
Oliver Payne - 19-05-2021 10:34:10
Michele we'll be sure to keep that bit in the logs!
Erik Bais - 19-05-2021 10:34:52
Marita Phelan - 19-05-2021 10:35:02
You're just jealous Erik. ;)
Raymond Jetten - 19-05-2021 10:35:04
Erik: i'm always glad when finland doesn't even make it to the semi finals
Wolfgang Tremmel - 19-05-2021 10:35:28
this is most of the time so far from my taste of music that I never watch it
Marita Phelan - 19-05-2021 10:35:38
The worst song contest in the world and Ireland won it so many times. Really embarrassing.
Erik Bais - 19-05-2021 10:35:56
Marita : As a Dutch person, it was clear that we are not organising the ESF next year.. We made sure of that.. ;)
Michele Neylon - 19-05-2021 10:36:06
I thought we'd all agreed that Ireland didn't want to win anymore?
Wolfgang Tremmel - 19-05-2021 10:36:21
actually I really liked the Dutch entry from a few years ago....
Jan Žorž - 19-05-2021 10:36:25
Marita Phelan - 19-05-2021 10:36:30
Gert Doering - 19-05-2021 10:36:30
reseat the brian!
Michele Neylon - 19-05-2021 10:36:36
All hail the Brian
Wolfgang Zenker - 19-05-2021 10:36:44
Wolfgang Tremmel - 19-05-2021 10:36:45
welcome back Brian
Blake Willis - 19-05-2021 10:36:48
Brian's done a great job, glad to have him back for another term
Wido Potters - 19-05-2021 10:36:49
Ivan Beveridge - 19-05-2021 10:36:52
Congrats Brian :D
Erik Bais - 19-05-2021 10:36:53
Welcome Back Brian !!
Mirjam Kühne - 19-05-2021 10:36:56
Hervé Clément - 19-05-2021 10:36:57
Congrats Brian !!!
Marita Phelan - 19-05-2021 10:37:00
Welcome back Brian :)
Gert Doering - 19-05-2021 10:37:03
couldn't imagine anti-abuse without brian, tbh :-)
Hervé Clément - 19-05-2021 10:37:15
Michael Perzi - 19-05-2021 10:37:23
Leo Vegoda - 19-05-2021 10:38:29
Farzaneh Badiei - 19-05-2021 10:38:47
sorry I missed it, what happened to Brian?
Peter Koch - 19-05-2021 10:39:01
anybody remember _when_, _how_ and _why_ the chair terms were introduced?
Erik Bais - 19-05-2021 10:39:15
Farzaneh : re-appointment as Chair
Farzaneh Badiei - 19-05-2021 10:39:44
aah. congratulations indeed.
Rumy Kanis - 19-05-2021 10:40:59
@Peter I believe it was first implemented by the connect WG (formerly known as the EIX WG) and then adopted by others.
Gert Doering - 19-05-2021 10:42:26
@peter I think some of the WGs had "chair rotation" since ever, and then there was the desire / request to have "documented procedures" for all WGs. Brian might actually know more about the background, I seem to recall that he was one of the chairs pushing for it in the wg-chairs collective.
Farzaneh Badiei - 19-05-2021 10:42:41
oh Graeme is also awake at 4.30 and presenting!!! hmm I don't feel special anymore
Gert Doering - 19-05-2021 10:43:03
@peter I can say for sure AP never had a "formal" process before we were poked to decide on something and document it...
Farzaneh Badiei - 19-05-2021 10:43:16
it's 4.45 :)
Michele Neylon - 19-05-2021 10:43:22
Peter Koch - 19-05-2021 10:43:47
it's actually only '43
Michele Neylon - 19-05-2021 10:43:58
Brian Nisbet - 19-05-2021 10:44:00
Peter, Rob B asked me to look into this in or around the Athens meeting, is the short answer.
Michele Neylon - 19-05-2021 10:44:03
keeping it real
Peter Koch - 19-05-2021 10:44:30
@Michele: I'm trying hard to stick to it
Rob Evans - 19-05-2021 10:44:53
/me does have a relatively complete archive of the wg-chairs archive, but I'm assuming Peter's question was largely rhetorical...
Farzaneh Badiei - 19-05-2021 10:45:02
@Peter you have succeeded! I did not. Tried to fit in though...
Michele Neylon - 19-05-2021 10:45:09
Peter - as always you are doing it very well
Fergal Cunningham - 19-05-2021 10:45:15
@Peter in RIPE-692 it states that WG Chairs are expected to "Develop, maintain, and implement a procedure for the selection and removal of WG Chairs for the WG." https://www.ripe.net/publications/docs/ripe-692
Nigel Hickson - 19-05-2021 10:45:24
Great of Graeme to join. "DNS Abuse" also was discussed on BBC Radio "Women's Hour"; so a lot of traction.
Alex Le Heux - 19-05-2021 10:45:35
Farzaneh Badiei - 19-05-2021 10:45:52
Is there any other abuse we are gonna talk about today? other than DNS?
Gert Doering - 19-05-2021 10:46:27
decix is going to talk about OpenVPN abuse later on
Peter van Dijk - 19-05-2021 10:46:32
Farzaneh, the agenda also mentions E.1. DDoS Never Dies? - An IXP Perspective on DDoS Amplification Attacks
Gert Doering - 19-05-2021 10:46:37
which irked me slightly :)
Marcos Sanz - 19-05-2021 10:46:44
Daniels presentation is not about DNS :-)
Peter Koch - 19-05-2021 10:47:15
So, speaking of stereotypes, the responses I received (and thanks for all) feel a bit like a German reacting to "how are you" ...
Gert Doering - 19-05-2021 10:48:23
so this was a purely rhetoric question?
Farzaneh Badiei - 19-05-2021 10:48:37
@Peter thanks so much. I shall start reading the agenda, really! :)
Peter van Dijk - 19-05-2021 10:48:44
Carlos Friacas - 19-05-2021 10:49:10
Blake Willis - 19-05-2021 10:49:12
abuse as in corporate IT thinking that a VPN will solve all their security problems?
Blake Willis - 19-05-2021 10:49:15
Peter Koch - 19-05-2021 10:51:18
@Gert that would be too subtle ...
Gert Doering - 19-05-2021 10:52:18
@blake: no, using (not-perfectly configured) OpenVPN servers as DDoS reflectors. Which is sort of "yeah, things on the internet can be used for that", but they massage their numbers in a way to present a huge spike "look, it's all OpenVPN!" in the end, and that is misrepresenting the actual numbers
Gert Doering - 19-05-2021 10:53:07
OpenVPN had an interesting spike in 04+05 2020 indeed, so "growing by 500%" is factually correct, but "coming from a neglible base rate"...
Michele Neylon - 19-05-2021 10:53:12
reports where the conclusion gets written first ...
Farzaneh Badiei - 19-05-2021 10:53:23
We will have a community dialogue about DNS Abuse on May 25. (shameless self-promotion, I am one of the speakers) https://www.circleid.com/events/dns-abuse-forum
Marcos Sanz - 19-05-2021 10:53:40
oh, come on, folks. Hear first Daniel talking, then judge afterwards...
Gert Doering - 19-05-2021 10:54:05
Since I got hatted into OpenVPN maintainering, the fact that OpenVPN is stupid annoys me, but exaggerating numbers is not helping anyone...
Gert Doering - 19-05-2021 10:54:34
Marcos: I have looked at the slides, and I dislike the way OpenVPN is singled out, and the way it is presented.
Gert Doering - 19-05-2021 10:55:13
*and* that the numbers are actually a year old, and OpenVPN numbers have been going significantly *down* since then
Peter Koch - 19-05-2021 10:55:42
@Gert go, rate the talk ...
Farzaneh Badiei - 19-05-2021 10:55:44
would be great not to fight the bad famous actor fake Gucci bag with DNS abuse.
Daniel Kopp - 19-05-2021 10:57:51
Hi @Gert, I'm always open for discussion about the topic. You can find more details in the paper. The observation about OpenVPN was just to raise awareness.
Daniel Kopp - 19-05-2021 10:58:47
The talk will be about DDoS amplification attacks that are happening and the protocols used... not only about OpenVPN
Gert Doering - 19-05-2021 10:59:06
sure, but the way it is presented on the slides, the message is "OpenVPN is a huge part of the DDoS problem!", which is not exactly true. I'll listen carefully to the audio track...
Brian Nisbet - 19-05-2021 11:00:08
Yes, please, as Marcos said, let's discuss this after the talk has been presented, thanks.
Daniel Kopp - 19-05-2021 11:00:14
No this not what I want to says and what the numbers suggest, I'll make that clear when talking.
Gert Doering - 19-05-2021 11:00:31
Niels Bakker - 19-05-2021 11:02:13
I am of course not an expert on DDoS but I don't remember OpenVPN being very high up our lists either.
Rumy Kanis - 19-05-2021 11:04:14
Just as a reminder, If you have questions or comments for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Rumy Kanis - 19-05-2021 11:04:41
and note that all chat transcripts will be archived and made available to the public on https://ripe82.ripe.net/.
Blake Willis - 19-05-2021 11:05:18
I don't recall seeing any OpenVPN traffic worth mentioning in our inbound reflection attack traffic either
Farzaneh Badiei - 19-05-2021 11:05:27
I think this is abuse mitigation. using the word "harm" creates another definitional problem.
Desiree Miloshevic Evans - 19-05-2021 11:06:22
+1 Farzneh "harm" asks for more definition
Harry Cross - 19-05-2021 11:07:37
From the incidents I've been involved with, domain name suspensions seem to be used as a mallet to hammer a tiny nail - especially when Intellectual Property protectors seem to spray and pray abuse emails to anyone who will listen
Michele Neylon - 19-05-2021 11:08:20
one of the big problems is that it's hard to find the host or other actor - finding the registrar or registry is "easy"
Farzaneh Badiei - 19-05-2021 11:08:28
Niels Bakker - 19-05-2021 11:09:07
Intellectual Property abuse complaints are generally of laughable quality. I've received too many takedown notices for legit sites to count. Generally from outsourced 'security' companies or from confused do-gooders.
Peter van Dijk - 19-05-2021 11:09:34
Me too, and I don't even host anything.
Michele Neylon - 19-05-2021 11:09:51
Pornography is legal in most jurisdictions Nigel
Farzaneh Badiei - 19-05-2021 11:09:53
yes and they frame it as fighting with bad actors. Fake Gucci bags attacking the DNS you know.
Michele Neylon - 19-05-2021 11:10:08
Unless he means a compromised site?
Farzaneh Badiei - 19-05-2021 11:10:10
No porn is not in DNS abuse definition.
Desiree Miloshevic Evans - 19-05-2021 11:10:18
I believe Nigel refers to whitehouse ..... org example
Michele Neylon - 19-05-2021 11:10:24
that's out of scope
Michele Neylon - 19-05-2021 11:10:31
not DNS abuse
Harry Cross - 19-05-2021 11:10:42
I often see abuse emails with 10 or so different organisations in the To field, some of them with a miniscule attachment to the issue in question
Farzaneh Badiei - 19-05-2021 11:10:48
DNS abuse has a technical definition. also do you really mean pornography? cause that's legal in some countries... and not a crime
Farzaneh Badiei - 19-05-2021 11:11:41
no that is outside of technical definition of DNS abuse.
Farzaneh Badiei - 19-05-2021 11:11:46
no it is not technical
Graeme Bunton - 19-05-2021 11:13:46
Desiree Miloshevic Evans - 19-05-2021 11:14:41
the example I gave is not a DNS abuse, i agree... we're in agreement.
Nigel Hickson - 19-05-2021 11:15:48
Thank you; think my "Minister" may disagree but understand difference here, thanks Michele and others
Michele Neylon - 19-05-2021 11:16:38
Nigel - I think there's ways to deal with the problem but lumping it into the same bucket as the DNS abuse stuff isn't helpful
Farzaneh Badiei - 19-05-2021 11:17:53
Desiree Miloshevic Evans - 19-05-2021 11:18:15
@Michele there's more work for Graeme and the institute to make that clarity
Farzaneh Badiei - 19-05-2021 11:20:41
look forward to hearing what "tools" you want to develop.
Simon Leinen - 19-05-2021 11:29:39
Philosophical non-question: Can honeypots really be "abused"? Isn't their whole purpose to be "abused"?
Steve Atkins - 19-05-2021 11:38:46
When they're used as a data source that data can sometimes be poisoned by bad actors, when they're aware of where the honeypot is.
Erik Bais - 19-05-2021 11:53:04
BCP38 isn't the solution for this.. if the devices in the networks aren't removed there will always be a provider that spoofing will allow.. if you remove the bullets (the amplification devices ) .. it will be a lot harder..
Gert Doering - 19-05-2021 11:54:18
Erik: the problem is that attackers will eventually figure out that web servers do great TCP-SYN -> TCP SYN/ACK amplifiers
Gert Doering - 19-05-2021 11:54:26
10x packet rate with small packets, really nasty to filter
Rumy Kanis - 19-05-2021 11:54:42
This session has now ended. The next session is the Measurements and Tools Working Group, and it will start at 13:00 (UTC+2). More info on the RIPE 82 meeting plan: https://ripe82.ripe.net/programme/meeting-plan/