RIPE 90.
Side room.
4:00pm: Security.
BRIAN NISBET: Hello, hello, hello and welcome to the RIPE 90 Security Working Group session. I am hoping this stage will remain stable for the purposes of the working group session. I am a good person to road test it. The BoF last night, they all sat down safely. I am Brian Nisbet, one of the co‑chairs of the working group, and with me today is Markus de Brun. We are not sure where Tobias is. We are hoping he is fine, we are sure he is fine, but the last thing he did was fly to the US so...
SPEAKER: Who knows. Anyway, we have quite a full agenda, so we will kick on through it. First up, just the administrative matters. This meeting is being streamed and recorded, both verbally and indeed on video, so everything you say will be recorded for posterity.
We have a wonderful steno there; all of that will be up later. There's chat on Meetecho so you can ask questions there, especially if you are joining us online, on the glorious internet.
This working group like all of the working groups is covered by the RIPE Code of Conduct so again, if there are any problems, code of conduct team are there for you.
You can rate the content in this working group. It's not quite the same as the plenary talks, but absolutely please do give us feedback, because the co‑chairs are interested in knowing what you thought of the sessions. Do that by email, on the mailing list or via the rating system that is on the RIPE 90 web page.
So, I think that's all the admin trivia, thank you to the awesome tech people and RIPE NCC staff supporting us in all of this.
Minutes from RIPE 89, they were circulated, they seem to be all good, so unless somebody says something now, we'll take them as read and approved.
No one appears to be rushing to the microphone. So if you do rush to the microphone at some point during the session, please state your name and chosen affiliation. There is no prize for the most amusing one, but I feel sometimes there should be. And I think there hasn't been any further input on the agenda. If anybody now desperately wants to add something to the agenda, please let us know. Again, you all seem to be happy with the agenda as circulated, so cool.
So the update session, recent list discussion: there hasn't been a lot of it, please discuss more things on the list. It is new, we did change the mailing list, and there is a certain amount of us just finding our feet properly as the working group from the point of view of the mailing lists, but yeah, it's there. Nothing particularly to discuss on that.
So, we'll move to our first presentation, which is Dick Leaning from the RIPE NCC who will talk about the LEA transparency report and activity. Please, Dick.
(APPLAUSE.)
RICHARD LEANING: Afternoon. Dick Leaning from the RIPE NCC, ten minutes of your time to talk about the transparency report for LEA requests that we published recently and then about five minutes on what we are going to do with our engagement of law enforcement as RIPE NCC on behalf of the RIPE membership.
That's me. That is the biggest screen I have ever seen in my life.
That's me, as a younger man.
So the transparency report, it's been published, you can read it at your leisure. I want to talk about a few things. We get requests from law enforcement, not many compared to other entities in this industry; we have got 120 ‑‑ sorry, 115 in 2024, it never goes above 200. There has been an increase in the last couple of years, but it's nothing horrendously significant number‑wise. Where's health and safety!
Some of the requests that we do get from law enforcement, and I am not joking, this is serious, I won't mention the organisations because that will be embarrassing: can you tell us who the registrant of a domain name is? No. Can you tell me who is using this IP address on a Saturday afternoon? Yeah, no.
And I don't want to name anyone, I see my Europol colleague standing staring at me from the corner of the room, but it wasn't him.
It may be, you can buy me a drink later and I will tell you exactly who it was but we get requests like that all the time.
Which is sad, that some law enforcement think the RIPE NCC has that type of information, and then it's sad that maybe we haven't explained ourselves better: what the RIPE NCC does and what the RIPE community does and how the IP address space really works.
I know we have been doing this over a period of many years, but there's big churn in law enforcement, they change; every time you get promoted, you move, you do three, four years, you move to another department.
So maybe we need to start looking at that again at the same time.
So when we are talking about reengaging and continuing engagement with law enforcement, there's a lot happening not just in the EU with new regulations, policies being discussed and there seems to be a conveyer belt of new stuff coming out the European Commission weekly and it's very hard to keep up.
But there's definitely a change happening, and that change could affect the RIPE NCC and the data and the RIPE membership, so we are keeping involved in that, keeping up with what is going on. At the same time we thought it would be really good at this point to really engage with law enforcement again and tell them what it is that we actually do and don't do, what information we have and, more importantly, what we don't have, so we don't get requests that have nothing to do with us and they don't get the wrong impression of what we do and don't do.
So what we have done, and I am sure you have all heard about the trust portal by now and looked at it and studied it every night before you go to bed, you find in there that we have done law enforcement guidelines for the first time, where we are actually going to give those guidelines out to Europol, Interpol, all law enforcement agencies. They clearly and concisely explain what the RIPE NCC does, what the RIPE community is, what's the difference between the registry and the database, so they see for themselves exactly what it is we do and don't do, and we will put that on the trust portal.
We are also going to start having a dedicated email address for law enforcement, for when they want to contact us for whatever reason. Normally they did it through NCC at, we now have a dedicated LEA address for them. That doesn't mean we treat them with more priority than anyone else, it just means we know it is from law enforcement and we can deal with that appropriately, because they could be legal orders, legal requests and anything, so we just want to make sure that we are in a position to identify them quickly and deal with it appropriately. It does not mean they are going to be fast tracked above your emails and customer services or anything like that, it's for us to understand what's coming in from law enforcement in a quick and timely fashion.
As you have all seen now, the trust portal, as I have talked about, has a section for law enforcement and competent authorities, and that is the bit I want to talk about now. I like to use "competent authorities" because there are many government agencies that don't have a badge that says cop on it that are also involved with dealing with abuse on the internet, so we just packaged that up as a competent authority.
So this is a request for help from you guys. The trust portal has been live for a week, there's a lot more stuff we want to put in there for the law enforcement and competent authorities side, we want an FAQ, Q&A bit in there. So when law enforcement look it up, they can look through the questions, oh yeah, someone has asked that and this is the answer; it leaves us alone, the RIPE NCC staff, and they can just look at the trust portal. We are putting together a list of questions, but we need your help for the type of questions that you get in your daily lives back home, questions that you think need to be answered clearly in that trust portal. That would be really helpful for us at the RIPE NCC.
And basically anything in there that you think would be helpful; we don't mind a little bit of duplication. We'll put in there how the PDP works, the working groups, the security working group, what that does, the history of it, anything that you think will be helpful for governments, law enforcement and anyone else in security that would be interested in what we do here at the RIPE NCC and the RIPE community.
I think that's basically about it. I am here for the rest of the week, I leave Thursday evening, and I'll be down the road later on today if anyone wants to have a chat. And I have got, I don't know what it means, it's got two minutes 30 and it flashes non‑stop, so I think I have a couple of minutes left to take questions. To me, or I can see my legal team are there staring at me to make sure I don't say anything wrong, so you can ask any of us a question.
BRIAN NISBET: Sure. Sure you would never. Questions? Please.
AUDIENCE SPEAKER: E‑evidence is something on the horizon and that will change the requests for data. How do you account for that, are you already working on this?
RICHARD LEANING: Yes, two things. One of the proactive approaches is to let governments and law enforcement know what we have, and it's definitely on our radar and something our legal team are looking into, and we'll have an analysis by the end of this year on e‑evidence. Yes, we absolutely are following that greatly and we are already involved in the discussions, absolutely.
AUDIENCE SPEAKER: I was going to be nice. You asked for some feedback, sorry, Michele from Blacknight. If you could please possibly train law enforcement types how to read whois records, that would be really helpful. I am sick to my teeth of getting requests for information that is public, and also as well, will they please change which of the vendors they are using for getting data, because we keep getting reports sent to the wrong contacts, and we do publish Abuse‑Cs.
RICHARD LEANING: This is one of the things we'll look into this year and next year, the educational side again on RIPE Labs and how to make the right inferences. It's not an easy thing to look at unless it's what you do in your day job; it's something we have spoken about with Europol and other law enforcement agencies.
Last thing I forgot to mention: we have here this week three Portuguese law enforcement officers. If you are based in Portugal and you want to speak to your local law enforcement officers, please do, they are quite easily identifiable, they are the only ones wearing a suit and tie. I won't embarrass them by standing up, but they are wearing suits and ties, so please, if you are based in Portugal.
BRIAN NISBET: At least one of them isn't wearing a tie.
RICHARD LEANING: Please speak to them, nice guys and start having that conversation with them.
MARKUS DE BRUN: Two questions actually from Ruba... The LEA report for 2024 mentions a request related to a RIPE Atlas probe. Is it possible to tell what kind of information was requested, for example regarding a measurement or a probe host?
RICHARD LEANING: I don't have any knowledge of a request regarding an Atlas probe, and my legal team are now looking at the floor... they are actually standing up.
AUDIENCE SPEAKER: Legal officer, RIPE NCC. Excuse us for the time we took to remember what this was about. It was actually about information we did not have, and RIPE Atlas did not either, but it was actually about either information we did not have at all or that was publicly available already. And I don't remember the details, apologies for that.
MARKUS DE BRUN: OK. Another question, also from robe check. Do you enforce inbound and outbound encrypted emails while communicating with LEA [at] ripe [dot] net?
RICHARD LEANING: I mean no, it's just an email like everybody else. We don't enforce that. But under the new email address, and any other we do get, we do validate that they are legitimate law enforcement agencies.
BRIAN NISBET: OK. Cool. Thank you very much.
(APPLAUSE.)
I will say to our speakers, and this is the first time this room has been used, the clock display appears to be wobbling a little bit, so just to warn you, if it looks strange, it's because it's strange. I don't think we have the time to work on it right now, it should be fine. So, next up we have one of those people wearing a shirt and tie. Yes. We have Emanuele from Europol. Please.
EMANUELE IOVINI: Good afternoon everybody. I actually work in the European Cybercrime Centre as the governance specialist, in the prevention and outreach team. What we do at Europol, what we want to do and what our goals are I will explain in a second. The European Cybercrime Centre is a law enforcement agency, not a law enforcement force; it offers a lot of strategic, analytical and forensic support to member states, so it doesn't start investigations by itself, but supports member states to cooperate with each other. Each year we publish the Internet Organised Crime Threat Assessment, which is a flagship strategic report describing all the cybercrime and how it is evolving through the year.
This is our structure. We focus only on EC3, which is the European Cybercrime Centre, and we have three big parts: the knowledge, the digital support with forensic support and cyber intelligence, and we have the operations. The operations cover a large spectrum of crimes, you can see the crimes, the payment fraud, child sexual abuse, dark web.
We have the Joint Cybercrime Action Taskforce, which is permanent and is composed of all member states, who each give one officer to us to cooperate and work together.
This is what Europol does: when we seize some particular server or platform, we put up this page, and whoever tries to connect to this illegal platform will see this image, which tells what we have done, how we worked and what the consequences are.
But in reality, we are this. We work hand in hand, shoulder to shoulder, to manage and tackle cybercrime. Why I am here: the co‑operation can be two ways, one is institutional co‑operation, you can see on the screen.
By Europol, we cooperate between member states and focus on co‑operation between member states; we have the J‑CAT, which is the task force, we have Eurojust and we have many projects through EMPACT, which funds our operations and makes us do our job in the best way possible.
But the co‑operation is also with the private sector. We have many advisory groups, currently three, so we co‑operate with the private sector on many projects, we have many goals with them, we have trusted relationships, voluntary co‑operation, providing expertise, capacity building, and we agree on many strategic points on cybercrime.
So they help us, they support us, they give threat assessment data, we manage to discuss policies with them, and they also participate in our events by providing a lot of feedback and a lot of insights and information, so that's why the private sector is so important for us.
But what do we do in practice, what does an operation look like? This is one of the most important operations; it ended in January this year, and it was started by the German authorities. It's called Operation Talent, and it was actually to take down two of the largest cybercrime forums, Cracked and Nulled. We managed to arrest two people, searched many properties and seized 12 domains that were able to host these platforms.
Why so important? It had ten million users and a profit of one million euro, and it was, as we say, a cybercrime‑as‑a‑service platform. What does that mean? Now it's so easy to get tools for cybercrime, just paying a little fee for a subscription to this platform, and you can become a hacker in minutes, that's why it's so dangerous. We call them one‑stop shops: one login, pay a fee, and that's all the tools at your disposal. What was it providing? Stolen data, login credentials and malware and hacking tools, and as we are facing new technology sources, we also saw AI‑based tools, scripts that were able to optimise attacks, the time trying to understand the vulnerabilities and tailor the attacks on the victim, even advanced phishing techniques; they were able to create personalised messages tailored to the victim.
Why Europol support was important: we made them cooperate with each other through the Joint Cybercrime Action Taskforce, and we had eight countries cooperating together with their law enforcement agencies.
Europol decided to provide analytical and forensic support; one analyst was able to work with the German authorities. We work actually, as always, as a broker for law enforcement, so we are not the ones who start the investigation, not leading the investigation, but we are the ones supporting it and bringing co‑ordination through, for example, operational sprints, which are moments where all the police officers and investigators are in a room and they are able to analyse many different data and work together, shoulder to shoulder.
This is important for us: what data we need, why we need it, why we have to talk about the private sector. We need to identify who the offender is, where his location is, where the server is; why we need the data, I know that sometimes the RIPE NCC doesn't know this information ‑‑ or I say doesn't know this information ever, but the private sector does. So when we ask for information, we want it for this reason: we want to find who the offender is, who can attack your server and can be an offender, a sexual abuser of your children, so we want to help you actually, and we have to find who owns the data so we can freeze, seize or take it down.
Why it is important: because data has retention in Europe, as you can see, we can have hopping through different spaces and lose valuable data because we obtain it late, because it's not accurate, because it's deleted, because it's not correctly stored, or because we need too many hops and we lose the momentum. We try to get it as soon as possible to continue the investigation. So we need to enable local low‑value investigations. When we talk about big corporations, it's easier, we have many resources, the judicial authorities, through Europe, through the rest of the world, but when we talk about local low‑value investigations, like the 1,000 euro fraud or low‑level scams, we stop because we don't have the data, so we cannot investigate it. But it is also important to discover and assess the whole criminal infrastructure: when we know where the servers are located, how they are organised, we actually manage to find the connections and map the critical infrastructure, the offender's infrastructure, so we manage to tackle all the servers one by one.
What's happening today and what will happen in the near future? We have all the regulations that are linked with orders, so they'll be used against you, we can say, but they will also be used for you. These are all the new regulations; many of them are already in place, many will be soon, like e‑evidence for example in August, and many others will be soon, like the Second Additional Protocol to the Budapest Convention on Cybercrime. Why are those so important? Because they will allow law enforcement to ask directly private parties, companies, even in foreign countries: if I am in one country and want to ask for information, I can do it directly through this kind of protocol. For example the NIS 2 Directive, everybody knows it, on cyber resilience, obliges everybody to keep accurate data and store it correctly.
This is just a mention, but we are also under these: we have the Cloud Act, to understand how the cloud works, and in the future the European Union Artificial Intelligence Act is going to be applied. What does it all mean together? I take all the common aspects, which are not exhaustive but they are important, because more or less this is what is happening. Every company on the supply chain has to know what is over and under it, and you will have to establish a legal reference contact to answer law enforcement authorities, but not only that, also legitimate access seekers, which will be private many times, but that will be defined by law, because many of these regulations will be transposed into local laws and will be different from country to country, so we have to assess even what their impact will be.
You will have to maintain accurate and up‑to‑date information about registrants and users, and you need data management and retention policies; many of you already have them because they are based on local laws. The most important issue you will have ‑‑ I know this is really bad ‑‑ is that you need to be able to answer in a short time; e‑evidence asks for eight hours for emergency requests, which means threat to life, critical infrastructure damage and so on. I know you will probably need a 24/7 office, which I know is really expensive for the private sector, but it's what the laws demand. Having backup strategies and mechanisms to retrieve data, this is easy to understand.
And if possible, building co‑operation procedures with LEA. For us it's important to form a co‑operation, but also to evolve that co‑operation; many activities are possible and going on thanks to the co‑operation with the private sector, which is willing to cooperate, so we have many good guys that are helping us and many good guys who cooperate with us and monitor illicit activities, which is not mandatory but really good when people do it. For example, many registries already monitor DNS abuse on their domain names and they actually intervene and even communicate with police forces.
In the end, what I want to say is that these are the challenges we are facing. But the most important one is the yellow one, because it's the public‑private partnership: we cannot tackle cybercrime if we don't work together, if we don't manage to find a way to cooperate and exchange information. I know encryption is a problem because we cannot find information; the encryption can be end to end, which I know is important for freedom and for security, but sometimes in an investigation, imagine you have some sexual offender with a child and the private communication, you cannot enter into that if you don't know something, like undercover. Anonymity is good for freedom, but sometimes law enforcement need to know who the offender is, they need to prosecute and assess what crime he commits. And what I said before is also so important, the high‑volume and low‑value crime: we have seen an increase of low‑value crime, which is harder to tackle and harder to investigate if we don't have the information as fast as possible.
Then we have cross‑border jurisdiction. Many times it happens that we need information from a country, we send a request, and we waste so much time to find out the data is outside that country, it's somewhere else, so we lose time to produce orders and obtain the information we really need, not just random information, the information around the user. So if we have a negative answer, we just have to move to the real one and ask again actually.
So sometimes it's also helpful for us if you just say, oh, I don't have this data, you don't need to send me a court order, it's fine.
And in the end we know that tracing communications and payments, when cryptocurrencies are used, is hard, but we have many tools to address this issue.
Last but not least, what will happen in the future. We already know what will come, because the world is changing and we have new technologies: blockchain, in the matter of smart contracts mostly; artificial intelligence, which is really, really, really important, it's a really hot topic; and quantum computing, for example for password hacking and for making passwords safe. I would say that artificial intelligence is transforming this world because we have accessibility of AI, versatility of AI and sophistication, which makes it easy to make new types of crime. We can think about synthetic images, deepfakes and all the other crimes, even cybercrime, hacking which is made with the help of artificial intelligence. So you can find this assessment, which speaks about it, in the Serious and Organised Crime Threat Assessment; everything is public, it's on the Europol site. If in any case you want to have more knowledge and detail, you can access the site and find these papers, which are really rich.
And that's it from my side. If you have any questions, if you want to start something, if you have any idea, any kind of partnership, co‑operation, I am here all week. You can speak with me, I am free to talk with everybody. So thank you for your attention and I will take any questions you want.
(APPLAUSE.).
BRIAN NISBET: Thank you very much. So are there any questions? Or does everyone just want to ask him questions in private.
You don't have to...
AUDIENCE SPEAKER: Michele from Blacknight. I didn't think it was helpful at all, it seemed very aggressive and very anti network operator. I didn't kind of come away from this thinking, oh, I must go out of my way to assist Europol. I mean, especially when you look at your supposed threats. There's no balance, it's very, very biased. You are anti encryption, anti anonymity, there's ‑‑ you are not giving me any incentive to actually want to work with you. And I just thought the way it was being framed was very much along the lines of: here's a bunch of laws, you have to conform with them, oh yeah, maybe you might want to cooperate with us.
But that did not come across at all, that you actually want to cooperate with us. Thanks.
EMANUELE IOVINI: I have the right to answer?
BRIAN NISBET: Absolutely!
EMANUELE IOVINI: When you speak about challenges, it's not about not wanting to comply, it's about finding the right balance between freedom and crime. And when we speak about crime, it's because we work on it, we know, and we know that a bit of balance should be made between freedom and crime. If everything is freedom, everyone is free to do whatever he wants and everybody can commit any crime. But when it is your child that is the victim of another crime, or your organisation that is attacked by ransomware, it's always a different story. One time it happened to us to be attacked by ransomware and we had to ask another company to help us, and it can be the other way around. So as law enforcement, we are the helper, we want to tackle the offender, not the free people; we don't want to somehow block the freedom of people or something, we just want to tackle crime, and that's helping society and not doing anything else.
BRIAN NISBET: OK. Please. Yes.
AUDIENCE SPEAKER: I am hoping some of you will remember me from last year and talking at this session; we are right in the middle. I do, up to a point, agree with that, it was quite heavy handed to be fair, I think there's a softer approach to be taken here. I am hoping that some of the members of the audience will come along on Thursday and listen to our BoF, which will hopefully meet both sides there. The point I kind of want to make, for those who can't, is that the information that is held needs to be better, and I think that would then help both sides: it will help law enforcement identify the vectors that they need to identify and the perpetrators of these particular crimes, and hopefully take away some of the headaches from you guys as well, that you are not getting bombarded by unnecessary requests for information that you don't have.
I am excited to hear Dick's presentation and getting out there and educating law enforcement and the private sector about the information that you guys hold legitimately, and what the RIPE NCC and the other regional registrars hold as well. I think that will be a big step forward, because a lot of the private sector and a lot of law enforcement don't actually have a clue, and they will just see an email address and fire it off and hope for the best, and I don't think that's good co‑operation between the two different kinds of sides of the internet here.
And a further education element from the law enforcement side, I am going on, yeah, law enforcement need to understand how the internet works and they don't. And that would be a big step forward as well. That's it.
BRIAN NISBET: Any comment?
EMANUELE IOVINI: No, I think he just spoke for himself and it's fine, there's no question, but I thank you for the words.
BRIAN NISBET: So last two and then we are done with this. There may be time later, who knows.
AUDIENCE SPEAKER: Alex. I think the presentation clearly shows that you do not understand the internet, because the laws and regulations that you referenced will not solve the problem, not even dent it. You for instance don't recognise resellers that are located outside the EU and that don't provide their services within the EU. So they don't have a reason to register, so if you ask them who their customer is, you will not get the answer.
And they are not legally obliged to give you the answer.
Just one small example of why it doesn't work.
EMANUELE IOVINI: If we had two, three hours to speak about the regulation in detail, which I couldn't bring here because of time, we would understand it better. We know it works, we know the investigations are happening where we don't find the data, and we also have a problem with proxy services many times, but it's not that we don't address the problem, it's that we cannot manage to deal with everything at the same time. We just tackle the problems one at a time, but if you don't even get the easiest kind of information, how would we manage to get the hardest one? So if you don't even manage to get the information in Europe, how hard would it be to get it from outside of it, from other countries?
BRIAN NISBET: OK. This is, there's again plenty of time this week to have some more of these conversations. Rudiger please.
RUDIGER: Kind of, I hated some of the comments and, kind of, well, OK, your presentation may have spent more time than is useful, because, well, as citizens, and we are very much network‑aware citizens, we are, I think, all aware of most of the problems that you are talking about.
The thing that I am kind of missing and asking is, well, OK, what is the constructive part of our discussion here? The constructive part obviously needs to facilitate the actual co‑operation in cases where something has to be done, or preparation for that.
And kind of suggestions for what to do in that direction, and for, well, OK, me, say, sitting in Germany, who should I be doing this with, who should be my peer in this discussion? I didn't see any of that kind of suggestion in your presentation, and I think that is the thing that needs to be actually worked on. And when you are saying we are working with the Dutch police because, well, OK, we are Dutch, that's quite clear, so let me boil it down to the very simple thing: is there anything where you would point to an address or a web page at Europol that you are suggesting any of us go to, or is the suggestion, go to your local police or Ministry of the Interior or whatever?
EMANUELE IOVINI: That's a lot of questions actually.
BRIAN NISBET: I think the core question is around contact.
EMANUELE IOVINI: It's important to start the co‑operation and see what you need, and we have to find each other in the middle. It's not like you have the answer or we have the answer, the answer has to be found together; it's the most important thing actually.
BRIAN NISBET: OK, I mean, I know obviously, and I think this is the thing Rudiger raised, and we will finish up now, that I know in Ireland, if we had a problem, if somebody ransomwared our systems or otherwise, the advice at the moment is go to the local police station, at which point I am rocking up to some desk sergeant, who knows, maybe they are an internet expert, to try and report this crime. And I think that's one of the problems that a lot of local and a lot of national law enforcement people acknowledge: how do you actually go and talk about this and who do you talk to. But listen, it is very, very good that you are here and we are having these conversations, and I look forward to future presentations and hopefully that feedback. Athina, I really ‑‑
AUDIENCE SPEAKER: Thank you very much for being here and the reason I'm on the mic has to do with the previous question, the Atlas request, I would like to correct a little bit what I said, because our memory tricked us a little bit.
BRIAN NISBET: Could you hold that for AOB, that would be great. OK. Let me just finish this and thank Emanuele for coming. So yes, thank you very much.
(APPLAUSE.)
AUDIENCE SPEAKER: Right, I would like to correct what I said before about the Atlas probe request, it was a mixture of requests for public information and non‑public information, information we did not have, we decided to categorise it under the request for non‑public information in our report and that's why you see it there. In the end we only provided the public information as a response to that. Thank you very much.
BRIAN NISBET: Cool, thank you for the explanation. It's important that transparency is transparent, that is very important.
OK. So let us move on. And next up we have the first of two talks from colleagues in ICANN and first up we have Samaneh talking about INFERMAL, Inferential Analysis of Maliciously Registered Domains. I can't believe it's not a RACI talk with that title, that's just me. Please. Thank you.
SAMANEH TAJALI: Hi everybody. Can you hear me? Yes. OK. OK. So I am Samaneh... I am the Director of Research at Security Research at ICANN's Office of the CTO. Today I am here to present INFERMAL which is a project proposed and worked on by KOR Labs and funded by ICANN. Later it was submitted and accepted at the ACM Computer and Communications Security conference, which is in the upcoming proceedings this year.
So the motivation of the work, as you know there's a lot of cyber criminality going on, phishing malware and spam and bot nets but there's little on what factors actually influence the trends that are there.
Specifically looking from what criminal preferences are.
So this research aims to look into two main things, one is looking into attackers' preferences when it comes to domain abuse and second, what are the factors that influence, driving this malicious activity, registrations.
Here's the approach used, basically the work took around 73 features, collected from different places, which combine and summarise into these three following categories, the features aim to capture registration attributes, proactive verifications and reactive security practices of registries and registrars.
The method, the GLM learning method used to be able to assess how these collected factors influence abuse, is a model that models the odds of certain things happening including all the factors in a model.
What the researchers did is actually making sure that the models capture interactions between these factors because as you may well know, this ecosystem is very complicated and it's important that all of these interactions are taken into account at the same time while looking into domain abuse.
What do we have, there are many data sets used in this work for phishing, this work is specifically focused on phishing only when it comes to malicious activity, for phishing ‑‑ PhishTank and OpenPhish are used, for the domain pool, the ICANN famous well known CZDS, the Google transparency logs, this was to get the base domain infrastructure. For feature selection, there's TLD which is a paid service but you can pay and it collects certain features over time, things like the cost of registrations, discounts, free features etc. In a few slides I will go through more details of the features, this is just the data, then there is a lot of data manually collected and eyeballed from the registration processes and there's also active measurement conducted to measure uptime which is the amount of time for which the domain is up from when it's reported as being maliciously used, for malicious purposes.
Then for attribution purposes, active Whois and DNS measurements are used.
Basically the starting point was around five hundred X block‑listed URLs, the timeline of the study is from August 23 to January 24. I won't go through all these numbers because it might be a bit confusing. But the domains are curated, the pool of the initial data set is curated carefully in order to back calculate biases or outliers, etc, they are mapped to registries and registrars and I can tell you that we made sure that the data is comprehensive when it comes to and it represents the domain space that we wanted to study.
There's also, in order to be able to compare malicious domains, there's also a data set for benign domains, which is around 54 K domains on 159 TLDs, you see the 20 most frequently observed registrar‑TLD pairs when it comes to maliciously registered domains.
One thing to focus on is this work is not looking into compromised domains, this is only for domains that are maliciously registered from the beginning. In the final two slides or maybe three, I will discuss the features collected in more detail. The features that fall under registration attributes are whether or not the registrant could use a free API to be able to search, purchase or manage domains. These are for those who are different processes, whether there was a capability for bulk search, available payment methods, so can domains be anonymously paid and also if so, through which method. Then retail pricing, the prices of the names. Whether there were discounts offered during the registration process. Pricing terms, whether there were limitations during the registration processes and also if the registrar offered free other complimentary services which are hosting, DNS, email account, etc. For proactive verification, there was a feature collected on whether or not the registrar validates the registrant contact details. Basically this is a note that this is only whether or not they validate. We didn't check if they actually validate that the information is correct. Whether or not they have a process to validate.
Domain registration warnings and restrictions, whether they have checks and balances and also other registration restrictions such as local presence, ID requirements, etc.
Then the last category of features which is reactive security practices, this category is basically what is the reaction of the registries or registrars when they see a domain shows up on their abuse contact or a blacklist, what do they do, how much time it takes for them to take the domain down, we call it uptime. So a DNS and Whois measurement is conducted, first every five minutes and then 15, 30, until 48 hours and then every 12 hours, until the domain is not there any more.
There's also a subset of domains for which to which a notification has been sent that this domain is seen on an online block list.
So these were the features that were collected.
From now on I will show you a summary of some of these features and then we'll discuss the results.
So for prices and discounts, we saw that domains could range from 78 cents to 68 dollars, nearly 50% costing less than two dollars.
When it came to registration discounts, examples of expensive domains were, you can see, USPS which was 69 dollars, or DHL centre.net was 56 dollars.
Registration prices were also subject to terms, discounts for new customers only, etc, which were rare conditions.
This is the start of some of the features, free services that were offered, free DNS, email, SSL certificate, etc. And what we saw was that 18 of the registrars that we looked at offered bulk search to check availability of the prices for 20 to 10K plus.
What are the results. So starting from the first category, which is the economic incentives, prices. What our models showed is there is a weak but positive relation between price of a domain and the odds of it being abused which is quite intuitive. What was more interesting, there was a way stronger correlation between discounts that are offered in the process of the registration, so not the initial price but the discounts, and abuse, basically with one dollar increase in the price, keeping all the other variables in the model constant, we had 50% more, we saw 50% more abuse, if they got discounts.
And interestingly enough, let's see, OK. Interestingly enough we saw that when we looked at benign domains, the discounts, basically the mean price for benign domains was 8.6 which is higher compared to malicious ones, meaning that the initial price did not matter as much for the benign registration as it did for the malicious one, which was an interesting finding.
We looked at the role of free services and we saw API‑registered domains have very strong positive correlation, keeping all the other values constant.
And when we looked at the other free services such as DNS and hosting, we saw that they both show positive correlation meaning the more free, the more abuse, but interestingly enough, this was the same for benign domains, meaning that it really did not matter that much.
Restrictions also show a negative correlation meaning the more restricted, the less abuse, which is an interesting finding for those who practice.
I want to ‑‑ this is the most important part of the presentation because there are a couple of notes to be made and considered, one is that this study looked at factors from an attacker's perspective, it shouldn't be mixed with looking at practices of registrars because there is a space in between what attackers prefer and what registries and registrars do and this was not the intent of the study, nor the intent of the results.
The results should be taken with caution when interpreted because they cannot be generalised, they shouldn't be taken out from the context of this research, the scope of this research. The most important thing is that, remember when I discussed for example the model part, for example using and having an API allowing for bulk search/management of domains increasing abuse by 401%, this is not ‑‑ this is not as easy as it sounds because the statistical model actually models all the factors together so when this 400% is reported it means taking all of those other factors into account.
And taking ‑‑ and holding them constant. So if you added or removed a variable from those models, the number would change. So again, a word of caution with the result interpretation.
The research work, in order to make the modelling more robust, combined some of the variables, for instance registration restrictions, the variable registration restrictions or consolidation of payment methods are three detailed variables that are combined into one, digital wallets, bank transfer, etc.
Lastly and my final point is that when looking into results there's also, whenever an action is taken by the defenders, in this case those who manage and sell domains, the impact on legitimate users should also be considered, likewise the responses of attackers to the adjustments that are made by the registries or registrars based on the results of this report or any other action that they take, importantly, attackers always adjust and these adjustments would also impact legitimate users.
With that, I finish my presentation and I am happy to take questions.
(APPLAUSE.)
BRIAN NISBET: Thank you very much. Any questions? We do indeed.
AUDIENCE SPEAKER: Excellent presentation, thank you very much. Two questions, one question, the table, this wall of fame or shame rather, you showed, does your methodology allow regeneration of this table, like monthly?
SAMANEH TAJALI: The data is published and the methodology is published also in the paper, the goal of this research was not to rank, this was only a table to show basically the registrars and the registries under this study but yeah you can use the methodology and data to regenerate if that's what you meant.
AUDIENCE SPEAKER: The second question, how do you see the impact of the study on the whole, do you foresee that registrars or registries with just their actions discourage certain things in their registration processes, how do you see that?
SAMANEH TAJALI: Well this was a study that was requested, not this specific study but this kind of research was requested by the ICANN community to the ICANN org, through one of the recommendations, because the ICANN community was interested in knowing what are the things that they should be looking into, right. And this study is by the community, by an academic, KOR Labs and the University of Grenoble, we basically, this is the initial phase of saying, hi, these are the factors in the study and this is the result. It's up to the community to decide where they want to put importance and possibly actions or discussions or even a next phase of this study where we look into specific factors requested. For now actually, it's a topic that is actively discussed in the ICANN community and we are looking forward to receiving input on what the committee wants next.
AUDIENCE SPEAKER: Thank you.
AUDIENCE SPEAKER: Hello, thank you for the presentation. And I have a question, one is what is the aim of the model, are you doing the classic ‑‑ if it's benign or malicious or is it like you already know the label that they have and you just want to say what are the indicators of the, of this type of data.
SAMANEH TAJALI: Thank you for the question. No, the goal of the model was not to classify, even though a classification was used in order to distinguish between maliciously registered domains and compromised, not benign. The classification, the classifier that's used is published somewhere else, we use the method to classify.
AUDIENCE SPEAKER: They are all labelled data.
SAMANEH TAJALI: They are labelled data, yes, if you wanted to know more about the classifier, I can link you to the work.
AUDIENCE SPEAKER: OK, thank you. I have another question, how do you select the features like they have multiple features and how do you select the importance for the...
SAMANEH TAJALI: Yes, that was a very, that was some of the hardest discussions that we had, from a variety of sources, first and foremost, previous literature that suggests importance, the ICANN community in which this topic is discussed at length and also our own experts' opinion.
AUDIENCE SPEAKER: Thank you and thank you again for the brilliant presentation.
SAMANEH TAJALI: Thank you.
AUDIENCE SPEAKER: Thank you for the work, I think it's really important, two comments more than a question, I see consistently that know your customer comes up as a really helpful tool to discourage malicious registration so it's good to see that has come up in this research as well.
And also another question, but DNS Research Federation, which I have no affiliation with, publishes a whole range of league tables which for example show the abuse by TLD and recently they have added by registrar as well, which might encourage the less helpful parts of the community to take action and address their shortcomings, more of this, giving it visibility will drive up the bar of behaviour so good work. Thank you.
SAMANEH TAJALI: Thank you, Andrew.
BRIAN NISBET: OK. Cool, thank you very much.
SAMANEH TAJALI: Thank you.
(APPLAUSE.)
BRIAN NISBET: And last but certainly not least, we have Sam Cheadle from ICANN. Now, I sense a theme here, speaking about identification and abuse characteristics of batch‑registered gTLD domains. Please.
SAM CHEADLE: Thank you very much, Brian. Yeah, my name is Sam Cheadle, just a warning, this is another DNS domain name talk. So double dose of that.
I am in the same team as Samaneh, recently joined the security, stability and resilience team, previously at Nominet, the UK domain registry.
I'd like to talk to you today about a project we have been working on for the last few months, it's all about domain registrations and it's all about patterns in domain registrations.
The talk is structured in four parts so first of all, I will talk to you about what exactly I mean by these patterns, they are referred to as batches. Fairly intuitive, I will describe the details of that in a second. And then I will move on to looking at some descriptive statistics, how common are batches and we look across the wider domain registration landscape and then thirdly bringing in security feed data, crosschecking that, can we see any relationships between these domain registration patterns, batches, and then the eventual use of the domains or abuse and then lastly conclusions and future work.
So just to go into a little bit of background. Motivation for this study. We know, the community knows, that attackers often register domains to be abuse domains in bulk, if you put yourself in an attacker's mindset, it makes sense, if you want a large volume of domains that you can use and abuse quickly and discard, you really want to register them in bulk in high volumes.
How would you prefer to do that? Again imagining yourself as an attacker, you would like to do that presumably using an API or programmatically, what you wouldn't want to do is go through a hundred or a thousand domains and try to register those manually.
We know that APIs are a factor as Samaneh mentioned. They are a factor when you try and predict malicious domain use, one of the strongest predictors. So far so good, if you are an attacker and you are registering domains in bulk using APIs.
But there's a downside. From the defender's perspective. You can pick up on patterns, patterns in the registration data and what we were particularly interested in in this study is these bursty time bound spikes or batches of registrations, so when I say batches, I am talking about these high volumes that come in with either identical or very similar creation dates.
And the reason we want to do that obviously a general abuse mitigation, combating malicious domain registrations but detecting these batches of domains also gives the community the ability to spot abuse early and hopefully in some cases even take down these domains before they are weaponised.
So effective detection, intervention and mitigation, those are three key goals.
So you might wonder what features are best to focus on, to identify these batches. Pre‑GDPR, where registrant data was commonly publicly available, that would be a key source to look to. Post GDPR as I am sure you are all aware, post 2018, it's very difficult. Commonly domain registrant information, particularly for abuse domains, is hidden behind privacy‑preserving and proxy services. So which registration data do we have, which features can we use to group these domains.
There are limited features but there are effective features, one feature that many studies have looked at before is analysis of domains that are registered through the same registrar. Now commonly if you are registering a batch, that would all be through the same registrar and they will all come in around the same time, almost identical creation dates.
That's fine although there are issues if that's a very large registrar, you might get hundreds of registrations coming in per minute, it's very difficult to pick out batches of domains tied to a single account holder or domain owner.
So the approach we have taken in this study is to look at registrar but also to look at authoritative name servers and to group the domains in that way.
So we look at, we'll run through all gTLD domains, all unique combinations of registrars and authoritative name servers and do some clustering based on the creation dates and we'll exclude any cases where a very large registrar is resolving domains through a common set of shared name servers. It just makes separation of the domains too difficult.
And the algorithm we use for the clustering is DBSCAN, which is a density based clustering algorithm, very useful for this type of task where we have got these high density time bound batches and then very sparse data registrations around that.
As I mentioned, we are only looking at gTLD registrations, ICANN has access to a centralized repository of bulk registration data access, we also look at security data, security feeds, what we term RBLs, reputation block lists and there's a list at the bottom there, there's a couple of commercial feeds complemented with open source feeds.
So just to give an example of what I am talking about in terms of batches.
This is a plot where along the vertical we have got a list of domains registered consecutively over time and along the horizontal we have registration time. A few features of this plot to highlight, for this particular example, we are just looking at a single registrar and authoritative name server pair, this was just picked at random, we are also looking at a two‑hour time window, that's just for illustrative purposes.
So what we see here illustrated in this plot is the result of the clustering algorithm, you can see two, two sets of domains that have been successfully clustered and you can see the black dots surrounding them that have not been clustered.
This is another example, again we are picking at random a set of domains that have been registered in this case in two batches, they are registered through a single registrar in this case with Cloudflare name servers, you may be able to see along the vertical that they are all, they all share very similar lexical features, they are all under the dot TLD, DGA‑like domain strings, there are two batches here but they are obviously part of the same campaign.
This is a very high‑level plot to try and illustrate what the we see if we look over a three week time period and here we are plotting the top 25 registrars with the highest volume of batch registrations. So we have got for each hour, the volume of batch registrations shown by the circle size and the proportion malicious shown by this red to blue colour scale. So you can see that some registrars have a mixture, it's mainly blue, so they are mainly clean domains, not contained in any of our security feeds, but then there are other registrars where predominantly these batches are being tagged as malicious, some registrars have few batches and then a sudden spike.
So how common are batch registrations in general? If we look at our gTLD data, we had about 10 million domains registered over almost a two month period. Just over 25% of them were tagged using this algorithm, bear in mind we are including batches of any size, it could be from two domains upwards, so that does include very small batches also.
Just to give you a flavour of how these batches are characterised in terms of abuse. If we look at the domains that have been flagged as abused over that two month period, we pick out almost 300,000, how many of them have also been registered in a batch according to our analysis, around 60%, a reasonably high number and if we look at the, if we split that data by threat type, so we got four different threat types, spam, phishing, we can see the proportion in red that have been tagged as batch registered, it varies, the highest proportion is for spam with just over 63%. And also I should point out that the majority of malicious domains used in this study are from that spam category.
If we look at the TLD break down, malicious batches are commonly associated with TLDs that we do know have a history of abuse, some of them listed here. There's a second pie chart labelled unknown batches, so these are batches with no known evidence of abuse, that doesn't mean they are all legitimate, we can see looking at these top five TLDs again the same sort of TLDs pop out, .bond, .top, .xyz, etc.
If we try and look at the relationship between the proportion of registrations that are flagged as malicious and the proportion registered in a batch per registrar we get something like this so this is a bubble plot, each dot here is a single registrar, the size of the dot is the number of domains under management so we can see there's a relationship, it's not particularly clean but there is a significant positive relationship so the more domains that the registrar has, that we see being registered in a batch, the more we are seeing domains coming through our security feeds tagged as malicious.
We can now look at the distribution of batch sizes, as I mentioned, we are picking out a lot of smaller batches so many of these batches are two domains, three domains, four domains, the ones that we are more interested in often are larger and you may or may not be able to see it here but there are spikes at these intervals of ten, twenty, thirty, etc, this is a kind of, we believe it's a human preference for those numbers.
Last result, I think. I think this is an interesting way to look at the characteristics of the batches, here we picked out three hundred batches, sampled at random, each of those batches had at least one domain flagged as malicious, they are plotted here from the smallest batch on the left to the largest on the right, the number of domains shown in red is the number of malicious domains, the number of domains shown in blue are the unlabelled, so the logic here is that if we presume that these batches are containing domains used for a common purpose, even a big batch where we might have one, two or a small number of domains tagged as malicious, they are probably all malicious, we can do some expansion analysis, if we do that we can see that the numbers increase and we are actually doubling the number of domains.
Very quickly, Brian, I see you looking at me. Conclusions. So what have we found. Batch registrations, we believe we have a method using relatively simple features that is effective at grouping registrations and it gives us some useful information.
Most batches are small, certain sizes appear more frequently, large batches are common for some threat types such as spam and there is a link between abuse rates and batch registration rates per registrar. Next stage of the work, we are really interested in validating this method, we are very interested in reaching out to particularly domain registrars, we want to look at any other reasons that we may be seeing these time bound batches, particularly the possibility of reseller practices, the possibility of these domains and the creation dates coming in in an artificial way which may be skewing our results, we want to look at non‑time bound batches which will expand the analysis to cover a broader range of bulk registered domains, we know attackers, more sophisticated attackers, will do that, they won't register all in a big dump, they may do it programmatically but jitter the registrations and we want to do this on an ongoing basis and ideally expose the results to the community and we are exploring ways we can do that at the moment. So I think that's everything and happy to take any questions.
BRIAN NISBET: Cool, thank you very much. (APPLAUSE.)
BRIAN NISBET: We do have questions. Please.
AUDIENCE SPEAKER: Jim Reid. And RIPE trouble maker. A very interesting presentation, I think this whole field is fascinating because of so many different variables and dynamics that are involved, but for me I think the big problem we are trying to deal with is how can we do something about this problem that's going to have a meaningful impact, it's all very well gathering data about, for example, batch registrations are creating problems and tied to particular registrars and so on, there doesn't seem to be any enforcement mechanism and accountability mechanism and I think in my view it should be the focus, I think the question for the ICANN community in general and ICANN as an organisation, what are you going to do with this data, I can remember previous studies around this kind of thing, one of my colleagues was involved in that kind of activity and he said there was a handful of registrars that were responsible for the bulk of the domain abuse, but nobody ever did anything about those particular registrars and I think that perhaps goes to the heart of the problem, who is going to grapple with those particular issues.
SAM CHEADLE: Yes, thank you. I think I totally agree, I think the stage of this analysis is currently, it's quite early stage so we are trying to validate this particular method. Once we are, and the community is, satisfied with the results it's producing, then I think I agree that the kind of pushing it in that direction of incentivising registrars, maybe publishing results, looking at those kind of mechanisms, that's the direction it is going to go in but we have to make sure we have a solid algorithm and a solid piece of analysis in the background.
JIM REID: That's very welcome and encouraging to try and do this, but wearing my cynic's hat, I am not at all cynical, I think there's going to be, it's like a game of whack‑a‑mole, when you whack down one registration practice which leads to bad things, the bad guys move to another and another and we'll be doing this forever.
BRIAN NISBET: OK. Yes? I can see you hiding.
AUDIENCE SPEAKER: Jan... one question, one comment. How quickly can you go and do this... analysis, let's assume ideal world where you have a string of data and you get information in a matter of minutes or hours, how quickly can you do these... signal up that's a bad patch of domains.
SAM CHEADLE: Good question, I didn't describe the timeframe of the data collection, we have a centralized data source for gTLDs, we don't receive that quickly post registration unfortunately, I don't think that's going to change in the near future, we are looking at other data streams, particularly CT logs, as a way to grab the newest observed domains and the newest registrations, and then we can take it from there so yes. That's a very good point, we are trying to speed up that detection.
BRIAN NISBET: We are running very short on time. So if...
AUDIENCE SPEAKER: The observation is do you have any ccTLDs on your list, you are saying TLDs and it's like oh, TLDs...
BRIAN NISBET: The first slide that I read out said gTLDs.
SAM CHEADLE: I may have missed the G in some of the slides, all of these were gTLDs.
BRIAN NISBET: Three people quickly.
AUDIENCE SPEAKER: Just quickly, research great but you know, publishing this is effectively giving the bad guys a way to avoid it, they are going to change their behaviour and do something else instead, picking up on Jim's last point really, it's like oh, you are looking for that, are you, we'll do something different, it's just a comment.
AUDIENCE SPEAKER: So that point, yes, but put friction in, make it harder, there's a nice piece of research came out of the last E SR meeting which was able to identify reliably DGA registrations which probably ties in with the batches, it might be quite nice to link those two pieces together at some future point, just a suggestion.
SAM CHEADLE: Yes, definitely and the preliminary analysis we have done trying to pick out DGAs shows there's a stronger link with abuse and those batches with DGA properties.
AUDIENCE SPEAKER: Have we thought about instigating a transactional tax to cover the cost of mitigation of this type of process?
SAM CHEADLE: I am not aware we have, sorry, could you repeat.
AUDIENCE SPEAKER: A transactional tax on registered things, a number like two dollars or something like that.
SAM CHEADLE: For just in general or for particular types of registrations such as batches?
AUDIENCE SPEAKER: To mitigate the problem.
BRIAN NISBET: OK, don't, yeah. Who of you can take that outside. Thank you very much, Sam.
(APPLAUSE.)
OK. And yes, so, we are essentially on time at this point in time.
Is there anything that anyone is desperate to say for the last 90 minutes? Otherwise I am not seeing anyone come to the mic? I will take that as a no. I will say that we just had, before I forget, just briefly, the RIPE PC election has opened, there's a button on the front of the RIPE90 web page to cast your votes for the PC election.
And just a reminder on this evening's social, there are no buses to the venue, it's, roughly speaking, at an average speed an 18‑minute walk from the venue and taxis are remarkably cheap in this city anyway. Yes, there are no buses this evening and the social starts at nine.
So from the point of view of the security working group, if anyone has any agenda items they would like to share, you can send it to us now to the chairs address and we'll obviously be putting out calls. And I look forward to seeing you all on the mailing list and in Bucharest in October.
Thank you to all of the support people who are doing all the various things for the meeting and to my co‑chairs and to all of you. Thank you all very much.
(APPLAUSE.)