Anti‑Abuse Working Group session
27th October 2022
9 a.m.

BRIAN NISBET: Hello, good morning to you all. So, did you miss me? No. I am Brian Nisbet, one of the co‑chairs of the Anti‑Abuse Working Group, and with us in the room we have Tobias in effect the co‑chair, fortunately Marcus de Brun can't make it to this meeting, which I couldn't do in Berlin, I missed you all terribly but I am very glad to be back here now.

What exciting things are we doing today?
So, standard admin, thank you to the NCC scribe and chat monitor, and obviously the awesome technical people from NCC, Meetecho and our technical company at the back, without whom I would just be shouting at you all and directly hoping you can hear me which is difficult on the Internet. Thank you to our awesome steno people of course who are the best.


BRIAN NISBET: Remind you all that this Working Group both in physical session and the mailing list is prided over by the RIPE Code of Conduct, there is a better phrase than that, but it's nine o'clock in the morning, so please be aware of your interactions with people.

You can rate the talks and presentations and discussions that we have here if you so wish, via the RIPE 85 website. It's not the same as the Plenary but it's useful to get some idea of what people think.

That's all the most of the admin trivia. The minutes for RIPE 84 were circulated. People seem happy about with them on the assumption that people are still happy with them we will approve them and go on about our business.
Seeing nobody rush to the things or ask questions in Meetecho we will assume that's all good.

The agenda is up online, it was circulated to the mailing list, is there anything that anyone would like to add think point in time? The Chairs have cunningly added something to the published agenda but we'll get to that in a moment. No?

So, update:
Recent list discussion, there hasn't really been a lot of it, there should be more. Talking is nice, I mean I don't think there is anything particular we need to discuss from that that we're not talking about elsewhere. But again, if anybody wishes to bring anything up, now is a good moment to do so.

And again, seeing nothing, what we're going to do is I hope that Gerardo has got his mike and his camera working, as he is ‑‑ presumably find it very difficult to run the quizzes from real life, so he is joining us on Meetecho to discuss the update on the RIPE NCC anti‑abuse training webinar. Gerardo.

GERARDO VIVIERS: I cannot see unfortunately, but I can imagine the large crowds there gathering to hear me.

BRIAN NISBET: Hundreds and thousands!!!!

GERARDO VIVIERS: Good morning everybody, I am from the RIPE NCC development department and I'm here to give you an update on the anti‑abuse training.

Let me see if I can share the pre‑loaded slides. Well they were uploaded to the website.

BRIAN NISBET: Just give it one second I think. We just want to see them in the room.

GERARDO VIVIERS: Very well. So, I am going to give you an update on the anti‑abuse training project that we started on the question of the Anti‑Abuse Working Group. I presented at the previous RIPE meeting, explaining what we had done up to then, and so what's happened since RIPE 84, is we started working on the development of the material, and we finished it. We opened it up to the Working Group for review. I got quite some interesting feedback, useful feedback, and of course some questions as to if the length of the webinar was, might be too short, so, we answered those questions as well.

And then we organised an online meeting in Zoom where we wanted to get the green light from the Working Group to say okay, is this approved? Can we go on and start delivering it? And so we did get the green light, and we are really happy to say that the material, the first version is finished and it's in production, and we are really happy with it so I want to thank first of all everybody that collaborated and participated in the project during the development and the review phases, because without you, or we wouldn't have been able to finish this as we wanted to.

So, the thing is, what now? Now that we made the material, we're going to schedule it to deliver it regularly. The first session is going to be in January, so if you're interested in knowing what it's about and how it works, you can sign up if you are an LIR or a member. We're going to gather feedback from the participants to see if what we have set at learning goals have been met, and what they think about the training. We will evaluate and update the material as we go, because as we learn more about what the learners need in order to be able to achieve the goals, then we will, of course, be updating the material.

We also have promised to look into the possibility of developing an EIX learning course further down the line when we get more feedback and when we see that the training is having some kind of impact there.

So basically that's it. And I am open for questions if anybody wants to ask anything.

BRIAN NISBET: So, I have a question. It's Brian. Will you come back and keep us updated on the feedback you are getting and things like that as well?

GERARDO VIVIERS: Yes, if that's what the Working Group requests, we will come back and give you feedback on what has been happening. After we have delivered the webinars a couple of times of course.

BRIAN NISBET: Yeah of course. Any other questions from people? And again, we would say this is I think Gerardo, part of this is aimed certainly at ‑‑ I think it's of interest to everybody, but it's aimed for at smaller LIRs, ones that may not have abuse desks, especially starting out and wanting to make friends and make their way on the Internet, and be decent netizens. So, please, if you know people, if you are talking to them, say please spread the word when this goes live in January. So ‑‑ no questions coming in on chat? No?
So, okay,

GERARDO VIVIERS: My mail is there so if there are any further questions later on you can always reach me.

BRIAN NISBET: That is fantastic and thank you for all the work that you and the team have put into this, I really look forward to see how it goes when it goes public.

GERARDO VIVIERS: Thank you and it was my pleasure.


BRIAN NISBET: So, as you will ‑‑ to sudden we do have a number of people that aren't me talking during the group, however none of them are physically present in Belgrade, so it will be me and my imaginary friends who will be talking to you people, to the people in the screen, but they are all awesome.

So, one of the things, the other kind of update and piece of work is around the RIPE DB Task Force, one of the recommendations, recommendation number 10 was assigned to the Anti‑Abuse Working Group. So I'll just ‑‑ so, this is around publishing the legal address of resource holders. "After weighing the pros and cons and listening to the community feedback, the task force decided not to go ahead with this recommendation as there was no clear consensus.

But, the task force recognises law enforcement agencies need to access this information in a timely manner to be able to quickly respond to criminal activity on the Internet. Therefore, the task force recommendation for legal address is that the community explore alternative solutions. The task force recommends this work be carried out by the relevant Working Groups.

Hi, welcome to the relevant Working Group. So, this is kind of sitting there now, going hi, we should do this. We had hoped, the Working Group Chairs had hoped to have discussed this internally a bit, but, you know, one of them ended up in hospital for a while, a lot of life has been happening for the last few months, and we still plan to talk about it, but we would also like input from you lovely people, and maybe some people who might be willing to kind of get involved in that conversation, if, you know, you can volunteer now, which would be lovely, you can also send us an mail, the Chairs, to say you might be interested in helping out, and really it's just trying to figure out what we can brainstorm initial league and see what we think might be suitable there.

I do note that the level of interaction with the LEAs and this Working Group is lower than I would like it to be and I will be asking the NCC to kind of come back and talk to us a bit more because they haven't an update in a while on their LEA interactions which something they used to do at the Working Group, so I would like to see more of that and get that going again a bit, and this is obviously part of it. One of the two of you can stand up at the microphone now.

NIALL O'REILLY: I am doing the evil thing of perusing my mail while sitting in the meeting, and happily I have come across something in the Database Working Group mailing list, some contributions from a new person called frank Bray deck, which seemed to fit on this topic around what kind of addresses we need and what should be the basis for them.
His submissions to that list may inform the discussion in this group.

BRIAN NISBET: Okay, cool I will admit I am a little bit behind on my reading there. Thank you. Just fire us a quick mail with that person's name Niall just so I don't have to ‑‑ it's in the minutes and the steno as well, but so we don't forget. Please.

AUDIENCE SPEAKER: Peter Koch. Good morning Brian and everybody. Nobody is awake, sorry. So, I have been a member of that now dissolved task force and I'll say again what I said on another occasion and of course I don't speak for the task force, the task force doesn't exist any more, so on and so forth, but I just voice a moment of caution because there is A, or maybe two reasons that there is a plural in relevant Working Groups, which in this particular case might mean that there are multiple Working Groups that ought to discuss a particular issue you because from my percent it doesn't make sense that if we have this stakeholder group thing that the needs, desires actually, not needs, of one group are discussed in one Working Group and then the people having to deal with it are mostly assembled in another Working Group and that's been a theme that we have been confronted with a couple of years now and just warning against claiming that this, or any other Working Group is the one, right. We need a bit more interaction there. Thank you.

BRIAN NISBET: You are absolutely correct. And what I ‑‑ I suppose what ‑‑ and that, yeah, better explanation is good. We have been asked to I suppose lead on this, but not go off on our own and do our own thing and absolutely there is a bunch of other people that need to be involved in that. So thank you Peter for making that very clear, it's not ‑‑ we do not wish to do any solo runs because it's all a very integrated thing, or turn around to someone and go hey we're just going to lob this piece of work over the wall to you, like we have been accused of in the past so. Let's not do that again.

But yeah, no, absolutely.

AUDIENCE SPEAKER: Hi. Before I think that maybe before focusing on LEA and legal address and all sorts of terms that are ambiguous and there is no one definition, like, do we know what we are talking about? Like when we talk about law enforcement agencies, do we actually mean like what do we mean by law enforcement agencies? Are they like the only ones based in Europe or in our countries? And then also when we talk about legal address, which jurisdiction are we talking about? And then when we talk about criminal activity, what sort of criminal activity are we talking about? So these are like the things that I think that this recommendation on its own is very ambiguous, and we need to like discuss what we really need to tackle and provide alternative solutions for, especially when I don't know if cooperation with LEAs is even advisable, but maybe they should think about alternative ways themselves as well.

BRIAN NISBET: So, certainly from the ‑‑ and I am not going to attempt to answer for the entire RIPE community here, what I can talk about is the experience of interconnection with law enforcement over the last. So we're talking about the legally empowered agencys in a state which is in the RIPE service region.

Now, the laws of those vary hugely. 71, 72 countries, there is a huge variance in the legal structures, the culture, everything, you know, there. And it's not an attempt to make a one size fits all. It's also not an attempt ‑‑ certainly from my point of view ‑‑ there is no attempt to go okay, you get super special access. All of the rules, all of the pieces that Athina and other people have talked about around court orders and the traps reports that are there are absolutely there, and this is not a one way street either, law enforcement absolutely has to engage to work on this as well, and there is ‑‑ and I am not sure where these activities are at the moment but the NCC used to do and presumably still does a bunch of training on how to interrogate the database for law enforcement using exactly the public information that everybody else can access.
It's tricky. There is no two ways about it. But, when we talk about that, what we're talking about is the law enforcement agencies in a member state, but remembering that all of the legal framework around this is the NCC is a company based in the Netherlands, and that's the legal framework under which the NCC operate. So I don't know if that answers fully your question, but they are the definitions we're talking about. But it doesn't mean that there is no attempt to give, out with a court order which is recognised appropriately in the right jurisdictions, any sort of access that you wouldn't be able to get by logging onto the database as a citizen of wherever. Does that answer any of your questions or...

AUDIENCE SPEAKER: It does. It's just that well when ‑‑ well I'm just going to be blunt about this. Some countries in this, in RIPE service region, the law enforcement is actually human rights violators, to, I think that we need to think about talking about access and corporation with law enforcement very carefully, and acknowledge this issue. But I get that this has been like the talk of the community for the past 15 years, but it's never too late to bring it up.

BRIAN NISBET: Thank you. Peter, do you want to say something? Or...

AUDIENCE SPEAKER: Hi, I am Marie ace Stafyla, senior legal counsel from the RIPE NCC and I was also part of the task force. Just to give a little bit of more context here.
This recommendation from the task force was a follow‑up from a policy proposal that was admitted by Europol a couple of years ago, I don't remember when, when they had suggested that the legal address of the resource holder should be part of the ‑‑ should be visible in the RIPE Database, so that these would help them find ‑‑ it would help them with their investigations. So, as part of the task force, we analysis whether indeed the legal address should be part of the resource holder around this was the recommendation that based on the feedback that we had heard during the period of task force, we could not come up with definite outcome on whether indeed there is a value for that for the community to be there.
And indeed, what Brian mentioned, as the RIPE NCC, we have procedures based on what we supply publicly available and not publicly available information. If it's public it's publicly available for everyone. If an LEA comes with a legally binding order for us we have to comply with it. If it does not come with a legally binding order, then we can only point to publicly available information, and I am talking about Dutch and non‑Dutch LEAs.

BRIAN NISBET: I think it's fair to say there is a page on the NCC website which puts all this out and puts the transparency report. And I think it's been an interesting theme so far of this meeting around newer people at the meeting and things, so we need to communicate this more clearly, we need to talk about it more regularly, so thank you for that.

AUDIENCE SPEAKER: Thank you for the feedback.

PETER KOCH: If I may? This is Peter again. So from memory in the discussion in the task force, in addition to their clarification that Maria kindly provided, and to trigger something that we will be painfully aware of already is that we have a kind of false dichotomy between Dutch court order gives you whatever the RIPE NCC has and whatever the court order says they should give out, versus making this all public for everybody in the world, right. That's the issue here, and of course the elephant in the room that I was pointing to is the Whois discussion in the domain name world and so forth. So I am wondering what this particular Working Group could do in that case because that's something that needs to be discussed, or that touches more upon RIPE NCC internal procedures than any particular quote unquote need or operation or detail that could inform this. The false dichotomy is something that we content get around here. Thank you. And of course I'm biased.

BRIAN NISBET: Thank you. I don't know the answer to these questions which is why we're standing up here asking the Working Group ‑‑ and then the wider community.

AUDIENCE SPEAKER: Hi, Tobias, I have a comment from Mick Begley in the chat. He says the NIS directive coming hard and fast for Europe has two pillars around data accuracy and data access requests that should also be considered.

BRIAN NISBET: I think somebody said there was the first mention of NIS 2 at some point yesterday and they couldn't believe ‑‑ possibly yourself, I knew I read it on a wonderful Twitter account somewhere ‑‑ yes, it may be a whole wonderful new brave world.

Okay, so I'm going to move on from this. We're not under a huge amount of pressure to do this, but it's something that, you know, it's there, we do need to talk about it. If people would like to be involved in that conversation, please drop us an mail, we'll see, we'll get, you know, more stakeholders involved, more Working Groups involved, and, you know, who knows what's going to come out of that? There is always an option to do nothing. There are also options to do other things, so we'll have to see, but it's there and it would be wrong of us to ignore it, as the task force and the RIPE Chair has asked us to look at it.

Okay, I'm going to move on, in which case, and ‑‑ so, now, we have Patrik, hopefully, on Meetecho there, from the German anti‑abuse group Kg Abuse. Patrik, are you with us?

SPEAKER: I am with you. Good morning everybody, I I have been travelling around a lot recently, so I thought I'd skip that and just join you virtually.

I am head of the competence group anti‑abuse at echo in Germany and Marcus asked me to introduce you what we do at the group.

First of all, I thought I'll give a presentation. After a while I gave up on that, and I thought it's probably better that I just start to talk about how the group came to be, and do an historical ‑‑ don't worry I'm not going to go back into the medieval ages ‑‑ to you on how we proceeded, how we stumbled, and finally proceeded for orderly to get where we are today. So initially the group was founded many years ago as second group next to the competence group that deals with mail. And then mail, or especially abuse within that mail became so dominant that it kind of seemed that everybody that ‑‑ everything that happened talked about in the abuse group kind of doubled in the mail group. So after a while the abuse group came to a halt and nobody really attended that any more and then a few years passed and then people found out they still were different types of abuse, obviously. And that's when they resurrected the group, and he that's when I came into the game. I went to one of those meetings and was brave enough to raise my hands when they said we need somebody to lead the group. So I said I'll do it.

So, by the end of that day, I accidentally became leader of that group.

The first thing we did in the group is what I think ‑‑ and we're still not really done with that yet but we have advanced quite a lot ever since then ‑‑ is go from amateur to professional. I take it that most of you take pride in what you do, and with infrastructure people, we are speaking from real world examples, we are the ones who build the roads, we put up signs, we erect houses and that's what we do and we take pride in that and we are very upset when others come and take it down or ruin it or abuse it.

So, historically speaking there are many people I know in the Anti‑Abuse Working Group that have been dealing with abuse and trying to handle abuse, even though they didn't have a mandate from the company they are working for, it's just that they couldn't take it that others were ruining what they had brought up. That brings us to an interesting point because probably if you have been fighting abuse you have also been fighting an in‑house ballot trying to make your management understand that there is abuse, and you should receive funding and a budget to fight that abuse, to make it professional. And people we look at said no, sorry, I don't know, abuse is something very annoying, you know, and actually outbound abuse, that's our competitors' problem, if we have abuse coming from our platforms, it's good for us because unions or competitors, nobody really want to talk about that but that's something that happened and happens meantime.

So one of the first things we did was trying to develop the certifications, why should there be an abuse handling team? Why do you want that? And one of our members was very, very active, he came up with calculations and he was able to show up in calculations and prove that if a customer has abuse on one of their systems, they have to talk to support twice, two times within the contract time. The company will not be able to earn any money with that customer any more.
And he also did measures and he said well, there is nothing I'd really like to talk about but we have to talk about it, we have about 10%, we dedicate about 10% of our resources to abuse that takes place on our platform.
That means people who do abuse, take money from us, they are using our resources, we have to buy hardware sooner, we have to pay more electricity, blah blah blah, all the whole thing. And with those numbers, he went to the, to sea level, he said listen, there is something we should talk about, we have an internal growth market without our competitors, something we can deal with simply by battling abuse. And that marked the day he had a budget because he could prove abuse costs that much and of course it's businesses, they are run by money, so he could prove there is abuse, he could prove at which point a customer would not bring in any money any more, and that was the management said oh, there is something we could do.
The cool thing about that ‑‑ and that particular thing of abuse was, it was abuse coming from the customers and it was abuse taking only place on their own platform, so they had a growth market. So without even fighting or actually spending money or telling the rest of the world that they are better than the customers ‑‑ sorry, competitors, they would simply take care of their own platform and take care of their customers.

So, the cool story is he was able to bring abuse down from about 10% to 0 point something within two years, and the other thing is the churn rate went down because they had an abuse team that actively contacts customers and says listen, we think you have abuse in one of your devices or something, something has gone wrong, and customers, in this particular hard for Germany because Germans are remember the Nazi thing and dictators and some people being over, what do you call it, over interested in your private data, Germans still are very aware of that so when you call and say listen we have abuse on your platform, we are why are you reading my data? This turned out to be not what everybody expected, it turned out that people actually are happy that they are calling them and the churn rate sank. So that's even good for their business, customers are staying with them.

So, we took that as a blueprint and came up with how can you justify your business? Because many abuse departments at many of our members hadn't been there. They had just came to be over the last years, one of the reasons was that we had been able to provide our members with templates to go and look for that, take a look at this here, examine this here, do this maths and this calculation and see if we can go for a budget. So that's part of the work we did in the first years.

Another thing, and that's actually something that's still a work in progress, also due to the nature that there are still new things coming up all the time, is that we asked ourselves what actually is abuse? And then there was an interesting journey because all of the new business, the competence refer abuse or anti‑abuse at the equal goes through all the friend organisation types we have that do business with the Internet. So we have hosters, we have service providers, we have access providers, and so on and so forth, and whatever is abuse is a completely different story to each of those groups. A hoster is probably would say abuse is somebody putting up files for download on a website. If you are a service provider like mail, you probably have ransomware or spam things like that. If you are an access provider you want to avoid people using your bandwidth. Things like that. So abuse means something completely different to different groups. And we have been going through long discussions trying to figure out what actually makes abuse, it's only been recently that incorporation, or may be driven by the instant number groups at eco, we have come up with a table that names different types of abuse and names who probably should be held responsible for that or whom you want to contact if you want to battle abuse.

That's something we have been discussing too. And as you might say, or note, actually we are bringing the business ‑‑ we have been bringing up the business of abuse over the last years from zero trying to make it a professional thing.

One of the things we noted, obviously, is there is quite ‑‑ there is large numbers of abuse out there and if you want to deal with that, it means you need to automate things. So, we have been investigating in frameworks, service providers out there that would help us to deal, battle abuse, as the next thing if you want to tell others about abuse, we have been talking about standardising likes 6 RF and things like that to exchange information that some abuse is taking place. That also has a long history of privacy, so who should know about what? Who may or may not know about what? I feel you because I have been following the Whois discussion in the recent years, and also, we have been talking a lot about processes. For example, just to give a small idea. If you notice you have abuse, or one of your customers is having abuse, the quickest way to inform them would be to send them an mail. Actually the quickest way to inform them would be to would be to send them an SMS but that costs, at least in Germany, has a problem because most of the time we don't know that our customer's SMS numbers and even if they are changing their phones and numbers so often, it's kind of hard to keep track of that. So it's an unreliable path so maybe mail is better, so we try to send an mail. The mail doesn't work, actually it's just an automated process, we get a bounce, that will trigger a print job, so the customer will have an regular mail the next day in their mailbox. Thing about processes and doing this and signing them as has been something we have talked about a lot because obviously if you want to find abuse, it's going to cost a lot because there is a lot of abuse out there so you really need to look at the numbers and find out how can you have great effect at low cost.

And how would I say that? Yeah, one of the things we have, at least in Germany with the politics, is they believe that there is something like the German borders of the Internet and you have to they will them listen, there are no German borders of the Internet, you can't defend Germany at the borders of the German Internet. Actually it only works if you become international, because those who do abuse are international, they use platforms in one country, come from another country, buy data from a third country and things like that.

So, one of the things we have been working on in our group, and lockdown really had a hard impact on that is, we have been visiting different countries with our abuse group every year, and trying to learn and get in contact with the local people dealing with abuse, and trying to work with them, trying to do some networking, get known because you know the day you have abuse on a platform and it comes from a certain country, it really pays to know people.
So that's something we have been doing too.

Now, just before I am going to end, is, recently we have turned to not only battle abuse that is there, but also trying to become better at avoiding being abused, and that means training people, and it doesn't mean only training people, it also means taking care of your platforms systems and trying to make sure everything is up to date, secured, blah blah blah, but I want to go for training people. We are will to work more in terms of awareness, trying our customers ‑‑ trying to tell them what they should not do and what they should do and how they should behave if they think there is something that would be abusive.

Somebody has been doing very good ground work for that is Melanie in Switzerland if you want to search for that, I'll type it into the here ‑‑ it's a project in Switzerland and they are very good at fighting abuse and making people aware of what is going on, especially also by using a language the recipients will understand because we are experts at what we do, but most other people are not, and that is often a communication barrier.

On a professional level, we have also have begun to train our members special trainings like, listen there is a certain situation, this type of abuse has taken place, what is it are you going to do? And then we let them come up with ideas and there is a trainer, takes a look at them, gives a feedback and works with them. That's what we have been doing recently. We are all very, very eager to get back and meet in real life. We will start in our group next year, we're not going to do the October first thing. Because something that has shown over the recent years is that what really makes all of the difference is get to meet people and talk with them because battling abuse is something that requires trust and trust is something that is established when people meet.

Thank you.


BRIAN NISBET: Thank you very much. So just one question that I have, and other people may have questions. You mentioned Melanie there, my quick Googling did not turn up anything other than a lot of Instagram accounts. If you put the relevant URLs into chat that would be really useful. The other thing you mentioned, because the discussion about what is abuse is ‑‑ you know, it's the gift that keeps on giving. But if you have any other materials that your group has, you know, has got that can be shared that might be useful, that would be very interesting.

SPEAKER: I'll share a link with you in the chat later. It refers to a new thing that has gone up by Eco. I'm not sure if it's in English, but anyway, I'll post what I find.

BRIAN NISBET: Just, information is useful.
Any other questions, comments?

AUDIENCE SPEAKER: My system paragraphs ten ‑‑ I have another question. This is my favourite topic. So, I just ‑‑ so a lot of these abuse groups that are tackling DNS abuse or IP abuse usually, in order to create that trust, you need to have a certain level of confidentiality which, in return, affects your transparency. Do you think that transparency in your work is also an important aspect and are you doing something about that so that you won't be as opaque as other abuse groups are, which can result in ‑‑ well not efficiency necessarily, but people not knowing what your processes are in your work and who the members are and how you are tackling the IP abuse issue?

SPEAKER: So, thank you for your question. There is two aspects of transparency. I think there is a level of internal transparency within the group, and then there is transparency to the public. And they are diametral. Actually, the competence group anti‑abuse is just like fight club, whatever happens in the fight club, it stays in the fight club, sorry for pulling that one, but anyway...
Actually, it's an invite group only, and whatever we talk in there stays within the group, and that actually is the foundation enables all members in there to talk about what is going on in their platforms. We're not there to blame anyone. So this is very important.

And then there is the counter interest also by head of eco because they want to bursts I said abuse and tell about all the cool things we have done. Most of the things we do are very touchy and some of the members are not happy at having been public about that because it deals with things, problems they are having on their platforms. So it's an ongoing battle. We don't have a rule for that yet, but it's something that's going on.

BRIAN NISBET: I mean I think it's exactly that, it's trying to find that right balance, because I know my clients will say a bunch of things if they know that nobody else, even we are just going to hear about it and they will say very different things when it's elsewhere.

Listen, I don't think there are any other questions? So, Patrik, thank you very much for your time this morning, and ‑‑

SPEAKER: You are very welcome. Thank you for having me.

BRIAN NISBET: So, we have our third phantom zone 2D presentation now this morning and it's from Johannes Gilger talking about Johannes, are you with us?

SPEAKER: I'll start sharing my screen in a second, I just wanted to say hello, good morning, nice to meet you all. I am a little bit of a newbie if you will, this is my first time attending a RIPE meeting, I actually had to look up what RIPE actually does shortly before the meeting. I was invited by Marcus of the german federal office of security to talk about, so that's what I'm going to talk about today. In the context of abuse, what urlscan is how you can leverage it further than you have been doing it so far and how it might be able to tie into your work flow in terms of manual as well as automated abuse handling.

So that's me. A little bit of background. I am the CEO and founder of, is has been around sinned late 2018 as kind of a community site project, if you will, and then we spun it out into a commercial company in early 2020, and so, that's what I have been doing since full‑time is working on urlscan, both in the community side as well as on the commercial side but obviously today we're just going to talk about the freely accessible community aspects of the platform.

If there is any questions at any point in time, please just interrupt, or put it in the chat, again, I don't know how these meetings usually go, I don't know the etiquette, so if I'm stepping on anyone's toes, please excuse me. This is my very first time.

So, let's kick things off and I'll start sharing my screen so we look at the same thing while we're talking about it.

This should start here on my screen. Yes.

So,, this is what I want to talk about today, this is my baby if you will. Some of you might have already used it, some of you haven't. I'll just describe it as, if you haven't seen it before.

So, what is a Sandbox for websites, that's one way to describe it. Some of our customers have called us virus tool for websites which is another kind of fun way to describe t the idea is very simple. Urlscan is a platform that allows to you analyse suspicious or any URL, any website that you are getting in a structured and safe and repeatable manner. So, let's use an example. Let's say you get an mail and there is a link in that mail and you want to analyse that link and see in a structured way, you can just take that link and put into the urlscan to be scanned right, you can go to the website, you don't have to sign up or anything, put it in the box, you can select a couple of options about this, but we'll get to that in a minute, and then you can just click off the scan. I got the link right, botnet, what is is it? It might be malicious, let's just analyse. And that means there is a browser process running in the Cloud somewhere that is going out to the website, it's opening the website like you would open it on your own device, it will record what the website is doing like which IPs are being contacted, which networks are being contacted, by domains and host names are being contacted, we'll take all of that information, annotate some of information, write back that information to the database and then kind of redirect you to this result for this one time that you have scanned this page. And so, this is the page that we're on right now, this is the result page. This is the URL that we have submitted,, of it redirected to www right dot yet. We can see kind of high level information, compiled from the raw information that we have in the database. This is really just a pretty summary, if you will. What's the primary IP address of the page? When was it submitted for scanning? Where was it submitted from? Some summary information. Kind of the things that you'd want to have at a high level summary. How many IPs were contacted. What's the main IP? Which network is the main IP belonged to, in this case CloudFlare. What's the umbrella rank for the domain. And then we have more information further down, down here, where we have the individual IPs and which networks they belong, to so that's annotated information. We can look at it from an IP level, we can look at it from a most name and domain level, like which host names were contacted, which domains were contacted. How much data was transferred. That sort of stuff. We can look at the full resolution screenshot if we wanted to. We can look at the ‑‑ whether the page was being redirected in one URL to another one, look at technologies that were detected on the page.

So, that's a lot of information to take N right, and usually you don't look at everything. Usually you look at one thing or two things and you have a very fixed set of things that you are interested in,nd it very much depends on your use case. Urlscan is a very generic platform that allows to you scan websites and then what you do with that information is up to you.

So some people might use it already knowing that a specific URL is malicious and they just might want to use it just to get a screenshot or they just want to see is the page still working is it still up, is it at this moment active?
And so, yeah, it depends on your use case and this again, this is the me using the UI but one thing that is one of our guiding principles is that every bit of functionality and every piece of information you can see on this platform is also available as an API. So, if you have figure out this is an interesting kind of work flow, this is an interesting bit of information, you can work with our APIs to do that, right, you can work with the APIs for automatically to submit URLs, to approve those results and then kind of pull out the pieces of information that you might be interested in.

And as you can see, there is even more information right, you can look at individual HTTP transactions because while the page is logo, we record all the individual HTTP requests and responses, we actually store some of these, we hash the content of these responses, so you can search for the hashes later. We look at outgoing longs we look at things like one the javascript variables on the page would give you an indication of whether there is certain frameworks in place for example. We have some really neat features. You can actually download the whole domain re from the page, so there is a load of information, and in most cases you are going to look at just one our two things and already know, oh yeah that's interesting or it's not interesting or I see what I wanted to see..

And if we another example, if you scan another page it would look more interesting because there might be dozens of different host names and networks and providers being contacted just to basically render a single website, and I am sure you are aware of that.

So, how can you use that? What's the whole point of this?

So the point of this platform is that compiling all of this information manually is possible, right, you can do it, but it's a tonne of work, and doing that repeatedly in a structured and kind of consistent way is almost impossible manually, so you need automation, you need a platform to do that, and urlscan does exactly that. In the context of abuse, the way we have seen it used is people and customers scanning websites that ‑‑ or URLs that they don't know anything about, but also customers and people, users scanning websites that they already know to be malicious and so in that way urlscan is just another way of preserving the snapshot of that page because you have everything in one place, this is what the website looked like, these are the IPs that were contacted. And if you scan the page again by the way you get a new snapshot, you can always scan the page like every hour or everyday and see if it changes and even if it's not working any more right now, you can go back and say well here is an historical record, his has been historical scan of that page and by the way this is what it looked like yesterday and this is when the page actually had, I don't know, phishing content on it, right.

So for abuse purposes it's a great tool for archival and documentation purposes.

But, that's kind of the very straightforward use case of using urlscan as a user, right, you go to the website, you put in an URL that you want to submit, you submit T you get back this piece of information, you can share the result of that snapshot with whoever you want to spare it with, that's great. But ‑‑ and so that kind of takes us to the other use case ‑‑ that is just things you are finding, right, they are just things that you are submitting, and one of the major unique aspect of urlscan is that it is a community platform that is used by tens of thousands of people everyday, and commercial customers as well obviously, and all of these people are submitting hundreds of thousands of URLs to us everyday. And most ‑‑ almost, probably all users of the platform and all customers of the platform are not just interested in things that they submit themselves, but also interested in what other people are submitting.

And this is where our historical data comes in because every scan that's performed on the platform is, by default, stored permanently and it's made available through the search Index in the historical scans where you are able to go in and search historical scans for a specific website by dozens of different attributes. Let's go back to the example we had earlier if we scan the website.

We look at this snapshot and it might be interesting to us and it might already answer the question that we have but in most cases if you look at something, you are also interested as kind of the next logical question, you are going to be interested in the context of that page, of that scan. So, given that is the host name, has this host name been seen before? Has it been scanned before? If it has, how did the website look like when it was for example scanned yesterday? How far back does it go? And the host name is just, or the host name or domain are just one of the many attributes that you can pivot on, the same could be said about the IP address, so here is a host name, it's pointing to this IP address, that's great, but has this IP address been seen in connection with maybe other host names? Has it been scanned? Right, and that is a question that our search API, our search functionality allows you to answer.

So we already kind of see a preview here for which says it was scanned more than 1800 times on urlscan. Now we could pivot into the search and look at these previous scans, right, and we can see this one, 48 seconds ago, it's probably somebody on this meeting I guess, and then 4 minutes and 7 minutes, probably all folks on the minutes, one of them would be me, but then as we scroll down we can see holder historical submissions, days and weeks and maybe even years ago, all the way going back to 2016 when we launched.

And so that's one way to kind of look at things, filter for things.

For you, as providers, as platform providers, IPs, again I don't know exactly who is in the audience so I'm trying to kind of find the right angles that are interesting to you. There is also other things you can filter by. You can filter by IPs, like, pivot on IP addresses, and I am trying to find and IPv4 so we actually have something that's a little bit more approachable, but let's use an IPv6 maybe. You could pivot on an IP ‑‑ or you could even pivot on the whole sub‑net that have IP. You could like specify a /24 and then get all the results that are either hosted on that IP or talking to that IP.

You can do the same thing for networks, for ASNs, right, you can go in and say show me everything that is showed on an ASN called CloudFlare. You could do that by name or by number, so if you have the AS numbers you can just put in the numbers as well, that's obviously more robust, I tried some things earlier, German telecom for example, and you get that list of results. And you can still kind of even further narrow that down. You could say show me everything on CloudFlare with a DE domain within the past 24 hours. Okay, so that's like a very limited set of result for that specific combination of filters. And so that would allow to you tap into what other people are submitting to urlscan that might be relevant to you that maybe you want to look at as kind of a feed of interesting things, and by its very nature urlscan has a very high signal to noise ratio. For most people, they submit URLs that they already know to be malicious, and so you will find a lot of malicious URLs that way.

So another aspect I wanted to talk about what why kind of URL, or a platform like urlscan is unique and it's also necessary to combat abuse and especially phishing and things like that nowadays and why this kind of concept of having a publicly accessible repository and database of these things is absolutely crucial, web based phishing or brand impersonation whatever you want to call it. Some of these have been around for a long time and are obvious like oh yeah, I am going to stand up a new domain called CloudFlare fine us secure minus login dotcom, I am going to put a fake page on it and try to attack employees of that company, of CloudFlare for example, and I am using CloudFlare because that was a recent example where they were targeted, and so this is kind of the old school way I am going to get my own domain and then put a phishing website on it. But thanks to new technologies like certificate transparency, and lots of providers doing passive DNS ingestion, it's very noisy, it's obvious, there is other providers that would look at domains and do machine learning detection based on the domain name and then on the age of the domain and they would flag it right, and so being successful with that, it's still possible I guess especially if you are going after smaller players like a small eastern European bank where like frankly, major western tech companies don't care to the same extent they would do with a western company. Yes, you might be might be noisy and you won't stay on for any long.

One other way is you can compromise legitimate websites and then just put your phishing website in a subdirectory, that works really well because if you compromise a good website is has a good domain and IP reputation. I have personally see government websites being compromised and then I mean if you have a phishing website on a government domain that's like winning the lottery right, because no protection tool out there will flag a government domain that's been around for I don't know how many years as being malicious, but you are able to compromise the web press running on that government website, so you could put a phishing website in a subdirectory.

Other ways to do phishing include using legitimate platforms, so one example would be all, basically all platforms, and I am using a couple of examples but it's the same for all of them ‑‑ that allow users to upload users content and host it on the platforms, domains and infrastructures. So, like, Amazon has three, right. You can create an Amazon has 3 bucket and put files into had a bucket and host it on the Amazon S3 domain and that has perfect domain reputation. And nobody in their right mind would block the Amazon S2 domain. The same is truthful I don't know back place, which is another provider, digital OS net is one of them right, and they often have like automatically generated random domain names for these buckets, for these websites that have been put up. But I am pretty sure if we open up one of them, yeah, okay, so somebody put up a bucket and uploaded something, and they are probably using a free tier, I don't know, put in a fake credit card, I don't even know what's going on in that regard and they just uploaded a phishing page, there is no way to take that phishing page down based on the domain reputation or the age of the domain or anything. It's not something that would be numerable because this is not a newly published, probably not a newly published ‑‑ it's not a newly published domain with its own file, it's not like this host name would appear in any certificate because it's probably a wild cut DLS certificate, it's probably also wild cut DNS record, right, so, it's just blending in. And so kind of the only way, the only way to find these phishing pages nowadays is frankly, to be on the receiving end of them, or at the very least, in the middle somewhere as kind of like seeing mails coming knew whatever platform you have where mails are going to employees or the big company and you are able to look at the URLs in those mails. But if you are making about certain individuals the only way to see these phishing pages is you are the actually recipient of that phishing attempt. And we have seen that happen where somebody would submit an URL to us, and it would be a phishing page, and based on the content of that URL, it was very obvious that that specific page was created just for that one individual and the submission was performed by that individual or by someone on his staff, his or her staff, because there is nobody else that would have received that link, that URL to that phishing page. It was really targeted at one high value individual.

And so, it's not something ‑‑ why I said you need this community aspect and you need this open platform because it's not something where you can just say yeah, I am going to build my own phishing detection and throw a lot of money on it and crawl the Internet and Google crawls the Internet and even they are not able to find a page that's put into a compromised web server into a subdirectory unless they already know the URL, right.

This is how you can use Urlscan, and this is probably why you want to use it is to get reports in a structured way, if you find things yourself, but also to look at other people might be submitting. It's very easy to use, it's have I approachable. You don't have to sign up. There is a couple of options that are interesting, especially for abuse purposes, I guess.

The most important one is the visibility. So whenever you submit a page to be scanned on Urlscan, you can just select whether it should be visible to the community or whether it should be private just to yourself. Public means it it's visible to anyone. Private it means it's private just for yourself, nobody else will be available to see it and unlisted is kind of in between where it will be visible to how commercial customers on the Urlscan pro platform but it won't be visible to the community. And the idea with unlisted is that we have a lot of customers that are looking to do with that information, something positive I would say, right. It could be a government entity, it could be an Internet service provider, it could be a software ‑‑ a security company that is company looking to improve its security and detection software. So all of these down downstream customers are trying to take that files of information from Urlscan and do whatever they can with their ‑‑ in their respective business areas, right.

One might be take down, one might be just blocking, one might be detection improvements, all of these different things.

So, keep that in mind. If you scan a URL that you know to be malicious and you want as many people as possible you can put it as public and if you want it to be private, you can choose private.

You can choose where you want to scan the page from as well. So, let's say you have a phishing page and you think well this is really targeted at users from my country, then you might be lucky and one of those countries is yours, right, and you could go in and say let's try to scan it from Spain because I think the page only works from Spanish IP addresses.

But that's really it. There is not too much options. If you do sign up for for a free user account, you get a free user account, you get a little bit more convenience, creature comforts mone thing that you can do is you get a box submission from you get multiple URLs, select the same options, select some ‑‑ the country that you want to scan it from. You can add text to the scan, so you can have something that says like yeah, I think it's phishing so I am going to add a phishing tag, I am going to add a malicious tag and then you could do a bug submission. It's a convenient feature. But another great thing about having a user account, and again you don't have to create one, is, if you submit something while you are signed in, you are able to find those submissions later by using a certain search modify. You can say show me everything I submitted, or if you are part of a team account, my team submitted, and that way you kind of have your private search returnable search results performed by yourself.

So the API, I mentioned the API. Everything we do is available as an API, and there are extensive API documentation about how to use the API in general, how to use the specific API in points, for example for submitting things, for retrieving information, for searching for scans, it's very approachable. There is a separate page just for the search API because it's so powerful. The search is based on elastic search so it will allow you to build ‑‑ perform simple term searches like show me everything for, I don't know,, but also build really complex searches where it would say show me everything for and so and so

TORE ANDERSON: Only in the past 24 hours, and the cans that we index are searchable by dozens of different fields, and really it's ‑‑ it's really crucial to understand what these fields actually contain and how you can search them if you want to be very effective and like do really interesting searches. I mean if you all you want to do is filter by a specific IP or domain, you should be fine, but it still pays off to understand what you can search for and what's contained within these fields.

So, I think I am almost out of time. I think the last thing I wanted to say is, how can you work with us? Just reach out to us via mail if you have questions or feedback. If you want to work with us, collaborate with us, I think there is a lot of different avenues that we could work together. One thing we are personally, or I am personally very interested in is if you, for example, an ISP and you are in a position to work with us to provide certain resources that we might not be able to get ourselves, that would be very interesting for obvious reasons. So, yeah, I don't know, let's just figure out, figure that out, just reach out to me my mail and I think I am going to open up for questions now because I think that was 20 minutes.


BRIAN NISBET: Thank you very much for that, do we have any questions, comments? No. It seems you explained everything very clearly.

SPEAKER: Maybe one more thing, I realised I completely forgot to mention it, but apart from just this generic platform that just gives back the information like this is the IPs that were contacted and the domains that were contacted, we also have a phishing detection, or a branded person impersonation system in place, that's why the majority of customers use us, so we are able to detect phishing and brand impersonation against more than 800 brands at this point, and once you you submit a page to Urlscan that actually has content on it so it's based on the content of the page and we detect it, this is what it will look like. Let's say you get this link in your mail this morning and you submit it and we say yes we think this is malicious and by the way it's targeting ING group, thank you for telling us. And this is a good example because this one says this is the only time this particular domain was scanned or this particular host name was scanned on Urlscan IO, so if you hadn't submitted it it wouldn't have been seen, right. And that's kind of one of the primary reasons for people to use it I guess and I don't know why I forgot to mention it in the presentation. But we have this phishing detection. If you think something is missing, you can report it to us. There is ‑‑ you can send and mail, you can leave something on the page which says I think this is malicious and I think this is, I don't know, phishing or brand impersonation or social engineering or all kinds of other scams, right, and kind of give that feedback back to us, and also back to the bigger community because even if the page is not ‑‑ like what is malicious really lies in the eye of the beholder. Like, yes a PayPal login page, a fake PayPal login page is malicious, probably no question about it but what about a page that is kind of like asking for information from someone. Like is it malicious, is it not? It depends on what's happening in the information and it's not something that you can always automatically determine right.

So just kind of saying that as a closing statement I guess.

BRIAN NISBET: Okay. Thank you very much, very interesting.

I think you did very well for your first RIPE meeting.

Okay, so that's that. AOB? Apparently we have some, please.

AUDIENCE SPEAKER: It's me again. So I thought that for RIPE sessions, the commercial product presentations were not allowed, and we have seen some commercial presentations ‑‑

BRIAN NISBET: So there is no rule, but I mean this is a website which is available.

AUDIENCE SPEAKER: It is not, it is a commercial product. They charge you for all the features that they went through. So, a lightning talk, I wanted to submit a lightning talk I saw this kind of like clause there that if it's a commercial product, you should not submit it. And I thought that that would apply to all the sessions, so I might be wrong, but if that is a rule, then I think that we should adhere to it.

BRIAN NISBET: It's not a rule. It's not something that we're ‑‑ we're not looking for sales pitches and this is something we discussed with has been us before his talk. Awareness of things, there is a ‑‑ this is not something we would have on every session or otherwise, sometimes there are tools which are interested and we talk about them but they are under present it mutually but there is no hard and fast rule you cannot do this. We realise the audience is not interested in sales pitches or otherwise, so it's not something that we are looking for or encouraging and certainly from the point of view of the Plenary, the PC, and I can swap hats a little there, you know, we're absolutely not looking for that.
Now and again in a working group where the Working Group Chairs are free to select their content, we might have something like that. But, you know, it's not something that's going to crop up very often, but there is no, there is no hard and fast rule. But there is community feedback like this which influences the Working Group Chairs in what future people we have talk at the Working Group.

AUDIENCE SPEAKER: Okay. Thank you.

NIALL O'REILLY: I think you have dealt with that more or less completely. I am Niall O'Reilly, I am the RIPE Vice‑Chair. Long years ago I used to be a working group Chair, and it was made very clear to me in those days by the then RIPE Chair that RIPE doesn't do endorsements. RIPE doesn't take sales pitches, but RIPE has always tried to allow the community to be made aware of interesting products, whether commercial or free open source or whatever, because we need to know about ‑‑ we need to know about the technologies to be informed to do for each of the attendees to do their job. So, just to complement what you have already explained Brian.

BRIAN NISBET: Thank you and I could be very clear that neither Tobias myself or Marcus received any private jets or yachts or anything else to allow any presentations.

AUDIENCE SPEAKER: I just ‑‑ so, for example, with the products and tools that combat abuse, there are a lot of privacy concerns and a lot of other concerns that we need to address. If they are bringing up ‑‑ if we want to have presentations about these tools, as well as talking about these tools and their features, we have to also talk about how they affect privacy and how they mitigate those issues. So, in the future, if we want to know about all these great tools that are out there, commercial or not, probably it's good to also have an aspect of how do you also balance these rights that people have and it might be impacted by using that tool. Thank you.

BRIAN NISBET: Okay. Thank you.

Anything else, for example?
Seeing nothing, I shall say that we are always open to agenda items for RIPE 86, and, you know, bear in mind this is anything, this is discussion, this is policies, this may be a presentation, an interaction, there is no set format from on high. So, please, if you are interested in presenting to the Working Group, obviously the mailing list is there all the time, but if you are interested in talking to the Working Group, either virtually or physically at a RIPE meeting, then please contact the Working Group Chairs and do let us know.

So, all that remains for me at this point in time is to say thank you all very much for your time this morning, thank you to our speakers, to all the excellent NCC staff, venue staff, and our stenographers, and hopefully we shall see you all in Rotterdam, I believe, in the spring of next year. Thank you very much.