2008.02.19 NANOG 42 Law enforcement interaction with nanog

Three more to go, yay!!!


Paul Ferguson, Trend Micro: Law enforcement
engagement and response handling, NANOG engagement.

Not geared towards just ISPs who are bitshippers;
some issues will overlap into their areas.
This is a subset of slides for an anti-phishing
talk to be given in Tokyo.

Mostly the issue is in EU, Asia, where contact
information for responsible party is incorrect
or outdated.

Problem--web threats have moved from highly
visible media events to financially motivated
threats. Attacks on infrastructure are waning,
mainly just kids being pissed off, or someone
with a grudge. The true financial attackers don't
want to lose connectivity, so infrastructure
DoS attacks are contraindicated.

Not just Windows; now hitting Linux and Mac
as well, aiming to compromise Linux servers.
You end up with thousands of compromised
websites infecting more and more machines.
Used for click fraud and other financial

Notifying the victims as well as notifying
the users, two different challenges.
Contacting the owners of the IP space on
both ends is tough.

Large rise in misconfigured, rogue DNS
resolvers; many sitting on compromised
boxes, on home connections, etc; boxes
will resolve anything, possibly incorrectly;
estimated 300,000 compromised DNS servers.

Threat vectors now moved to web; Google
finding 180,000 web servers serving
malicious code in their crawls.

Even trusted websites getting used to source
malware. Government sites/city/county are
targets as people trust them.

Primary goal of a security company is to protect
the customer; they have staff who implement
honeypots and sandboxes, reverse-engineer binaries,
incorporate new AV signatures, etc.
They try to notify owners of compromised sites, but can't
handle that for 75,000 servers.

Secondary goal is to actually find the criminals;
so very few staff who work with law enforcement
agents, work with national CERTs/CSIRTs, etc.
Stuff massively falls through the cracks.

abuse@ is falling through the cracks more and more

Don't dumb down the language used; this isn't just
'cracking', this is criminal activity; serious
moving of money from account to account, using
moneygrams, western union, and Xboxes.

Some of the activity now is more properly organized
crime; the internet is a success, as the activities
of the real world have moved online; the criminals
follow the money, and the money is now online.

Much unwanted traffic is actually backscatter from
criminal activity.

There's enough low-hanging fruit to make this a
multimillion dollar a year industry for them.
Many criminals operating in the open, as there's
not enough resources to track them down and
stop them.

Goal and desired results:
better two-way communication for all stakeholders:
law enforcement;
NGOs (non-government organizations);
national and organizational CERTs and incident response teams.

We're up to 700+ registrars, so it's getting harder
and harder to track people.

Hasn't been much backlash against it, as credit card
companies are eating the losses; but some areas are
making customers more liable for losses, and bank
may reserve right to investigate your PC to make
sure it is kept up to date, or you may be liable
for the loss.

Trying to work with the unwitting middleman between
criminals and the victims.

Need to get better reporting mechanisms for cybercrimes,
engage the ISPs better at picking up the ball; if we
don't police ourselves better, we may find ourselves
getting stuck with having the policing forced on us.

For NGOs, already have some piecemeal relationships
in place. FIRST.org affiliate list of CERTs/CSIRTs
as a baseline is a good start.
When an issue comes up, start trying to contact
people up through the contact lists; worst case
scenario is having to publicize the issue to try
to get in touch with people.

Use the FIRST.org list--it works!

ISP and network operations engagement is not an
easy path, but it has to be done.

Biggest challenge is that internal processes are weak;
domain information is often completely incorrect.
Discipline is everything, and a disciplined process
is crucial.

Registry info (RADB, RIR, RIPE, ARIN) tends to be
pretty good, as that's a registry of resources.

NANOG is uniquely positioned to take a leadership role
in trying to get these principles adopted.

We're on a good path, but there are lots of course
corrections; we see the threats in near realtime,
the same compromise showing up on tens of thousands
of webservers all over the internet; many .gov
and .edu sites hosting malicious code, fake Canadian
pharmacies, etc.

Need NANOG community to act as one voice with
internal engagement.

Is this the right way to take action? Do people
prefer to handle things this way?

Q: Carl at mike notes that "bulletproof hosting"
is a red flag--beware of it.

Q: There's a set of at least 5 ISPs in the US
who are very black, who are *not* helping in
our efforts in this war; why are they still
allowed to advertise routes on the internet?

Q: Mike at the mike, from Cisco; from NIAG,
the idea was to have a /security page on each
webserver that told you how to contact people
at a company when there's an issue, as now
root@, hostmaster@, and abuse@ are generally
black holes.
What we're really lacking at the moment is
process; how can you make sure that contacts
are reachable?

Q: Port scanning: if we're considering that
'criminal', why not also come down hard on
the copyright violators?
In Finland, there are criminal cases from
banks against port scanners.

We're 13 minutes overdue, so hold rest of
questions for later.