Hi,

As far as "taking down" bulletproof hosting, that is very hard to do as they often operate in jurisdictions where it is easier for them to run their business. RIPE NCC only allocates blocks of IP addresses to LIRs, which in turn LIRs allocate to end users. There have been cases where the LIRs themselves are cybercriminals that exploit this to get addresses for their activities. There are other entities that do flag these blocks in an attempt to make the internet safer by flagging these IP blocks and even entire ASNs.

I think the most important thing to note is that at the end of the day no one "controls" the internet. And RIPE's job is to coordinate these blocks of IPs assigned to LIRs/ISPs and maintain an up-to-date database of all these allocations. RIPE is not in any way an ISP; they don't have insights on the traffic of the internet, including the IPs they assign (RIPE does operate RIS but it's out of scope for this topic).

One of the entities that specializes in flagging and trying to bring down these criminals is Spamhaus (https://www.spamhaus.org/). There are more, but I personally use the Spamhaus blocklist so I'm randomly quoting this one.

It is also important to understand that RIPE will only revoke addresses if the LIR is going against RIPE's policies. Since RIPE covers many regions and jurisdictions, it makes the job much harder. As far as I know, sending SPAM email and other types of bulletproof hosting activities is technically not a RIPE policy violation. Providing false contact information and false documentation to obtain number resources is a policy violation.

RIPE must always maintain a very neutral position in all of this, and as you mention a Netflix documentary (I'm assuming it was "Cyberbunker"?) where they were in fact a LIR, those addresses were not revoked, but rather sold to another company. The documentary reflects this.

Also, RIPE provides registration services for these LIRs. Nothing else. Without RIPE's job you wouldn't know who was controlling these blocks, including abuse contacts.

If you cannot get in contact with a LIR through an abuse contact, then you can contact the registrant's local authorities. If such an entity does not exist, then this is a policy violation and the LIR account will be revoked, including the IPs registered to it.

I personally blame ISPs involved in providing connectivity as they probably are aware of weird traffic patterns (such as IP spoofing), and might be contacted every once in a while as to why they are providing connectivity to these other, smaller, ISPs.

Also I believe that some of the activities you described happen on the "Tor" network, the .onion websites, which are a bit out of scope here.

At the end of the day, there is very little RIPE can do about this. As I mentioned in my other email, IP leasing happens a lot nowadays with the IPv4 shortage, so revoking a LIR account or addresses that were used for these activities wouldn't even punish the scammers. You would be punishing an ISP that allocated addresses to scammers. And I think you can see where the legal fights begin: RIPE does not want to be sued by ISPs.


Best regards,



Tomás Leite de Castro


On 2024-01-17 23:00, OSINTGuardian wrote:
hi tomás,

thanks for answering me

I understand that RIPE NCC's job is not to monitor the internet, but
unfortunately criminals see that they do not get consequences and
decide to join the bulletproof hosting business. People financed by
organized crime see this as a business opportunity.

and hackers, pedophiles, scammers, drug dealers, arms dealers and
other people see an opportunity to be a customer of these bulletproof
hosting. criminals see that they get no consequences for doing this
and make a lot of money.

If RIPE NCC creates an abuse team that monitors that no one uses RIPE
NCC as a form of business model to create bulletproof servers to sell
to criminal networks, the Internet would become a cleaner place.
It became a business model to ignore abuse reports sent by email to
hosting companies.

There is a wiki on Wikipedia about bulletproof servers that describes
the same thing, documentaries on Netflix and series that explain how
criminals do illegal activities on the Internet using bulletproof
hosting. If there is no prompt action against this, the only one who
will benefit is organized crime.

What can be done against a person who operates a bulletproof server?:
From what I've noticed, you said that restrictions apply to LIRs. How
do they punish people who operate bulletproof servers? And what to do
when someone has a lot of evidence that a person operates bulletproof
hosting and uses it to sell services to dark net criminals?

I myself spoke to bulletproof hosting owners, and they feel totally
immune and untouchable. They feel that no one can do anything against
them, many of them are in countries with few laws regarding the
Internet and they abuse this, what resources are there to combat this?

or is there nothing to do?
On Jan. 17 2024, at 6:05 pm, Tomás Oliveira Valente Leite de Castro
via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

Hi,

I have been wondering for a while about this same issue. And I guess
there are both pros and cons about RIPE providing registration services
to such IP addresses.
As you've stated, contacting them most of the time is useless. But most
of the cases these IPs are blacklisted or on DROP-lists (spamhaus for
example)

I believe RIPE NCC's job is not to police the internet, but to provide
registration services. However RIPE should guarantee that the
registrant's data is correct and up to date. This includes a proper
abuse contact.

As for bulletproof hosting, it is in the best interest of the Internet
that these IPs remain duly registered. There are many cases where the
original registrant might not even be properly aware, or at fault when
such activities happen with their addressing.
The most effective action is to contact the upstream ISPs and cut their
connectivity.

If such a system would be implemented by RIPE, I think it should be
oriented towards making sure the abuse contacts are up to date and
reachable. Rather than to police about the use of the addresses. As
ultimately the connectivity for such activities is provided by ISPs.

I do see the analogy you made with ICANN but registering a domain on the
internet is much more reachable to everyone when comparing to IP space,
when most of that space is reassigned from upstream ISPs. Also addresses
are assigned in blocks, when domains are assigned individually.

Please understand that I don't condone at all bulletproof hosting or
such activities in any way. In fact it should be stopped. But the most
effective action is likely not from RIPE to just deregister such
resources when abuse happens or when an abuse contact is incorrect. It
is worth noting that RIPE does apply restrictions to LIRs that
repeatedly cause issues, and this includes falsifying contact
information.

I think this is worth discussing if more restrictive actions should be
taken towards such LIRs where illegal activities such as bulletproofing
are the main business. But I'm worried about RIPE NCC's ability to
verify on abuse that happens on the internet.

Best regards,

Tomás Leite de Castro

On 2024-01-17 19:52, OSINTGuardian wrote:
hi,

There are more and more bulletproof hosting in the world every month
and they are causing more and more chaos, feeding the dark web by
providing servers to criminals of all kinds who use the servers on
.onion websites in Tor and flooding the clear web with illegal content.

There is a bulletproof hosting market that is even openly promoted, it
is as easy to find companies that provide bulletproof servers as
searching on Google, hacker forums or simple internet websites that
provide lists of bulletproof hosting companies.

The business model of these companies is to ignore reports of abuse of
illegal content, to look the other way when someone uploads illegal
content. This is openly their business model, what does RIPE NCC do
about this?

RIPE NCC provides IP addresses to many of these companies with
bulletproof servers that are then used by criminals on the Internet,
strengthening organized crime.

ICANN publicly has an abuse reporting form, where users can report if
a company provides bulletproof domains or ignores abuse reports. If
RIPE NCC did this same thing, the internet would become a better place.

If RIPE NCC did this and also other IP address accreditors, they would
greatly affect criminals on the Internet and therefore the Internet
would become a slightly safer place than it is today. Bulletproof
server companies would be afraid of being caught by RIPE NCC
committing these violations. Unfortunately, these companies currently
feel enough freedom to do this, that they even show themselves
publicly.

Is RIPE NCC planning to do anything against this?

- Claudia Lopez
OSINTGuardian

--

To unsubscribe from this mailing list, get a password reminder, or
change your subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
