HSB - Gert Wabeke - AbuseHUB

AbuseHUB: a Success Story Gert Wabeke Holland Strikes Back event, October 28, 2014 www.abuseinformationexchange.nl

description

At the end of 2013, the Abuse Information Exchange association set up 'the AbuseHUB'. This system centrally processes information about botnet infections in the Netherlands, with the aim of detecting infected computers faster and helping internet users better and faster when their computer is infected with a virus.

Transcript of HSB - Gert Wabeke - AbuseHUB

Page 1: HSB - Gert Wabeke - AbuseHUB

AbuseHUB: a Success Story

Gert Wabeke

Holland Strikes Back event, October 28, 2014

www.abuseinformationexchange.nl

Page 2: HSB - Gert Wabeke - AbuseHUB

Association with major assets

§ Community of AbuseDesk experts sharing knowledge on how to detect, inform and support customers more efficiently

§ System (AbuseHUB) that collects, correlates, and distributes abuse notifications to Abuse Desks

Powerful and concrete mechanisms to enhance internet safety and increase the overall abuse handling maturity level

Page 3: HSB - Gert Wabeke - AbuseHUB

Scope

Source: http://pineut.wordpress.com/2013/04/13/botnet-aanval-op-wordpress-com/

Out of scope

AbuseHUB collects, correlates and distributes post-infection information to Abuse Desks.

Members use the information to inform and assist their customers to mitigate infection.

Page 4: HSB - Gert Wabeke - AbuseHUB

[Diagram labels: Removal (decentralized); Information sharing (centralized); Sources; AbuseHUB; AD; RN; AbuseHUB Manager; AbuseHUB Hosting provider; Hosting Center; Legal entity; Abuse Desk process; Customer support]

Page 5: HSB - Gert Wabeke - AbuseHUB

Statistics

§ 4,7 million abuse reports received and processed in September

§ 100 abuse types identified

§ Reports sorted, correlated and distributed to our members' Abuse Desks, covering in total 35 ASNs

Page 6: HSB - Gert Wabeke - AbuseHUB

AbuseHUB’s Notifiers

Page 7: HSB - Gert Wabeke - AbuseHUB

Extending # Notifiers!

§ Notifiers who are able and wishing to share information

§ Requirements

  § Well-defined detection process

  § Machine-readable reports (IODEF, X-ARF, CSV/TSV with header)

  § Must contain source IP and date timestamp (NTP-synced)

  § Using its own detection resources (no 'recycling' of other sources)

Our proposition: we sort the information and distribute it to the ASN owner based on IP address. The ASN owner will take action and remove the (botnet) infection on its network. As an industry collaboration with over 90% market coverage, together we contribute to enhancing internet safety.
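The requirements and proposition on this slide, as an added example that is not AbuseHUB's own code: a notifier's CSV-with-header report is checked for a valid source IP and an unambiguous timestamp, then each report is sorted to an ASN by longest-prefix match on the IP address. The column names, the prefix table, the ASNs and the sample rows are constructed assumptions; NTP sync cannot be verified from a report, so the check only requires an explicit UTC offset.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed routing table: documentation prefixes, private-use ASNs.
PREFIXES = {"192.0.2.0/24": 64500, "198.51.100.0/25": 64501,
            "198.51.100.0/24": 64502, "2001:db8::/32": 64500}
NETWORKS = sorted(((ipaddress.ip_network(p), asn) for p, asn in PREFIXES.items()),
                  key=lambda item: item[0].prefixlen, reverse=True)

# Constructed notifier report; the column names are assumptions.
SAMPLE = """source_ip,timestamp,abuse_type
192.0.2.10,2014-09-14T08:15:00+02:00,botnet_drone
198.51.100.7,2014-09-14T06:20:00+00:00,spam
198.51.100.200,2014-09-14T06:21:00+00:00,botnet_drone
203.0.113.5,2014-09-14T06:22:00+00:00,botnet_drone
not-an-ip,2014-09-14T06:23:00+00:00,spam
192.0.2.11,2014-09-14 06:24:00,spam
"""

def asn_for(ip):
    """Longest-prefix match: NETWORKS is sorted most-specific first."""
    for net, asn in NETWORKS:
        if ip.version == net.version and ip in net:
            return asn
    return None

def route_reports(csv_text):
    """Return ({asn: [report, ...]}, [(line_number, reason), ...])."""
    per_asn, rejected = defaultdict(list), []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            ip = ipaddress.ip_address((row.get("source_ip") or "").strip())
            ts = datetime.fromisoformat((row.get("timestamp") or "").strip())
            if ts.tzinfo is None:
                raise ValueError("timestamp has no UTC offset")
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        asn = asn_for(ip)
        if asn is None:
            rejected.append((lineno, f"{ip} is outside every member prefix"))
            continue
        per_asn[asn].append({"ip": str(ip), "type": row.get("abuse_type") or "",
                             "utc": ts.astimezone(timezone.utc).isoformat()})
    return dict(per_asn), rejected

if __name__ == "__main__":
    routed, rejected = route_reports(SAMPLE)
    print(routed, rejected, sep="\n")
```

Rejected rows keep their line number and reason so they can be returned to the notifier instead of being silently dropped.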

Page 8: HSB - Gert Wabeke - AbuseHUB

Members

With startup funding from:

90% of fixed internet access in the Netherlands | 70% of the Dutch domain name market

Page 9: HSB - Gert Wabeke - AbuseHUB

Extending # Members

§ Open to everyone who wants to enhance internet safety

§ Requirements

  § Own Autonomous System (IP address space)

  § Demonstrable abuse policy

  § Members also act as a Reliable Notifier

  § Annual contribution (keep system afloat)

Our unique proposition: we enhance the maturity level of your abuse handling processes through (1) a one-stop-shop with high-value information on botnet infections and (2) a community that will enable your staff to further develop their skills together with their peers.

Page 10: HSB - Gert Wabeke - AbuseHUB

Q&A

Vereniging Abuse Information Exchange, Overgoo 13, Postbus 262, 2260 AG Leidschendam, The Netherlands

www.abuseinformationexchange.nl