From YouTube: IETF 115 IRTF Open session
Description
The Internet Research Task Force (IRTF) Open session, including Applied Networking Research Prize (ANRP) presentations, will be held during IETF 115 at 09:30 UTC on 9 November 2022.
A
The IRTF follows the IETF's intellectual property rights disclosure rules and, as a result, when you're participating in this meeting, a reminder that you must disclose any patents or patent applications that are owned or controlled by yourself or your sponsor and in the IRTF. We expect such disclosures to be filed in a timely manner, a period of days or weeks rather than months, and the slide has the references to the full details of this policy.
A
In addition, a reminder that we make recordings of these meetings available. The meeting is being streamed live, going out on YouTube, and the recording will also be available on YouTube after the meeting.
A
Of the presentations obviously you'll be recorded. Similarly, if you're participating online and you turn on your camera or your microphone, you're giving consent to appear in the recordings. As I say, this meeting is being recorded and being live streamed.
A
A reminder that any personal information you provide will be handled in accordance with the privacy policy, and also a very important reminder of the code of conduct and the anti-harassment procedures, and a reminder that you agree to work respectfully with the other participants.
A
If you have any issues with that, please talk to myself or contact the ombuds team, whether it's in this meeting or with the IETF or the IRTF in general.
A
If you're attending remotely, please make sure your audio and your video are off unless you're explicitly asking a question. If any problems with the technology, there's a URL on the website, or send email to support@ietf.org.
A
Final reminder: as a COVID safety measure, the in-person participants in this meeting and in the other IETF-controlled rooms are required to wear FFP2/N95 masks, with the exception of the chairs of the meeting and the presenters who are standing in the front and actively speaking. I think for this meeting, it is also permitted to remove your mask briefly while asking questions from the microphones.
A
For everyone in the audience, you are required to wear your mask at all times.
A
All right, so the goals of the IRTF, and this is an IRTF session rather than an IETF session. The goals of the IRTF are to focus on some of the longer-term research issues. We're here to think about where things might be going, to discuss some of the bigger picture issues, the longer-term issues, perhaps as a way of feeding into the standards process that the IETF is doing, perhaps as a way for the research community to learn from the standards process in the IETF and learn from the experience of the people in the IETF community.
A
The IRTF is a research organization. We don't develop standards and, as a result, while we can publish informational or experimental RFCs, the primary outputs from the IRTF tend to be more in the form of research papers than in the form of RFCs.
A
The IRTF is organized as a number of research groups. The slide here shows those; in light blue or gray are either not meeting or have already met. The ones highlighted in dark blue here, the Path Aware Networking Research Group, the Privacy Enhancements and Assessments group, the Measurement and Analysis for Protocols group and the Human Rights Protocol Considerations group, are still to meet later this week. So please do consider going to their meetings.
A
A little bit of research group news. I'd like to extend a welcome to Simone Ferlin and Michael Schapira, who have recently joined as co-chairs of the Internet Congestion Control Research Group, joining Jana Iyengar, who's been chairing that group for a number of years. So thank you very much to Jana for his service over many years, and I very much look forward to working with Simone and Michael, and thank them for their willingness to serve going forward.
A
In addition, we have a couple of side meetings tomorrow which are discussing work which might form potential new research groups, and you may have seen some email I sent to the attendees list and to the IETF discussion list. We've got a side meeting tomorrow lunchtime in the Richmond Six room, and that room has changed from the initial announcement, which will be looking at usable formal methods, and there's been a number of people who've contacted me expressing interest in this, so I think we should have an interesting discussion about whether it makes sense to create a new research group in the space of formal methods and usability of formal methods for protocol specification in the IETF community.
A
Another meeting, which is happening at, I think, 3:30 tomorrow in Mezzanine 12, is a potential, a meeting to discuss a potential research group into researching the Internet standards process, and Niels ten Oever is leading this effort. This follows on from a workshop the Internet Architecture Board organized, I think it was late last year, where a number of people were exploring the data we can extract from the datatracker and the mailing list archives and trying to understand the process by which the IETF develops standards, and understand the shifts in demographics and the shifts in the way the process works, to get some better understanding of who helped set standards and how effective the standard-setting process is. So if you're interested in that topic, please go along to the meeting Niels is organizing tomorrow at 3:30.
A
As I said earlier, the IRTF can produce RFCs. The last meeting cycle, since the summer meeting in July, has actually been one of our more productive cycles for producing RFCs, and I think this is the most RFCs I have to report in the four years I've been IRTF chair. We've published five RFCs in the last cycle: a couple from the intent-based networking research group, looking at intent classification and concepts and definitions for intent-based networking; a couple relating to information-centric networking, looking at integration of ICN protocols with 4G mobile networks and looking at the integration with network coding protocols; and another protocol, looking at network coding and forward error correction and its relation to congestion control and transport.
A
The main focus of today is the Applied Networking Research Prize. The Applied Networking Research Prize is something we organize in conjunction with the Internet Society, with sponsorship from Comcast and NBCUniversal, and we give awards to celebrate some of the best research and best recent results in applied networking, to celebrate interesting new ideas that might be coming out of the research community that might be relevant to the Internet standards community, and to celebrate the achievements of upcoming people that we think might have a future impact on the standards community and the Internet standards and technologies.
A
I'm very pleased to announce that we will be making three Applied Networking Research Prize awards today. It will go to Gautam Akiwate, who is sitting in the front here, he'll be talking about the risks of domain hijacking due to registrar practices; to Corinne Cath, who'll be talking about her ethnographic work on the IETF's culture; and to Daniel Wagner, who'll be talking about DDoS attack detection and mitigation. The papers for these are on the linked website, irtf.org/anrp, and the talks will be happening in a minute, and the recordings will be available on YouTube afterwards.
A
The ANRP is very much dependent on your nominations, and the nominations for the 2023 awards are open for another week or so. So, if you have read any interesting applied networking research papers, if you know of any interesting work, any interesting people that you think would be prize-worthy, please do follow the link on the slide, nominate the papers, and self-nominations and third-party nominations are very much encouraged.
A
All right, sorry about that. In addition to the prizes, we are very pleased to offer a number of travel grants. We have a diversity travel grant program, and for the July meeting we also make travel grants available for the Applied Networking Research Workshop. I'd very much like to thank the sponsors for the travel grant program: Akamai, Comcast, Cloudflare and Netflix. I think this is a fantastic program.
A
If you know of anyone from a perhaps underrepresented group, please do encourage them to apply for the awards, and this is very much a program we're looking to expand. So if you work for a company which is willing to sponsor future awards, future travel grants, please do get in touch.
A
With that, I think that is all I have to say. The remainder of our agenda is the three Applied Networking Research Prize awards for today. First up we have Gautam, who'll be talking about Risky BIZness, followed by Corinne and then Daniel to finish up. So.
A
All right, you should have control. So the first talk today is given by Gautam Akiwate, and I hope I'm pronouncing your name correctly, about his paper on Risky BIZness: Risks Derived from Registrar Name Management. This paper was originally published in the ACM Internet Measurement Conference in 2021.
A
Gautam is a postdoctoral researcher at Stanford University. He completed his PhD a few months ago from UC San Diego, where he was advised by Geoffrey Voelker and Stefan Savage and KC Claffy. He primarily works on the intersection of security and large-scale network measurements, and his recent work has looked at the security of DNS, TLS and routing, and if you find this work interesting, I think you're talking in MAPRG tomorrow. Is it? Yes? Yes, where you'll be, it's something about the impact of the conflict on the Russian DNS, is.
D
There, yeah, like, it's basically us looking at the hosting, DNS and TLS landscape after the February invasion, so it's called "Where .ru?", cleverly enough. So.
D
Okay, thank you. My name is Gautam Akiwate and I'm a postdoctoral researcher at Stanford University, and the only reason that it doesn't make it up on the slide is because I did this work when I was a PhD student at UC San Diego, advised by Stefan, Geoff and KC, who I'm told some of you know. So at a high level, this paper is a story of how well-meaning standards can encourage operational practices that lead to issues and, while I'm primarily going to talk about this Risky BIZness paper, I am also going to sort of, a lot of work has happened after the paper came out and we've worked on some of the adjacent issues, so I'm going to sort of zoom out a little bit and talk about some of the follow-up work that we have done to sort of think about solutions more holistically.
D
The second mystery that we saw was something we called the dropthishost anomaly, and in this we saw that when we were looking at the zone files, for nine years' worth of zone files, we found 33 of the name servers ending in .biz were of the form dropthishost-[random characters].biz, and that was odd.
D
So, as an example, here's an example for yourgadgetnews.com. We saw its name servers, ns1 and ns2 known ub.com, being replaced by dropthishost-[string of random characters].biz, and again we found ourselves asking: why did the name server change? Who changed the name servers? And in this case, given the large numbers, we realized it must be something systemic, like, these can't be typos anymore, and in order to understand this better, in order to understand how these name servers get changed, we first needed to understand how these name servers get propagated.
D
The DNS configuration gets propagated behind the scenes, and essentially we're trying to understand how the DNS configuration flows from the registrant, which is the domain owner who nominally operates the child zone, to the registry, which operates the parent zone, and we found that the registrar plays a central role in this propagation.
D
So the registrant communicates any name server changes to the registrar using this web portal or an API, and the registrar in turn uses this protocol called Extensible Provisioning Protocol, EPP, to communicate these changes to the registry, and, given that these were large numbers, and given that this was a systemic issue, we figured that there must be something amiss with EPP, and also the fact that we didn't understand anything about EPP. So what I'd like to do next, with apologies to Steve Hollenbeck, who actually wrote the RFC on EPP, is to create a simplified mental model of what EPP is and to sort of use that simplified mental model to sort of work through how EPP constraints can actually lead to this issue, and again, apologies to all the actual experts of the RFC in the room.
D
So a good place to start is to think of the registry top-level domain DNS configuration as a database, so all of the domain objects, the name servers, to think of them as a database, and this database has two sorts of objects. The first is a domain object such as food.com, and the second is a host object, and every host object that belongs to the same top-level domain, such as ns1.food.com, needs to have a relationship with the domain object.
D
In this case, ns1.food.com is a subordinate host object of food.com, and once you have that, you can then think of EPP as the specification on how this database can be modified. Okay, again, simplified mental model, new apologies. Okay, with that mental model, let's work through an example to see how we can get ourselves into problems. So consider two domain objects: one, food.com, registered by registrar A, and bar.com, registered by registrar B.
D
We next introduce the subordinate host objects, ns1 and ns2.food.com for food.com, which are subordinate host objects of food.com, and ns1.bar.com, which is a subordinate host object of bar.com. We also show the delegated name server relationships, and each of these domains has two delegated name servers, as is required, and the thing to keep in mind here is that bar.com has delegated its name service to a host object that is controlled by another registrar, and that in itself is not a problem. This happens all the time, designed for it, and everything works.
D
In order to do that, EPP requires that the registrar first clean up all of the associated host objects, so the registrar goes and cleans up ns1.food.com without any problems, but, as some of you might have already anticipated, when the registrar tries to go and delete ns2.food.com, it cannot do so because it is being referenced by another domain object and hence cannot be deleted. Now, this is a domain object that is controlled by another registrar, and so the registrar at this point of time has two options.
D
One is not really an option because, like, it's to suck it up and just keep the domain as is in the registry database, but in this case it means that it needs to continue paying for this domain, even though it has stopped getting paid for it, and so this is not really an option, and EPP sort of foresees this and presents a workaround, which is to rename the host object. So what does this renaming look like? What are some of the constraints around this renaming? And it turns out there are very few constraints, and, like, the primary constraint is that if the host object is renamed within the same top-level domain, EPP requires that the domain object must exist.
So as a concrete example, ns2.food.com cannot be renamed to dropthishost-[random characters].com if dropthishost-[random characters].com does not exist, and, given that EPP cannot check external references, like references to external top-level domains, ns2.food.com can totally be renamed to dropthishost-[random characters].biz, because .biz is an external top-level domain, even if, this is regardless of whether dropthishost-[random characters].biz exists or not, and these were the constraints, and we expected there to be a third, which was like just dropping the name server altogether. But having talked to registrars and registries, it seems like that is not really an option, so, like, you can't just drop the name server, like the host object, altogether. So not entirely sure why.
So, given those constraints, the registrar now has two options. The first is to rename the name server to a sink domain. The sink domain is controlled by registrar A; this sort of guarantees that the domain object always exists so that the operation never fails.
D
But now the registrar is on the hook for the queries and upkeep of the sink domain, and this is actually a problem because we at least know of multiple instances where registrars abandoned their sink domains, exposing thousands of domains to hijacks, and, like, this is a single domain that an attacker can just register and get all of these domains for free. The second option is to rename the name server to a random domain in a different top-level domain. The different top-level domain is to bypass the EPP check, and the random domain is so that you don't impinge on an existing domain and, in this case, like, the registrar doesn't really have to handle any queries or keep any domains. But, as you might have figured out, there is a potential for security risk here.
D
And, of course, because it's the Internet, we chose the second option, which is to just dump it into this random top-level domain, .biz, with a random domain, and because of this renaming, the host object is no longer a subordinate host object of food.com and the registrar can go ahead and delete the domain. And what we're left with is a sacrificial name server, and by design this is a random domain which is not registered. So an attacker can now go in and register this domain and be the authoritative name server for bar.com without having any ownership interest in bar.com.
Okay, and we found that this mental model actually explained most of the renamings that we saw. But then we started seeing renamings that affected .gov, .edu, .net, and we found that the one small, tiny adjustment that we needed to make in our mental model, that was that EPP instances spanned multiple top-level domains. So, for example, Verisign's EPP.
D
So in this case we have a .com domain, a .gov domain and a .org domain, each of which delegates their name service to ns2.food.com and, like before, food.com expires and the registrar renames ns2.food.com to dropthishost-[random characters].biz, and this renaming only affects the Verisign EPP repository because that's the scope of it and, on the other hand, for the .org we are still left with a lame delegation, and each of these can be registered by an attacker to be the authoritative name server for even a .gov domain. So here's a quick summary of what we have learned so far. We found that EPP consistency constraints led to unintuitive consequences on domain deletion.
D
The expired domain food.com does not really fix the issue here, and what was surprising to us was that it affected even domains in restricted top-level domains like .gov and .edu, and we actually found a couple, and, like, the wonderful folks who were at Verisign, and who I can see here, actually helped us remediate some of them or all of them. So, given that we understood how this happened, we wanted to understand the scope of this issue and do so longitudinally.
D
So we used the three properties of sacrificial name servers, which is not really important for this presentation, but we used these three properties and sort of modified a methodology to identify lame delegations from one of our previous papers and applied it to nine years' worth of zone files in 1250 top-level domains, and applied it to 20 million name servers, and doing so, we found quite a few registrars actually indulging in it: 180,000 name servers and half a million domains that were affected as a result of these renamings, and I just want to say, like, all of these registrars who we contacted were actually super helpful and, like, helped us understand the issue and actually rectified all of it. So this was great. So I know this paints them in a bad light, but actually they were super helpful and super photo.
D
So, given that, not only were half a million domains affected, but nearly one-third of all of the domains were hijacked by registering the sacrificial name servers, so not only were these domains being exposed, but they were in fact being taken advantage of, and these were not really sophisticated hijacks, and the hijackers essentially were trying to get hold of these domains in order to serve ads, and search engine optimizations were the other use case that we saw, and essentially these were opportunistic hijacks, so, like, basically there was nothing targeted. There was nothing malicious; they saw this domain being exposed, and we see attackers trying to maximize how many domains they can get for a single registration, and in the paper we have some sort of value curve where we see attackers trying to go for the high-value domains.
D
The first is to prevent creation of new sacrificial name servers, and to do that, we worked with the three registrars with the largest impact to prevent creation of new sacrificial name servers, and each of them used a different flavor of sink domains, and so far as a result of this intervention, like, we have prevented 30,000 domains, I think as of last year, from being hijackable, and also the registrars used different sorts of renaming idioms and, more interestingly, GoDaddy used as112.arpa, which was a topic of big debate in DNSOP today. So I thought that was interesting, and Enom and Internet.bs, like, used regular old domains.
D
There are multiple instances, as I had mentioned before, of sink domains becoming available for registration as registrars sort of move to newer domains, and in this case a single registrant gets all of the domains, and we have a few suggestions for long-term solutions in the paper. One of these could be a .alt TLD, again, which has been discussed in the DNSOP working group. I think Warren and Paul have been working on an RFC, and it's, like, in its draft stages, and the second potential solution could be just, you know, delete the host object without trying to rename it, and we are not entirely sure of what the potential implications could be for that. So something to study.
D
But the thing to note here is that each of these potential long-term solutions needs to be codified as a change to EPP, and not only does this prevent relapse to old renaming idioms, but also because not all EPP instances support the proposed solutions. So some of this is going to take rejiggering on our parts, and this seems like quite a heavy lift for this specific issue, like changing EPP. Changing all of these EPP instances seems like a heavy lift for this one specific issue, and so the way I decided to approach this was to sort of zoom out and try to look at some of the other problems that are surrounding the same issue and see if we could come up with solutions that are more holistic, and what I'd like to do now is to sort of switch gears a little bit, and so far I've been talking about opportunistic hijacks.
D
If you're going to revisit these protocols, then we should do so in a way that solves both of these problems, and a lot of you might be familiar with targeted hijacks because of this Department of Homeland Security emergency directive, asking government domains to evaluate their DNS infrastructure for signs of tampering, in January of 2019. This was what CISA published around the same time. There were multiple security vendors, such as Cisco Talos, CrowdStrike and FireEye, which published multiple reports of widespread DNS hijacking activity targeting multiple sectors across multiple countries, and the hijack of the French aerospace company was perhaps, like, the first documented instance of a domain hijack, and what I'd like to do is to sort of work through this 2014 hijack as an example of how this attack typically plays out and what the attacker is trying to achieve, and what could be good mitigation strategies for it.
D
So, let's say you're a client trying to log into the secure network for this French aerospace company. Essentially you're trying to load up this login page in order to enter your credentials, and to do that, you need to first resolve secure.net.fr, which is where this domain lives, and in order to do that, the client sends off this request to the recursive resolver, and we are all familiar with how this resolution process takes place. The recursive resolver does this dance with all of the authoritative name
D
In 2014, attackers were able to maliciously update DNS delegations at the top-level domain authoritative name servers, and I want to make sure that you folks are aware of this key difference: unlike DNS cache poisoning or query interceptions, which target the DNS query protocol, in this case the attackers target the registrars and the registries in order to influence the delegation at the top-level domain authoritative name server. So this is not a query protocol attack. This is a social engineering supply chain attack, if you will, where the attackers target the registrar and the registry in order to influence the top-level domain delegations, and now, because the attackers actually control the authoritative name servers, they can redirect all users trying to resolve that domain to an IP address of their choice, and now the web browser is going to go to this malicious IP address and load a web page that looks awfully similar to the actual login page.
It is, in fact, malicious, and at this point of time a lot of you must be asking: isn't this exactly what TLS is supposed to help us with? Like, how is this new? How does TLS not help us with this? And it turns out that TLS would have helped had it not been for this unfortunate trust dependence between certificate issuance and DNS.
D
So it turns out that certificate issuance, automated certifications, uses DNS to prove domain ownership, and since attackers actually control the DNS, they can obtain TLS certificates for the domain, and keep in mind, like, these are completely legitimate certificates, maliciously obtained but legitimate certificates nonetheless, and as a result, users can't really distinguish between legitimate infrastructure and attacker infrastructure.
D
Certificate transparency allows for auditing of all of the certificates that were issued and sort of helps us in being able to identify these hijacks in the first place. So transparency plays a big role in us being able to identify these hijacks. Okay. So a quick summary of these targeted infrastructure hijacks: they start by an attacker acquiring the ability to control DNS delegations. These hijacks are characterized by multiple brief updates. So, instead of hijacking for a period of a day, they prefer to do it a few hours every day over a period of weeks, so as to not attract attention and, more importantly, because they control the DNS infrastructure, they can bypass DNSSEC, TLS. They can just disable it or bypass it, and there is this parallel attacker infrastructure, which is to mimic the target domain, and this responds with a maliciously obtained TLS certificate, which basically means, like, they cannot be distinguished from the legitimate infrastructure.
D
We wanted, okay, now, sorry, sort of spoiler alert, so we wanted to construct, yeah. Okay, we wanted to construct a methodology to retroactively identify these targeted domain hijacks in the wild, and as an independent third party, and I'm not going to go into the details of how we did it; happy to talk about it. The link to the paper is in the slides, but in all we identified 41 domains as hijacked. 33 of these domains we were able to independently re-identify and verify from previously published reports. I think we were able to independently re-identify nearly all of the domains that were previously published, and eight domains that were not previously identified, or at least not reported, and we think that these are high confidence and, like, each of them is manually evaluated. There are many, many more domains where there is circumstantial evidence, but we just didn't feel confident enough to consider them as hijacked, and this is one of the limitations of being an independent third party.
D
So, to give you a sense of the data that we were able to find, so here is an example of four domains that we identified as hijacked, all belonging to .kg, which is the Kyrgyzstan government. Three of them were government domains. One of them was an infrastructure provider in Kyrgyzstan, and we find that each of them was targeted from the same network geolocated to Russia, each of them targeting the mail infrastructure. I just want to be careful here: the geolocation is not to denote attribution, but in each of these cases the mail infrastructure was the one that was targeted and, for example, for the Ministry for Foreign Affairs in Kyrgyzstan, they used Zimbra as their mail provider, and we find the attackers sort of setting up this parallel infrastructure that mimics the Zimbra mail login page and sort of prompts malicious downloads or harvests user credentials, and I don't expect any of you to read this, but this is, like, the entire list of 41 domains.
So if you have the slides open on your computer, you can sort of go over the slides, and the only thing that you might be able to see is some of the patterns that sort of emerge: a lot of government domains, a lot of mail infrastructure, a lot of reuse in the same attacker infrastructure, which was surprising, but, roughly speaking, this is an ongoing issue and something that's actually been becoming more problematic over time.
D
So, if I were to summarize this targeted hijacks part, I would say, like, the thing that we as a community need to sort of grapple with is the fact that the traditional mechanisms such as DNSSEC and TLS don't really protect against these DNS infrastructure hijacks, since attackers are able to sort of go and disable these protections, and that there is a need for more transparency and proactive measurements to understand how to mitigate these future attacks, and I thought, now that we understood what the bigger issues were and Christmas is near, I should come up with a wish list, and I'm told that the IETF Santa only deals with RFCs. So I thought, how about I come up with what I would like to see.
So there were three things, and DNS transparency, I've realized after talking to a lot of people, is an overloaded term, and I think it should be, I should have renamed it to EPP transparency, since it sort of builds up on some of the EPP changes that we're thinking of, but I'm not going to belabor the EPP point. It is to essentially codify changes so that we don't create new sacrificial name servers.
D
Given point of time, so, if you sort of think about, does ietf.org know what the name servers for their domain are, we would like to think that they haven't changed, but unless you go and actually check the .org top-level domain authoritative name servers, there is no way to know for sure, and, and, and essentially this sort of transparency is a way to get visibility into any changes that are being made in the duration that you're not checking, and I
D
think the best analogy that I've come up with is that this is to think of this as a supply chain attack, and, and having this transparency allows organizations to convince themselves that nothing really has changed, assuming, of course, that you trust the registry, but assuming that you do, I think this sort of transparency is important for organizations to convince themselves, and what we can envision is something like an append-only log with all of the changes to name servers being recorded.
D
And finally, this is a certificate transparency on steroids. Certificate transparency has been great to identify bad actors, and a lot of work would, wouldn't have been possible without a certificate transparency, and it turns out that certificate authorities do a lot of work when they issue certificates, and if they made it sort of public, or at least available to researchers, such as DNS queries and the IP which initiated the risk requests,
D
we would be able to get a better sense of like what exactly might be happening. And with that, I just want to say, before I, we'll go for questions, I just want to thank all of my collaborators, who are the only reason why I'm here, and that, I think, I'm happy to take questions and.
A
Okay, thank you guys. Some excellent.
A
So if, if there are questions, please do join the queue using Meetecho and come to the microphone. While we're waiting for people to join the queue, I'd like, though, to remind people of the masking policy for the room.
A
If you're not an active speaker at the front here, you need, the community guidelines is that you need to wear a mask at all times, and the mask needs to cover your nose and your mouth, and if you're not willing to do that, then please leave the room. All right. So the, if, see, we have some people in the queue. First up in the queue is Duane.
A
E
Hey guys, I'm, great talk, but I, I really want to push back strongly on the alt TLD idea, because that is really designed for non-DNS use cases, and this would be very much a DNS use case, which would, you know, generate lots of traffic that we really wouldn't want to have to see. So.
D
E
But again, I think that's the ideal, but the, the draft at this point, which is still a draft, obviously, but doesn't say that resolvers have to, have to drop it. So, okay, I think it's, I think it's, at this point, it's not a good fit. Okay, there should be other, other ideas, I guess. Yeah, I'm.
D
Happy to, like, again, I'm excited that people are interested in actually making these updates. So, like, I'm happy to talk more on like what exact solution, like there are a few more solutions that we're thought through, but again, like, it's, it's always great pickup to IETF and actually understand the practical considerations of it. So yeah, happy to chat. Okay, thanks.
F
Richard Wilhelm, PIR. One, great talk, thank you. A couple, couple things. One, just plus one Duane's comment on the, on the .alt thing: there's not really any MUSTs in that, in that draft right now, and I think that your, the idea in the paper about .invalid was probably, I like going better, for what it's worth. A couple things. You, in the, in the, in a slides that had an example about the multiple providers and platform communication between garage.
F
Even at a single registry service provider, often platforms aren't often connected, so whether it be at Verisign or Afilias or whatever, the, the platforms don't necessarily connect. So it's just a "yes, and" to the point that you were making about platforms not having communication, so great point there. Just something else for that, it may be a solution, it might be just dropping the name server. Originally EPP had a requirement of having two name servers for DNS reliability. As you know, that was written before the days of widespread anycast adoption.
F
So one might argue that that's outdated, but even so there's corner cases where you could end up having that, meaning a name, name going dark. The idea of communicating all domain deletions gets very challenging, because the notion of when a domain gets deleted is remarkably fuzzy at registry platforms.
F
Then the last point I'd like to make is just probably for ever, more for everyone within earshot, is, as you point out very well in your slides, especially the integrity of the registrant's registrar account is so key to the underlying infrastructure, as you point out in your example there, and so if you've got registrations that are under your control or around you with your company, wow. If you don't have multi-factor authentication on that account, you're just, just asking for it.
F
D
Right, so a couple of things that, actually great points, and I'm like, thank you for the feedback. For, for the multi-factor authentication, I think totally, I
D
think the registrant account compromise, I think that's, that's a big problem, and multi-factor authentication definitely needs to be adopted, but then there is also the issue of registrars themselves being compromised, and we see, like, in, in a lot of these cases, EPP tokens themselves being sort of exfiltrated by attackers, nation state actors and that. But that said, like, they're, just, right, account security is an important, this is an important factor in all of this.
G
H
Take out him, great paper and great presentation. One of the things that occurs to me when I read and watch your presentation is what we're seeing is, particularly the first part of your presentation, is that we're seeing the aging of the internet, and what that, that raises a question in my mind about the externalities that are being introduced with, within the system at a fundamental level, you know, between ICANN and the registries relating to.
H
Is it really, it is? Is it just an externality at this point that we're addressing in terms of when a name goes away? Is it simply, if the reputational damage isn't there for the domain that's gone away, right, they've gone away, they don't care about their reputation, but the harm may, may accrue to others in terms of what happens next, if somebody reuses that domain. And now there are two sides of this, right, you mentioned. There's this, you know, use of a domain name server, right.
H
There's, there, there probably are some best practices that, that need to be applied there. I like the idea of dropping the name for that purpose, but rather the damage occur, quit, more quickly than, and more transparently than, say, it being hidden. But these other, there is this other aspect, I just tickled in my head, as, as possibly some further research for the iconites to, to think about.
D
Yeah, and I think Rick also made this point about, like, dropping the name server, and like originally EPP did not allow it because of the requirement of two name servers, but in this case one could argue that the second name server is actually serving no purpose. Like, it is a, it is a dead, it is a lame delegation. It's not going to resolve, and just having there is a waste of space, and actually it might be better to make it more clear that this is a dead delegation. So yeah, good point, thanks.
I
So like to echo what my previous speaker said as one, one, the .alt is not the solution you're looking for. The reason, also in, I mean, resolvers never would get asked for the name server's name, they would internally resolve it. So that's a different kind of close pass, so I think GoDaddy did the right thing. They used as112.arpa, which is kind of like, yeah, that's the sinkhole that we use for all things in DNS.
D
Right, and so when we spoke to other people about as112.arpa, the, the hijackability of as112.arpa domains was not immediately obvious to us, like, since there is a sinkhole server that is localized, does it sort of expose domains to some sort of localized hijacking control? We couldn't say, but, but yeah. If.
A
Really, so, thank you, everybody. Excellent set of questions. I'd just like to give you a small token of our appreciation, and thank you once again.
A
Clearly, jumping the gun here. So the second talk today is by Corinne Cath. Corinne is a research affiliate at the Minderoo Centre for Technology and Democracy at the University of Cambridge, where she studies internet governance cultures. Corinne's talking today about the technology we choose to create: human rights advocacy in the IETF.
A
This paper was originally published in the Telecommunications Policy journal in 2021. It's also available as, I think it's chapter seven of your PhD thesis, and we link to your thesis on the website in an open access form, if you want to read the details. And again, if you want, if you find this work interesting, I think you're talking in HRPC on Friday as well, see, there'll be similar topics, I guess.
J
Yeah, good to go. Thanks so much. Thank you so much for, for being here this morning and for being with me. It is day three of the IETF and I've already been able to lose my voice, so we're gonna try this slowly as I sip some water. I really appreciate the opportunity to be able to present my work today. As Colin already mentioned, my paper is called "The technology we choose to create: human rights advocacy in the IETF". Now, I've been participating in the IETF since 2014.
J
My research work has been generously funded by the Ford Foundation, and I want to thank Michael Brennan and Lori McGlinchey, in particular, for believing that this is important work. Now, I wrote both my master's thesis and my PhD about the IETF, and the work that I'm presenting today is, is part of that work, and it really delves into the cultural aspects of the IETF and, in particular, why engineers choose to create and develop and standardize particular technologies and what sometimes unspoken values drive these choices. But before I dive into my paper, I want to draw some attention to the ongoing hunger strike of Alaa Abd El-Fattah, Egyptian-British activist and technologist, who has been imprisoned in Egypt, unjustly, for over nine years for his work on human rights and internet freedom.
J
Now it might feel like a bit of a hard pivot to go from this call to free Alaa to my paper presentation, but I promise there's a red thread there in terms of the importance of considering the impact of technology on human rights. Foreign has four sections: I'm gonna talk a little bit about anthropology, I'm an anthropologist by training.
J
I'm gonna give some context for the research that I did, talk a little bit about the findings in this paper, and then move to conclusions, but, more importantly, to the Q&A, because I'm really interested in having the conversation with the community, and that's really why I'm here. As I mentioned, I'm an anthropologist. I am currently a research affiliate at Cambridge. Some of you might also know me in the context of my day job as the VP of research at the Open Technology Fund.
J
I want to make clear, though, that I'm presenting this not in that capacity, but as a lapsed or elapsing academic, and it's interesting. It was really wonderful to hear Gautam talk before me, because I'm going to riff a little bit on the story that he was trying to tell from 10,000 feet. So the story that I want to tell is really about how well-meaning people have practices that sometimes have unintended consequences.
J
So for those of you who've never met me, who don't know my work, you might also know me as the Cat's pet. That's good. That gets quoted a lot on IETF threads about what is and what isn't good etiquette, most recently on this IETF at IETF thread. Then I'm sure more of you than not don't need to be reminded of this quote in particular; incidentally, refers to another piece that I have written about IETF culture, called "What's wrong with loud men talking loudly: the IETF culture wars".
J
So one of the things that I love to do in my talks is preview a little bit of the key takeaway, and the key takeaway for this talk today is somewhat of a controversial one, at least in this community. If there's one thing that I hope sticks with you today from my talk, it is that the IETF's work is political, much as there is a mantra here that says we don't do politics. And I want to be really clear about what I say when I mean political and politics.
J
J
Just to move that clear. Now that I've situated myself within the community, I want to talk a little bit about why the IETF is such a fascinating place for anthropologists, and I'm going to do that by taking a really quick dive into some important developments in the field of anthropology, sort of starting since the 1970s, but bear with me, I promise we'll get to 2022 in a second. Now, many people see anthropologists as social science researchers who go off to remote islands to study people who are very different from us, to study sort of the Argonauts of the Western Pacific, to bring in some classical anthropological work.
J
And whilst this once was largely the focus of anthropologists, a lot has changed, especially since the 1970s, when there was a switch in the field from, from that kind of research to studying up and studying in our own societies, meaning studying those more powerful than us within the context in which we ourselves are native.
J
So that means nowadays you will find us everywhere. We are studying the US government. We are studying the European Union. We are studying Netflix, Meta, Apple, wherever we can enter, so the well-known tech companies, but also lesser well-known communities like the IETF. And one of the interesting thing is, like IETF engineers, anthropologists of technology get together and have beer and gossip and trade war stories, and the interesting thing is, when I do that with fellow anthropologists who are in this field, and we share our war stories, I often get asked,
J
How do you deal with the hostilities that many anthropologists experience being social scientists who study technical communities? And one of the things that always tends to surprise my colleagues is that I say I've actually found the IETF to be very receptive of my work, I'm very curious about it, even if we don't always agree. I don't think I would be here receiving this prize if that wasn't the case, and I'm very appreciative of that reality, and I think part of the reason.
J
In the time that I've spent here, I've interviewed astronomers, philosophers, other anthropologists, people coming from a wide array of academic backgrounds and bringing those very interesting and diverse perspective to the work that is done here. Now, this is a quick how, why anthropology slide for those in the room who are less familiar with it as an academic discipline.
J
So let me give you a really quick sort of bird's eye overview. What anthropologists do is that we study human behavior and cultures, and we do that through direct engagement with humans, so by participating in their worlds.
J
So, in my case, I've spent three years doing field work within the IETF and by doing in-depth interviews and other types of field work, and what really that allows us to really draw out the cultural conditions that shape society, and that's what I hope to make concrete in the paper that I'm going to be presenting today. I really try to demonstrate how issues like autonomy, freedom and choice are valued in the IETF and how that impacts.
J
J
Let's go with Bob and Alice. Column, the first column outlines what Alice said in the meeting. Column, the second column outlines what Bob thinks Alice said or is trying to say, and the third column outlines what Alice is truly saying, what she truly means the same. So, for example, in the first column, it says that Alice told Bob "I have a few comments", and what Bob heard was "please rewrite this draft entirely".
J
So putting all of that information in the context of my paper on the technology that we choose to create, I have a bit of a schematic overview of the kind of questions that anthropologists ask and the kind of answers that I've given in the context of this paper, and in particular my research has looked at how IETF engineers have responded to the attempts of human rights activists to include human rights considerations in the IETF's work.
J
So here we go. So anthropologists ask questions like: what do people care about, what beliefs do they hold, and how do these beliefs inform cultural practices, for instance the cultural practice of developing protocols and standards? Now, in this particular case, I found that a lot of the people here care about freedom, autonomy, growth of the network and having the choice and also leaving the choice that people end up implementing protocols.
J
Some of the beliefs that they hold are that these particular things, freedom, autonomy, growth and choice, is, well, what make the best functioning internet for all of us, and these beliefs inform the cultural practices of standardization, in this particular case by bolstering some of the resistance against the human rights work.
J
So that brings me to the second part of my talk, where I provide a little bit more context for the research that I've been doing, because I know that perhaps not everyone is equally familiar with the Human Rights Protocol Considerations research group and other activities of folks who come from a public interest background in the IETF.
J
So here we go in too fast. So in October 2014, three human rights activists presented a bold idea to the IETF. They wanted to do research on how internet standards impacted human rights. Initially they had wanted to directly set up a working group in the IETF, but it was decided that it would perhaps be better suited to be a research group first.
J
So what the activists try to do is that they've developed guidelines that engineers could use to think through the potential impact of the work that they were doing on a number of human rights, and to achieve that goal, the activists set up the Human Rights Protocol Considerations research group in the IRTF. The group is still doing a lot of work, and I'll be presenting some of my research there on Friday for people who are interested. I think it's the morning slot.
J
So how should we see this particular group within sort of the larger history of the IETF? Now, during its 30 plus year of existing, there have always been people working alongside industry engineers here who come from organizations that maybe don't, that aren't corporations. So I'm sure many of you know dkg, who works for the ACLU, Mallory Knodel, who works for the Center for Democracy and Technology, and they are not, their presence here is not novel in any kind of way.
J
J
Now, after the publication of this human rights guiding document, there was limited uptake of it.
J
I mean, very few standards that I've seen at this point have human rights consideration section like they do privacy considerations or security considerations, and there are many, many reasons why the human rights work face such an uphill battle. Now, obviously, some are related to sort of the political economy of standardization, the dominance, the dominance of the interests of particular technical actors and industry actors, whose main concerns are around efficiency and costs and latency.
J
Now, in my paper, I consider openness, interoperability, permissionless innovation and connectivity as four sort of important properties or ideal outcomes that engineers strive towards, and what I do is that I outline how a distinct difference in understanding of what these desired properties mean have led to constant friction between the human rights activists and some of the engineers who are participating in this debate. Or, to put it in other words, as I already mentioned,
J
It's not just that the human rights activists ask engineers to do things that they didn't think were technically feasible, but that they asked them to do things that they didn't feel comfortable doing because it didn't align with their world view of what their role should be. In the interest of time, I will skip this one, so that brings us back to column three. Remember the different columns that I outlined earlier and how I am interested as an anthropologist in understanding what people mean and how that drives their work.
J
In doing so, for this paper, I found that there were big, big differences between how some of the human rights people interpreted openness or interop or connectivity versus how some engineers understood it, and these are some of the examples that I outline in the paper. So, for instance, when talking about connectivity, many of the engineers talk about connectivity of machines, not necessarily of humans, and connectivity in a laissez-faire kind of manner.
J
So not too much oversight, and not too much intervention. Permissionless innovation really should not be centrally organized, but should be done because people choose to connect to the network, and openness really as freedom from coercion, including sometimes from human rights concerns. Now, unearthing what engineers probably mean when it comes to openness and interoperability and connectivity is important to understand the cultural causes of friction in research groups and working groups beyond just the ones that I've outlined here today. So to make it a little bit more concrete,
J
For example, when talking about permissionless innovation, many engineers I interviewed talked about the ability of the individual to connect networks or innovate by building applications or services that run on top of the internet without permission from a central, central authority, and they actually believe that introducing human rights considerations in the IETF could undermine that type of innovation, as the framework for human rights is one that is sort of rooted in centralized authority, like human rights law, supported by a large number of organizations, of centralized institutions like the United Nations. Or as one of my interviewees said,
J
I am not convinced human rights fit within the IETF. I am willing to be told otherwise. But when we talk about the political world of human rights, what comes to my mind quickly is the International Telecommunications Union, the ITU, or something like that, in which the question becomes: Madam Chairwoman, I would like to speak about the gentleman from Slobovia who just said something with which I disagree.
J
J
And again, as one of my interviewee said, the problem is that the human rights protocol guidelines will be seen as didactic by the community that it is trying to influence, and far from achieving what it wants, there is a risk that it could backfire. It gives ammunition to the enemies of groups like HRPC at times.
J
So the TL;DR of this is a lot, a lot of the struggles that happen here are because of a clash of world views, and those play out by way of protocols. So it's politics by way of protocol, something that Professor Laura DeNardis has long focused her work on, for people who are interested in reading more about this from a social science perspective.
J
Now this clash of world views is not the only reason why the human rights advocates struggled, but it is important to show how world views factor in to protocol development.
J
So what? This is always the question. So what? Why does any of this matter? Why do we need to know this?
J
The influence of these cultural aspects of the IETF inform technical decisions, or rather that are inherent to technical decisions, provide insights into how and when the IETF is political, and this matters because the IETF's response to some of the human rights efforts and the, their sort of the dismissal of it to a certain extent in part comes from their belief that the approach of human rights activists would require a shift in their cultural understanding of desired protocol properties and internet architecture.
J
Now many engineers are hesitant to make that shift for fear of how it would change how the IETF operates today or even affect the internet's overall technical functioning and the economic and cultural imperatives that undergird it. Or, in other words, the protocols that are developed are about the technology that the IETF and its engineers choose to create.
J
Full circle. I started my talk about, with a call to learn more about the case of Alaa Abd El-Fattah and his unjust imprisonment, because we're meeting in the UK, but also because I wanted to highlight the hostile realities that many internet freedom activists face when calling for human rights protections from their governments.
J
Similarly, I could have started my talk by speaking about the situation in Iran, but I think that Simone Basso from OONI and Mahsa Alimardani have already done so really well yesterday at the IAB open meeting. That really conveys the importance of us, at least as a community, thinking through the potential human rights ramifications of our work, even if the conclusion is that we might not be able to remember these things. So instead, I will end on this note: while in part my research aims to speak to the IETF community,
J
It also aims to provide a roadmap for newcomers, especially those who are representing end users from regions that experience surveillance and repression, and to help them understand how to be effective in this community and what cultural barriers they must overcome to do so. Thank you very much.
A
Thank you, Corinne. Excellent talk, as always. Does anybody have any questions?
I
The tool up, Rich Salz. So I noticed you said a couple times "we", and that you are also a candidate for IAB. Does.
J
J
Anthropology as a field is inherently aware of the fact that research is always political, that my world views and how, who I am will influence what my focus is in the research, so I don't pretend to be independent or politically neutral. Instead, what anthropologists and a number of other social scientists do is that we're very explicit about our positionality.
J
So what you will find in my PhD research is a positionality statement in which I, for instance, outline how the different ways in which I am seen impact my research. A good example that I always bring up is, obviously, I identify as a woman, and that means that I'm a minority in the IETF. In some ways, I'm also white. That makes me part of a particular group within the IETF as well. I am from Europe.
H
Thanks very much for your paper and your work. I think you chose a group at a moment in time that this community struggled with greatly, quite frankly, and for many reasons, not just a single reason. Some of the reasons had to do with the responsibilities that we in this room have, not just toward individuals such as the one you mentioned, but also towards the day-to-day person who gets ripped off from, you know, from fraud.
H
J
J
That being said, I did focus very specifically on a certain subset, so I did focus on human rights activists in particular, because I do feel that in this community, people who represent that kind of end user in many ways are in the minority, and I feel the concerns that you raise are very valid. I also feel they are well represented and not necessarily sure that it is my role to take on those concerns as well, given that everyone has a limited amount of capacity and 24 hours in a day, foreign.
C
I'm just a little too short for the stand. My name is Michaela. Thank you so much for your presentation. My question, so coming from a human rights background, so less of a technical background, I am very interested in what you were talking about, how, in terms of the, the differences in language, in terms of how you kind of, there's ways in which you can push for something as a human rights activist and that will not be interpreted always very well, and so I'm curious.
C
J
I mean, there's a, there's a bunch of different recognitions that I would have, maybe something to talk about offline. I also have more of a policy paper coming out next year that specifically focused on such some of the cultural hurdles that the IETF poses in terms of its sometimes rough working practices, and, and who those are easy, for whom those are easier to navigate. Another thing that I've seen is very effective.
J
I mean, everyone who represents different interests at the IETF sort of collaborates in ways to support each other and, and there are groups that do the same thing for human rights activists. So again, let's talk about that. I'm happy to make some introductions there.
A
Okay, so I reminded that we have remote people too. So if you can use the, the tool for the computer, we have, there's a, a b in the remote Festival.
L
Yes, I have a question regarding the April, April RFC. My, my understanding from reading the documents that I understand what a writer or the author of the mean and or what they mean by as they. They see it as a tradition for IETF.
L
But my opinion, and I would like my comment now to, to know your opinion, as your expert is in societies or communities behavior. My understanding that at least the document is RFC, which is in the first October to be notified that it's, it's, let's say, for some kind of purpose on the document. But if you write a document and you just put the.
B
L
It's the first of April that as saying it's, they say it's a full date or fulling date or funny date, day of fools, or something like that. But in my, as an academic, I come from an engineering academic background, I feel it's documents shouldn't be re-notify only by the date that this gives some kind of indication and write in some words saying this is in some kind of purpose, just like a title, so I want to know your comment on that. Thank you.
J
I am not 100% sure I could follow that, because it's really hard to hear remote questions when you're up on the stage, but I think the question was: why did I organize to talk along certain dates for key documents or, I don't have, anyone else in the room could hear what the actual question was, of course about. Could you repeat it I.
I
K
This was a, this is a great talk, and, and I, in the great tradition of the IETF, I did not read your paper before it comes to.
N
K
Microphone to comment on it, but that doesn't stop anybody anyway. So I, I liked the principles you identified for, like, much people, you know, believe the IETF is about. The one thing that I also think is, is maybe in your paper, which I don't know, is this multi-stakeholderism, right, that at least I believe there's this, this foundation there.
K
That thought, like many of us, believe that, you know, things get better and their consensus is stronger when, when, you know, we have a diversity of opinions and, and the diversity of participants in the room, and so I was in Colin's chair when HRPC started and I chartered it, and my sort of motivation at the time was sort of to challenge that belief.
K
A little bit, right, because it can't just be lip service, but, and I was sort of excited when those participants showed up, because that was an angle we really haven't had before, and I think it has made the IETF stronger, and I'm wondering, to come to my question, if, in your interviews and your experience here, if you would say that we are really, like, believe in multi-stakeholderism, and it is a foundation for the work, or whether we pay lip service to it.
J
So I'm, I'm really interested in the fact that you choose the term multi-stakeholderism, because I know that some of the other internet governance organizations like ICANN are much more explicit in mentioning that as a key governance tradition.
J
K
K
Think that's why it's not so widely used, and other organizations have sort of now jumped on the bandwagon, let's say, and are trying to portray themselves as very open. I think there's an argument to be had whether they actually are quite as open as they claim to be, right, because it's becoming a political, politically reason to, to be that, but I sort of wonder if, sort of, you know, if the IETF, I think we've always had this.
J
Interesting thing is that I found that there is a conflation within the IETF between being culturally welcoming and procedural openness, so I've had a lot of people tell me, to quote one particular person who said, "any effort with an email can sign up to a mailing list". That is procedural openness, but then a lot of the folks that I've spoken to, who are women, who are non-binary, who are people of color, not from the EU and the US, have said,
J
that's not openness when I experience sexism, when I experience microaggressions, when people make fun of my accent when I speak English, or because I'm not a native speaker, or because I am a native speaker with a distinct accent.
J
So openness is a really thorny issue and one of the things that I think the IETF still has a lot of ground to gain, because, yes, we are open, but we are also a place where, you know, on an average meeting, 10 of the participants identify as women and the rest are men.
J
H
A
Elliott, so we have a, we're running a little short on time. We have a remote question from
B
A
O
All right, so I try to be brief here. Hi Keith, I've seen your talk multiple times in multiple venues, so my question is very quick. Given that you've been navigating the structure in the IETF and trying to find out, try to discover basically your findings now,
O
is there any initiative to keep this work alive inside the IETF? Like, we have a little bit of research work now trying to find out how the process of RFCs get adopted, accepted or evolved. So do you have any plans, or is there anybody inside IETF that's interested in having your work alive or keep it alive?
J
Yeah, I have three really quick answers to that. The first is, there's this, the Human Rights Protocol Considerations group is ongoing work. There is a, I think it's a side meeting tomorrow, of a group of folks called RASP that want to do
J
research on standardization, gorshabbat was over there, and I run a group called the Public Interest Technology Group, where we convene people who work on standards, not just at the IETF but at a bunch of different places, from a public interest perspective. And, as Rich mentioned, for better or for worse, I am running for the IAB.
J
So if you think that this research that I'm doing was terrible and you think it has no place in the IAB, or if you think this kind of a perspective has a place, then please feel free to send a little note to the NomCom about my potential candidacy.
B
You mentioned ICANN, and also in this slide on the interview I think the ITU is also mentioned. Could you tell more about the similar initiatives to yours on other standardization bodies, if you are aware of?
J
There are, I mean, obviously ICANN also has a long history of people from a not-for-profit and a public interest perspective participating. They are divided into stakeholder constituency. There is the NCUC, which stands for the Non-Commercial Users Community; someone from ICANN is going to throw something at me right now. The ITU is trickier because, obviously, you have to be on a national delegation to participate.
J
That being said, some of the national delegations, for instance the UK and the Netherlands, where I am from, allow civil society participants to join them on the delegations and actually actively participate in the negotiation. So Niels ten Oever, who was one of the founders of the Human Rights Protocol Considerations group, was at the ITU Plenipotentiary a couple of weeks ago. Mehwish Ansari, who is the head of digital at human rights NGO Article 19, was also there.
J
M
I loved how you said when the IETF chooses to be political and when not. My question was, in your interviews, so another cultural practice is that people sometimes represent themselves as individuals and, you know, hide their affiliation. In your research, did you find that, and not just on human rights, but maybe you can answer that, people had a different position when speaking to you in private, where they sort of didn't have to, you know, represent a company or have an affiliation that everyone knows about, actually?
J
N
It shares this duality, both by being neutral in and of itself, but completely greasing the skids for particular political agendas. And one of the main reason I want to get up to ask a question was: how do we get additional input from the other stakeholder groups? Do we need an outreach organization? Are they already aware and trying to make inroads here? Like, how do we further develop the inputs?
J
So I think the IETF does that already pretty well. There are people here, for instance Mallory Knodel, who's obviously on the IAB but works for the Center for Democracy and Technology, and part of her role is also making sure that there are resources and information available to others who are interested in that. There's a need to scale
J
it, though, and there is the obvious difficulty that a lot of what we do here takes a lot of technical capacity that isn't necessarily present in the same way within civil society, plus the fact that there are many different challenges when it comes to technology, and obviously, for many people, the most visible parts of the internet are the most obvious ones. So a lot of civil society organizations will focus on artificial intelligence, social media and the things that we see.
J
That being said, I think there are a lot of development here that will impact our ability to sort of use the internet for ways that are important to human rights activists that we have a role to play in, and by we I mean both me as an academic bringing that kind of work out, but also the human rights activists who are present here.
A
Excellent talk, excellent questions. We're running a little behind time; I hope you will give us the grace to run slightly over this session. The last speaker today, last but by no means least, is Daniel, who'll be talking about his paper "United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale".
A
Daniel is a doctoral student at the Max Planck Institute in the University of Saarland in Germany, and he focuses on network measurement, traffic classification and software-defined networking using novel programming languages, and he joined DE-CIX in 2019 as a researcher and developer as a of new products and solutions for internet exchange points.
P
Yes, I need to pass the movement. Well, there's basically nothing to add to that what Colin said, so I do not need to introduce myself. I think I'm now in control of the slides. Yes, it says control. Well, first of all, thank you all very much for making all of this possible. Thank you for these kind of phrases you are awarding here. It's amazing. I did not imagine ever to receive something like that. So thank you all very much, and also thanks to my co-authors.
P
Without these guys, something of that would have been possible, so I thank very much Daniel Kopp and Matthias Wichtlhuber, Christoph Dietzel, my fellow colleagues at DE-CIX, as well as Oliver Hohlfeld from the BTU Cottbus, Georgios Smaragdakis from TU Delft and my doctoral supervisor Anja Feldmann from the Max Planck Institute. All right. So the topic is once again about DDoS attacks. We're going to talk about: why is that still a hot topic?
P
This is still a not really well-solved problem in our internet, in today's internet that we have, and the volumes of the attacks and the damage that they cause is still on the rise. So we're seeing more and more reports on the web, dating to, I don't know, now it's 3.47 terabit attacks to date.
P
This is a volume that can take, like, also the very big players, at least for their scrubbing services, to an enormous test. For reference, a gigabit usually is enough to knock off some base services, I don't know, like some stores, web services, stuff like that. And this also targets basically everything that is hosted online, so more and more influencing more daily lives. For example, financial services and even health sector is affected or can be affected by that.
P
So what is the kind of DDoS attack we are going to dig into? There's a special kind of those attacks. There are many different types of that; we're looking at the amplification DDoS attacks, which work basically as follows: we've got an attacker to the left, and he sends small packets to a set of exploitable devices or services online
P
that act as a reflector, and the attacker sets a spoofed source address so that the response of the reflectors, which is larger than the initial request, so say it's an amplification, can be directed to any target basically, and the target is then the service that the attacker wants to knock offline. So usually, what is being done to defend oneself from that is that these services that want to remain alive, they deploy a local scrubbing service.
P
I depict this in this figure as this purple box to the right, and if we assume that this scrubbing service did a perfect job, well, maybe they are doing a very great job, but they are never perfect, and even if they did perfect job, we have lots of unwanted traffic along the paths. We saw these blue arrows pointing to the right, to the target. They are still carrying all of that unwanted traffic
P
that has no use just but to be dropped, so it's basically polluting the networks in between, and this is where our idea kicks in. Along the path between the reflectors and the target, there are so-called internet exchange points, so they are distributed somewhere along the path as depicted in the figure.
P
Some of the paths of the attack traffic are going around these IXPs, but along some of these paths, the IXPs are located, and that's what we were measuring, about the position of the IXPs along the path and also what could be the benefit of dropping the traffic earlier than at the local scrubbing service at the target. They have
P
one problem, to say, is that they are not aware of the whole attack that is ongoing, because they have a limited view of just the path of the traffic that is crossing through them, and they don't have the absolute view that the local scrubbing service had to the right. So we are measuring, first, what is the distance between the reflectors to the IXP and then from the IXP to the target, just to quantify
P
how much earlier we can drop the traffic. And, as I said, to come over the problem with the limited and local visibility, we're going to measure how much we could benefit if they can exchange their information in order to get a more sophisticated and more global view, the most global view that they can ever achieve if they combine all of the information. And, lastly, we're going to dig into how this kind of information exchange could be done.
P
So, first of all, let's leverage some data. We partnered with 11 IXPs across the globe, plus, well, that's way too much to say; it was in Central and South Europe and the North American countries, ranging from very different types of traffic, lots of different numbers of peers, their different peak volumes and different amount of flows we could get from them, and the time range we were looking at was a half a year in 2020.
P
We were filtering for UDP only, because that is what the most common amplification DDoS attacks are using as a transport protocol, and then we were filtering further for prominent abusable, let's say like that, protocols that were derived from previous related work. This is a list of the protocols we're looking at, and the port number. And lastly, we were also filtering for prominent packet sizes that are mostly transmitted when an exploit's answer is being transmitted. So this is also, for the protocols, a certain thing
P
we want to look for. Next, on the filtered data, we applied a detection mechanism, meaning that we are looking now for flows that are targeting the same IP address but originate from at least 10 different sources, that are the reflectors, and the absolute volume measured by that in sum needs to exceed one gigabit of traffic. If we detect such an event, it is likely to be a DDoS attack. We chose our thresholds to be, let's say, rather conservative, in order to reduce the number of false positives.
P
Another takeaway here is basically that we have a site at which the traffic volume exceeds well beyond 10 gigabits per the attack vector, so that is locally easy to detect as such, because that is very likely to be, you know, unwanted traffic. But for the other sites, for example, we have here CE2, Central European 2, the IXP there, where the local detection would not be feasible, but still it's carrying the attack's traffic. That's basically a main motivation we have here. Further,
P
you can see the complexity of the attack vectors themselves, so you're using a couple ports, like 53, CLDAP and other protocols. Like, they are very, very much mixed, and very different protocol attack vectors involved in one attack. All right. The question is: how accurate are we with that? Because we want to reduce the amount of false positives. So we compared what we found to be an attack event with the benign data, that was all the data that was not caught, that was caught by a filter.
P
So these are actually the protocols, so far so good, but it was not caught by a detection mechanism, so any of the patterns did not match, with too few reflectors involved or the absolute volume of one gigabit was not reached. So we then compared some statistics of the benign data, or the data we classified as benign, with the ones that were caught by the attack detection mechanism, and the main takeaway here is that for the benign traffic we see a complete different picture than for the attack events that we found. So on the top left corner of that ECDF,
P
we find that all the three lines for the benign data are stuck to the top left corner, whereas the attack data League shows a more, I would say, a more diverse picture, meaning that there are more sites involved with more different port combinations involved. But if it's just a single site involved and it's benign data, it's to the top left. So no slides of flip. Next, we fired up self-attacks and I'll get some ground truth, so we attacked our own infrastructure. There's an ethical consideration section on the paper on that.
P
We can definitely chat about that if you're interested in what we actually did to derive actual attack data and compare it to what we classify as such. So by that we derived lots of features. Here on the left, you have got some exemplary ones. We have 1146 features derived, different statistics like the amount of ports, the duration of the attack and so forth, and then we did a principal components analysis on the features that were resulting. To the right,
P
you can see the top three PCs being plotted, and we did clustering on that, and what we see is a clear visual separation of the benign tags, that's a small green bump somewhere in the middle, and all the attacks are very well clustered, and all of the self-attacks fall exactly into what we call attacks.
P
Next, we compared the packet sizes for self-attacks. The booter services that we used for that did not offer every protocol that we were filtering for, so sometimes the blue bars are missing, but you can see for most of these examples, I give an example for CLDAP, that is port 389,
P
in the center of the figure, we can see a very strong correlation between the blue and the red packet sizes that we observed, whereas the benign data is basically all over the place. So once again, a clear visual separation of what we call benign and what we call attack traffic. So another. Now that we are confident with our data, we can now measure what we actually want to answer.
P
First of all, we dug into the distance analysis, so that is seen from the route server. So we have a flow we consider to be an attack, and seen from the route server of the IXPs, we were counting the hops that it took from this IP address, from the reflector, to get to the IXP, and then to whatever IP address it is destined, how many hops were there from the route server's view to get there.
P
I know that this assumes some kind of caveats or some drawbacks like semantic routing, so these numbers need to be taken with a grain of salt. Nevertheless, if we assume that all of the peers adhere to what the route servers are saying, we could derive that at least for 45 of the attack
P
the volume originates from a direct member of the IXP, so the IXP sits very close to the reflector, meaning that they are in a very good strategic position to drop the traffic early. And also for about 70 of the attacks, we found that the target is just two hops away, so also meaning that we are close to the target.
P
Let's take away that we are well connected, I guess. All right. Next thing, we were measuring the collaboration benefits. So now we've got lots of data. We can now pull it together and see what would have been locally seen and detected as an attack with a local threshold, compared to if we combine all of the data and then apply the same threshold and then look at what exp now, with the global view of that traffic, have been detected as an attack. So, first of all, here's a graph that is the ground truth.
P
If we combine all of the data we've got for each of the IXPs that we have, to the very left we've got all of them combined, so that is the 100,000 attacks, or events, that we could derive from our data. Next, we've got all but the largest one, that is CE1, just for a comparison, and then we've got all the individual sites which are actually carrying attack traffic as per the global detection. And if we now compare this to local thresholds, various local thresholds, we find this picture.
P
For example, you can see the prominent ones, I think, is CE3, where basically none of the, actually with the global view detectable, attacks are being detected, not even by 100 megabits threshold. For the far right one, C1, because it's the largest one, it sees basically as much as we see with the combined data, for sure, but C3 and C4, they basically do not detect any of the attack traffic that they are actually carrying as such.
P
So what's a collaboration benefit for, let's say, 100 megabits, with the global threshold compared to the local one? This graph depicts the amount of missed traffic. So now they are reordered, for the ones to the left that missed the most. If I compare this to the globally detectable traffic, we find that for some sites we see that 80 of the traffic is locally undetectable for this certain threshold. And then, if we apply other thresholds, we even find a worse picture for sc3.
P
In this example, for a threshold of one gigabit, we find that up to 90 of the attacks that were actually carried out by the IXP would have not been detected as such locally with a local threshold.
P
Next, in order to exchange all the information, we are proposing an exchange platform on that. This is the overall picture. Let's go through this slowly. Start with the top part, which is basically what it matters or similar endeavors are doing to date. There is a governance body on top, because we do not believe that things like trust models or things like that can be carried out by machines only, so this needs manual or human involvement.
P
They are more or less building a community, just likewise to the IXP's community, because, you know, the more peers accumulate at an IXP, the more community grows and more attractive it becomes for other peers. Same economy system is envisioned here: the more people are involving in the DDoS information exchange point, the DXP, the more value or more attractive it might become to others to join.
P
We believe that there's a need for contracts in order to get this running smoothly, so the governance body handles SLAs and also processes of use cases. For the center part, we have two DXP members, to the left and to the right. In the center, we've got the information exchange point itself, and what they basically do is, when they choose to collaborate with the DXP, so they become a member of it,
P
then they adhere to the governance rules that were defined before and then exchange the information about ongoing attacks that they can locally see, and then they publish it to a pub stream buffer, which is the actual database of this DXP, where they can also fetch information about ongoing attacks from there and then, if they are willing to do so, apply local filtering.
P
We envisioned two different scenarios for that. So we envisioned a low trust scenario, where the peers or the members of the DXP decide to just share information about the reflectors' IP, because there are some, I would say, semi-sensitive information lists on the web, where you can look for reflectors that have been successfully scanned by some guy, and so the sharing of the reflectors' IP address is considered not too sensitive, to whatever the extent that might be. And the second scenario is the high trust scenario, where the peers choose to exchange all of the information about everything that they are seeing locally.
P
That is the source and destination IP address, as well as the volume and the attack vectors of the ongoing attack. Lastly, we quantified the benefit of that. To the left, you can see an evaluation of the scenario of a low trust information exchange, and what we see is a clear benefit for all of the sites. We have once again the red bars that show the ground truth data of the actual attacks going on, and compared to what we saw before, now
P
there are lots of more bars, otherwise colored than red, appearing, meaning that they can now see more than before, more of the attacks than before, just by exchanging the information. Short hint, maybe, on the boosted factor to the left. What does that mean? Because the IXPs only see the reflector IPs, as I just explained, they might not see all of the traffic, because maybe the shared reflector IPs are not visible at all at its local IXP.
P
That is one gigabit threshold we initially use, to reach again the 100,000 attacks that we see, because we know they see actually that much. But by boosting the traffic we needed to be very careful not to run into false positives, and by manually inspecting we saw that most of the attacks, but basically every of these attacks, I think 7 out of 900 that I inspected were actually false positives, and all of the other ones were other DDoS attacks that were not caught by our very conservative filtering. To the right,
P
the high trust scenario, we can see, is more or less a linear incline of attacks that are now globally visible, because the more IXPs you add to the information exchange platform, the more information is shared and the more attacks can be detected locally.
P
All right, so to wrap up this: we found about 80, about half of the attacks are located more than three locations, putting strong interest on understanding more about the geographic distribution of the DDoS attacks, as well as the geographic distribution of the IXPs that are very useful along the path as a mitigation point.
P
Next, we found that 80 of the globally detectable attacks would have not been detected locally because of the various IXP sizes, and we found that about 45 of reflectors are just the next hop of the IXP, so that once again emphasizing on the strategic role or the useful role in the position of the IXP along the path that dropped the traffic early. And lastly, we post the DXP will show that 90 of more attacks can be detected
P
locally due to the collaboration of the sites. I hope that this somehow gave you some interesting thoughts on collaboration and exchange information between IXPs, in order to maybe have a chat on that and maybe sanitize some things. I know that here in the iitf there are some endeavors ongoing on such information exchange, proposals or protocols or alike. I'm very happy to have any conversations on that and hope
P
A
That was impressively on time finish.
A
Does anybody have questions for Daniel? And I'm afraid my machine's dropped off the Wi-Fi again, so I cannot see the queue very easily. The queue is empty on the lines. Anyone in the room have questions?
P
J
Hi, this is Karen. I had a quick question, one researcher to another: what's the follow-up research you're going to do from this?
P
Now we're looking into telescope usability of combining or uniting IXPs. So we once again talk to ourselves, but now we've got 13 IXPs. Upcoming work next year, with the follow-up work here is: maybe we can use a combined data set of all of the IXPs' flow data that they see in order to get early detection for scanning activity, because we might know some telescope IP ranges and whether we see traffic that is going into a telescope at the IXPs, and we are going to measure to what extent that makes sense to also exchange telescope information between the IXPs. Now,
P
this is once again confirmation but sensitive data that needs to be governed, and there's need for an exchange of information on that again, but the overall endeavor is to mitigate or be prepared for DDoS attacks before they even arise, derived from scanning activity that we can see at the IXPs. Please don't steal my ideas, not published yet. Thanks.
G
Hi, so from what I understood, it looks more like you're looking at volumetric attacks at this point of time, where this kind of a thing would work. So any thoughts on application layer attacks? Because from DDoS, the volumetric is kind of deviate you, and then the real attack is your application layer attack, where the scrubbing center comes, plays a major role. So that's my first question. Can
P
I, pull up, come on after that, because I don't like double questions. I always forget the first one. Very shortly is: yes, we are looking at volumetric attacks, that is amplification DDoS attacks, because the type of data we can get at the IXPs, like very hard sample, huge sampling factors and usually aggregated, so things like packet attacks or student attacks in floods, or some case like that, they are just not visible with the database that we have.
P
We are looking at volumetric attacks because they are, from the database that we have, more or less the easily, I wouldn't say easy, but they are derivable at all. Other attack vectors are either invisible or our sampling methods that we have to apply, they just do not allow for any specific other things like that. So amplification DDoS attacks, are they low-hanging fruits? You look at up front.
P
We might someday maybe invest more time in digging into other stuff or GPU other layers. Problem with other layers is, we do not see them at all, so application layer is absolute no-go. There's no way to get there. Layer 4 information is what it was quite a bit of a struggle to achieve, but we could do this now eventually, but layer 7 is no way for us to have any information on that. Second question, please.
G
And I think you kind of answered it, because my question was more on, with increasing encrypted flows, QUIC adoption and all of that, the visibility is actually going to be much lesser, even for ISPs. So in that context, where do you see the DDoS attack detection going, and any thoughts or any, do you have any plans on how to handle that problem, like, given that you don't have visibility at this point? Yeah? Maybe.
P
Yeah, I'm not sure. With regard to extending the visibility, I think this is, yeah, basically nothing I can influence. I think we also can't do this with our members. We're just not allowed because of, due to laws, and I say I would use what we have so far and make the best of it, and other layers on top of that, I don't think we will ever look into that. Got
G
A
All right, thank you, Daniel. Thank you to all of the speakers. Three fantastic talks this time. A reminder that the nominations for the 2023 Applied Networking Research Prize are open. So, if you know of any good work, any interesting people, any interesting papers, please do nominate. Nominations close at the end of next week. Thank you, everybody.