[72002] in North American Network Operators' Group
RE: BGP list of phishing sites?
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Mon Jun 28 17:02:26 2004
Date: Mon, 28 Jun 2004 21:57:53 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: "Smith, Donald" <Donald.Smith@qwest.com>
Cc: Scott Call <scall@devolution.com>, <nanog@nanog.org>
In-Reply-To: <9921AB57EA49D242A076864C5F473D3C650086@itdene2km08.AD.QINTRA.COM>
Errors-To: owner-nanog-outgoing@merit.edu
Hi Donald,

the bogon feed is not supposed to be causing any form of disruption; the
purpose of a phishing BGP feed is to disrupt the IP address.. that's a major
difference and has a lot of implications.
Steve
On Mon, 28 Jun 2004, Smith, Donald wrote:
> Some are making this too hard.
>
> Of the lists I know of, they only blackhole KNOWN active attacking or
> victim sites (bot controllers, known malware download locations etc), not
> porn/kiddie porn/pr/choose-who-you-hate sites ... clients (infected PCs)
> are usually not included but could make it on the list given enough
> attacks.
>
> It does mean giving up some control of your network, which may not be
> acceptable to some ISPs.
>
> It's not much different than listening to an automated bogon feed.
>
>
> Donald.Smith@qwest.com GCIA
> pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> Brian Kernighan jokingly named it the Uniplexed Information and
> Computing System (UNICS) as a pun on MULTICS.
>
> > -----Original Message-----
> > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> > Behalf Of Stephen J. Wilcox
> > Sent: Monday, June 28, 2004 11:56 AM
> > To: Scott Call
> > Cc: nanog@nanog.org
> > Subject: Re: BGP list of phishing sites?
> >
> >
> >
> > On Sun, 27 Jun 2004, Scott Call wrote:
> >
> > > One of the things the article mentioned is that ISP/NSPs are shutting off
> > > access to the web site in Russia where the malware is being downloaded
> > > from.
> > >
> > > Now we've done this in the past when a known target of a DDOS was upcoming
> > > or a known website hosted part of a malware package, and it is fairly
> > > effective in stopping the problems.
> > >
> > > So what I was curious about is would there be interest in a BGP feed (like
> > > the DNSBLs used to be) to null route known malicious sites like that?
> > >
> > > Obviously, both operational guidelines, and trust of the operator would
> > > have to be established, but I was thinking it might be useful for a few
> > > purposes:
> > >
> > > 1> IP addresses of well known sources of malicious code (like in the
> > > example above)
> > > 2> DDOS mitigation (ISP/NSP can request a null route of a prefix which
> > > will save the "Internet at large" as well as the NSP from the traffic
> > > flood)
> > > 3> etc
> > >
> > > Since the purpose of this list would be to identify and mitigate large
> > > scale threats, things like spammers, etc would be outside of its charter.
> > >
> > > If anyone thinks this is a good (or bad) idea, please let me know.
> > > Obviously it's not fully cooked yet, but I wanted to throw it out there.
> >
> > Personally - bad.
> >
> > So what do you want to include in this list.. phishing? But why not add
> > bot C&C, bot clients, spam sources, child porn, warez sites. Or if you
> > live in a censored region add foreign political sites, any porn, or other
> > messages deemed bad.
> >
> > Who maintains the feed, who checks the sites before adding them, who
> > checks them before removing them?
> >
> > What if the URL is a subdir of a major website such as aol.com or ebay.com
> > or angelfire.com ... what if the URL is a subdir of a minor site, such as
> > yours or mine?
> >
> > What if there is some other dispute over a null'ed IP, suppose they win,
> > can they be compensated?
> >
> > Does this mean the banks and folks don't have to continue to remove these
> > threats now if the ISP does it? Does it mean the bank can sue you if you
> > fail to do it?
> >
> > What if you leak the feed at your borders, I may not want to take this
> > from you and now I'm accidentally null routing it to you. Should you leak
> > this to downstream ASNs? Should you insist your Tier1 provides it and
> > leaks it to you?.. just you or all customers?
> >
> > What if someone mistypes an IP and accidentally nulls something real
> > bad(TM)? What if someone compromises the feeder and injects prefixes
> > maliciously?
> >
> > What about when the phishers adapt and start changing DNS to point to
> > different IPs quickly, will the system react quicker? Does that mean you
> > apply fewer checks in order to get the null route out quicker? Is it just
> > /32s or does it need to be larger prefixes in the future? Are there other
> > ways conceivable to beat such a system if it became widespread (compare to
> > spammer tactics)?
> >
> > What if this list gets to be large? Do we want huge amounts of /32s in our
> > internal routing tables?
> >
> > What if the feeder becomes a focus of attacks by those wishing to carry
> > out phishing or other illegal activities? This has certainly become a
> > hazard with spam RBLs.
> >
> > Any other thoughts?
> >
> > Steve
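An added example, not part of this thread or of any feed operator's code: a Python acceptance filter for a blackhole feed that implements the checks Steve's questions point at (host routes only, reject bogons and your own address space so a mistyped IP cannot null "something real bad", require the no-export community so the route is not leaked at your borders, and cap the number of /32s taken into the internal table). The protected prefixes, thresholds and sample feed are constructed for illustration.

```python
import ipaddress

# Constructed for the example: address space this network must never
# null-route (its own prefixes, upstream links, infrastructure it relies on).
PROTECTED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Special-use / bogon space that should never appear on a phishing feed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
NO_EXPORT = "no-export"   # well-known community; without it the null route
                          # would be re-announced to peers and customers
MAX_ENTRIES = 5000        # constructed cap on /32s accepted into the IGP/iBGP

def check_entry(prefix_str, communities):
    """Return (accepted, reason) for one feed entry."""
    try:
        # strict=True rejects host bits set under the mask, e.g. a typo
        # such as 203.0.113.5/24, and any unparseable address.
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:
        return False, "unparseable prefix"
    if net.version != 4 or net.prefixlen != 32:
        return False, "only host routes (/32) are accepted"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon/special-use address"
    if any(net.subnet_of(p) for p in PROTECTED):
        return False, "covers protected address space"
    if NO_EXPORT not in communities:
        return False, "missing no-export community"
    return True, "ok"

def filter_feed(entries):
    """Split (prefix, communities) pairs into accepted prefixes and
    (prefix, reason) rejections, enforcing the size cap."""
    accepted, rejected = [], []
    for prefix, comms in entries:
        if len(accepted) >= MAX_ENTRIES:
            rejected.append((prefix, "feed size cap reached"))
            continue
        ok, why = check_entry(prefix, comms)
        (accepted.append(prefix) if ok else rejected.append((prefix, why)))
    return accepted, rejected

# Constructed sample feed: one good entry and several that must be dropped.
SAMPLE_FEED = [
    ("203.0.113.5/32", ["no-export"]),    # host route, tagged: accepted
    ("203.0.113.0/24", ["no-export"]),    # whole /24: too broad
    ("192.0.2.77/32", ["no-export"]),     # inside our own space
    ("10.1.2.3/32", ["no-export"]),       # bogon
    ("198.18.0.1/32", []),                # untagged: would leak at the border
    ("203.0.113.999/32", ["no-export"]),  # mistyped address
]
```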