[72003] in North American Network Operators' Group
RE: BGP list of phishing sites?
daemon@ATHENA.MIT.EDU (Smith, Donald)
Mon Jun 28 17:13:03 2004
Date: Mon, 28 Jun 2004 15:12:12 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: "Scott Call" <scall@devolution.com>, <nanog@nanog.org>
Errors-To: owner-nanog-outgoing@merit.edu
I agree a phishing BGP feed would disrupt the IP address
to all ISPs that listened to the BGP server involved.
I was addressing a specific issue with listening to such
a server and that is the loss of control issue. Sorry if that wasn't
clear.
So would ISPs block a phishing site if it was proven
to be a phishing site and reported by their customers?
Donald.Smith@qwest.com GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and
Computing System (UNICS) as a pun on MULTICS.
> -----Original Message-----
> From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
> Sent: Monday, June 28, 2004 2:58 PM
> To: Smith, Donald
> Cc: Scott Call; nanog@nanog.org
> Subject: RE: BGP list of phishing sites?
>
> Hi Donald,
> the bogon feed is not supposed to be causing any form of
> disruption, the purpose of a phishing bgp feed is to disrupt the
> IP address.. that's a major difference and has a lot of implications.
>
> Steve
>
> On Mon, 28 Jun 2004, Smith, Donald wrote:
>
> > Some are making this too hard.
> > Of the lists I know of they only blackhole KNOWN active attacking or
> > victim sites (bot controllers, known malware download locations etc)
> > not porn/kiddie porn/pr/choose-who-you-hate-sites ... clients (infected
> > PCs) are usually not included but could make it on the list given enough
> > attacks.
> > It does mean giving up some control of your network which may not be
> > acceptable to some ISPs.
> > It's not much different than listening to an automated bogon feed.
> >
> > Donald.Smith@qwest.com GCIA
> > pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> > Brian Kernighan jokingly named it the Uniplexed Information and
> > Computing System (UNICS) as a pun on MULTICS.
> >
> > > -----Original Message-----
> > > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> > > Behalf Of Stephen J. Wilcox
> > > Sent: Monday, June 28, 2004 11:56 AM
> > > To: Scott Call
> > > Cc: nanog@nanog.org
> > > Subject: Re: BGP list of phishing sites?
> > >
> > > On Sun, 27 Jun 2004, Scott Call wrote:
> > >
> > > > One of the things the article mentioned is that ISP/NSPs are shutting
> > > > off access to the web site in Russia where the malware is being
> > > > downloaded from.
> > > >
> > > > Now we've done this in the past when a known target of a DDOS was
> > > > upcoming or a known website hosted part of a malware package, and it
> > > > is fairly effective in stopping the problems.
> > > >
> > > > So what I was curious about is would there be interest in a BGP feed
> > > > (like the DNSBLs used to be) to null route known malicious sites
> > > > like that?
> > > >
> > > > Obviously, both operational guidelines, and trust of the operator
> > > > would have to be established, but I was thinking it might be useful
> > > > for a few purposes:
> > > >
> > > > 1> IP addresses of well known sources of malicious code (like in the
> > > >    example above)
> > > > 2> DDOS mitigation (ISP/NSP can request a null route of a prefix which
> > > >    will save the "Internet at large" as well as the NSP from the
> > > >    traffic flood)
> > > > 3> etc
> > > >
> > > > Since the purpose of this list would be to identify and mitigate large
> > > > scale threats, things like spammers, etc would be outside of its
> > > > charter.
> > > >
> > > > If anyone thinks this is a good (or bad) idea, please let me know.
> > > > Obviously it's not fully cooked yet, but I wanted to throw it out
> > > > there.
> > > Personally - bad.
> > >
> > > So what do you want to include in this list.. phishing? But why not add
> > > bot C&C, bot clients, spam sources, child porn, warez sites. Or if you
> > > live in a censored region add foreign political sites, any porn, or
> > > other messages deemed bad.
> > >
> > > Who maintains the feed, who checks the sites before adding them, who
> > > checks them before removing them.
> > >
> > > What if the URL is a subdir of a major website such as aol.com or
> > > ebay.com or angelfire.com ... what if the URL is a subdir of a minor
> > > site, such as yours or mine?
> > >
> > > What if there is some other dispute over a null'ed IP, suppose they
> > > win, can they be compensated?
> > >
> > > Does this mean the banks and folks don't have to continue to remove
> > > these threats now if the ISP does it? Does it mean the bank can sue you
> > > if you fail to do it?
> > >
> > > What if you leak the feed at your borders, I may not want to take this
> > > from you and now I'm accidentally null routing it to you. Should you
> > > leak this to downstream ASNs? Should you insist your Tier1 provides it
> > > and leaks it to you?.. just you or all customers?
> > >
> > > What if someone mistypes an IP and accidentally nulls something real
> > > bad(TM)? What if someone compromises the feeder and injects prefixes
> > > maliciously?
> > >
> > > What about when the phishers adapt and start changing DNS to point to
> > > different IPs quickly, will the system react quicker? Does that mean
> > > you apply less checks in order to get the null route out quicker? Is it
> > > just /32s or does it need to be larger prefixes in the future? Are
> > > there other ways conceivable to beat such a system if it became
> > > widespread (compare to spammer tactics)
> > >
> > > What if this list gets to be large? Do we want huge amounts of /32s in
> > > our internal routing tables?
> > >
> > > What if the feeder becomes a focus of attacks by those wishing to carry
> > > out phishing or other illegal activities? This has certainly become a
> > > hazard with spam RBLs.
> > >
> > > Any other thoughts?
> > >
> > > Steve
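As an added example, written for this archive and not code from any participant in the thread, the following models the guardrails the questions above point at before a feed-supplied prefix is turned into a local null route: accept only /32 host routes, never blackhole your own or your customers' space, cap how many entries you take, and tag everything with NO_EXPORT so it cannot leak at your borders. The protected ranges, the discard next-hop and the feed contents are constructed RFC 5737 documentation values.

```python
"""Guardrails for consuming a third-party BGP blackhole feed.

Models the checks an ISP would apply before a received prefix becomes a
local null route: only /32 host routes, nothing inside our own or customers'
space, a cap on feed size, and NO_EXPORT on everything accepted so the
routes cannot leak across our borders.  Addresses are constructed RFC 5737 values.
"""
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Tuple

NO_EXPORT = "no-export"            # well-known community, never crosses eBGP
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # assumed: next-hop routed to a discard interface
# Assumed: address space a feed must never be allowed to blackhole.
PROTECTED = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
MAX_FEED_ENTRIES = 3               # deliberately tiny so the cap is exercised below


def filter_feed(entries: List[str]) -> Tuple[List[Dict], List[Tuple[str, str]]]:
    """Return (accepted null routes, rejected (prefix, reason) pairs)."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            net = ip_network(raw, strict=True)  # host bits set -> ValueError
        except ValueError:
            rejected.append((raw, "unparseable"))
            continue
        if not isinstance(net, IPv4Network) or net.prefixlen != 32:
            rejected.append((raw, "not a /32 host route"))  # a typo'd mask would null a block
            continue
        if any(net.subnet_of(p) for p in PROTECTED):
            rejected.append((raw, "inside protected space"))
            continue
        if len(accepted) >= MAX_FEED_ENTRIES:
            rejected.append((raw, "feed cap reached"))  # bound routing-table growth
            continue
        accepted.append({"prefix": str(net), "next_hop": BLACKHOLE_NEXT_HOP,
                         "communities": [NO_EXPORT]})
    return accepted, rejected


# Constructed feed: good hosts, a whole /24, a customer host, one over the cap, junk.
SAMPLE_FEED = ["192.0.2.10/32", "192.0.2.0/24", "203.0.113.77/32",
               "192.0.2.11/32", "192.0.2.12/32", "192.0.2.13/32", "junk"]

if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    for r in ok:
        print("blackhole", r["prefix"], "via", r["next_hop"], r["communities"])
    for prefix, why in bad:
        print("rejected", prefix, ":", why)
```

On a real router the same policy is expressed as a prefix-list limiting the feed session to /32s, a maximum-prefix limit on the neighbor, and a route-map that sets the discard next-hop and the no-export community.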