[93890] in North American Network Operators' Group
Re: Phishing and BGP Blackholing
daemon@ATHENA.MIT.EDU (Travis H.)
Tue Jan 2 23:21:07 2007
Date: Tue, 2 Jan 2007 22:19:42 -0600
From: "Travis H." <travis+ml-nanog@subspacefield.org>
To: Bill Nash <billn@billn.net>
Cc: "Joy, Dylan" <DJoy@becu.org>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.64.0701021815310.9580@pegasus.billn.net>
Errors-To: owner-nanog@merit.edu
On Tue, Jan 02, 2007 at 06:20:01PM -0700, Bill Nash wrote:
> The biggest challenge I can see is scrubbing phishing reports that
> aren't.. themselves.. maliciously crafted phishing attacks against a
> registry of such addresses.
Can you rephrase that? I want to understand but I'm failing.
> Likewise, since BGP isn't application aware,
> when you blackhole an address that's both website and mail server, how do
> you inform the end user about their problem, or get a notice from them
> that it's been fixed?
> This kind of solution has a huge trust factor hole in it.
However, it has been done with MAPS... they do indeed have a BGP-compatible
DNS lookup thingamabob, and for a while Above.net was using it.
Apart from MAPS blacklisting the whole netblock of a site that was selling
(but not using) spam software, there are also externalities involved.
Above.net started blackholing traffic to those sites, but they did it for
all the traffic that crossed their network, not just the traffic they
originated. So the net result was that some of these sites were not reachable,
just because your traffic traversed above.net, and sometimes they were. And as
you point out, there was no way to know what was happening without effort.
For the kind of user that gets fooled by a phishing site, I'm sure it could
get very confusing.
> Distributing a BGP based blackhole list is trivial. The intelligence that
> goes into it is the hard part. There are companies that provide managed
> services like this (bgp blackhole route servers for known problem sites,
> like drone C&C's). (disclaimer: I do development for one.)
As another poster discusses, collateral damage is of concern. I do some
forensics for a web hosting company and occasionally someone sets up a
phishing web site instead of spambots and IRC connections. Typically we
can make it inoperable within a few minutes of knowing exactly what is
going on (chmod -R 000 ...), so I think a detailed email to abuse is going
to be more effective, as long as they have the ability to read and respond
to the email in a timely fashion.
For companies that aren't that timely, I would think that'd be a good
candidate for firewalling. I know next to nothing about BGP yet, but
I suspect that you could direct traffic for that IP to go through a
firewall device (or implement an ACL, though I suppose that would
mandate the slow path in a router), to block TCP ports 80 and 443 with
a TCP reject, to give some feedback, or an ICMP administratively
unreachable. This also gives the end-user the ability to figure out
who is doing the blocking and get in touch with them (or at least their
network guy acting as their agent, I suspect most end-users can't track
down a provider by IP or sniff to get the IP in the first place).
IIRC, Riverhead DoS-mitigation systems use a similar mechanism for
filtering out DoS packets en route.
Oh, and yes, even for one IP, you're still going to have collateral
damage if they're doing shared hosting, since one IP serves many
sites. The only way around this is to actually do layer 7 decoding,
but if the intruder can already set up one phishing account, I
would be hesitant to assume the other co-located sites are really
safe to browse.
I suspect the trust problem is pretty easy to deal with, if you
have a human and GPG. Usenet cancel messages, rmgroup messages,
key distribution for mixmaster remailers... the hardest problem
is deciding who you trust, and getting their key securely; the
rest is easily automated. Although some sites might be difficult
to distinguish from phishing sites; recently discussed on the
cryptography list was (IIRC) a Citibank email that told users
to log into some site and enter confidential data... the site was
legit but did not have citi anywhere in the domain name, and was
located in New Zealand. Some people tried to explain why this
was bad to Citibank, and apparently a clue was nowhere to be found.
And yet, people trust them with their money.
-- 
A: No.
Q: Should I include quotations after my reply?
<URL:http://www.subspacefield.org/~travis/> -><-
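The application-aware alternative Travis sketches above (refuse only TCP 80 and 443, answering with a TCP reset or an ICMP administratively-prohibited error so the other side can tell who is filtering, instead of a silent BGP blackhole) as an added example; this is not code from the original post or from any of the companies mentioned. It is a POSIX shell script for a Linux box with iproute2 and iptables. It prints the rules instead of applying them, it validates the reported address before it can reach a rule (the thread's worry about maliciously crafted phishing reports feeding a registry), and the address 192.0.2.10, the script name, the choice of the FORWARD chain and the PHISH-BLOCK log prefix are all my own assumptions.

```shell
#!/bin/sh
# phish_filter.sh (hypothetical name): emit the two filtering styles discussed in
# the thread for one reported phishing host, dry-run only. Assumes Linux with
# iproute2 and iptables; nothing here runs as root or touches the live box.

# Accept exactly four dotted-decimal octets in 0..255 and nothing else, so a
# crafted "phishing report" cannot smuggle shell syntax or an extra prefix into
# a rule line. Returns 0 for a plausible IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Style 1: a null route, which is what a BGP blackhole feed amounts to on the
# router that receives it. Every packet to the host is dropped silently, mail
# included, so neither the site owner nor the end user gets any feedback.
blackhole_rules() {
    printf 'ip route add blackhole %s/32\n' "$1"
}

# Style 2: an application-aware ACL. Only TCP 80 and 443 are refused, and the
# refusal is explicit. tcp-reset makes a browser fail immediately instead of
# timing out; icmp-admin-prohibited sends an ICMP error whose source address is
# the filtering router, so the site owner can see who is blocking and ask for
# review. Port 25 is untouched, so an abuse mail to the host still gets through.
# A rate-limited LOG rule in front of the REJECT keeps a record for the operator.
reject_rules() {
    ip=$1
    mode=${2:-tcp-reset}
    case "$mode" in
        tcp-reset|icmp-admin-prohibited) ;;
        *) echo "reject_rules: unknown reject mode '$mode'" >&2; return 1 ;;
    esac
    printf 'iptables -A FORWARD -d %s -p tcp -m multiport --dports 80,443 -m limit --limit 5/min -j LOG --log-prefix "PHISH-BLOCK "\n' "$ip"
    printf 'iptables -A FORWARD -d %s -p tcp -m multiport --dports 80,443 -j REJECT --reject-with %s\n' "$ip" "$mode"
}

# main IP [blackhole|reject] [tcp-reset|icmp-admin-prohibited]
# Refuses to build anything for an address that does not pass is_ipv4.
main() {
    ip=$1
    style=${2:-reject}
    mode=${3:-tcp-reset}
    if ! is_ipv4 "$ip"; then
        echo "refusing to build rules for '$ip': not a plain IPv4 address" >&2
        return 2
    fi
    case "$style" in
        blackhole) blackhole_rules "$ip" ;;
        reject)    reject_rules "$ip" "$mode" ;;
        *) echo "usage: $0 IP [blackhole|reject] [tcp-reset|icmp-admin-prohibited]" >&2; return 2 ;;
    esac
}

# Print the rules for the given arguments; do nothing when sourced without arguments.
[ $# -eq 0 ] || main "$@"
```

Run as `sh phish_filter.sh 192.0.2.10 reject icmp-admin-prohibited` to see the rule lines, and pipe that output into `sh` as root only after reading it. Comparing the `blackhole` output with the `reject` output for the same address makes the point of the post visible: the null route takes out mail to the host along with the web site, while the ACL leaves port 25 open and returns an error the blocked party can act on. The shared-hosting caveat still applies to both styles, since each matches on the destination address and therefore every site behind it.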