North American Network Operators Group
RE: BGP list of phishing sites?
I agree a phishing BGP feed would disrupt the IP address to all ISPs that listened to the BGP server involved. I was addressing a specific issue with listening to such a server, and that is the loss of control issue. Sorry if that wasn't clear.
So would ISPs block a phishing site if it was proven to be a phishing site and reported by their customers?

Donald.Smith@qwest.com GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and Computing System (UNICS) as a pun on MULTICS.

> -----Original Message-----
> From: Stephen J. Wilcox [mailto:firstname.lastname@example.org]
> Sent: Monday, June 28, 2004 2:58 PM
> To: Smith, Donald
> Cc: Scott Call; email@example.com
> Subject: RE: BGP list of phishing sites?
>
> Hi Donald,
> the bogon feed is not supposed to be causing any form of disruption, the
> purpose of a phishing BGP feed is to disrupt the IP address.. that's a major
> difference and has a lot of implications.
>
> Steve
>
> On Mon, 28 Jun 2004, Smith, Donald wrote:
>
> > Some are making this too hard.
> > Of the lists I know of, they only blackhole KNOWN active attacking or
> > victim sites (bot controllers, known malware download locations etc),
> > not porn/kiddie porn/pr/choose-who-you-hate-sites ... clients (infected PCs)
> > are usually not included but could make it on the list given enough attacks.
> > It does mean giving up some control of your network, which may not be
> > acceptable to some ISPs.
> > It's not much different than listening to an automated bogon feed.
> >
> > Donald.Smith@qwest.com GCIA
> > pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> > Brian Kernighan jokingly named it the Uniplexed Information and
> > Computing System (UNICS) as a pun on MULTICS.
> >
> > > -----Original Message-----
> > > From: firstname.lastname@example.org [mailto:email@example.com] On
> > > Behalf Of Stephen J. Wilcox
> > > Sent: Monday, June 28, 2004 11:56 AM
> > > To: Scott Call
> > > Cc: firstname.lastname@example.org
> > > Subject: Re: BGP list of phishing sites?
> > >
> > > On Sun, 27 Jun 2004, Scott Call wrote:
> > >
> > > > One of the things the article mentioned is that ISP/NSPs are shutting off
> > > > access to the web site in Russia where the malware is being downloaded from.
> > > >
> > > > Now we've done this in the past when a known target of a DDOS was upcoming
> > > > or a known website hosted part of a malware package, and it is fairly
> > > > effective in stopping the problems.
> > > >
> > > > So what I was curious about is would there be interest in a BGP feed (like
> > > > the DNSBLs used to be) to null route known malicious sites like that?
> > > >
> > > > Obviously, both operational guidelines and trust of the operator would
> > > > have to be established, but I was thinking it might be useful for a few
> > > > purposes:
> > > >
> > > > 1> IP addresses of well known sources of malicious code (like in the
> > > > example above)
> > > > 2> DDOS mitigation (ISP/NSP can request a null route of a prefix which
> > > > will save the "Internet at large" as well as the NSP from the traffic flood)
> > > > 3> etc
> > > >
> > > > Since the purpose of this list would be to identify and mitigate large
> > > > scale threats, things like spammers, etc. would be outside of its charter.
> > > >
> > > > If anyone thinks this is a good (or bad) idea, please let me know.
> > > > Obviously it's not fully cooked yet, but I wanted to throw it out there.
> > >
> > > Personally - bad.
> > >
> > > So what do you want to include in this list.. phishing? But why not add bot C&C,
> > > bot clients, spam sources, child porn, warez sites. Or if you live in a censored
> > > region, add foreign political sites, any porn, or other messages deemed bad.
> > >
> > > Who maintains the feed, who checks the sites before adding them, who checks them
> > > before removing them?
> > >
> > > What if the URL is a subdir of a major website such as aol.com or ebay.com or
> > > angelfire.com ... what if the URL is a subdir of a minor site, such as yours or mine?
> > >
> > > What if there is some other dispute over a null'ed IP? Suppose they win, can
> > > they be compensated?
> > >
> > > Does this mean the banks and folks don't have to continue to remove these threats
> > > now if the ISP does it? Does it mean the bank can sue you if you fail to do it?
> > >
> > > What if you leak the feed at your borders? I may not want to take this from you,
> > > and now I'm accidentally null routing it to you. Should you leak this to
> > > downstream ASNs? Should you insist your Tier 1 provides it and leaks it to you?..
> > > just you or all customers?
> > >
> > > What if someone mistypes an IP and accidentally nulls something real bad(TM)?
> > > What if someone compromises the feeder and injects prefixes maliciously?
> > >
> > > What about when the phishers adapt and start changing DNS to point to different
> > > IPs quickly, will the system react quicker? Does that mean you apply fewer checks
> > > in order to get the null route out quicker? Is it just /32s, or does it need to
> > > be larger prefixes in the future? Are there other ways conceivable to beat such
> > > a system if it became widespread (compare to spammer tactics)?
> > >
> > > What if this list gets to be large? Do we want huge amounts of /32s in our
> > > internal routing tables?
> > >
> > > What if the feeder becomes a focus of attacks by those wishing to carry out
> > > phishing or other illegal activities? This has certainly become a hazard with
> > > spam RBLs.
> > >
> > > Any other thoughts?
> > >
> > > Steve
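Several of the concerns raised in the thread (a feed leaking past your borders, a mistyped prefix nulling something real, huge numbers of /32s, a compromised feeder injecting prefixes) are things the receiving ISP can guard against before installing anything, which is also the "control" Donald mentions giving up. The following is an added example, not part of the thread, of a feed-vetting step in Python; the feed entries, the protected address blocks, the feed's expected origin AS and the entry cap are constructed sample values.

```python
import ipaddress

# Well-known BGP communities attached to every accepted route (RFC 1997 NO_EXPORT,
# RFC 7999 BLACKHOLE) so the null route is installed locally but never re-advertised.
NO_EXPORT = "65535:65281"
BLACKHOLE = "65535:666"

# Constructed sample data: blocks this network must never null-route (its own
# customer space plus a few bogon ranges), and the feed's expected origin AS.
PROTECTED = [ipaddress.ip_network(p) for p in
             ("198.51.100.0/24", "10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/8")]
FEED_ASN = 65001
MAX_ENTRIES = 1000

# Constructed sample feed: (prefix, origin AS) pairs as a phishing feed might announce them.
SAMPLE_FEED = [
    ("203.0.113.7/32", 65001),    # plausible host route from the expected feed AS
    ("203.0.113.0/24", 65001),    # too broad: would take out a whole /24
    ("198.51.100.5/32", 65001),   # inside our own protected space
    ("10.1.2.3/32", 65001),       # bogon
    ("203.0.113.9/32", 65002),    # unexpected origin AS: possible injected prefix
    ("203.0.113.300/32", 65001),  # typo in the feed
]


def vet_feed(entries, protected=PROTECTED, feed_asn=FEED_ASN, max_entries=MAX_ENTRIES):
    """Return (accepted, rejected). Accepted entries are ready to install as tagged
    host routes; rejected ones carry the reason so an operator can review them."""
    if len(entries) > max_entries:
        # An oversized feed is refused whole rather than partially applied.
        return [], [(p, "feed larger than max_entries") for p, _ in entries]
    accepted, rejected = [], []
    for prefix_str, asn in entries:
        try:
            net = ipaddress.ip_network(prefix_str, strict=True)
        except ValueError:
            rejected.append((prefix_str, "unparsable prefix"))
            continue
        if asn != feed_asn:
            rejected.append((prefix_str, "unexpected origin AS"))
        elif net.prefixlen != net.max_prefixlen:
            rejected.append((prefix_str, "not a host route"))
        elif any(net.version == p.version and net.subnet_of(p) for p in protected):
            rejected.append((prefix_str, "overlaps protected or bogon space"))
        else:
            accepted.append({"prefix": str(net), "communities": [NO_EXPORT, BLACKHOLE]})
    return accepted, rejected
```

The accepted list is what would be handed to the router as discard routes; everything else lands in front of a human instead of in the RIB.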