North American Network Operators Group

Re: RBL-type BGP service for known rogue networks?

  • From: Kai Schlichting
  • Date: Thu Jul 06 18:06:11 2000

At Thursday 03:39 PM 7/6/00, [email protected] wrote:

>The biggest problem is that it's a lot easier to verify that a given site
>is a spamhaus.  Remember that source IP addresses (which is all that your
>border router sees) are forgeable - making for a nice DOS attack.  Forge
>packets from a competitor's site, get them labelled as a skriptz kiddie site,
>and BGP-blackholed.
>-- 

How about an RFC2644-compliance blacklist? Whitelist/blacklist, your choice.
Setting up a process to verify compliance with this particular RFC is a daunting
task, even for whitelists where network providers actively seek inclusion
into such a list. What you do with such a list would be up to you: CAR'ing
source packets from networks that are not whitelisted seems like a good idea,
just not Cisco CPU-wise.

I can think of lots of other RFC-compliance-based white/blacklists,
personally, not all of which would require this much effort to verify
eligibility.

There is none, to my knowledge, as running such lists is not
a trivial task in terms of resources and manpower, as the people who
run lists like MAPS RBL, RSS, ORBS and others can tell you.

One more note on ORBS before my final verdict (after Networkers in Orlando):
I have searched extensively for the last few weeks for evidence that
something improper was happening as far as announcements and propagation
of their routed prefixes goes: nothing hinting at foul play turned up,
anywhere.