|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: BGP list of phishing sites?
Hi Donald, the bogon feed is not supposed to be causing any form of disruption, the purpose of a phishing bgp feed is to disrupt the IP address.. thats a major difference and has a lot of implications. Steve On Mon, 28 Jun 2004, Smith, Donald wrote: > Some are making this too hard. > Of the lists I know of they only blackhole KNOWN active attacking or > victim sites (bot controllers, know malware download locations etc) not > porn/kiddie porn/pr/choose-who-you-hate-sites ... clients (infected > pc's) > are usually not included but could make it on the list given enough > attacks. > It does mean giving up some control of your network which may not be > acceptable to some ISP's. > Its not much different then listening to an automated bogon feed. > > > [email protected] GCIA > pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC > Brian Kernighan jokingly named it the Uniplexed Information and > Computing System (UNICS) as a pun on MULTICS. > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] On > > Behalf Of Stephen J. Wilcox > > Sent: Monday, June 28, 2004 11:56 AM > > To: Scott Call > > Cc: [email protected] > > Subject: Re: BGP list of phishing sites? > > > > > > > > On Sun, 27 Jun 2004, Scott Call wrote: > > > > > On the the things the article mentioned is that ISP/NSPs > > are shutting > > > off > > > access to the web site in russia where the malware is being > > downloaded > > > from. > > > > > > Now we've done this in the past when a known target of a DDOS was > > > upcoming > > > or a known website hosted part of a malware package, and it > > is fairly > > > effective in stopping the problems. > > > > > > So what I was curious about is would there be interest in a > > BGP feed > > > (like > > > the DNSBLs used to be) to null route known malicious sites > > like that? > > > > > > Obviously, both operational guidelines, and trust of the operator > > > would > > > have to be established, but I was thinking it might be > > useful for a few > > > purposes: > > > > > > 1> IP addresses of well known sources of malicious code (like in the > > > example above) > > > 2> DDOS mitigation (ISP/NSP can request a null route of a > > prefix which > > > will save the "Internet at large" as well as the NSP from > > the traffic > > > flood > > > 3> etc > > > > > > Since the purpose of this list would be to identify and > > mitigate large > > > scale threats, things like spammers, etc would be outside > > of it's charter. > > > > > > If anyone things this is a good (or bad) idea, please let me know. > > > Obviously it's not fully cooked yet, but I wanted to throw > > it out there. > > > > Personally - bad. > > > > So what do you want to include in this list.. phishing? But > > why not add bot C&C, > > bot clients, spam sources, child porn, warez sites. Or if you > > live in a censored > > region add foreign political sites, any porn, or other > > messages deemed bad. > > > > Who maintains the feed, who checks the sites before adding > > them, who checks them > > before removing them. > > > > What if the URL is a subdir of a major website such as > > aol.com or ebay.com or angelfire.com ... what if the URL is a > > subdir of a minor site, such as yours or > > mine? > > > > What if there is some other dispute over a null'ed IP, > > suppose they win, can > > they be compensated? > > > > Does this mean the banks and folks dont have to continue to > > remove these threats now if the ISP does it? Does it mean the > > bank can sue you if you fail to do it? > > > > What if you leak the feed at your borders, I may not want to > > take this from you and now I'm accidentally null routing it > > to you. Should you leak this to downstream ASNs? Should you > > insist your Tier1 provides it and leaks it to you?.. > > just you or all customers? > > > > What if someone mistypes an IP and accidentally nulls > > something real bad(TM)? > > What if someone compromises the feeder and injects prefixes > > maliciously? > > > > What about when the phishers adapt and start changing DNS to > > point to different IPs quickly, will the system react > > quicker? Does that mean you apply less checks > > in order to get the null route out quicker? Is it just /32s > > or does it need to > > be larger prefixes in the future? Are there other ways > > conceivable to beat such > > a system if it became widespread (compare to spammer tactics) > > > > What if this list gets to be large? Do we want huge amounts > > of /32s in our > > internal routing tables? > > > > What if the feeder becomes a focus of attacks by those > > wishing to carry out > > phishing or other illegal activities? This has certainly > > become a hazard with > > spam RBLs. > > > > > > Any other thoughts? > > > > Steve > > > > > > >
|