North American Network Operators Group

Re: Phishing and BGP Blackholing
On Wed, 3 Jan 2007, Andy Davidson wrote:

> From a 'problem solving' perspective, a Team Cymru-style bgp peer that
> injected very specific routes into their routing table, and matching
> configuration which caused those particular routes to be dropped would be
> ideal. Additions and deletions would be as close to real-time as possible.
>
> From a political perspective, I could only advocate to clients such a service
> that had a strict policy of adding routes to addresses because of a provable
> policy infringement. For example, a route for 1.2.3.4/32 would only be
> announced by my bgp-blacklist peer if it could be demonstrated that a device
> reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp
> relay).... and not because a phishing site was hosted there. Different
> priorities for different networks I guess ..

disclaimer: I do development work for the company I'm about to endorse. I endorsed this product before when I was a client. I've since left my previous position and gone to work on it. This is one of the very few posts I'll ever make that's in any way representative of an employer.

Mainnerve's Darknet product is exactly that: a managed blacklist of malicious/hacked sites. Currently, phishing sites and open proxies make it into the blacklist, but drone network C&Cs do.

Darknet is intended to intercept traffic leaving your network to known C&Cs. Currently, this involves a device deployed to your network that hosts a BGP peer to your network to supply the blackhole routes, redirecting the C&C traffic to the darknet device for packet analysis.

I'm currently working on a newer implementation that involves just a BGP peering session and a GRE tunnel, to eliminate the hardware deployment and simplify the whole process, so it functions very much like the bogon filter.

- billn
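The two mechanisms discussed in this thread (a blacklist BGP peer whose /32 routes are dropped, and the same peer redirecting C&C-bound traffic into a GRE tunnel for analysis) written out as an added Cisco IOS configuration example; this is not from the thread and is not Mainnerve's or Team Cymru's configuration. The peer address, ASNs, communities 65000:666/65000:667, tunnel endpoints and the 192.0.2.1 discard next-hop are all assumed placeholders (RFC 5737/1918 space).

```cisco
! Discard next-hop: a static route to Null0 makes any prefix rewritten
! to this next-hop get dropped in the forwarding path (RTBH).
ip route 192.0.2.1 255.255.255.255 Null0

! GRE tunnel to the analysis device (billn's "darknet" variant).
! Both tunnel endpoints and the far-end address 10.255.0.2 are assumed.
interface Tunnel0
 description Redirect of blackholed C&C traffic for analysis
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.20

! Only host routes are accepted from the feed; anything wider is refused
! so a mistaken or hostile announcement cannot blackhole a whole block.
ip prefix-list BLACKLIST-HOSTS seq 5 permit 0.0.0.0/0 ge 32

! Assumed feed communities: 65000:666 = drop, 65000:667 = redirect.
ip community-list standard BL-DROP permit 65000:666
ip community-list standard BL-REDIRECT permit 65000:667

route-map FROM-BLACKLIST permit 10
 match ip address prefix-list BLACKLIST-HOSTS
 match community BL-DROP
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map FROM-BLACKLIST permit 20
 match ip address prefix-list BLACKLIST-HOSTS
 match community BL-REDIRECT
 set ip next-hop 10.255.0.2
 set local-preference 200
 set community no-export additive
! Implicit deny: untagged or non-/32 routes from the feed are discarded.

! Never announce anything back to the feed peer.
route-map DENY-ALL deny 10

router bgp 64512
 neighbor 203.0.113.10 remote-as 65000
 neighbor 203.0.113.10 description Blacklist feed (assumed multihop peer)
 neighbor 203.0.113.10 ebgp-multihop 255
 neighbor 203.0.113.10 password REPLACE-WITH-SHARED-SECRET
 neighbor 203.0.113.10 route-map FROM-BLACKLIST in
 neighbor 203.0.113.10 route-map DENY-ALL out
 neighbor 203.0.113.10 maximum-prefix 5000 warning-only
```

The no-export community and the /32-only prefix-list are the two checks worth keeping whatever feed is used: the first stops blackhole routes leaking to transit peers, the second bounds the damage of a bad announcement to a single host. `show ip bgp neighbors 203.0.113.10 received-routes` (with soft-reconfiguration inbound) shows what the feed sent versus what the route-map accepted.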