North American Network Operators Group
Re: Slightly OT: Looking for an old domain for spam collection
- From: Douglas Otis
- Date: Wed Mar 28 14:26:13 2007
On Mar 28, 2007, at 11:08 AM, william(at)elan.net wrote:
On Wed, 28 Mar 2007, Tony Finch wrote:
On Wed, 28 Mar 2007, Ken Simpson wrote:

What is particularly missing IMHO is a spoofed-BGP-route blacklist.
Anyone making any progress on that sort of thing?

completewhois has lists in various forms of bogon and hijacked
networks.
http://completewhois.com/bogons/bogons_usage.htm

This list apparently does not track much of the active spoofed
announcements. This is understandable, as this tracking remains a
difficult task.

Only bogon list will catch some real-time hijacking and only when
they are doing at the unannounced space (which does happen - see
presentation a couple of NANOGs ago about spammers announcing full /8
and using unallocated portions; there were other cases too that did
not use as large of an announcement).

The real-time hijacking (short-announcements that go away in about
an hour although some do stay longer) of someone else's space or
short-term announcements of unused legacy space can only be caught
when you know where correct announcements should come from and
until we have SIDR, there is no reliable way to do it. The way I'm
testing it is by comparing where routes for where announcements
come from before and setting certain time period before route is
considered "adequate" (this has obvious bad implications for those
changing from one ASN to another). If my project gets sufficiently
stable for public consumption trials I'll let you know more but
from what I wrote you should get an idea on how to set something like
it yourself (and I think this is something similar to what others
are doing too already, I'm unsure if they are making data public or
not).

Some of this information is incorporated within one of our temporary
lists, but not exclusively. The level of this activity is rather
disconcerting. Perhaps there should be a list dedicated for this
purpose for use beyond email, which appears to be the purpose of most
but not all such announcements.
-Doug
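
The check william describes in the quoted text (compare each announcement's origin with where that space was announced from before, and require a waiting period before a new route counts as "adequate"), as an added example that is not part of the thread or any poster's code. The 7-day hold, the class and function names, and the sample events (documentation prefixes and ASNs) are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

class OriginHistory:
    """Accumulated announcement time per (prefix, origin AS) pair."""
    def __init__(self, hold=timedelta(days=7)):  # hold period: assumed value
        self.hold = hold
        self.total = {}  # (net, asn) -> time announced in earlier sessions
        self.since = {}  # (net, asn) -> start of the current announcement
    def age(self, key, now):
        live = now - self.since[key] if key in self.since else timedelta(0)
        return self.total.get(key, timedelta(0)) + live
    def withdraw(self, prefix, asn, now):
        key = (ipaddress.ip_network(prefix), asn)
        if key in self.since:  # bank the visible time, stop the clock
            self.total[key] = self.age(key, now)
            del self.since[key]
    def announce(self, prefix, asn, now):
        net = ipaddress.ip_network(prefix)
        key = (net, asn)
        self.since.setdefault(key, now)
        if self.age(key, now) >= self.hold:
            return "established"
        # Young route: does it overlap space another AS has held long enough?
        for other, other_asn in set(self.total) | set(self.since):
            if (other_asn != asn and other.overlaps(net)
                    and self.age((other, other_asn), now) >= self.hold):
                return "suspect"
        return "probation"  # new space or new origin, nothing to compare against

def classify(events):
    hist, out = OriginHistory(), []
    for ts, kind, prefix, asn in events:
        now = datetime.fromisoformat(ts)
        if kind == "W":
            hist.withdraw(prefix, asn, now)
        else:
            out.append((prefix, asn, hist.announce(prefix, asn, now)))
    return out

# Constructed events using documentation prefixes and ASNs, not real routing data.
SAMPLE = [
    ("2007-03-01T00:00", "A", "192.0.2.0/24", 64500),
    ("2007-03-20T00:00", "A", "192.0.2.0/24", 64500),
    ("2007-03-28T10:00", "A", "192.0.2.0/25", 64501),
    ("2007-03-28T11:00", "W", "192.0.2.0/25", 64501),
    ("2007-03-28T12:00", "A", "198.51.100.0/24", 64502),
    ("2007-03-29T10:00", "A", "192.0.2.0/25", 64501),
]
```

Because time is accumulated only while a route is visible, a one-hour announcement that returns the next day is still young and still reported. A legitimate move of a prefix to a new ASN is also reported as suspect until the hold period passes, which is the drawback the post notes.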