BL of Compromised Hosts?

william at elan.net
Mon Feb 23 08:12:50 UTC 2004



On 22 Feb 2004, Robert E. Seastrom wrote:

> "Michel Py" <michel at arneill-py.sacramento.ca.us> writes:
> 
> > There is a regrouping of BGP feeds for various "questionable" hosts and
> > networks around AS29467; 
That is actually not correct. AS29467 will stay in use for 
BOGON and similar data. It is quite likely that other ASNs would be used 
for other "questionable" hosts, possibly one for various anti-spam lists 
and another for yet more "questionable" hosts such as DoS sources, etc. 

The current problem is that RIR policies do not allow ASNs to be 
allocated for this activity, and they want it proven as a working concept 
before adding a policy for this matter is considered (I have a partially 
written draft ARIN policy proposal that could change this, but want to see 
how it works out with AS29467 first; until then, hopefully experimental
resource policies can be used, or ASNs could come from RIPE, which is more 
open to community needs in general).

> >read
> > http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt and
> > feel free to contact the authors. 
> 
> It behooves the prospective user of said feed to read and understand
> draft-py,
Which you do not appear to have done, as the info you gave is either wrong 
(possibly based on rumors which are not correct) or is based on 
information that comes from places other than the draft itself and 
is in the development stage.

The draft is not about data sources; the draft is about the changes that need 
to be made to router software in handling BGP that would actually allow 
the use of an outside BGP feed for filtering (or marking) routes (allowing 
such feeds to come from AS numbers other than your own). Nothing in 
that draft is being done in real life yet, and current bogon BGP feed
implementations are done through what can be called a BGP hack, which 
breaks the default route, causes leaks to outsiders if not properly filtered 
and has limitations on implementation. The draft discusses using distributed
prefix filtering (which typically comes from an IBGP peer to affect routes 
being sent to that peer) and extending it to allow routes from an EBGP
peer to affect routes coming from or going to other peers. 

The draft was originally only for bogon filtering; during private
discussions between the authors it was changed to be more general, to be used 
for other situations. Unfortunately it does still suffer from being too 
BOGON specific, and when the draft was sent to IDR they immediately complained
about that too. It is however the intention of the authors that any specifics 
about what is currently being done (and any URLs mentioned) and examples 
be taken only as examples and not as part of the draft's discussed 
concept of distributing filtering through BGP.

> carefully research the pedigree of the data sources that go
> into the soup, and draw his own conclusions - taking as conservative
> and discriminating an approach as he deems necessary in terms of what
> he accepts.
There is no "soup"; mixing different lists into the same one is discouraged. 
It's expected that specific filter-list route servers would carry one or 
more kinds of BGP filtering lists. The ASNs used would be 
either for certain concepts (like bogons) or for groups of route servers 
that carry common feeds. Each route server group would have to be identified
by a different ASN, and in order for a route server to carry multiple lists, 
the lists are separated by different communities, which the route server 
would identify through some website or by other means. It is up to the 
actual route server maintainer to decide which lists they would carry as
being available to their users, and further up to the actual users to decide
which of the lists available at the route server they would choose to use.

Currently only the bogon route server has been partially tested; there is 
nothing other than bogon lists that was tested under the brs, i.e. under 
ASN 29467. The lists that cymru is providing are not being done under 
this ASN, and they also provide a couple of other "private" filtering lists, which
I hope would stay under a different ASN. I also tested a couple of other lists, 
also under a different private ASN (and those are not currently in active
production, as I find the current BGP filtering technique to be inadequate).

> Wait, you say, filtering routes is easily done by any experienced
> user, right?  Well, yes.  Not everyone's an experienced user, though.
> My primary concern here is one of education; the danger with a roll-up
> feed such as this one is that the default case is to accord equal
> credence to every blacklist;
I find that most admins who decide on RBL lists are well educated about 
what the lists they choose to use are (the end-users are however not always 
well informed about it, and that is where most of the complaints are 
coming from). I suspect that BGP admins are by their nature even better 
educated and will likely do even more research prior to using anything.

> the naive end-user would discover that
> not only had he signed up for the spiritual equivalent of MAPS
> (conservative, responsive, and responsible)
Your knowledge of MAPS is somewhat historical. It's no longer considered 
responsive, and is the least effective of all spam lists and not well
maintained, and that is despite it being almost the only list that people
are actually paying for. Nevertheless I'm certain many/most in the internet
community are forever grateful to MAPS for introducing this concept.

> but also SPEWS
> (hard-to-reach, petty, vindictive, and probably going to list my home
> mail server or maybe my whole /24 in retaliation for casting them in
> a negative light in a public forum).
As some know, I'm not a big fan of spews; I do not like their tactics of 
listing entire ISP blocks, including users that have nothing to do with 
the particular spamming incidents (although their approach has a certain 
effectiveness, as seen for example in the recent case with NAC). I do not 
however find it likely that they would list somebody just because of 
anti-spews comments, nor do the other things you listed for them really
apply, as they do good research before listing blocks. There are also
certain misconceptions among people who do not understand the different 
"levels" in spews listings and complain that their block is listed 
even though it is often only being "watched" (which is a good reminder for 
the ISP to pay closer attention to its abuse handling situation).

> > The different sources have different but commonly known communities.
> 
> ... which are undocumented in draft-py itself, and among the URLs
> listed in Section 2 for more information, only Team Cymru offers a BGP
> community advisory on their web page.  So, I must not be part of the
> "in-crowd" to know these "commonly known" communities...

It has been suggested that the draft be rewritten and even more be removed from 
it, to be less bogon specific and to only describe this kind of filtering 
in concept, with non-specific examples if possible. Do not take the 
draft to be directly associated with the bogon route server or any other BGP 
filtering projects, except that it describes how these kinds of filtering 
services would operate.

-- 
William Leibzon
Elan Networks
william at elan.net
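The consumer side of the filtering route server described in the post above, as an added example that is not part of the original message or of any project it mentions. It models a route server that advertises several lists from one ASN, each list tagged with its own community, and a subscriber that picks only the lists it wants. It also applies the checks the post says today's "bgp hack" feeds need: a feed route must never replace the default route or cover your own prefixes, and feed routes must not leak to external peers. The community values, the discard next hop, the private ASNs and all prefixes are constructed for the example; only AS29467 comes from the post, and the community numbers attached to it here are hypothetical, not the project's.

```python
"""Community-selected BGP filter feed, modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass, field

FEED_AS = 29467                      # route-server ASN named in the post
# Hypothetical community -> list mapping; a real route server would publish
# its own values on a web page, as the post says.
LIST_COMMUNITIES = {
    "bogon": (FEED_AS, 100),
    "spam":  (FEED_AS, 200),
    "ddos":  (FEED_AS, 300),
}
NO_EXPORT = (65535, 65281)           # well-known NO_EXPORT community
DISCARD_NEXT_HOP = "192.0.2.1"       # assumed address routed to null0 locally


@dataclass
class Route:
    prefix: str
    origin_as: int
    communities: set = field(default_factory=set)
    next_hop: str = "0.0.0.0"


def select_feed_routes(routes, wanted_lists, own_prefixes):
    """Return (accepted, rejected) for routes learned from the route server.

    accepted: Route objects rewritten to the discard next hop and tagged
              NO_EXPORT so they stay inside our AS.
    rejected: (prefix, reason) pairs for everything refused.
    Only routes originated by the feed ASN and carrying a community of a
    subscribed list are accepted; 0.0.0.0/0 or ::/0 and any prefix that
    contains or lies inside one of our own networks are refused, so the feed
    can neither replace the default route nor blackhole our own space."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    wanted = {LIST_COMMUNITIES[name] for name in wanted_lists}
    accepted, rejected = [], []
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if r.origin_as != FEED_AS:
            rejected.append((r.prefix, "not from feed AS"))
            continue
        if not (r.communities & wanted):
            rejected.append((r.prefix, "list not subscribed"))
            continue
        if net.prefixlen == 0:
            rejected.append((r.prefix, "default route"))
            continue
        if any(net.version == o.version and (o.subnet_of(net) or net.subnet_of(o))
               for o in own):
            rejected.append((r.prefix, "overlaps own prefix"))
            continue
        accepted.append(Route(r.prefix, r.origin_as,
                              r.communities | {NO_EXPORT}, DISCARD_NEXT_HOP))
    return accepted, rejected


def export_to_ebgp(rib):
    """Routes we would announce to an external peer: anything carrying
    NO_EXPORT or originated by the feed AS is held back, so the feed does
    not leak to outsiders even if a filter upstream was forgotten."""
    return [r for r in rib
            if NO_EXPORT not in r.communities and r.origin_as != FEED_AS]


# Constructed sample feed; prefixes are documentation/shared ranges.
SAMPLE_FEED = [
    Route("100.64.0.0/10", FEED_AS, {LIST_COMMUNITIES["bogon"]}),    # bogon entry
    Route("198.51.100.0/24", FEED_AS, {LIST_COMMUNITIES["spam"]}),   # spam entry
    Route("0.0.0.0/0", FEED_AS, {LIST_COMMUNITIES["bogon"]}),        # would replace default
    Route("203.0.113.0/25", FEED_AS, {LIST_COMMUNITIES["bogon"]}),   # inside our own /24
    Route("10.0.0.0/8", 64496, {LIST_COMMUNITIES["bogon"]}),         # wrong origin AS
]
OWN_PREFIXES = ["203.0.113.0/24"]    # assumed to be our own allocation

if __name__ == "__main__":
    acc, rej = select_feed_routes(SAMPLE_FEED, ["bogon"], OWN_PREFIXES)
    for r in acc:
        print("accept", r.prefix, "->", r.next_hop, sorted(r.communities))
    for prefix, why in rej:
        print("reject", prefix, why)
```

Subscribing to a second list is just a matter of naming it in `wanted_lists`; the origin-AS, default-route and own-prefix checks apply regardless of which lists are chosen, which is the point the post makes about the feed being unsafe without proper filtering.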



