Phishing and BGP Blackholing
billn at billn.net
Wed Jan 3 01:20:01 UTC 2007
The biggest challenge I can see is scrubbing phishing reports that
aren't.. themselves.. maliciously crafted phishing attacks against a
registry of such addresses. Likewise, since BGP isn't application aware,
when you blackhole an address that's both website and mail server, how do
you inform the end user about their problem, or get a notice from them
that it's been fixed?
This kind of solution has a huge trust factor hole in it.
Distributing a BGP based blackhole list is trivial. The intelligence that
goes into it is the hard part. There are companies that provide managed
services like this (bgp blackhole route servers for known problem sites,
like drone C&C's). (disclaimer: I do development for one.)
On Tue, 2 Jan 2007, Joy, Dylan wrote:
> Happy New Year all,
> I'm curious if anyone can answer whether there has been any traction
> made relative to blocking egress traffic (via BGP) on US backbones which
> is destined to IP addresses used for fraudulent purposes, such as
> phishing sites.
> I'm sure there are several challenges to implementing this...
> Dylan Joy
> Network Security Analyst, BECU
> NOTICE: This communication and any attachments may contain privileged or otherwise confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received without printing, copying, retransmitting, disseminating, or otherwise using the information. Thank you.
More information about the NANOG