Phishing and BGP Blackholing

Andy Davidson andy at nosignal.org
Wed Jan 3 13:15:12 UTC 2007


On 3 Jan 2007, at 01:02, Joy, Dylan wrote:

> I'm curious if anyone can answer whether there has been any  
> traction made relative to blocking egress traffic (via BGP) on US  
> backbones which is destined to IP addresses used for fraudulent  
> purposes, such as phishing sites.   I'm sure there are several  
> challenges to implementing this...

I have often thought that this would be a brilliant idea (on paper),  
when working with one of my clients who suffer regular denial of  
service attacks through open http and socks proxies.  They are a  
multi-homed end site running bgp4 on their edge networks.

 From a 'problem solving' perspective, a Team Cymru-style bgp peer  
that injected very specific routes into their routing table, and  
matching configuration which caused those particular routes to be  
dropped would be ideal.  Additions and deletions would be as close to  
real-time as possible.

 From a political perspective, I could only advocate  to clients such  
a service that had a strict policy of adding routes to addresses  
because of a provable policy infringement.  For example, a route for  
1.2.3.4/32 would only be announced by my bgp-blacklist peer if it  
could be demonstrated that a device reachable at 1.2.3.4 was an open  
http proxy (or socks proxy, or smtp relay).... and not because a  
phishing site was hosted there.  Different priorities for different  
networks I guess ..

No interest in a service which requires companies running a blocked  
proxy to pay before the route/block is lifted.  Also no interest in a  
service which blocks entire networks in the event of a policy  
infringement, only the polluting hosts.  I mention this paragraph  
thanks to some of the policies of DNS-based email-abuse blacklists.

Phishing is content - when a service opens which filters based on  
content, there's a whole new can of worms being opened - what *else*  
is abusive content ?  Does it stop being abusive content at some  
point ?  If phishing is abusive, is pornography abuse ?  A mouthy  
anti-West news agency ?


Anyone going to talk about this at Toronto ?  Trying to justify  
taking a week 'off' to visit ... ;-)




-- 
Regards, Andy Davidson
http://www.devonshire.it/  -  0844 704 704 7  - Sheffield, UK





More information about the NANOG mailing list