Phishing and BGP Blackholing
Andy Davidson
andy at nosignal.org
Wed Jan 3 13:15:12 UTC 2007

On 3 Jan 2007, at 01:02, Joy, Dylan wrote:
> I'm curious if anyone can answer whether there has been any
> traction made relative to blocking egress traffic (via BGP) on US
> backbones which is destined to IP addresses used for fraudulent
> purposes, such as phishing sites. I'm sure there are several
> challenges to implementing this...

I have often thought that this would be a brilliant idea (on paper),
when working with one of my clients who suffer regular denial of
service attacks through open http and socks proxies. They are a
multi-homed end site running bgp4 on their edge networks.

From a 'problem solving' perspective, a Team Cymru-style bgp peer
that injected very specific routes into their routing table, and
matching configuration which caused those particular routes to be
dropped would be ideal. Additions and deletions would be as close to
real-time as possible.

From a political perspective, I could only advocate to clients such
a service that had a strict policy of adding routes to addresses
because of a provable policy infringement. For example, a route for
1.2.3.4/32 would only be announced by my bgp-blacklist peer if it
could be demonstrated that a device reachable at 1.2.3.4 was an open
http proxy (or socks proxy, or smtp relay).... and not because a
phishing site was hosted there. Different priorities for different
networks I guess ..

No interest in a service which requires companies running a blocked
proxy to pay before the route/block is lifted. Also no interest in a
service which blocks entire networks in the event of a policy
infringement, only the polluting hosts. I mention this paragraph
thanks to some of the policies of DNS-based email-abuse blacklists.

Phishing is content - when a service opens which filters based on
content, there's a whole new can of worms being opened - what *else*
is abusive content ? Does it stop being abusive content at some
point ? If phishing is abusive, is pornography abuse ? A mouthy
anti-West news agency ?

Anyone going to talk about this at Toronto ? Trying to justify
taking a week 'off' to visit ... ;-)
--
Regards, Andy Davidson
http://www.devonshire.it/ - 0844 704 704 7 - Sheffield, UK
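
The listing policy described in the message above (host routes only, listed only for a demonstrable open http proxy, socks proxy or smtp relay, never for hosted content, with additions and deletions applied as they arrive) can be enforced on the receiving side before anything is installed as a drop route. The following is an added example, not code from the original post or from any existing blacklist service; the feed format, the reason labels and the function names are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumed reason labels for the only listings the policy accepts.
ALLOWED_REASONS = {"open-http-proxy", "open-socks-proxy", "open-smtp-relay"}

def vet_entry(entry):
    """Return (network, None) if the entry may be blackholed, else (None, why)."""
    try:
        net = ipaddress.ip_network(entry["prefix"], strict=True)
    except (KeyError, ValueError) as exc:
        return None, f"unparseable prefix: {exc}"
    # Only the polluting host: /32 for IPv4, /128 for IPv6, never a whole network.
    if net.prefixlen != net.max_prefixlen:
        return None, "covers more than one host"
    if entry.get("reason") not in ALLOWED_REASONS:
        return None, "reason is not a provable policy infringement"
    if not entry.get("evidence"):
        return None, "no evidence attached"
    return net, None

def reconcile(installed, feed):
    """Diff the vetted feed against installed drop routes: (announce, withdraw, rejected)."""
    wanted, rejected = set(), []
    for entry in feed:
        net, why = vet_entry(entry)
        if net is None:
            rejected.append((entry.get("prefix"), why))
        else:
            wanted.add(net)
    order = lambda n: (n.version, n)  # keep IPv4 and IPv6 sortable together
    return (sorted(wanted - installed, key=order),
            sorted(installed - wanted, key=order), rejected)

# Constructed sample feed and currently installed drop routes.
SAMPLE_FEED = [
    {"prefix": "192.0.2.10/32", "reason": "open-http-proxy", "evidence": "CONNECT relayed"},
    {"prefix": "198.51.100.0/24", "reason": "open-socks-proxy", "evidence": "scan"},
    {"prefix": "203.0.113.7/32", "reason": "phishing", "evidence": "url report"},
    {"prefix": "192.0.2.11/32", "reason": "open-smtp-relay", "evidence": ""},
    {"prefix": "2001:db8::25/128", "reason": "open-smtp-relay", "evidence": "relay test"},
]
INSTALLED = {ipaddress.ip_network("192.0.2.99/32")}

if __name__ == "__main__":
    announce, withdraw, rejected = reconcile(INSTALLED, SAMPLE_FEED)
    print("install drop routes:", [str(n) for n in announce])
    print("remove drop routes: ", [str(n) for n in withdraw])
    for prefix, why in rejected:
        print("refused:", prefix, "-", why)
```

Run on each feed update, the withdraw list lifts a block as soon as the listing disappears from the feed, and the rejected list gives an audit trail of entries the feed sent that fell outside the policy.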