Phishing and BGP Blackholing

Bill Nash billn at billn.net
Wed Jan 3 17:24:38 UTC 2007


On Wed, 3 Jan 2007, Andy Davidson wrote:

> From a 'problem solving' perspective, a Team Cymru-style bgp peer that
> injected very specific routes into their routing table, and matching
> configuration which caused those particular routes to be dropped would be
> ideal.  Additions and deletions would be as close to real-time as possible.
> 
> From a political perspective, I could only advocate to clients such a service
> that had a strict policy of adding routes to addresses because of a provable
> policy infringement.  For example, a route for 1.2.3.4/32 would only be
> announced by my bgp-blacklist peer if it could be demonstrated that a device
> reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp
> relay).... and not because a phishing site was hosted there.  Different
> priorities for different networks I guess ..

disclaimer: I do development work for the company I'm about to endorse.

I endorsed this product before when I was a client. I've since left my 
previous position and gone to work on it. This is one of the very few 
posts I'll ever make that's in any way representative of an employer.

Mainnerve's Darknet product is exactly that: a managed blacklist of 
malicious/hacked sites. Currently, phishing sites and open proxies make 
it into the blacklist, but drone network C&Cs do. Darknet is intended to 
intercept traffic leaving your network to known C&Cs. Currently, this 
involves a device deployed to your network that hosts a BGP peer to your 
network to supply the blackhole routes, redirecting the C&C traffic to the 
darknet device for packet analysis.

I'm currently working on a newer implementation that involves just a BGP 
peering session and a GRE tunnel, to eliminate the hardware deployment and 
simplify the whole process, so it functions very much like the bogon 
filter.

- billn
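A sketch of the feed side of such a blacklist peer, added here as an example and not code from Mainnerve, Team Cymru or either poster: it diffs a reason-tagged blacklist against the host routes currently announced, keeps only /32 entries whose reason matches local policy (Andy's "provable infringement" point), and renders ExaBGP-style announce/withdraw commands. The next hop, the community value, the reason labels and the ExaBGP command syntax are assumptions; the receiving router is assumed to statically route the next hop to Null0 (drop) or to a GRE tunnel interface (redirect for analysis).

```python
"""Generate BGP blackhole announcements from a blacklist feed (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Next hop the receiving router statically routes to Null0 (drop) or to a GRE
# tunnel interface (redirect for analysis). Assumed value; RFC 5737 test address.
BLACKHOLE_NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65000:666"  # assumed local convention, not from the post

# Local policy: only reasons the operator treats as a provable infringement are
# announced; any other category carried by the feed is ignored.
ACCEPTED_REASONS = {"open-http-proxy", "open-socks-proxy", "open-smtp-relay"}


@dataclass(frozen=True)
class Entry:
    prefix: str   # must be a host route, e.g. "203.0.113.5/32"
    reason: str   # hypothetical reason label attached by the feed


def host_route(prefix: str) -> str:
    """Return the normalised host route, refusing anything broader than /32 (or /128)."""
    net = ip_network(prefix, strict=True)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(f"refusing non-host blackhole route {prefix}")
    return str(net)


def plan_updates(previous: set[str], feed: list[Entry]) -> tuple[set[str], set[str], set[str]]:
    """Diff the policy-filtered feed against the routes currently announced.

    Returns (routes to announce, routes to withdraw, new announced state).
    """
    wanted = {host_route(e.prefix) for e in feed if e.reason in ACCEPTED_REASONS}
    return wanted - previous, previous - wanted, wanted


def exabgp_commands(announce: set[str], withdraw: set[str]) -> list[str]:
    """Render ExaBGP API lines (syntax assumed from ExaBGP's docs, not from the post)."""
    lines = [f"announce route {p} next-hop {BLACKHOLE_NEXT_HOP} community [{BLACKHOLE_COMMUNITY}]"
             for p in sorted(announce)]
    lines += [f"withdraw route {p} next-hop {BLACKHOLE_NEXT_HOP}" for p in sorted(withdraw)]
    return lines


if __name__ == "__main__":
    current = {"203.0.113.5/32", "203.0.113.9/32"}            # constructed current state
    feed = [Entry("203.0.113.5/32", "open-http-proxy"),        # still listed: keep
            Entry("198.51.100.7/32", "open-smtp-relay"),       # new listing: announce
            Entry("198.51.100.20/32", "phishing-site")]        # dropped by local policy
    add, drop, state = plan_updates(current, feed)             # 203.0.113.9 is withdrawn
    print("\n".join(exabgp_commands(add, drop)))
```

Running the diff on every feed refresh gives the near-real-time additions and deletions the thread asks for, while the policy filter stays under the operator's control rather than the feed's.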