Congress may require ISPs to block fraud sites H.R.3817

Bill Stewart nonobvious at gmail.com
Mon Nov 9 04:38:51 UTC 2009


If you're a consumer broadband provider, and you use a DNS blackhole
list so that any of your subscribers who tries to reach
bigbank1.fakebanks.example.com gets redirected to
fakebankwebsitelist.sipc.gov, you might be able to claim that you
complied with the law, though the law's aggressive enough that it
could be argued otherwise.

If you're a transit ISP providing upstream bandwidth to the broadband
provider, and some packets are addressed to 1.1.1.257, which is the IP
address of a hosting site in Elbonia that carries
bigbank1.fakebanks.example.com and innocent.bystander.example.com, the
fact that the broadband ISP was using a DNS blackhole list doesn't
protect you, because you're still routing packets to 1.1.0.0/16.  You
could set up a /32 route to send that traffic to null0, censoring
innocent.bystander.example.com, or you could get fancy and route it to
some squid proxy that cleans up the traffic.  But of course the
phisher could be using fast-flux, so 5 minutes later that trick no
longer works, and by tomorrow the 100,000 phishing websites on the
list have added 1,000,000 routes to your peering routers...  Not
pleasant, but you don't really have much alternative.

-- 
----
             Thanks;     Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
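As an added illustration (not part of Bill's post): a small Python script that, given constructed hostname-to-IP resolutions, computes the /32 null routes a transit ISP would need, which unlisted hostnames on the same shared host they would also black-hole, and how the route set churns when fast-flux moves the phishing hosts. All hostnames and addresses below are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original post): observed
# hostname -> IPv4 resolutions at two points in time. Addresses are
# RFC 5737 documentation ranges.
PHISHING_HOSTS = {"bigbank1.fakebanks.example.com",
                  "bigbank2.fakebanks.example.com"}

RESOLUTIONS_T0 = {
    "bigbank1.fakebanks.example.com": "198.51.100.10",
    "innocent.bystander.example.com": "198.51.100.10",  # same shared host
    "bigbank2.fakebanks.example.com": "198.51.100.20",
    "shop.example.net": "198.51.100.30",
}
RESOLUTIONS_T1 = {  # five minutes later: fast-flux has moved the phish
    "bigbank1.fakebanks.example.com": "203.0.113.5",
    "innocent.bystander.example.com": "198.51.100.10",
    "bigbank2.fakebanks.example.com": "203.0.113.6",
    "shop.example.net": "198.51.100.30",
}


def null_routes(resolutions, phishing_hosts):
    """Return the set of /32 prefixes (as strings) a transit ISP would
    have to point at null0 to black-hole every listed phishing host."""
    return {f"{resolutions[h]}/32" for h in phishing_hosts if h in resolutions}


def collateral(resolutions, phishing_hosts, routes):
    """Map each route to the unlisted hostnames it would also black-hole.
    Works for any prefix length, so it also shows how aggregating the
    /32s into a covering prefix widens the collateral damage."""
    nets = [ipaddress.ip_network(r) for r in routes]
    hit = defaultdict(set)
    for host, ip in resolutions.items():
        if host in phishing_hosts:
            continue
        for net in nets:
            if ipaddress.ip_address(ip) in net:
                hit[str(net)].add(host)
    return dict(hit)


def route_churn(installed, current):
    """Return (routes to add, routes now stale). If stale routes are
    never withdrawn, the null-route table only ever grows."""
    return current - installed, installed - current
```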
