AS11296 -- Hijacked?
franck at genius.com
Wed Sep 29 19:04:16 CDT 2010
Isn't this what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/
List bad ASNs after proper investigation?
It then depends on whether you trust Team Cymru or not, just as you would or would not trust Spamhaus...
----- Original Message -----
From: "Heath Jones" <hj1980 at gmail.com>
To: "Robert Bonomi" <bonomi at mail.r-bonomi.com>
Cc: nanog at nanog.org
Sent: Wednesday, 29 September, 2010 4:38:12 PM
Subject: Re: AS11296 -- Hijacked?
I don't think you quite get it. Don't worry, you don't seem to be alone.
The point here is simple. If someone posts making a recommendation for
every AS to filter some prefixes, and does not provide any references by
default, it's not helpful.
When questioned about the rationale, if said person then declines to
provide evidence, the picture starts to form.
It is relatively easy to detect spam; it is easy to have enough
honeypots & filters matching corresponding BGP lookups to find out
path information. Immediately you have a technique which - regardless
of the lists a spammer reads - will catch spammers. By working as a
community, the accuracy and speed of detection increases. By sharing
information, things improve.
The problem is certainly not detection!! (in contrast to the claimed
need to hide detection methods)
Posting to a list like this telling everyone to block traffic might be
ok in some people's eyes, but there are a few problems:
1) No peer review. The data has not been checked, the prefixes might
be incorrect. The methods might be completely wrong - who knows! This
is certainly the #1 issue.
2) Length of time to implement. Most serious ASs would do sanity
checking and even possibly a change window or at least a signoff.
3) Post-advertisement removal. What process do ASs have in place to
check and remove these rules? More sanity checking and another change.
4) The comment about ARIN, as if to imply that they are supposed to
somehow 'police' the internet. This shows a complete lack of
understanding of the architecture of the internet.
5) A person who blocks gmail for their own - non customer affecting -
mail server cannot be in a position to advise of real - customer
affecting - changes, and shows a recklessness towards ad hoc blocking.
As a hypothetical situation, say a new customer pops up on a network
with a prefix and origin that haven't been seen before.
This customer badly configured their mail server; it's an open relay.
Spammers, being smart, watch new BGP advertisements knowing that this
might be the case.
Some kind sir sees the spam coming from the open relay and posts on
here, telling everyone to block it, thus completely killing the new
customer network before it's even got off the ground properly.
By the time it has come around, half the ISPs are blocking it and they
are completely screwed, all because of 1 mistake and someone not having
their information peer reviewed and no action to notify or help out.
Posting ASs & prefixes for people to block without any questioning is
just plain stupid and not the way to handle it.
If the goal is to get rid of spam, then why not put brains together
and come up with a much better system. IETF? Independent working
I can think of a number of ideas as I am typing this that could be
beneficial. I am happy of course to share with anyone interested.
Sure, people can post pretty much what they want and people can choose
to use or ignore, but we are a bit past that argument now.
There has been (to use your method) *zero* technical reasons
supporting the argument of blocking these prefixes. If you know of
one, please voice it.
ps. I have also received posts offline about the support for blocking
gmail / hotmail / whatever. I can appreciate that it is your own
personal infrastructure, you have your reasons, and if it works for
you then good. I certainly wouldn't do it for my customers, otherwise
they would constantly call. Phone spam :)