Daniel Golding wrote:
Gadi,
This report isn't terribly useful without the IP addresses (or URLs) in question. How could an ISP start investigating and/or null routing these addresses without having the list?
I suppose I'm skeptical because some of those ASNs are not big content hosters. Some are transit-only ASN's.
Also, if you are using WHOIS to check the IP addresses for their owner, how are you correlating to ASN? Through an IRR? Or is there a route lookup somewhere in the mix?
Even if you won't release full data (although I can't imagine why not), you need to fully disclose the methodology. "Digested" is insufficient when ISPs and hosters are being called out by name.
To answer all your above welcomed questions... We will release the data we can, sorry. That said - We are looking for ways to release the actual IP's (phishing web pages) information in a sort of a blacklisting service. Currently the data is mixed with suspected CP sites and that's a no-no for release. There are steps to take, and you are right - that's one of them, and perhaps even more important than we currently believe. As to the usefulness of this particular report, it is about showing the problem, not killing sites. As to "proving" to the ISP's - Each of the respected service providers can contact us and get the information directly, and then make up their own minds. As to the exact methodology used, I'll have to refuse to divulge that information publicly at this time. You don't have to believe the data. You can believe in some of the public names associated with this work. Statistics may be a "blown out of proportions" word here, as all we do in this particular case is count. And sorry, we'll keep calling these service providers by name, and "put our money where our mouth is" when they ping us back, like we did with The Planet, PNAP, KrCERT and others on our botnets C&C report. Also, we give credit where credit is due to service providers who show they are serious. Keep in mind, although we won't go for "amateur" work, this is volunteer work. :) Gadi.