Re: BGP list of phishing sites?
warning. this is about humans rather than about IOS configs. hit D now.
Also, an "easy fix" like this may lower the pressure on the parties who are really responsible for allowing this to happen: the makers of insecure software / insecure operational procedures (banks!) and gullible users.
actually, a bgp feed of this kind tends to supply the "missing causal vector" whereby someone who does something sloppy or bad ends up suffering for it.
??? I don't understand?
the root cause of network abuse is humans and human behaviour, not hardware or software or corporations or corporate behaviour. if most people weren't sheep-like, they would pay some attention to the results of their actions and inactions. actions like buying something from a spammer or clicking the "unsubscribe me" button in spam mail, or running microsoft outlook. inactions like not installing patches that microsoft has supplied free of charge over the years. inactions like leaving their cable/DSL pee cee up 24x7 and never wondering why the activity light on their modem flickers constantly. but the vast majority of humanity is and has always been sheep-like. while i could talk about certain election victories and other meatspace examples, that would be even more off-topic than we already are, so let's just put it like this: if you want people to notice the results of their actions and inactions, then they have to be brought into the equation. don't let worms be symbiotic, make them host-killing parasites, and that will make the host bodies sit up and take notice. this trick works every time.
... the internet is very survivable and the necessary traffic always finds a way to get through. fixing layer >7 problems by denying layer 3 service has indeed proven to be the only way to get remote CEO's to care (or notice).
Still, anti-spam blacklists are pretty much universally applied inside SMTP implementations these days. So if 3828747.dhcp.bigcable.com is blacklisted because it sources spam, people subscribing to the blacklist will no longer receive spam from that host, but the host is still capable of interacting with the net in general and the blacklist users in particular over a host of other protocols.
i'm trying to figure out why you think it's in your best interest to limit the impact of your defensive activities, or to limit the impact of sheep-like behaviour on the sheep-like humans who own these infected hosts. in psychobabble the term that would best apply to your proposal is "enabler". why do you want to enable this kind of sheep-like behaviour? what's in it for you? if you think it'll leave more pee cee's online and able to access your shopping cart system that's one thing. but if you think you're somehow helping the owners of these pee cees you're wrong. and you are in fact hurting yourself, and the rest of us, every time you choose to be an "enabler" rather than letting these people stew in their own sheep-like juices. if it's easier for you to BGP-blackhole these bad sources and the only reason you don't is because you think it would be unfair, then you're part of the problem and you're helping to make the problem worse.
... My position is that end-user networks should decide for themselves if this is something they want, but it would be wrong for transit networks to make these decisions for all their customers, especially as they seem to be growing more and more impervious to incoming email or phone support requests that require knowledge of the proper order of the letters "I" and "P".
thanks for explaining your position, and very clearly i might add. we're not so different -- i think "decide for themselves" is the right meme. but where we differ is on the questions of ownership and responsibility. every network has to take responsibility for the traffic it spews, and cannot just say "take it up with my customer" since they're getting paid to make the spew possible. and every network has to be able to say "this shall not pass!" concerning traffic that does not match their "AUP", and the only recourse their customers can have is to sign up with a different network. naturally, sean's and chris's employers don't see it that way at all, and prefer to take no responsibility and exercise no control, except where revenue is concerned.
On Mon Jun 28, 2004 at 04:47:21PM +0000, Paul Vixie wrote:
if it's easier for you to BGP-blackhole these bad sources and the only reason you don't is because you think it would be unfair, then you're part of the problem and you're helping to make the problem worse.
It's wholly unfair to the innocent parties affected by the blacklisting, i.e. the collateral damage. Say a phishing site is "hosted" by geocities. Should geocities IP addresses be added to the blacklist? What if it made it onto an akamaized service? Should all of akamai be blacklisted?

LINX produced a paper recently on why BGP poisoning is exactly the wrong answer to removing access to undesirable web content (i.e. phishing sites). I've asked if it can be made public.

Simon

--
Simon Lockhart | Tel: +44 (0)1628 407720 (x(01)37720) | Si fractum
Technology Manager | Fax: +44 (0)1628 407701 (x(01)37701) | non sit, noli
BBC Internet Ops | Email: Simon.Lockhart@bbc.co.uk | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
Simon Lockhart wrote:
It's wholly unfair to the innocent parties affected by the blacklisting, i.e. the collateral damage.
You'll get burned anyway in a bad neighborhood because of the bandwidth consumed by the crap.
Say a phishing site is "hosted" by geocities. Should geocities IP addresses be added to the blacklist?
What if it made it onto an akamaized service? Should all of akamai be blacklisted?
As with any list, whitelisting space that takes care of complaints is always an option.
LINX produced a paper recently on why BGP poisoning is exactly the wrong answer to removing access to undesirable web content (i.e. phishing sites). I've asked if it can be made public.
Looking forward to it. Pete
--On 28 June 2004 18:43 +0100 Simon Lockhart <simon.lockhart@bbc.co.uk> wrote:
It's wholly unfair to the innocent parties affected by the blacklisting, i.e. the collateral damage.
Say a phishing site is "hosted" by geocities. Should geocities IP addresses be added to the blacklist?
What if it made it onto an akamaized service? Should all of akamai be blacklisted?
This is an issue wider than spam, phishing, etc. That would depend on whether your block by IP address (forget whether this is BGP black hole lists, DNSRBL for SMTP etc.) is of a) IP addresses that happen to have $nasty at one end of them; or b) IP addresses for which no abuse desk even gives a response (even "we know, go away") when informed of $nasty. It also depends on whether your response is "drop all packets" (a la BGP blackhole) or "apply greater sanctions".

Seems to me (b) is, in general, a lot more reasonable than (a), particularly where there is very likely >1 administrative zone per IP address (for example HTTP/1.1). It also better satisfies Paul's criterion of being more likely to engender better behaviour (read: responsibility of network operators for downstream traffic) if the behaviour of the reporter is proportionate & targeted.

WRT "apply greater sanctions", it is possible of course, though perhaps neither desirable nor scalable, to filter at layer>3 all sites on given IPs to minimize collateral damage. See http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/ This is effectively what tools like spamassassin do when taking RBL type feeds as a scoring input to filtering, in a mail context.

Alex
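The (a)/(b) listing criteria and the "drop all packets" versus "apply greater sanctions" split above, together with Simon's shared-hosting question and Petri's point about whitelisting space that handles complaints, written out as one small policy function. This is an added example, not code from the thread or from any product or list mentioned in it; the feed format, the hostnames, the vhost map, the whitelist and the addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
"""Proportionate, targeted sanctions versus drop-everything-by-IP.

Added illustration, not code from the thread. All feed entries, vhost
mappings, whitelist networks and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Listing:
    """One entry of a hypothetical abuse feed (constructed format)."""
    ip: str
    hostname: str                # offending vhost if known, else ""
    abuse_desk_responded: bool   # did the responsible network answer?
    weight: float = 1.0          # contribution to a score, RBL-style


# Constructed feed: 203.0.113.10 is a shared web host with one phishing
# vhost whose provider answered the complaint; 198.51.100.7 is an
# infected DHCP host whose ISP never replies to anything.
FEED = [
    Listing("203.0.113.10", "login-bank.example", True, 1.0),
    Listing("198.51.100.7", "", False, 3.0),
]

# Constructed vhost map: several administrative zones share one address
# (HTTP/1.1 name-based virtual hosting), which is where an IP-level
# block turns into collateral damage.
VHOSTS = {
    "203.0.113.10": ["login-bank.example", "family-photos.example",
                     "club-newsletter.example"],
    "198.51.100.7": [],
}

# Hypothetical whitelist: space whose operators act on complaints.
WHITELIST = [ip_network("203.0.113.0/24")]


def listings_for(ip, feed=FEED):
    """All feed entries for one address (validated as an IP first)."""
    ip_address(ip)
    return [entry for entry in feed if entry.ip == ip]


def collateral(ip, reported_host, vhosts=VHOSTS):
    """Names a layer-3 block of ip would cut off that were never reported."""
    return sorted(h for h in vhosts.get(ip, []) if h != reported_host)


def is_whitelisted(ip, whitelist=WHITELIST):
    addr = ip_address(ip)
    return any(addr in net for net in whitelist)


def decide(ip, host="", feed=FEED, whitelist=WHITELIST, threshold=2.0):
    """Return (action, score) for traffic involving ip and HTTP Host host.

    Order of precedence:
      1. a reported vhost is refused at layer 7 (targeted, no collateral);
      2. whitelisted space never loses layer-3 service;
      3. an address with no abuse-desk response and enough accumulated
         weight is dropped outright (criterion (b) plus "drop all packets");
      4. anything else only carries a score for downstream filtering,
         the way an RBL feeds a scoring filter rather than a hard reject.
    """
    hits = listings_for(ip, feed)
    score = sum(entry.weight for entry in hits)
    if not hits:
        return ("allow", 0.0)
    if host and any(entry.hostname == host for entry in hits):
        return ("refuse_vhost", score)
    if is_whitelisted(ip, whitelist):
        return ("allow", score)
    if score >= threshold and not any(e.abuse_desk_responded for e in hits):
        return ("drop", score)
    return ("tag", score)


if __name__ == "__main__":
    for ip, host in [("203.0.113.10", "login-bank.example"),
                     ("203.0.113.10", "family-photos.example"),
                     ("198.51.100.7", ""), ("192.0.2.1", "")]:
        print(ip, host or "-", decide(ip, host))
    print("blackholing 203.0.113.10 would also cut off:",
          collateral("203.0.113.10", "login-bank.example"))
```

The `collateral` helper is the geocities/akamai question made concrete: before a whole address goes into a blackhole feed, list what else answers on it. Dropping the whitelist (pass `whitelist=[]`) shows the fallback: the shared host is merely tagged with its score, while the unresponsive infected host is still dropped.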
On 28-jun-04, at 18:47, Paul Vixie wrote:
the root cause of network abuse is humans and human behaviour, not hardware or software or corporations or corporate behaviour. if most people weren't sheep-like, they would pay some attention to the results of their actions and inactions.
It's easy to blame the user, and usually they deserve it, even if they're innocent this time they're guilty of something else. But if software is created in such a way that regular users manage to screw up consistently, maybe the software can be improved rather than the user chastised?
actions like buying something from a spammer or clicking the "unsubscribe me" button in spam mail,
The problem is that a few in a thousand that do this ruin things for the rest. In anything involving humans it's useless to expect the right thing to happen 100% of the time.
or running microsoft outlook.
Can't argue with you there.
inactions like leaving their cable/DSL pee cee up 24x7 and never wondering why the activity light on their modem flickers constantly.
:-) My cable modem activity light starts blinking as soon as there is a link and never stops. A /20 can generate a significant amount of ARP traffic during the best of times...
if you want people to notice the results of their actions and inactions, then they have to be brought into the equation.
Ah, you are a BOFH follower. Unfortunately, rudeness rarely results in enlightenment.
Still, anti-spam blacklists are pretty much universally applied inside SMTP implementations these days. So if 3828747.dhcp.bigcable.com is blacklisted because it sources spam, people subscribing to the blacklist will no longer receive spam from that host, but the host is still capable of interacting with the net in general and the blacklist users in particular over a host of other protocols.
i'm trying to figure out why you think it's in your best interest to limit the impact of your defensive activities, or to limit the impact of sheep-like behaviour on the sheep-like humans who own these infected hosts.
That's not what I'm worried about. If people do the wrong thing, by all means let them suffer the consequences so they may think twice about doing it again. What worries me is the potential for hurting innocent bystanders, or even active subversion of these mechanisms. I mean, what better way to DoS someone than have them put on a blacklist?
i think "decide for themselves" is the right meme.
Good!
but where we differ is on the questions of ownership and responsibility. every network has to take responsibility for the traffic it spews, and cannot just say "take it up with my customer" since they're getting paid to make the spew possible. and every network has to be able to say "this shall not pass!" concerning traffic that does not match their "AUP", and the only recourse their customers can have is to sign up with a different network.
I think the one true way is to be found somewhere between the extremes of controlling every little thing a customer does and not doing anything. But the real issue is that this is even necessary. The biggest problem we have with IP is that it doesn't provide a way for a receiver to avoid having to receive unwanted packets. It would be extremely useful if we could fix that.
On Jun 28, 2004, at 6:24 PM, Iljitsch van Beijnum wrote:
On 28-jun-04, at 18:47, Paul Vixie wrote:
the root cause of network abuse is humans and human behaviour, not hardware or software or corporations or corporate behaviour. if most people weren't sheep-like, they would pay some attention to the results of their actions and inactions.
It's easy to blame the user, and usually they deserve it, even if they're innocent this time they're guilty of something else. But if software is created in such a way that regular users manage to screw up consistently, maybe the software can be improved rather than the user chastised?
Software definitely needs to improve. However, if you mailed out an attachment with the subject "this is a virus, do not click on it", encrypted it and put the password in the body, the virus would still spread like wildfire. Never underestimate the power of human stupidity.

Which is why blacklists that depend on the ISP to continually train "lusers" or risk disconnectivity for non-stupid users may not be the right approach. People who run such ISPs CANNOT train all lusers all the time. And the alternative is to not have end-user ISPs (i.e. not an option). Or maybe that is the way to go. I really don't know at this point.

But I do know if I were still running an ISP, I would instantly filter any user / host / netblock proven to be infected / C&C / phishing site / etc. And I would not subscribe to any blacklist which had entries for non "bad" IPs. As I Am Not An ISP, I can only vote with my dollars. Your network, your decision. My dollars, my decision. And I buy a lot of bandwidth.... :)

--
TTFN,
patrick
participants (6)
- Alex Bligh
- Iljitsch van Beijnum
- Patrick W Gilmore
- Paul Vixie
- Petri Helenius
- Simon Lockhart