RE: RBL-type BGP service for known rogue networks?
Genuity used to do a lot of work with this type of service; they referred me to Paul Vixie for mediation when a site we hosted back when I was at AnaServe decided to spam the world and they blackholed us. Also, Paul Vixie (www.vix.net, I think) has some links to services of this type originally geared towards SPAM, but I'm sure it has these types of capabilities.

-----Original Message-----
From: Dan Hollis [mailto:goemon@sasami.anime.net]
Sent: Thursday, July 06, 2000 11:53 AM
To: 'nanog@merit.edu'
Subject: RBL-type BGP service for known rogue networks?

Is there any RBL-type BGP service for blackholing known rogue networks? Eg, networks which harbor script kiddies and refuse to take any action when notified of ongoing attacks? For instance the network tin.it (194.243.154.0 - 194.243.155.255) appears to be rogue. -Dan
On Thu, 6 Jul 2000, Karyn Ulriksen wrote:
Genuity used to do a lot of work with this type of service; they referred me to Paul Vixie for mediation when a site we hosted back when I was at AnaServe decided to spam the world and they blackholed us.
I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?) -Dan
On Thu, 6 Jul 2000, Karyn Ulriksen wrote:
Genuity used to do a lot of work with this type of service; they referred me to Paul Vixie for mediation when a site we hosted back when I was at AnaServe decided to spam the world and they blackholed us.
and it worked great, until customer/marketing pressures forced us to discontinue using it.
I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)
the bgp-blackhole effect works just the same whether you're after script kids or spammers. -b
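To make the "bgp-blackhole effect" concrete, here is an added example (not configuration posted by anyone on this thread) of the receiving side of such a feed in Cisco IOS syntax. Every value is assumed: the feed peer at 192.0.2.254 in AS 64497, our own AS 64496, the agreed tag community 64496:666, the discard next hop 192.0.2.1, and our own address space 198.51.100.0/24. Routes carrying the tag get their next hop rewritten to an address that is statically routed to Null0, so traffic toward a listed network is discarded; with loose-mode uRPF on the edge interface, traffic from it is dropped as well. The prefix-list and maximum-prefix lines are the guards a list consumer wants: the feed can never blackhole our own prefixes, and a runaway feed cannot flood the table.

```cisco
! Added example, assumed values throughout: consume a BGP blackhole feed
! from a list operator at 192.0.2.254 (AS 64497); our own AS is 64496.
!
! Discard next hop: any route whose next hop resolves here is dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Refuse any feed entry that covers our own space (assumed 198.51.100.0/24).
ip prefix-list OWN-SPACE seq 5 permit 198.51.100.0/24 le 32
!
! Feed entries are tagged with an agreed community (assumed 64496:666).
ip community-list standard BLACKHOLE permit 64496:666
!
route-map BLACKHOLE-IN deny 5
 match ip address prefix-list OWN-SPACE
route-map BLACKHOLE-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
! Anything not tagged by the feed is rejected.
route-map BLACKHOLE-IN deny 20
!
router bgp 64496
 neighbor 192.0.2.254 remote-as 64497
 neighbor 192.0.2.254 description blackhole feed (assumed peer)
 neighbor 192.0.2.254 ebgp-multihop 255
 neighbor 192.0.2.254 route-map BLACKHOLE-IN in
 neighbor 192.0.2.254 maximum-prefix 1000
!
! Optional: also drop packets *from* listed networks. Loose-mode uRPF
! discards any packet whose source has no route other than Null0.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
```

The local-preference bump makes the blackhole route win over any legitimate path to the same prefix, and no-export keeps the rewritten route from leaking to other peers, which is why only tagged routes are ever let through the route-map.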
On Thu, 6 Jul 2000, brett watson wrote:
I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)

the bgp-blackhole effect works just the same whether you're after script kids or spammers.
Yes I KNOW THAT ALREADY. Thank you. Nobody has answered the question if there's any database for script kiddie networks. Yes I know there's already RBL, RSS etc for SPAMMERS and yes I know there's BGP blackholing for SPAMMERS. What nobody is answering is if there's any BGP blackholing service for SCRIPT KIDDIE NETWORKS. Anyone? Anyone? Bueller? -Dan
On 07/06/00, Dan Hollis <goemon@sasami.anime.net> wrote:
What nobody is answering is if there's any BGP blackholing service for SCRIPT KIDDIE NETWORKS.
If there is, they're keeping quiet about it. But, if you've got the time and patience and phone manners required to start and maintain one, perhaps we should talk about it off-list.
--
J.D. Falk, Product Manager, Mail Abuse Prevention System LLC
"Laughter is the sound that knowledge makes when it's born." -- The Cluetrain Manifesto
On Thu, 06 Jul 2000 12:22:09 PDT, Dan Hollis said:
I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)
The biggest problem is that it's a lot easier to verify that a given site is a spamhaus. Remember that source IP addresses (which is all that your border router sees) are forgeable - making for a nice DOS attack. Forge packets from a competitor's site, get them labelled as a skriptz kiddie site, and BGP-blackholed.
--
Valdis Kletnieks, Operating Systems Analyst, Virginia Tech
On Thu, 6 Jul 2000 Valdis.Kletnieks@vt.edu wrote:
The biggest problem is that it's a lot easier to verify that a given site is a spamhaus. Remember that source IP addresses (which is all that your border router sees) are forgeable - making for a nice DOS attack. Forge packets from a competitor's site, get them labelled as a skriptz kiddie site, and BGP-blackholed.
There are ways of confirming, and they wouldn't be blackholed unless it was confirmed. I know the issues with forged source IPs and the blackhole list would take that into account. -Dan
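To show what "taking forged sources into account" could look like on the list maintainer's side, here is an added Python sketch; it is not code from anyone on this thread, and its design choices are assumptions made for the example. Reports are aggregated to /24 (the granularity at which the tin.it range was described), a prefix is listed only when at least three independent reporting networks saw attacks from it within a day, and only reports where the reporter observed a completed TCP handshake count, because a blindly spoofed source address cannot complete one. A protected list keeps the feed from ever emitting the maintainer's own space. All report data below is constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AbuseReport:
    """One attack report submitted to the list maintainer (constructed format)."""
    reporter_asn: int        # network that observed the attack
    source_ip: str           # offending source as the reporter saw it
    seen_at: datetime
    tcp_completed: bool      # reporter saw a full TCP handshake from this source


def aggregate_key(ip: str) -> ipaddress.IPv4Network:
    """Reports are aggregated to /24; the feed lists networks, not hosts."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def candidate_prefixes(reports, min_reporters=3, window=timedelta(hours=24), protected=()):
    """Return /24s that enough independent reporters confirmed inside the window.

    A forged source address can trigger a report, but it cannot complete a TCP
    handshake, and one attacker cannot easily fake reports from several unrelated
    networks, so both conditions must hold before a prefix is listed (assumed policy).
    """
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    if not reports:
        return []
    cutoff = max(r.seen_at for r in reports) - window
    reporters_by_prefix = defaultdict(set)
    for r in reports:
        if r.seen_at < cutoff or not r.tcp_completed:
            continue
        reporters_by_prefix[aggregate_key(r.source_ip)].add(r.reporter_asn)
    listed = []
    for net, asns in reporters_by_prefix.items():
        if len(asns) < min_reporters:
            continue
        if any(net.overlaps(p) for p in protected_nets):
            continue  # never blackhole our own address space
        listed.append(net)
    return sorted(listed)


# Constructed sample reports; addresses are documentation/benchmark ranges.
T0 = datetime(2000, 7, 6, 12, 0)
SAMPLE_REPORTS = [
    # 203.0.113.0/24: three unrelated networks saw completed TCP attacks -> listed
    AbuseReport(64500, "203.0.113.7", T0, True),
    AbuseReport(64501, "203.0.113.9", T0 - timedelta(hours=2), True),
    AbuseReport(64502, "203.0.113.200", T0 - timedelta(hours=5), True),
    # 198.51.100.0/24: three reports, but all from spoofable one-way traffic -> not listed
    AbuseReport(64500, "198.51.100.1", T0, False),
    AbuseReport(64501, "198.51.100.2", T0, False),
    AbuseReport(64502, "198.51.100.3", T0, False),
    # 192.0.2.0/24: only two reporters inside the window; the third is stale -> not listed
    AbuseReport(64500, "192.0.2.10", T0, True),
    AbuseReport(64501, "192.0.2.11", T0 - timedelta(hours=1), True),
    AbuseReport(64502, "192.0.2.12", T0 - timedelta(days=3), True),
    # 198.18.5.0/24 lies inside our own (protected) space -> refused even though confirmed
    AbuseReport(64500, "198.18.5.1", T0, True),
    AbuseReport(64501, "198.18.5.2", T0, True),
    AbuseReport(64502, "198.18.5.3", T0, True),
]
PROTECTED = ["198.18.0.0/15"]


def run_example():
    """Candidate list for the constructed reports, as prefix strings."""
    return [str(n) for n in candidate_prefixes(SAMPLE_REPORTS, protected=PROTECTED)]


if __name__ == "__main__":
    print(run_example())  # ['203.0.113.0/24']
```

The thresholds are deliberately conservative: a single reporter, however loud, can never get a prefix listed, and the one failure mode raised above (spoofed packets from a competitor's space) produces reports that fail the handshake test and are ignored.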
At Thursday 03:39 PM 7/6/00, Valdis.Kletnieks@vt.edu wrote:
The biggest problem is that it's a lot easier to verify that a given site is a spamhaus. Remember that source IP addresses (which is all that your border router sees) are forgeable - making for a nice DOS attack. Forge packets from a competitor's site, get them labelled as a skriptz kiddie site, and BGP-blackholed. --
How about an RFC2644-compliance blacklist? whitelist/blacklist, your choice. Setting up a process to verify compliance with this particular RFC is a daunting task, even for whitelists where network providers actively seek inclusion into such a list. What you do with such a list would be up to you: CAR'ing source packets from networks that are not whitelisted seems like a good idea, just not Cisco CPU-wise. I can think of lots of other RFC-compliance-based white/blacklists, personally, not all of which would require this much effort to verify eligibility. There is none, to my knowledge, as running such lists is not a trivial task in terms of resources and manpower, as the people who run lists like MAPS RBL, RSS, ORBS and others can tell you. One more note on ORBS before my final verdict (after Networkers in Orlando): I have searched extensively for the last few weeks for evidence that something improper was happening as far as announcements and propagation of their routed prefixes goes: nothing hinting at foul play turned up, anywhere.
Karyn Ulriksen wrote:
Genuity used to do a lot of work with this type of service; they referred me to Paul Vixie for mediation when a site we hosted back when I was at AnaServe decided to spam the world and they blackholed us.
Also, Paul Vixie (www.vix.net, I think) has some links to services of this type originally geared towards SPAM, but I'm sure it has these types of capabilities.
The Mail Abuse Prevention System (MAPS) Realtime Blackhole List was the first widely-used service of this type, I think: http://www.mail-abuse.org It can be used via BGP or DNS. But it's only meant for use with spammers, and I don't know if Paul and co. have packaged it up for use by others.
--
North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net
Steve Sobol, BOFH - President, Chief Website Architect and Janitor
Pictures of two of my 'children': http://www.WrinkleDogs.com
About Spamfighters: "We're not net nazis. We're dot communists." - W. Arnold
participants (7): brett watson, Dan Hollis, J.D. Falk, Kai Schlichting, Karyn Ulriksen, Steve Sobol, Valdis.Kletnieks@vt.edu