BGP list of phishing sites?
Happy Sunday nanogers...

I was doing some follow up reading on the "js.scob.trojan", the latest "hole big enough to drive a truck through" exploit for Internet Explorer. One of the things the article mentioned is that ISP/NSPs are shutting off access to the web site in Russia where the malware is being downloaded from.

Now we've done this in the past when a known target of a DDOS was upcoming or a known website hosted part of a malware package, and it is fairly effective in stopping the problems.

So what I was curious about is would there be interest in a BGP feed (like the DNSBLs used to be) to null route known malicious sites like that?

Obviously, both operational guidelines, and trust of the operator would have to be established, but I was thinking it might be useful for a few purposes:

1> IP addresses of well known sources of malicious code (like in the example above)
2> DDOS mitigation (ISP/NSP can request a null route of a prefix which will save the "Internet at large" as well as the NSP from the traffic flood)
3> etc

Since the purpose of this list would be to identify and mitigate large scale threats, things like spammers, etc would be outside of its charter.

If anyone thinks this is a good (or bad) idea, please let me know. Obviously it's not fully cooked yet, but I wanted to throw it out there.

Thanks
-Scott
On Sun, 27 Jun 2004, Scott Call wrote:
Happy Sunday nanogers...
I was doing some follow up reading on the "js.scob.trojan", the latest "hole big enough to drive a truck through" exploit for Internet Explorer.
One of the things the article mentioned is that ISP/NSPs are shutting off access to the web site in Russia where the malware is being downloaded from.
Now we've done this in the past when a known target of a DDOS was upcoming or a known website hosted part of a malware package, and it is fairly effective in stopping the problems.
So what I was curious about is would there be interest in a BGP feed (like the DNSBLs used to be) to null route known malicious sites like that?
don't reinvent the wheel: www.cymru.com has a project already under way for this, with many operators participating at this time.
On 27-jun-04, at 20:17, Scott Call wrote:
One of the things the article mentioned is that ISP/NSPs are shutting off access to the web site in Russia where the malware is being downloaded from.
Now we've done this in the past when a known target of a DDOS was upcoming or a known website hosted part of a malware package, and it is fairly effective in stopping the problems.
So what I was curious about is would there be interest in a BGP feed (like the DNSBLs used to be) to null route known malicious sites like that?
I'm sure there is; but I'm slightly worried that transit networks may be tempted to subscribe to such a feed and in essence start censoring their customers' access to the net. Also, an "easy fix" like this may lower the pressure on the parties who are really responsible for allowing this to happen: the makers of insecure software / insecure operational procedures (banks!) and gullible users. Fixing layer 7+ problems at layer 3 just doesn't work and leads to significant collateral damage in the long run.
So what I was curious about is would there be interest in a BGP feed (like the DNSBLs used to be) to null route known malicious sites like that?
i dunno much about this new-fangled "DNSBL" thing you speak of, but the original MAPS RBL is still alive and well and available by BGP. the fine folks now running MAPS include Dave Rand (my co-founder) and if you visit their web site (www.mail-abuse.org) you can probably figure out how to sign up for it. there's a fee involved, but there are lawyers involved, and those two things seem to come in pairs.
I'm sure there is; but I'm slightly worried that transit networks may be tempted to subscribe to such a feed and in essence start censoring their customers' access to the net.
we (speaking for the original MAPS which i still had a hand in operating) faced that from most bgp-subscribing customers. there are easy workarounds.
Also, an "easy fix" like this may lower the pressure on the parties who are really responsible for allowing this to happen: the makers of insecure software / insecure operational procedures (banks!) and gullible users.
actually, a bgp feed of this kind tends to supply the "missing causal vector" whereby someone who does something sloppy or bad ends up suffering for it.
Fixing layer 7+ problems at layer 3 just doesn't work and leads to significant collateral damage in the long run.
that's what everybody always said about MAPS but it didn't happen. the internet is very survivable and the necessary traffic always finds a way to get through. fixing layer >7 problems by denying layer 3 service has indeed proven to be the only way to get remote CEOs to care (or notice).

-- Paul Vixie
http://www.news.com.au/common/story_page/0,4057,9975753%255E1702,00.html

-Henry
On Sun, 27 Jun 2004, Scott Call wrote:
One of the things the article mentioned is that ISP/NSPs are shutting off access to the web site in Russia where the malware is being downloaded from.
Now we've done this in the past when a known target of a DDOS was upcoming or a known website hosted part of a malware package, and it is fairly effective in stopping the problems.
So what I was curious about is would there be interest in a BGP feed (like the DNSBLs used to be) to null route known malicious sites like that?
Obviously, both operational guidelines, and trust of the operator would have to be established, but I was thinking it might be useful for a few purposes:
1> IP addresses of well known sources of malicious code (like in the example above)
2> DDOS mitigation (ISP/NSP can request a null route of a prefix which will save the "Internet at large" as well as the NSP from the traffic flood)
3> etc
Since the purpose of this list would be to identify and mitigate large scale threats, things like spammers, etc would be outside of its charter.
If anyone thinks this is a good (or bad) idea, please let me know. Obviously it's not fully cooked yet, but I wanted to throw it out there.
Personally - bad.

So what do you want to include in this list.. phishing? But why not add bot C&C, bot clients, spam sources, child porn, warez sites. Or if you live in a censored region add foreign political sites, any porn, or other messages deemed bad.

Who maintains the feed, who checks the sites before adding them, who checks them before removing them?

What if the URL is a subdir of a major website such as aol.com or ebay.com or angelfire.com ... what if the URL is a subdir of a minor site, such as yours or mine?

What if there is some other dispute over a null'ed IP, suppose they win, can they be compensated?

Does this mean the banks and folks don't have to continue to remove these threats now if the ISP does it? Does it mean the bank can sue you if you fail to do it?

What if you leak the feed at your borders, I may not want to take this from you and now I'm accidentally null routing it to you. Should you leak this to downstream ASNs? Should you insist your Tier1 provides it and leaks it to you?.. just you or all customers?

What if someone mistypes an IP and accidentally nulls something real bad(TM)? What if someone compromises the feeder and injects prefixes maliciously?

What about when the phishers adapt and start changing DNS to point to different IPs quickly, will the system react quicker? Does that mean you apply less checks in order to get the null route out quicker?

Is it just /32s or does it need to be larger prefixes in the future? Are there other ways conceivable to beat such a system if it became widespread (compare to spammer tactics)?

What if this list gets to be large? Do we want huge amounts of /32s in our internal routing tables?

What if the feeder becomes a focus of attacks by those wishing to carry out phishing or other illegal activities? This has certainly become a hazard with spam RBLs.

Any other thoughts?

Steve
On Jun 28, 2004, at 1:56 PM, Stephen J. Wilcox wrote:
Personally - bad.
Another personal response (edited from my response to the LINX paper):

Fighting "phishing" web sites is a necessary and important task. Of course, part of why it is necessary is because end users are ignorant, untrained, and/or gullible. But the fact remains that phishing is a burden on society and the Internet.

Unfortunately, I worry that this cure is worse than the disease. Filtering IP addresses is not the right way to attack these sites - they move too quickly and there is too much danger of collateral damage.

Perhaps even more dangerous is the need for verification. For the list to be at all effective, it has to move very, very quickly, as the phishing sites move very quickly. Creating an environment where the list is updated quickly increases the chance of mistakes or even malicious filtering.

In short, I cannot see a BGP list actually cutting down on phishing without massive collateral damage. Reducing the collateral damage will likely make the list ineffective against phishing sites. The combination makes this a no-win situation.

All, IMHO, of course. :)

-- TTFN, patrick
On Mon, 28 Jun 2004, Patrick W Gilmore wrote:
Unfortunately, I worry that this cure is worse than the disease. Filtering IP addresses is not the right way to attack these sites - they move too quickly and there is too much danger of collateral damage.
I think part of the point of this blacklist is similar to other blacklists. It makes providers remove their head from their ass and actually start cleaning up their networks. When a provider hosts a phishing site for _weeks on end_ and does _nothing_ despite being notified repeatedly, sometimes a blacklist is the only cluebat strong enough to get through the provider's thick skull. -Dan
On Jun 28, 2004, at 2:43 PM, Dan Hollis wrote:
On Mon, 28 Jun 2004, Patrick W Gilmore wrote:
Unfortunately, I worry that this cure is worse than the disease. Filtering IP addresses is not the right way to attack these sites - they move too quickly and there is too much danger of collateral damage.
I think part of the point of this blacklist is similar to other blacklists. It makes providers remove their head from their ass and actually start cleaning up their networks.
When a provider hosts a phishing site for _weeks on end_ and does _nothing_ despite being notified repeatedly, sometimes a blacklist is the only cluebat strong enough to get through the provider's thick skull.
If the blacklist is only for sites which are weeks, or even a couple days old, that probably would remove most of the objections. (I _think_ - I have not considered all the ramifications, but it sounds like a plausible compromise.) Unfortunately, that type of blacklist wouldn't stop 99% of the phishing scams in operation. -- TTFN, patrick
PWG> Date: Mon, 28 Jun 2004 15:04:59 -0400
PWG> From: Patrick W Gilmore
PWG> If the blacklist is only for sites which are weeks, or even a couple days old, that probably would remove most of the objections. (I _think_ - I have not considered all the ramifications, but it sounds like a plausible compromise.)

Put entries in without delay. Let operators configure BGP-munching boxen with a delay timer.

PWG> Unfortunately, that type of blacklist wouldn't stop 99% of the phishing scams in operation.

The sites do seem to move around. :(

Anyone care for another round of discussion re PKI, DNSSEC, and authenticated SMTP? ;)

Eddy
-- EverQuick Internet - http://www.everquick.net/
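Steve's checklist (prefix length, mistyped IPs, shared hosts, table size, a compromised feeder) and Eddy's suggestion that the feed publish immediately while each operator runs a local delay timer both describe controls that belong at the feed consumer, before an entry becomes a route. The block below is an added example written for this page, not code from the thread or from any of the feeds it mentions (Cymru, MAPS). The feed lines are constructed, the addresses are RFC 5737 documentation ranges, and the names validate_entry, FeedGate, as_null_routes and the 600-second delay are my assumptions.

```python
"""Consumer-side gate for a BGP null-route feed (added example, not the thread's code).

Controls modelled, each one raised in the thread:
  - only host routes (/32) are accepted; a /24 in the feed is refused
  - bogon/private space and operator-protected prefixes are refused
    (a mistyped IP, or a /32 inside a large shared host you will not null)
  - a hard cap on how many feed entries may live in the table
  - an operator-configurable delay before an entry is acted on, so a bad
    entry that is withdrawn quickly never reaches the routers
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed bogon list: RFC 1918, loopback, link-local, multicast, "this" net.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def validate_entry(prefix_str, protected, min_prefixlen=32, max_prefixlen=32):
    """Return (ok, reason). Rejects malformed, non-/32, bogon and protected space."""
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:                      # covers a mistyped octet like .300
        return False, "unparseable prefix"
    if net.version != 4:
        return False, "IPv4 only in this example"
    if not (min_prefixlen <= net.prefixlen <= max_prefixlen):
        return False, "prefix length outside policy (%d)" % net.prefixlen
    for b in BOGONS:
        if net.overlaps(b):
            return False, "bogon/private space"
    for p in protected:
        if net.overlaps(p):
            return False, "overlaps protected prefix %s" % p
    return True, "ok"


@dataclass
class FeedGate:
    protected: list          # prefixes this operator will never null-route
    delay: int               # seconds an entry must survive before it is active
    max_entries: int         # cap on feed-sourced routes in the table
    pending: dict = field(default_factory=dict)   # network -> time received
    rejected: dict = field(default_factory=dict)  # prefix string -> reason

    def receive(self, prefix_str, now):
        """Accept a feed entry into the pending set; the timer starts at `now`."""
        ok, reason = validate_entry(prefix_str, self.protected)
        if not ok:
            self.rejected[prefix_str] = reason
            return False
        net = ipaddress.ip_network(prefix_str)
        if net not in self.pending:
            if len(self.pending) >= self.max_entries:
                self.rejected[prefix_str] = "table cap reached"
                return False
            self.pending[net] = now
        return True

    def withdraw(self, prefix_str):
        """A withdrawal before the timer fires means the entry never went live."""
        try:
            net = ipaddress.ip_network(prefix_str)
        except ValueError:
            return
        self.pending.pop(net, None)

    def active(self, now):
        """Prefixes whose delay has expired: the only ones to push to routers."""
        return sorted(str(n) for n, t in self.pending.items()
                      if now - t >= self.delay)


def as_null_routes(prefixes):
    """Render active entries as Cisco IOS-style static discard routes (illustrative only)."""
    out = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        out.append("ip route %s %s Null0" % (net.network_address, net.netmask))
    return out


def build_demo_gate():
    """Run a constructed feed through a gate with a 600 s delay; returns the gate."""
    gate = FeedGate(protected=[ipaddress.ip_network("192.0.2.0/24")],
                    delay=600, max_entries=1000)
    constructed_feed = [
        ("203.0.113.7/32", 0),      # legitimate host route
        ("198.51.100.0/24", 0),     # too broad: would take a whole /24 down
        ("10.0.0.1/32", 0),         # private space, almost certainly a typo
        ("192.0.2.10/32", 0),       # inside a prefix this operator protects
        ("203.0.113.300/32", 0),    # malformed: a mistyped IP
        ("203.0.113.9/32", 200),    # arrives, then is withdrawn before the timer fires
    ]
    for prefix, t in constructed_feed:
        gate.receive(prefix, t)
    gate.withdraw("203.0.113.9/32")
    return gate


if __name__ == "__main__":
    g = build_demo_gate()
    print("rejected:", g.rejected)
    print("active at t=100:", g.active(100))
    print("active at t=700:", as_null_routes(g.active(700)))
```

In a real deployment the feed arrives over a BGP session and the null route is normally expressed as a route-map that sets the next hop to an address statically routed to a discard interface, not as per-prefix static routes; the static-route rendering here only makes the output concrete. The point of the example is that the delay, the length policy, the bogon and protected-prefix checks and the cap all sit at the consumer, so a compromised or mistyped feed entry cannot immediately remove address space the operator cares about, while the feed itself can still publish without waiting.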
On Mon, 28 Jun 2004, Dan Hollis wrote:
When a provider hosts a phishing site for _weeks on end_ and does _nothing_ despite being notified repeatedly, sometimes a blacklist is the only cluebat strong enough to get through the provider's thick skull.
there are other reasons aside from 'lameness' that the ISP might keep the site up:

1) law enforcement request, to prolong/preserve investigation
2) legal request by phishee (mother site being phished) to prolong/preserve investigation

Just a thought as sometimes child porn sites stay up longer than desirable due to these same reasons.
When a provider hosts a phishing site for _weeks on end_ and does _nothing_ despite being notified repeatedly, sometimes a blacklist is the only cluebat strong enough to get through the provider's thick skull.
If they are notified that they are an accessory to a crime and do not take any action, then doesn't this make the provider liable to criminal charges? Did you really inform the provider's legal department of this fact or did you just send an email to some dumb droids in the abuse department?

Quite frankly, I don't consider messages to the complaints/abuse department to be "notice". How long does it take to find a head office fax number and draft up a legalistic looking "notice" document addressed to their legal department?

Some people in this industry seem to want to manage it as a secret club for insiders and solve all problems of the industry in one cliquish venue. I just don't think that is an appropriate way to operate on the scale of today's Internet.

--Michael Dillon
On Tue, 29 Jun 2004 Michael.Dillon@radianz.com wrote:
If they are notified that they are an accessory to a crime and do not take any action, then doesn't this make the provider liable to criminal charges?
You would think it would. But who bothers to prosecute? No one.
Did you really inform the provider's legal department of this fact or did you just send an email to some dumb droids in the abuse department?
Yes and I was told they would not do anything unless they received a subpoena or law enforcement forced them to shut it down, and that if I wanted action I should talk to the police instead.
Quite frankly, I don't consider messages to the complaints/abuse department to be "notice". How long does it take to find a head office fax number and draft up a legalistic looking "notice" document addressed to their legal department?
Not long, but it's a waste of time because they won't do anything anyway. The only way to get their attention is with blacklists.

-Dan
participants (10): Christopher L. Morrow, Dan Hollis, Edward B. Dreger, Henry Linneweh, Iljitsch van Beijnum, Michael.Dillon@radianz.com, Patrick W Gilmore, Paul Vixie, Scott Call, Stephen J. Wilcox