RE: BGP list of phishing sites?

2004-06-29 Thread matthew.ford

 my sister called me last night to tell me that she was unable to receive
 mail from southwest airlines, and that her e-ticket was in limbo for some
 flight somewhere.  i checked and sure enough southwest airlines has sent
 me three or messages per day that i don't want, for most days out of the
 last six months.  since neither southwest nor their ISP was willing to
 take any responsibility for this unwanted e-mail, i blackholed them, and
 i guess that means they'll have to fax that e-ticket.  or something.  it's
 not my problem.

meanwhile your sister has the hassle of getting southwest to send that
fax, or changing her travel plans. i'm sure glad you're not running my
isp.

--mat


Re: BGP list of phishing sites?

2004-06-29 Thread Michael . Dillon

 None of this would be an issue, if abuse desks were:
 
 1. Responsive
 2. Responsible
 3. Empowered
 4. Accountable
 
 Today, they are none of the above. 

A lot of people on this list are opposed to increasing
government regulation of the Internet industry.

But how would you feel about a law which required
all network operators to have an abuse department
which is responsive, responsible, empowered and
accountable? Now that is an area where the FCC 
and CRTC and Ofcom and the ACA could
probably do some good for the industry.

--Michael Dillon



Re: BGP list of phishing sites?

2004-06-29 Thread Michael . Dillon

 When a provider hosts a phishing site for _weeks on end_ and does
 _nothing_ despite being notified repeatedly, sometimes a blacklist is the
 only cluebat strong enough to get through the provider's thick skull.

If they are notified that they are an 
accessory to a crime and do not take any
action, then doesn't this make the provider
liable to criminal charges? Did you really
inform the provider's legal department of
this fact or did you just send an email
to some dumb droids in the abuse department?

Quite frankly, I don't consider messages to
the complaints/abuse department to be notice.
How long does it take to find a head office
fax number and draft up a legalistic looking
notice document addressed to their legal 
department?

Some people in this industry seem to want to
manage it as a secret club for insiders and
solve all problems of the industry in one
cliquish venue. I just don't think that is
an appropriate way to operate on the scale
of today's Internet.

--Michael Dillon



Re: BGP list of phishing sites?

2004-06-29 Thread Paul Vixie

 meanwhile your sister has the hassle of getting southwest to send that
 fax, or changing her travel plans. i'm sure glad you're not running my
 isp.

if i were running your isp, paying customers would get to choose.


Re: BGP list of phishing sites?

2004-06-29 Thread David Barak

--- Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

 Einstein taught us that even the simple act of observation influences
 our surroundings. Wouldn't it make sense to try to leverage this
 influence such that the future is shaped more to our liking, however
 small the change may be?

nitpick: it wasn't Einstein, but rather Heisenberg who
developed the uncertainty principle.  The uncertainty
principle only speaks of electrons (or other small
wavicles) and describes how it's not possible to know
both the position and momentum.  If you're not
interested in knowing both of those at the same time,
the uncertainty principle does not apply.  The
principle has been analogized to describe larger
systems and items, and is a useful but not always
completely accurate metaphor.  It is entirely possible
to observe some things without affecting them.  

-David Barak
-Fully RFC 1925 Compliant





Re: BGP list of phishing sites?

2004-06-29 Thread Paul Vixie

 So you think it's futile to try to get software vendors to improve their
 products. I suppose I can go along with that to a certain degree. But how
 can you expect end-users to work around the brokenness in the software they
 use? This seems both unfair and futile.

at my aforementioned sister's house, i did it by buying an off-the-shelf
$99 firewall and a $79 copy of suse-9 and spending an afternoon showing her
how to use them.  i guess the general form of the answer is tell people to
get some tech support rather than believing what their vendors say.  i'm
not an expert on d-link firewalls, or on linux, but i know enough to know
that running MSIE and Outlook and not having a firewall was her problem.

 Einstein taught us that even the simple act of observation influences our
 surroundings. Wouldn't it make sense to try to leverage this influence such
 that the future is shaped more to our liking, however small the change may
 be?

as sad as this is, the best way to accomplish that is by heaping public
scorn and ridicule on sean's and chris's employers every time they whine
about how folks are widely blackholing their customers.  you won't
convince sbc or mci, but you might convince a lurker or two.

  But the real issue is that this is even necessary. The biggest problem
  we have with IP is that it doesn't provide for a way for a receiver to
  avoid having to receiving unwanted packets. It would be extremely
  useful if we could fix that.
 
  you realize that the virtual circuit X.25/TP4 people are laughing their
  asses off as they read those words, don't you?
 
 It's easy to laugh if you don't have a world wide network to run.

i once had the honour of taking over a network dave rand had built, which
became an unprofitable dot-bomb on my watch.  ouch!  but it wasn't because
we refused to take money from spammers, or because we disconnected folks
pre-emptively when they violated their AUP.  so, that's not what i meant.

if you want to put enough intelligence into the network so that a receiver
can avoid having to receive unwanted packets then you'll need to decide
how to throttle flow solicitations or else those flow solicitations will
become the new form of spam and ddos.  this will require state, not just in
your hosts and upstream router and provider, but globally, end to end.  and
if you do that you'll have bitten into the rotten apple of circuit switching
and x.25 and atm that the IP folks have been saying all these years wouldn't
scale and wasn't necessary.  and so, the people on the other side (the losing
side, in my opinion) of that argument will laugh their asses off, whether
they have a world wide network to run, or not.


Re: BGP list of phishing sites?

2004-06-29 Thread Dan Hollis

On Tue, 29 Jun 2004 [EMAIL PROTECTED] wrote:
 If they are notified that they are an 
 accessory to a crime and do not take any
 action, then doesn't this make the provider
 liable to criminal charges?

You would think it would. But who bothers to prosecute? No one.

 Did you really inform the provider's legal department of
 this fact or did you just send an email to some dumb droids in the 
 abuse department?

Yes and I was told they would not do anything unless they received a 
subpoena or law enforcement forced them to shut it down, and that if I 
wanted action I should talk to the police instead.

 Quite frankly, I don't consider messages to
 the complaints/abuse department to be notice.
 How long does it take to find a head office
 fax number and draft up a legalistic looking
 notice document addressed to their legal 
 department?

Not long, but it's a waste of time because they won't do anything anyway.

The only way to get their attention is with blacklists.

-Dan



Re: BGP list of phishing sites?

2004-06-29 Thread Iljitsch van Beijnum
On 29-jun-04, at 22:53, David Barak wrote:

  Einstein taught us that even the simple act of observation influences
  our surroundings. Wouldn't it make sense to try to leverage this
  influence such that the future is shaped more to our liking, however
  small the change may be?

 nitpick: it wasn't Einstein, but rather Heisenberg who
 developed the uncertainty principle.

Einstein's take on this was to ridicule it somewhat: "When a person such
as a mouse observes the universe, does that change the state of the
universe?"

 The principle has been analogized to describe larger
 systems and items, and is a useful but not always
 completely accurate metaphor.  It is entirely possible
 to observe some things without affecting them.

Is it? If I want to look at you, I must bounce photons off of you.
Similar stuff needs to happen for other types of observation. This may
not have a very large effect on you, but there is _some_ effect.



Re: BGP list of phishing sites?

2004-06-29 Thread David Barak

--- Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

  The principle has been analogized to describe larger
  systems and items, and is a useful but not always
  completely accurate metaphor.  It is entirely possible
  to observe some things without affecting them.
 
 Is it? If I want to look at you, I must bounce photons off of you.
 Similar stuff needs to happen for other types of observation. This may
 not have a very large effect on you, but there is _some_ effect.

for some value of _some_, right?  ;)

I agree that there is an effect, but not necessarily
due to the observation itself: consider a webcam. 
Whether I am observing you in the camera is not
dependent on my interacting with you per se: the
photons were already on their way from you to the
lens.  You could argue that those photons cause a
change, but I would respond that the photons would
have caused that change regardless of whether they are
measured.  

Perhaps some beer and philosophy at the October
meeting?




=
David Barak
-fully RFC 1925 compliant-





Re: BGP list of phishing sites?

2004-06-28 Thread Paul Vixie

warning.  this is about humans rather than about IOS configs.  hit D now.

  Also, an easy fix like this may lower the pressure on the parties
  who are really responsible for allowing this to happen: the makers
  of insecure software / insecure operational procedures (banks!) and
  gullible users.
 
  actually, a bgp feed of this kind tends to supply the missing
  causal vector whereby someone who does something sloppy or bad ends
  up suffering for it.
 
 ??? I don't understand?

the root cause of network abuse is humans and human behaviour, not
hardware or software or corporations or corporate behaviour.  if most
people weren't sheep-like, they would pay some attention to the results
of their actions and inactions.  actions like buying something from a
spammer or clicking the unsubscribe me button in spam mail, or running
microsoft outlook.  inactions like not installing patches that microsoft
has supplied free of charge over the years.  inactions like leaving
their cable/DSL pee cee up 24x7 and never wondering why the activity
light on their modem flickers constantly.

but the vast majority of humanity is and has always been sheep-like.
while i could talk about certain election victories and other meatspace
examples, that would be even more off-topic than we already are, so
let's just put it like this: if you want people to notice the results of
their actions and inactions, then they have to be brought into the
equation.  don't let worms be symbiotic, make them host-killing
parasites, and that will make the host bodies sit up and take notice.
this trick works every time.

  ... the internet is very survivable and the necessary traffic always
  finds a way to get through.  fixing layer 7 problems by denying
  layer 3 service has indeed proven to be the only way to get remote
  CEO's to care (or notice).
 
 Still, anti-spam blacklists are pretty much universally applied inside
 SMTP implementations these days. So if 3828747.dhcp.bigcable.com is
 blacklisted because it sources spam, people subscribing to the
 blacklist will no longer receive spam from that host, but the host is
 still capable of interacting with the net in general and the blacklist
 users in particular over a host of other protocols.

i'm trying to figure out why you think it's in your best interest to
limit the impact of your defensive activities, or to limit the impact of
sheep-like behaviour on the sheep-like humans who own these infected
hosts.  in psycho-babble the term that would best apply to your proposal is
"enabler".  why do you want to enable this kind of sheep-like behaviour?
what's in it for you?  if you think it'll leave more pee cee's online
and able to access your shopping cart system that's one thing.  but if
you think you're somehow helping the owners of these pee cees you're
wrong.  and you are in fact hurting yourself, and the rest of us, every
time you choose to be an enabler rather than letting these people stew
in their own sheep-like juices.

if it's easier for you to BGP-blackhole these bad sources and the only
reason you don't is because you think it would be unfair, then you're
part of the problem and you're helping to make the problem worse.

 ...
 My position is that end-user networks should decide for themselves if
 this is something they want, but it would be wrong for transit
 networks to make these decisions for all their customers, especially
 as they seem to be growing more and more impervious to incoming email
 or phone support requests that require knowledge of the proper order
 of the letters I and P.

thanks for explaining your position, and very clearly i might add.
we're not so different -- i think "decide for themselves" is the right
meme.  but where we differ is on the questions of ownership and
responsibility.  every network has to take responsibility for the
traffic it spews, and cannot just say "take it up with my customer"
since they're getting paid to make the spew possible.  and every network
has to be able to say "this shall not pass!" concerning traffic that
does not match their AUP, and the only recourse their customers can
have is to sign up with a different network.

naturally, sean's and chris's employers don't see it that way at all,
and prefer to take no responsibility and exercise no control, except
where revenue is concerned.


Re: BGP list of phishing sites?

2004-06-28 Thread Stephen J. Wilcox

On Sun, 27 Jun 2004, Scott Call wrote:

 One of the things the article mentioned is that ISP/NSPs are shutting off 
 access to the web site in russia where the malware is being downloaded 
 from.
 
 Now we've done this in the past when a known target of a DDOS was upcoming 
 or a known website hosted part of a malware package, and it is fairly 
 effective in stopping the problems.
 
 So what I was curious about is would there be interest in a BGP feed (like 
 the DNSBLs used to be) to null route known malicious sites like that?
 
 Obviously, both operational guidelines, and trust of the operator would 
 have to be established, but I was thinking it might be useful for a few 
 purposes:
 
 1 IP addresses of well known sources of malicious code (like in the 
 example above)
 2 DDOS mitigation (ISP/NSP can request a null route of a prefix which 
 will save the Internet at large as well as the NSP from the traffic 
 flood
 3 etc
 
 Since the purpose of this list would be to identify and mitigate large 
 scale threats, things like spammers, etc would be outside of its charter.
 
 If anyone thinks this is a good (or bad) idea, please let me know. 
 Obviously it's not fully cooked yet, but I wanted to throw it out there.

Personally - bad.

So what do you want to include in this list.. phishing? But why not add bot C&C, 
bot clients, spam sources, child porn, warez sites. Or if you live in a censored 
region add foreign political sites, any porn, or other messages deemed bad.

Who maintains the feed, who checks the sites before adding them, who checks them 
before removing them. 

What if the URL is a subdir of a major website such as aol.com or ebay.com or
angelfire.com ... what if the URL is a subdir of a minor site, such as yours or 
mine? 

What if there is some other dispute over a null'ed IP, suppose they win, can 
they be compensated?

Does this mean the banks and folks don't have to continue to remove these threats
now if the ISP does it? Does it mean the bank can sue you if you fail to do it? 

What if you leak the feed at your borders, I may not want to take this from you
and now I'm accidentally null routing it to you. Should you leak this to
downstream ASNs? Should you insist your Tier1 provides it and leaks it to you?.. 
just you or all customers?

What if someone mistypes an IP and accidentally nulls something real bad(TM)? 
What if someone compromises the feeder and injects prefixes maliciously?

What about when the phishers adapt and start changing DNS to point to different
IPs quickly, will the system react quicker? Does that mean you apply less checks 
in order to get the null route out quicker? Is it just /32s or does it need to 
be larger prefixes in the future? Are there other ways conceivable to beat such 
a system if it became widespread (compare to spammer tactics)?

What if this list gets to be large? Do we want huge amounts of /32s in our 
internal routing tables?

What if the feeder becomes a focus of attacks by those wishing to carry out 
phishing or other illegal activities? This has certainly become a hazard with 
spam RBLs.


Any other thoughts?

Steve



Re: BGP list of phishing sites?

2004-06-28 Thread Patrick W Gilmore
On Jun 28, 2004, at 1:56 PM, Stephen J. Wilcox wrote:

 Personally - bad.

Another personal response (edited from my response to the LINX paper):
Fighting phishing web sites is a necessary and important task.  Of 
course, part of why it is necessary is because end users are ignorant, 
untrained, and/or gullible.  But the fact remains that phishing is a 
burden on society and the Internet.

Unfortunately, I worry that this cure is worse than the disease.  
Filtering IP addresses is not the right way to attack these sites - 
they move too quickly and there is too much danger of collateral damage.

Perhaps even more dangerous is the need for verification.  For the list 
to be at all effective, it has to move very, very quickly, as the 
phishing sites move very quickly.  Creating an environment where the list 
is updated quickly increases the chance of mistakes or even malicious 
filtering.

In short, I cannot see a BGP list actually cutting down on phishing 
without massive collateral damage.  Reducing the collateral damage will 
likely make the list ineffective against phishing sites.  The 
combination makes this a no-win situation.

All, IMHO, of course. :)
--
TTFN,
patrick


Re: BGP list of phishing sites?

2004-06-28 Thread Petri Helenius
Simon Lockhart wrote:

 It's wholly unfair to the innocent parties affected by the blacklisting.
 i.e. the collateral damage.

You'll get burned anyway in a bad neighborhood because of the bandwidth 
consumed by the crap.

 Say a phishing site is hosted by geocities. Should geocities IP addresses
 be added to the blacklist?
 What if it made it onto an akamaized service? Should all of akamai be 
 blacklisted?

As with any list, whitelisting space that takes care of complaints is 
always an option.

 LINX produced a paper recently on why BGP poisoning is exactly the wrong 
 answer to removing access to undesirable web content (i.e. phishing sites).
 I've asked if it can be made public.

Looking forward to it.
Pete


Re: BGP list of phishing sites?

2004-06-28 Thread Dave Rand

[In the message entitled "Re: BGP list of phishing sites?" on Jun 28, 18:43, Simon 
Lockhart writes:]
 
 On Mon Jun 28, 2004 at 04:47:21PM +, Paul Vixie wrote:
  if it's easier for you to BGP-blackhole these bad sources and the only
  reason you don't is because you think it would be unfair, then you're
  part of the problem and you're helping to make the problem worse.
 
 It's wholly unfair to the innocent parties affected by the blacklisting.
 i.e. the collateral damage.
 
 Say a phishing site is hosted by geocities. Should geocities IP addresses
 be added to the blacklist?
 

None of this would be an issue, if abuse desks were:

1. Responsive
2. Responsible
3. Empowered
4. Accountable

Today, they are none of the above.  If any of you out there think that isn't
the case with your network, please let me know.  I'll be happy to provide you
with the spam from your network over the last 24 hours (or 24 days, or 24
months, or whatever other period you like).

Blackholing is simply a way to draw immediate, and unmistakable attention to a
problem, instead of sweeping it under the carpet.

The problem is going to get worse before it gets better, much as it pains me
to say that.

Let's look at ways that it can be made better.  A BGP feed, or other real time
distribution method, can be used to let your abuse desk know that there is a
problem, and to address it faster.  It can be abused for this purpose as well,
so it's important for *whatever* method is used to be run by responsible,
accountable people.

Think about it.  Please.




Re: BGP list of phishing sites?

2004-06-28 Thread Dan Hollis

On Mon, 28 Jun 2004, Patrick W Gilmore wrote:
 Unfortunately, I worry that this cure is worse than the disease.  
 Filtering IP addresses is not the right way to attack these sites - 
 they move too quickly and there is too much danger of collateral damage.

I think part of the point of this blacklist is similar to other 
blacklists. It makes providers remove their head from their ass and
actually start cleaning up their networks.

When a provider hosts a phishing site for _weeks on end_ and does 
_nothing_ despite being notified repeatedly, sometimes a blacklist is the 
only cluebat strong enough to get through the provider's thick skull.

-Dan



Re: BGP list of phishing sites?

2004-06-28 Thread Patrick W Gilmore
On Jun 28, 2004, at 2:43 PM, Dan Hollis wrote:

 On Mon, 28 Jun 2004, Patrick W Gilmore wrote:

  Unfortunately, I worry that this cure is worse than the disease.
  Filtering IP addresses is not the right way to attack these sites -
  they move too quickly and there is too much danger of collateral
  damage.

 I think part of the point of this blacklist is similar to other
 blacklists. It makes providers remove their head from their ass and
 actually start cleaning up their networks.

 When a provider hosts a phishing site for _weeks on end_ and does
 _nothing_ despite being notified repeatedly, sometimes a blacklist is
 the only cluebat strong enough to get through the provider's thick skull.

If the blacklist is only for sites which are weeks, or even a couple 
days old, that probably would remove most of the objections.  (I 
_think_ - I have not considered all the ramifications, but it sounds 
like a plausible compromise.)

Unfortunately, that type of blacklist wouldn't stop 99% of the phishing 
scams in operation.

--
TTFN,
patrick


Re: BGP list of phishing sites?

2004-06-28 Thread Christopher L. Morrow


On Mon, 28 Jun 2004, Dan Hollis wrote:


 When a provider hosts a phishing site for _weeks on end_ and does
 _nothing_ despite being notified repeatedly, sometimes a blacklist is the
 only cluebat strong enough to get through the provider's thick skull.

there are other reasons aside from 'lameness' that the ISP might keep the
site up:
1) law enforcement request, to prolong/preserve investigation
2) legal request by phishee (mother site being phished) to
prolong/preserve investigation

Just a thought as sometimes childporn sites stay up longer than desirable
due to these same reasons.


Re: BGP list of phishing sites?

2004-06-28 Thread Alex Bligh

--On 28 June 2004 18:43 +0100 Simon Lockhart [EMAIL PROTECTED] 
wrote:

 It's wholly unfair to the innocent parties affected by the blacklisting.
 i.e. the collateral damage.
 Say a phishing site is hosted by geocities. Should geocities IP addresses
 be added to the blacklist?
 What if it made it onto an akamaized service? Should all of akamai be
 blacklisted?

This is an issue wider than spam, phishing, etc.

That would depend on whether your block by IP address (forget whether
this is BGP black hole lists, DNSRBL for SMTP etc.) is of
a) IP address that happen to have $nasty at one end of them; or
b) IP address for whom no abuse desk even gives a response (even
   "we know, go away") when informed of $nasty.

It also depends on whether your response is "drop all packets" (a la
BGP blackhole) or "apply greater sanctions".

Seems to me (b) is, in general, a lot more reasonable than (a) particularly
where there is very likely >1 administrative zone per IP address (for
example HTTP/1.1). It also better satisfies Paul's criterion of being more
likely to engender better behaviour (read: responsibility of network
operators for downstream traffic) if behaviour of the reporter is
proportionate & targeted.

WRT "apply greater sanctions", it is possible of course, though perhaps
neither desirable nor scalable, to filter at layer3 all sites on given IPs
to minimize collateral damage. See
http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/
This is effectively what tools like spamassassin do when taking RBL type
feeds as a scoring input to filtering, in a mail context.

Alex


Re: BGP list of phishing sites?

2004-06-28 Thread Paul Vixie

  It's wholly unfair to the innocent parties affected by the blacklisting.
  i.e. the collateral damage.

maybe so.  but it'll happen anyway, because victims often have no recourse
that won't inflict collateral damage.  the aggregate microscopic damage of
this kind is becoming measurable and statistically interesting.

  Say a phishing site is hosted by geocities. Should geocities IP
  addresses be added to the blacklist?
 
  What if it made it onto an akamaized service? Should all of akamai
  be blacklisted?

you're using terms like "unfair" and "innocent" and "should" in ways
that lead me to wonder if we're having two different conversations here.
the internet has no government, no constitution, no laws, no rights, no
police, no courts.  don't talk about fairness or innocence, and don't
talk about what should be done.  instead, talk about what is being done
and what will be done by the amorphous unreachable undefinable blob
called the internet user base.

if the cost:benefit is right for an endsystem to blackhole akamai or
geocities then they will do it, no matter how unfair anybody else thinks
it is, or how innocent other people think akamai/geocities might be, and
no matter how much you or anybody may think that something different
should be done.  welcome to the dog-eat-dog phase.  spammers and
phishers don't care about what's fair or who's innocent.  sean's and
chris's employers certainly don't want to be lectured to about what
others think should be done.  the end result is that victims are
caring less and less about false positives or collateral damage --
nobody wants to be the last one to stop caring, since the other name for
that person is "rube" (or sometimes "dupe".)

while i've been keen to criticize sean's and chris's employers here, i
do it for entertainment value (my own, and the lurkers who occasionally
tell me i owe them a new keyboard because i was unexpectedly funny) and
not because i think sean or chris or their employers are wondering what
i think they should do.

 ...
 a) IP address that happen to have $nasty at one end of them; or
 b) IP address for whom no abuse desk even gives a response (even
"we know, go away") when informed of $nasty.
 ...
 Seems to me (b) is, in general, a lot more reasonable than (a)
 particularly where there is very likely >1 administrative zone per IP
 address (for example HTTP/1.1). It also better satisfies Paul's
 criterion of being more likely to engender better behaviour (read:
 responsibility of network operators for downstream traffic) if
 behaviour of the reporter is proportionate & targeted.

my sister called me last night to tell me that she was unable to receive
mail from southwest airlines, and that her e-ticket was in limbo for some
flight somewhere.  i checked and sure enough southwest airlines has sent
me three or messages per day that i don't want, for most days out of the
last six months.  since neither southwest nor their ISP was willing to
take any responsibility for this unwanted e-mail, i blackholed them, and
i guess that means they'll have to fax that e-ticket.  or something.  it's
not my problem.  as a victim, i can't let it be my problem.  if someone
wants their traffic to be accepted then they'll have to maintain a good
reputation, which will in the future be automated in various ways including
webs of trust/guaranty, forfeitable deposits, micropayments, and living
in better neighborhoods.  in that way e-space will catch up to meat-space.

 WRT apply greater sanctions, it is possible of course, though perhaps
 neither desirable nor scalable, to filter at layer3 all sites on given IPs
 to minimize collateral damage. See
  http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/

collateral damage is irrelevant now.  minimizing it makes the problem worse,
maximizing it just costs you in lawyer payments, it's every endsystem for
itself now.  john gilmore warned me that i was hastening this day when i
started the first RBL.  i didn't consider it avoidable, then or now.  we
were both right.


RE: BGP list of phishing sites?

2004-06-28 Thread Smith, Donald

Some are making this too hard.
Of the lists I know of they only blackhole KNOWN active attacking or
victim sites (bot controllers, known malware download locations etc) not
porn/kiddie porn/pr/choose-who-you-hate-sites ... clients (infected
pc's) are usually not included but could make it on the list given enough
attacks.
It does mean giving up some control of your network which may not be
acceptable to some ISP's.
It's not much different than listening to an automated bogon feed.


[EMAIL PROTECTED] GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and
Computing System (UNICS) as a pun on MULTICS.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Stephen J. Wilcox
 Sent: Monday, June 28, 2004 11:56 AM
 To: Scott Call
 Cc: [EMAIL PROTECTED]
 Subject: Re: BGP list of phishing sites?
 
 
 
 On Sun, 27 Jun 2004, Scott Call wrote:
 
  On the the things the article mentioned is that ISP/NSPs 
 are shutting 
  off
  access to the web site in russia where the malware is being 
 downloaded 
  from.
  
  Now we've done this in the past when a known target of a DDOS was 
  upcoming
  or a known website hosted part of a malware package, and it 
 is fairly 
  effective in stopping the problems.
  
  So what I was curious about is would there be interest in a 
 BGP feed 
  (like
  the DNSBLs used to be) to null route known malicious sites 
 like that?
  
  Obviously, both operational guidelines, and trust of the operator 
  would
  have to be established, but I was thinking it might be 
 useful for a few 
  purposes:
  
  1 IP addresses of well known sources of malicious code (like in the
  example above)
  2 DDOS mitigation (ISP/NSP can request a null route of a 
 prefix which
  will save the Internet at large as well as the NSP from 
 the traffic
  flood
  3 etc
  
  Since the purpose of this list would be to identify and 
 mitigate large
  scale threats, things like spammers, etc would be outside 
 of it's charter.
  
  If anyone things this is a good (or bad) idea, please let me know.
  Obviously it's not fully cooked yet, but I wanted to throw 
 it out there.
 
 Personally - bad.
 
 So what do you want to include in this list.. phishing? But 
 why not add bot CC, 
 bot clients, spam sources, child porn, warez sites. Or if you 
 live in a censored 
 region add foreign political sites, any porn, or other 
 messages deemed bad.
 
 Who maintains the feed, who checks the sites before adding 
 them, who checks them 
 before removing them. 
 
 What if the URL is a subdir of a major website such as 
 aol.com or ebay.com or angelfire.com ... what if the URL is a 
 subdir of a minor site, such as yours or 
 mine? 
 
 What if there is some other dispute over a null'ed IP, 
 suppose they win, can 
 they be compensated?
 
 Does this mean the banks and folks dont have to continue to 
 remove these threats now if the ISP does it? Does it mean the 
 bank can sue you if you fail to do it? 
 
 What if you leak the feed at your borders, I may not want to 
 take this from you and now I'm accidentally null routing it 
 to you. Should you leak this to downstream ASNs? Should you 
 insist your Tier1 provides it and leaks it to you?.. 
 just you or all customers?
 
 What if someone mistypes an IP and accidentally nulls 
 something real bad(TM)? 
 What if someone compromises the feeder and injects prefixes 
 maliciously?
 
 What about when the phishers adapt and start changing DNS to 
 point to different IPs quickly, will the system react 
 quicker? Does that mean you apply fewer checks 
 in order to get the null route out quicker? Is it just /32s 
 or does it need to 
 be larger prefixes in the future? Are there other ways 
 conceivable to beat such 
 a system if it became widespread (compare to spammer tactics)
 
 What if this list gets to be large? Do we want huge amounts 
 of /32s in our 
 internal routing tables?
 
 What if the feeder becomes a focus of attacks by those 
 wishing to carry out 
 phishing or other illegal activities? This has certainly 
 become a hazard with 
 spam RBLs.
 
 
 Any other thoughts?
 
 Steve
 
 
 


Re: BGP list of phishing sites?

2004-06-28 Thread Edward B. Dreger

PWG Date: Mon, 28 Jun 2004 15:04:59 -0400
PWG From: Patrick W Gilmore

PWG If the blacklist is only for sites which are weeks, or even
PWG a couple days old, that probably would remove most of the
PWG objections.  (I _think_ - I have not considered all the
PWG ramifications, but it sounds like a plausible compromise.)

Put entries in without delay.  Let operators configure BGP-
munching boxen with a delay timer.


PWG Unfortunately, that type of blacklist wouldn't stop 99% of
PWG the phishing scams in operation.

The sites do seem to move around. :(

Anyone care for another round of discussion re PKI, DNSSEC, and
authenticated SMTP? ;)


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
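Several of Steve's objections to the feed (a mistyped prefix nulling something real, a compromised feeder injecting prefixes, the feed leaking at your borders, the table filling up with /32s) and Eddy's suggestion of a delay timer on the BGP-munching box are all things the consuming side can enforce locally before anything reaches the RIB. The following is an added example written for this page, not code from any of the posters or from any real feed: a small Python filter that decides which feed entries become null routes. It assumes a feed of (prefix, first-seen time) pairs, a locally configured list of protected prefixes (your own and your customers' space), a discard next-hop that is statically pointed at Null0 on the routers, and it tags every accepted route with the well-known NO_EXPORT community so the route cannot be re-advertised to eBGP peers. The sample feed and the protected prefix are constructed from the RFC 5737 documentation ranges. Authenticating the feed session itself (TCP MD5 and the like) is outside the example.

```python
"""Local sanity filter for a hypothetical BGP blackhole feed (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# RFC 1997 well-known community NO_EXPORT (65535:65281): routes carrying it are
# not advertised to eBGP peers, so an accepted null route cannot leak at the border.
NO_EXPORT = "65535:65281"
# Assumed: this address has a static route to Null0 on every router taking the feed.
DISCARD_NEXT_HOP = "192.0.2.1"


@dataclass(frozen=True)
class FeedEntry:
    prefix: str      # as received from the feed, e.g. "203.0.113.5/32"
    first_seen: int  # unix time at which the feed operator listed it


@dataclass(frozen=True)
class NullRoute:
    prefix: str
    next_hop: str
    communities: Tuple[str, ...]


class BlackholeFeedFilter:
    """Decides which feed entries may be installed as null routes."""

    def __init__(self, protected: Sequence[str], delay_seconds: int = 3600,
                 max_routes: int = 1000, host_prefixlen: int = 32) -> None:
        # Prefixes that must never be blackholed, whatever the feed says.
        self.protected = [ipaddress.ip_network(p) for p in protected]
        self.delay_seconds = delay_seconds    # the delay timer: entries must age first
        self.max_routes = max_routes          # behaves like BGP maximum-prefix
        self.host_prefixlen = host_prefixlen  # host routes only, never covering prefixes

    def reject_reason(self, entry: FeedEntry, now: int) -> Optional[str]:
        """Return why an entry is refused, or None if it may be installed."""
        try:
            net = ipaddress.ip_network(entry.prefix, strict=True)
        except ValueError:
            return "unparseable prefix"
        if net.version != 4 or net.prefixlen != self.host_prefixlen:
            # A mistyped or hostile /8 is refused outright.
            return f"only /{self.host_prefixlen} host routes are accepted"
        if net.is_multicast or net.is_loopback or net.is_unspecified:
            return "not a unicast address"
        for p in self.protected:
            if net.version == p.version and net.network_address in p:
                return f"inside protected prefix {p}"
        if now - entry.first_seen < self.delay_seconds:
            # Held back until the entry has aged, giving time for a bad listing to be pulled.
            return "younger than delay timer"
        return None

    def select(self, feed: Sequence[FeedEntry], now: int) -> Tuple[List[NullRoute], Dict[str, str]]:
        """Split a feed snapshot into installable routes and a prefix -> reason map."""
        accepted: List[NullRoute] = []
        rejected: Dict[str, str] = {}
        for entry in feed:
            why = self.reject_reason(entry, now)
            if why is None:
                accepted.append(NullRoute(entry.prefix, DISCARD_NEXT_HOP, (NO_EXPORT,)))
            else:
                rejected[entry.prefix] = why
        if len(accepted) > self.max_routes:
            # Like a maximum-prefix violation: install nothing rather than flood the RIB.
            for r in accepted:
                rejected[r.prefix] = "feed exceeded max_routes; whole batch withheld"
            accepted = []
        return accepted, rejected


# Constructed sample feed; addresses are from the RFC 5737 documentation ranges.
SAMPLE_FEED = [
    FeedEntry("203.0.113.5/32", first_seen=1000),   # old enough and clean: install
    FeedEntry("203.0.113.6/32", first_seen=9000),   # listed 100 s ago: held by the timer
    FeedEntry("198.51.100.0/24", first_seen=1000),  # covering prefix (typo or hostile): refuse
    FeedEntry("192.0.2.77/32", first_seen=1000),    # inside our own space: refuse
    FeedEntry("224.0.0.9/32", first_seen=1000),     # multicast: refuse
    FeedEntry("not-a-prefix", first_seen=1000),     # garbage: refuse
]
SAMPLE_NOW = 9100


def run_sample() -> Tuple[List[NullRoute], Dict[str, str]]:
    """Apply the filter to the constructed feed with 192.0.2.0/24 as protected space."""
    filt = BlackholeFeedFilter(protected=["192.0.2.0/24"], delay_seconds=3600)
    return filt.select(SAMPLE_FEED, SAMPLE_NOW)


if __name__ == "__main__":
    routes, refused = run_sample()
    for r in routes:
        print(f"install {r.prefix} next-hop {r.next_hop} community {' '.join(r.communities)}")
    for prefix, why in refused.items():
        print(f"refuse  {prefix}: {why}")
```

Only one of the six sample entries survives: the recently listed host is held by the timer, the /24 is refused for its length no matter who submitted it, and the entry inside the protected block is refused even though it is a well-formed /32. The max_routes cap is deliberately all-or-nothing, mirroring what a maximum-prefix violation does to a session: a feed that suddenly grows past its expected size is treated as a fault, not as more work to install.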



RE: BGP list of phishing sites?

2004-06-28 Thread Stephen J. Wilcox

Hi Donald,
 the bogon feed is not supposed to be causing any form of disruption, the 
purpose of a phishing bgp feed is to disrupt the IP address.. that's a major 
difference and has a lot of implications.

Steve

On Mon, 28 Jun 2004, Smith, Donald wrote:

 Some are making this too hard.
 Of the lists I know of they only blackhole KNOWN active attacking or
 victim sites (bot controllers, known malware download locations etc) not
 porn/kiddie porn/pr/choose-who-you-hate-sites ... clients (infected
 pc's)
 are usually not included but could make it on the list given enough
 attacks.
 It does mean giving up some control of your network which may not be
 acceptable to some ISP's.
 It's not much different than listening to an automated bogon feed.
 
 
 [EMAIL PROTECTED] GCIA
 pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
 Brian Kernighan jokingly named it the Uniplexed Information and
 Computing System (UNICS) as a pun on MULTICS.
 



RE: BGP list of phishing sites?

2004-06-28 Thread Smith, Donald

I agree phishing bgp feed would disrupt the ip address 
to all ISP's that listened to the bgp server involved.
I was addressing a specific issue with listening to such 
a server and that is the loss of control issue. Sorry if that wasn't
clear.

So would ISP's block a phishing site if it was proven 
to be a phishing site and reported by their customers?


[EMAIL PROTECTED] GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and
Computing System (UNICS) as a pun on MULTICS.

 -Original Message-
 From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 28, 2004 2:58 PM
 To: Smith, Donald
 Cc: Scott Call; [EMAIL PROTECTED]
 Subject: RE: BGP list of phishing sites?
 
 
 Hi Donald,
  the bogon feed is not supposed to be causing any form of 
 disruption, the 
 purpose of a phishing bgp feed is to disrupt the IP address.. 
 that's a major 
 difference and has a lot of implications.
 
 Steve
 
 On Mon, 28 Jun 2004, Smith, Donald wrote:
 
  Some are making this too hard.
  Of the lists I know of they only blackhole KNOWN active 
 attacking or 
  victim sites (bot controllers, known malware download locations etc) 
  not porn/kiddie porn/pr/choose-who-you-hate-sites ... clients 
  (infected
  pc's)
  are usually not included but could make it on the list given enough
  attacks.
  It does mean giving up some control of your network which may not be
  acceptable to some ISP's.
  It's not much different than listening to an automated bogon feed.
  
  

Re: BGP list of phishing sites?

2004-06-28 Thread Simon Lockhart

On Mon Jun 28, 2004 at 03:12:12PM -0600, Smith, Donald wrote:
 So would ISP's block an phishing site if it was proven 
 to be a phishing site and reported by their customers?

Would you block access to a kiddie porn site? Do you block access to warez
sites? Both are illegal. I'm not convinced that phishing is illegal in its own
right (except possibly as passing off).

Phishing sites only work because Banks won't invest in strong authentication,
and users are stupid. Why should it become the ISPs problem to fix those
inadequacies?

Some banks in Europe use one-time-password token things (such as SecurID). Are
those banks being caught out by phishing?

Simon
-- 
Simon Lockhart |   Tel: +44 (0)1628 407720 (x(01)37720) | Si fractum 
Technology Manager |   Fax: +44 (0)1628 407701 (x(01)37701) | non sit, noli 
BBC Internet Ops   | Email: [EMAIL PROTECTED]| id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Re: BGP list of phishing sites?

2004-06-28 Thread Iljitsch van Beijnum
On 28-jun-04, at 18:47, Paul Vixie wrote:

> the root cause of network abuse is humans and human behaviour, not
> hardware or software or corporations or corporate behaviour.  if most
> people weren't sheep-like, they would pay some attention to the results
> of their actions and inactions.

It's easy to blame the user, and usually they deserve it, even if 
they're innocent this time they're guilty of something else. But if 
software is created in such a way that regular users manage to screw up 
consistently, maybe the software can be improved rather than the user 
chastised?

> actions like buying something from a
> spammer or clicking the unsubscribe me button in spam mail,

The problem is that a few in a thousand that do this ruin things for 
the rest. In anything involving humans it's useless to expect the right 
thing to happen 100% of the time.

> or running microsoft outlook.

Can't argue with you there.

> inactions like leaving their cable/DSL pee cee up 24x7 and never 
> wondering why the activity light on their modem flickers constantly.

:-)  My cable modem activity light starts blinking as soon as there is 
a link and never stops. A /20 can generate a significant amount of ARP 
traffic during the best of times...

> if you want people to notice the results of their actions and 
> inactions, then they have to be brought into the equation.

Ah, you are a BOFH follower. Unfortunately, rudeness rarely results in 
enlightenment.

>> Still, anti-spam blacklists are pretty much universally applied inside
>> SMTP implementations these days. So if 3828747.dhcp.bigcable.com is
>> blacklisted because it sources spam, people subscribing to the
>> blacklist will no longer receive spam from that host, but the host is
>> still capable of interacting with the net in general and the blacklist
>> users in particular over a host of other protocols.
>
> i'm trying to figure out why you think it's in your best interest to
> limit the impact of your defensive activities, or to limit the impact of
> sheep-like behaviour on the sheep-like humans who own these infected
> hosts.

That's not what I'm worried about. If people do the wrong thing, by all 
means let them suffer the consequences so they may think twice about 
doing it again. What worries me is the potential for hurting innocent 
bystanders, or even active subversion of these mechanisms. I mean, what 
better way to DoS someone than have them put on a blacklist?

> i think decide for themselves is the right meme.

Good!

> but where we differ is on the questions of ownership and
> responsibility.  every network has to take responsibility for the
> traffic it spews, and cannot just say take it up with my customer
> since they're getting paid to make the spew possible.  and every network
> has to be able to say this shall not pass!  concerning traffic that
> does not match their AUP, and the only recourse their customers can
> have is to sign up with a different network.

I think the one true way is to be found somewhere between the extremes 
of controlling every little thing a customer does and not doing 
anything. But the real issue is that this is even necessary. The 
biggest problem we have with IP is that it doesn't provide for a way 
for a receiver to avoid having to receive unwanted packets. It would 
be extremely useful if we could fix that.



Re: BGP list of phishing sites?

2004-06-28 Thread Patrick W Gilmore
On Jun 28, 2004, at 6:24 PM, Iljitsch van Beijnum wrote:

> On 28-jun-04, at 18:47, Paul Vixie wrote:
>
>> the root cause of network abuse is humans and human behaviour, not
>> hardware or software or corporations or corporate behaviour.  if most
>> people weren't sheep-like, they would pay some attention to the 
>> results of their actions and inactions.
>
> It's easy to blame the user, and usually they deserve it, even if 
> they're innocent this time they're guilty of something else. But if 
> software is created in such a way that regular users manage to screw 
> up consistently, maybe the software can be improved rather than the 
> user chastised?

Software definitely needs to improve.
However, if you mailed out an attachment with the subject this is a 
virus, do not click on it, encrypted it and put the password in the 
body, the virus would still spread like wildfire.

Never underestimate the power of human stupidity.
Which is why blacklists that depend on the ISP to continually train 
lusers or risk disconnectivity for non-stupid users  may not be the 
right approach.  People who run such ISPs CANNOT train all lusers all 
the time.  And the alternative is to not have end-user ISPs (i.e. not 
an option).

Or maybe that is the way to go.  I really don't know at this point.
But I do know if I were still running an ISP, I would instantly filter 
any user / host / netblock proven to be infected / C&C / phishing site 
/ etc.  And I would not subscribe to any blacklist which had entries 
for non bad IPs.

As I Am Not An ISP, I can only vote with my dollars.
Your network, your decision.  My dollars, my decision.  And I buy a lot 
of bandwidth :)

--
TTFN,
patrick


Re: BGP list of phishing sites?

2004-06-28 Thread Paul Vixie

  the root cause of network abuse is humans and human behaviour, not
  hardware or software or corporations or corporate behaviour.  if most
  people weren't sheep-like, they would pay some attention to the results
  of their actions and inactions.
 
 It's easy to blame the user, and usually they deserve it, even if they're
 innocent this time they're guilty of something else. But if software is
 created in such a way that regular users manage to screw up consistently,
 maybe the software can be improved rather than the user chastised?

we're just not communicating here.  prescriptive statements (can be
improved?) are inappropriate unless somebody's asking for your advice.
in this case i think it's safe to say that software vendors don't care
what we think about this topic and they have their own plans.  same
thing for sean's and chris's employers.

see padlipsky for the best description to date on prescriptive vs.
descriptive in the networking field.  what matters isn't what folks
ought to do, but what they will do and are doing, or won't do, etc.

 ... If people do the wrong thing, by all means let them suffer the
 consequences so they may think twice about doing it again. What
 worries me is the potential for hurting innocent bystanders, or even
 active subversion of these mechanisms. I mean, what better way to DoS
 someone than have them put on a blacklist?

in the medium and long term, no arbitrary blacklist will have global or
lasting effect.  you don't need to take this effect into consideration,
it's a marginal corner case at best, and a distraction.

 I think the one true way is to be found somewhere between the extremes
 of controlling every little thing a customer does and not doing anything.

ah.  you're pining for what are now thought of as the good old days, eh?
when reasonable people wanted to do reasonable things and needed help from
vendors and suppliers, and unreasonable people hadn't discovered the net
yet and were still making money the old fashioned way (bilking little old
ladies out of their life savings, etc).  i have bad news and worse news.
the bad news is, there's no going back.  the worse news is, as carole king
so aptly sang, THESE ARE the good old days.

 But the real issue is that this is even necessary. The biggest problem
 we have with IP is that it doesn't provide for a way for a receiver to
 avoid having to receiving unwanted packets. It would be extremely
 useful if we could fix that.

you realize that the virtual circuit X.25/TP4 people are laughing their
asses off as they read those words, don't you?


Re: BGP list of phishing sites?

2004-06-27 Thread Christopher L. Morrow



On Sun, 27 Jun 2004, Scott Call wrote:


 Happy Sunday nanogers...

 I was doing some follow up reading on the js.scob.trojan, the latest
 hole big enough to drive a truck through exploit for Internet Explorer.

 One of the things the article mentioned is that ISP/NSPs are shutting off
 access to the web site in russia where the malware is being downloaded
 from.

 Now we've done this in the past when a known target of a DDOS was upcoming
 or a known website hosted part of a malware package, and it is fairly
 effective in stopping the problems.

 So what I was curious about is would there be interest in a BGP feed (like
 the DNSBLs used to be) to null route known malicious sites like that?


don't reinvent the wheel: www.cymru.com has a project already under way
for this, with many operators participating at this time.


Re: BGP list of phishing sites?

2004-06-27 Thread Iljitsch van Beijnum
On 27-jun-04, at 20:17, Scott Call wrote:
One of the things the article mentioned is that ISP/NSPs are shutting 
off access to the web site in russia where the malware is being 
downloaded from.

Now we've done this in the past when a known target of a DDOS was 
upcoming or a known website hosted part of a malware package, and it 
is fairly effective in stopping the problems.

So what I was curious about is would there be interest in a BGP feed 
(like the DNSBLs used to be) to null route known malicious sites like 
that?
I'm sure there is; but I'm slightly worried that transit networks may 
be tempted to subscribe to such a feed and in essence start censoring 
their customers' access to the net.

Also, an easy fix like this may lower the pressure on the parties who 
are really responsible for allowing this to happen: the makers of 
insecure software / insecure operational procedures (banks!) and 
gullible users.

Fixing layer 7+ problems at layer 3 just doesn't work and leads to 
significant collateral damage in the long run.



Re: BGP list of phishing sites? Website behind Net attack offline

2004-06-27 Thread Henry Linneweh

http://www.news.com.au/common/story_page/0,4057,9975753%255E1702,00.html

-Henry

--- Scott Call [EMAIL PROTECTED] wrote:
 
 Happy Sunday nanogers...
 
 I was doing some follow up reading on the
 js.scob.trojan, the latest 
 hole big enough to drive a truck through exploit
 for Internet Explorer.
 
  One of the things the article mentioned is that
 ISP/NSPs are shutting off 
 access to the web site in russia where the malware
 is being downloaded 
 from.
 
 Now we've done this in the past when a known target
 of a DDOS was upcoming 
 or a known website hosted part of a malware package,
 and it is fairly 
 effective in stopping the problems.
 
 So what I was curious about is would there be
 interest in a BGP feed (like 
 the DNSBLs used to be) to null route known malicious
 sites like that?
 
 Obviously, both operational guidelines, and trust of
 the operator would 
 have to be established, but I was thinking it might
 be useful for a few 
 purposes:
 
 1 IP addresses of well known sources of malicious
 code (like in the 
 example above)
 2 DDOS mitigation (ISP/NSP can request a null route
 of a prefix which 
 will save the Internet at large as well as the NSP
 from the traffic 
 flood
 3 etc
 
 Since the purpose of this list would be to identify
 and mitigate large 
 scale threats, things like spammers, etc would be
  outside of its charter.
 
  If anyone thinks this is a good (or bad) idea,
 please let me know. 
 Obviously it's not fully cooked yet, but I wanted to
 throw it out there.
 
 Thanks
 -Scott
 



Re: BGP list of phishing sites?

2004-06-27 Thread Paul Vixie

  So what I was curious about is would there be interest in a BGP feed 
  (like the DNSBLs used to be) to null route known malicious sites like 
  that?

i dunno much about this new-fangled DNSBL thing you speak of, but the
original MAPS RBL is still alive and well and available by BGP.  the fine
folks now running MAPS include Dave Rand (my co-founder) and if you visit
their web site (www.mail-abuse.org) you can probably figure out how to
sign up for it.  there's a fee involved, but there are lawyers involved,
and those two things seem to come in pairs.

 I'm sure there is; but I'm slightly worried that transit networks may 
 be tempted to subscribe to such a feed and in essence start censoring 
  their customers' access to the net.

we (speaking for the original MAPS which i still had a hand in operating)
faced that from most bgp-subscribing customers.  there are easy workarounds.

 Also, an easy fix like this may lower the pressure on the parties who
 are really responsible for allowing this to happen: the makers of
 insecure software / insecure operational procedures (banks!) and gullible
 users.

actually, a bgp feed of this kind tends to supply the missing causal vector
whereby someone who does something sloppy or bad ends up suffering for it.

 Fixing layer 7+ problems at layer 3 just doesn't work and leads to 
 significant collateral damage in the long run.

that's what everybody always said about MAPS but it didn't happen.  the
internet is very survivable and the necessary traffic always finds a way
to get through.  fixing layer 7 problems by denying layer 3 service has
indeed proven to be the only way to get remote CEOs to care (or notice).
-- 
Paul Vixie