BGP list of phishing sites?

warning. this is about humans rather than about IOS configs. hit D now.

>> Also, an "easy fix" like this may lower the pressure on the parties
>> who are really responsible for allowing this to happen: the makers
>> of insecure software / insecure operational procedures (banks!) and
>> gullible users.

> actually, a bgp feed of this kind tends to supply the "missing
> causal vector" whereby someone who does something sloppy or bad ends
> up suffering for it.

> ??? I don't understand?

the root cause of network abuse is humans and human behaviour, not
hardware or software or corporations or corporate behaviour. if most
people weren't sheep-like, they would pay some attention to the results
of their actions and inactions. actions like buying something from a
spammer or clicking the "unsubscribe me" button in spam mail, or running
microsoft outlook. inactions like not installing patches that microsoft
has supplied free of charge over the years. inactions like leaving
their cable/DSL pee cee up 24x7 and never wondering why the activity
light on their modem flickers constantly.

but the vast majority of humanity is and has always been sheep-like.
while i could talk about certain election victories and other meatspace
examples, that would be even more off-topic than we already are, so
let's just put it like this: if you want people to notice the results of
their actions and inactions, then they have to be brought into the
equation. don't let worms be symbiotic, make them host-killing
parasites, and that will make the host bodies sit up and take notice.
this trick works every time.

> ... the internet is very survivable and the necessary traffic always
> finds a way to get through. fixing layer >7 problems by denying
> layer 3 service has indeed proven to be the only way to get remote
> CEO's to care (or notice).

> Still, anti-spam blacklists are pretty much universally applied inside
> SMTP implementations these days. So if 3828747.dhcp.bigcable.com is
> blacklisted because it sources spam, people subscribing to the
> blacklist will no longer receive spam from that host, but the host is
> still capable of interacting with the net in general and the blacklist
> users in particular over a host of other protocols.

i'm trying to figure out why you think it's in your best interest to
limit the impact of your defensive activities, or to limit the impact of
sheep-like behaviour on the sheep-like humans who own these infected
hosts. in psycho-babble the term that would best apply to your proposal is
"enabler". why do you want to enable this kind of sheep-like behaviour?
what's in it for you? if you think it'll leave more pee cee's online
and able to access your shopping cart system that's one thing. but if
you think you're somehow helping the owners of these pee cees you're
wrong. and you are in fact hurting yourself, and the rest of us, every
time you choose to be an "enabler" rather than letting these people stew
in their own sheep-like juices.

if it's easier for you to BGP-blackhole these bad sources and the only
reason you don't is because you think it would be unfair, then you're
part of the problem and you're helping to make the problem worse.

...
> My position is that end-user networks should decide for themselves if
> this is something they want, but it would be wrong for transit
> networks to make these decisions for all their customers, especially
> as they seem to be growing more and more impervious to incoming email
> or phone support requests that require knowledge of the proper order
> of the letters "I" and "P".

thanks for explaining your position, and very clearly i might add.
we're not so different -- i think "decide for themselves" is the right
meme. but where we differ is on the questions of ownership and
responsibility. every network has to take responsibility for the
traffic it spews, and cannot just say "take it up with my customer"
since they're getting paid to make the spew possible. and every network
has to be able to say "this shall not pass!" concerning traffic that
does not match their "AUP", and the only recourse their customers can
have is to sign up with a different network.

naturally, sean's and chris's employers don't see it that way at all,
and prefer to take no responsibility and exercise no control, except
where revenue is concerned.

It's wholly unfair to the innocent parties affected by the blacklisting.
i.e. the collateral damage.

Say a phishing site is "hosted" by geocities. Should geocities IP addresses
be added to the blacklist?

What if it made it onto an akamaized service? Should all of akamai be
blacklisted?

LINX produced a paper recently on why BGP poisoning is exactly the wrong
answer to removing access to undesirable web content (i.e. phishing sites).
I've asked if it can be made public.

Simon

Simon Lockhart wrote:

> It's wholly unfair to the innocent parties affected by the blacklisting.
>
> i.e. the collateral damage.

You'll get burned anyway in a bad neighborhood because of the bandwidth consumed by the crap.

> Say a phishing site is "hosted" by geocities. Should geocities IP addresses
> be added to the blacklist?
>
> What if it made it onto an akamaized service? Should all of akamai be blacklisted?

As with any list, whitelisting space that takes care of complaints is always an option.

> LINX produced a paper recently on why BGP poisoning is exactly the wrong answer to removing access to undesirable web content (i.e. phishing sites).
> I've asked if it can be made public.

Looking forward to it.

Pete

This is an issue wider than spam, phishing, etc.

That would depend on whether your block by IP address (forget whether
this is BGP black hole lists, DNSRBL for SMTP etc.) is of
a) IP address that happen to have $nasty at one end of them; or
b) IP address for whom no abuse desk even gives a response (even
   "we know, go away") when informed of $nasty.

It also depends on whether your response is "drop all packets" (a la
BGP blackhole) or "apply greater sanctions".

Seems to me (b) is, in general, a lot more reasonable than (a) particularly
where there is very likely >1 administrative zone per IP address (for
example HTTP/1.1). It also better satisfies Paul's criterion of being more
likely to engender better behaviour (read: responsibility of network
operators for downstream traffic) if behaviour of the reporter is
proportionate & targeted.

WRT "apply greater sanctions", it is possible of course, though perhaps
neither desirable nor scalable, to filter at layer>3 all sites on given IPs
to minimize collateral damage. See
http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/

This is effectively what tools like spamassassin do when taking RBL type
feeds as a scoring input to filtering, in a mail context.

Alex
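Alex's distinction between (a) and (b) listings, and between dropping all packets and applying a lesser sanction, together with Pete's whitelisting of shared space that handles complaints, as an added example that is not from any poster on this thread: a score-based policy placed next to the all-or-nothing blackhole. The feed contents, addresses, weights and thresholds are constructed assumptions.

```python
import ipaddress

# Constructed sample feeds (not real lists). They mirror Alex's two kinds of
# listing: (a) addresses that merely have $nasty at one end of them, and
# (b) addresses whose abuse desk never responds when informed of $nasty.
LISTED_SOURCES_NASTY = {"192.0.2.10", "198.51.100.7", "198.51.100.20"}
LISTED_ABUSE_DESK_IGNORES = {"198.51.100.7"}

# Constructed whitelist: shared, multi-tenant space whose operator does act
# on complaints (the geocities / akamai case), so one bad tenant is discounted.
SHARED_AND_RESPONSIVE = [ipaddress.ip_network("192.0.2.0/28")]

WEIGHTS = {"sources_nasty": 2.5, "abuse_desk_ignores": 3.5}  # assumed weights
DROP_THRESHOLD = 5.0      # "drop all packets" only with evidence of (a) and (b)
GREYLIST_THRESHOLD = 2.0  # lesser, layer>3 sanction for (a) alone


def blackhole_decision(ip: str) -> bool:
    """All-or-nothing model: any listing at all drops every packet."""
    return ip in LISTED_SOURCES_NASTY or ip in LISTED_ABUSE_DESK_IGNORES


def scored_decision(ip: str) -> tuple[str, float]:
    """Score-based model: weight the listings, discount responsive shared
    space, and pick the least severe sanction the score justifies."""
    addr = ipaddress.ip_address(ip)
    score = 0.0
    if ip in LISTED_SOURCES_NASTY:
        score += WEIGHTS["sources_nasty"]
    if ip in LISTED_ABUSE_DESK_IGNORES:
        score += WEIGHTS["abuse_desk_ignores"]
    if any(addr in net for net in SHARED_AND_RESPONSIVE):
        score *= 0.5  # many innocent tenants share this address
    if score >= DROP_THRESHOLD:
        return "drop", score
    if score >= GREYLIST_THRESHOLD:
        return "greylist", score
    return "accept", score


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "198.51.100.7", "203.0.113.5"):
        print(ip, "blackhole:", blackhole_decision(ip),
              "scored:", scored_decision(ip))
```

The same (a)-only listing yields "greylist" on a single-tenant address but "accept" on whitelisted shared space, while the blackhole model drops both; only an address listed under both (a) and (b) reaches "drop".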

> the root cause of network abuse is humans and human behaviour, not
> hardware or software or corporations or corporate behaviour. if most
> people weren't sheep-like, they would pay some attention to the results
> of their actions and inactions.

It's easy to blame the user, and usually they deserve it, even if they're innocent this time they're guilty of something else. But if software is created in such a way that regular users manage to screw up consistently, maybe the software can be improved rather than the user chastised?

> actions like buying something from a
> spammer or clicking the "unsubscribe me" button in spam mail,

The problem is that a few in a thousand that do this ruin things for the rest. In anything involving humans it's useless to expect the right thing to happen 100% of the time.

> or running microsoft outlook.

Can't argue with you there.

> inactions like leaving their cable/DSL pee cee up 24x7 and never wondering why the activity light on their modem flickers constantly.

:) My cable modem activity light starts blinking as soon as there is a link and never stops. A /20 can generate a significant amount of ARP traffic during the best of times...

> if you want people to notice the results of their actions and inactions, then they have to be brought into the equation.

Ah, you are a BOFH follower. Unfortunately, rudeness rarely results in enlightenment.

>> Still, anti-spam blacklists are pretty much universally applied inside
>> SMTP implementations these days. So if 3828747.dhcp.bigcable.com is
>> blacklisted because it sources spam, people subscribing to the
>> blacklist will no longer receive spam from that host, but the host is
>> still capable of interacting with the net in general and the blacklist
>> users in particular over a host of other protocols.

> i'm trying to figure out why you think it's in your best interest to
> limit the impact of your defensive activities, or to limit the impact of
> sheep-like behaviour on the sheep-like humans who own these infected
> hosts.

That's not what I'm worried about. If people do the wrong thing, by all means let them suffer the consequences so they may think twice about doing it again. What worries me is the potential for hurting innocent bystanders, or even active subversion of these mechanisms. I mean, what better way to DoS someone than have them put on a blacklist?

> i think "decide for themselves" is the right meme.

Good!

> but where we differ is on the questions of ownership and
> responsibility. every network has to take responsibility for the
> traffic it spews, and cannot just say "take it up with my customer"
> since they're getting paid to make the spew possible. and every network
> has to be able to say "this shall not pass!" concerning traffic that
> does not match their "AUP", and the only recourse their customers can
> have is to sign up with a different network.

I think the one true way is to be found somewhere between the extremes of controlling every little thing a customer does and not doing anything. But the real issue is that this is even necessary. The biggest problem we have with IP is that it doesn't provide a way for a receiver to avoid having to receive unwanted packets. It would be extremely useful if we could fix that.

Software definitely needs to improve.

However, if you mailed out an attachment with the subject "this is a virus, do not click on it", encrypted it and put the password in the body, the virus would still spread like wildfire.

Never underestimate the power of human stupidity.

Which is why blacklists that depend on the ISP to continually train "lusers" or risk disconnectivity for non-stupid users may not be the right approach. People who run such ISPs CANNOT train all lusers all the time. And the alternative is to not have end-user ISPs (i.e. not an option).

Or maybe that is the way to go. I really don't know at this point.

But I do know if I were still running an ISP, I would instantly filter any user / host / netblock proven to be infected / C&C / phishing site / etc. And I would not subscribe to any blacklist which had entries for non "bad" IPs.

As I Am Not An ISP, I can only vote with my dollars.

Your network, your decision. My dollars, my decision. And I buy a lot of bandwidth.... :)