dealing with bogon spam?

First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.

We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.

How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does arin have this information somewhere other than just probing any given ip via whois?

Thanks!
Leslie
Craigslist Spam Hater

I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)

Leslie

Leslie wrote:

You *might* be able to get a copy of the whois database as an optimisation so you don't have to hit their servers all the time - does that help?
I wouldn't rely on that though, but I don't see any other good options.
Perhaps you can only accept stuff from networks that you first saw an announcement for greater than 7 days ago, to prevent people popping up with a network for a day, spamming, and then disappearing? Likely to get lots of false positives in that though, and as soon as someone figures out your technique it's not going to work.

Religious war alert: does SIDR solve this? I guess only if you only accept signed advertisements.. I don't know if that is the intended default mode or not.. Need to do some reading I guess.

Leslie wrote:

First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.

Bogon is probably the correct term for any IP space that doesn't belong on the public Internet because it is reserved, unallocated, etc.

We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.

Not too permanently, though. That space is likely to become allocated, and the new legitimate user thereof shouldn't have to beg thousands of networks to unblock it.

How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does arin have this information somewhere other than just probing any given ip via whois?

I'm not specifically aware of a more granular listing. It would have to be dynamic as new allocations occur all the time. The RIRs (ARIN, RIPE, APNIC, etc.) are the authoritative source for the space allocated to them, but I don't know if they have a real-time bogon list available.

In addition to the published list, Team Cymru has a BGP feed and other resources, but I don't know how granular it is with respect to unallocated space. See here:

What /20 would this be, and can you blame an out of date whois client
or whois db for it?

If the /20 is being routed, and announced - chances are it IS allocated.

Suresh Ramasubramanian wrote:

If the /20 is being routed, and announced - chances are it IS allocated.

Don't bet on it. This is one of the oldest spammer tricks in the book. I worked
with ISPs as far back as the late 90s trying to track down poachers who
temporarily squat on an unallocated block and announce it to the world.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler@aset.com
e: Jon.R.Kibler@gmail.com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Having been postmastering at various places for about a decade, I have
seen that too - yes. But cymru style filtering means it's kind of out
of fashion now.

Though - a lot of the cases I've seen have been

1. Out of date whois client and the IP's been allocated after the
whois client came out (with a hardcoded list of unallocated IPs)
2. Whois db is out of date - comparatively rarer but known to occur

Especially if you see a mainstream carrier routing it instead of some
small outfit in Eastern Europe .. chances are it's a stale db somewhere
rather than a totally unallocated block and phantom routing

What /20 would that be? If you're sure it's unallocated, and see nothing but spam from it, block it at your border.

Sure, if the prefix is within something that cymru call a bogon.

If it's within a current RIR pool, not so much.

I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.

The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.

http://www.spamhaus.org/drop/

With kind regards,

Michiel Klaver
IT Professional

Fear not, this will end when we run out of IPv4 space not too many months
down the road :)

I admit to remaining confused as to why we still keep seeing providers who fail
to do basic due-diligence like BCP38 filtering of packets, or asking a new BGP
peer what they expect to announce and then filter based on that. I mean, come
on guys - sure they may be 6 cents a meg cheaper, but do you really want to buy
connectivity from a provider that can't run their network in a proper fashion?

Don't answer that. ;)

I can answer the above question regarding BCP38:

Vendor software defects and architecture limitations make it challenging to deploy a solution whereby BCP38 can be universally deployed.

Customers that are unwilling to announce all their space also make uRPF problematic. I'd like to see 'loose-rpf' universally deployed myself. There is no reason for unrouted space to have packets sourced from it. This makes up a fair percentage of traffic that root/gtld nameservers see (based on conversations i've had with operators over the years).

If you configure CPE devices and don't utilize anti-spoofing capabilities on the CPE-Lan, please add that to your templates. It is helpful to the internet as a whole, while you may not personally see return on your investment, others will.

  - Jared

You can at least get a list of all the allocated blocks. Presumably anything not allocated is unallocated and is a candidate for blocking.

for rir in afrinic apnic arin lacnic ripencc; do wget ftp://ftp.ripe.net/pub/stats/$rir/delegated-$rir-latest; done

These are updated daily and include both IPv4 and IPv6 allocations.

Now, what I would really like is an arin version of ripe.db.inetnum.gz :)
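As an added example (not code from this thread), here is a Python parser for the delegated-<rir>-latest format those files use, so you can answer "is this /20 inside anything an RIR has allocated?" offline instead of probing whois per address. Records are pipe-separated (registry|cc|type|start|value|date|status); for IPv4 the value is an address count, which is converted to CIDR blocks. The sample records are constructed, and treating only the statuses "allocated" and "assigned" as allocated is an assumption (the extended format also carries "available" and "reserved"). Remember the file is a daily snapshot: an address that shows as unallocated today may be allocated tomorrow, which is the point made earlier about not blocking "too permanently".

```python
"""Classify IPv4 prefixes against RIR delegated-stats files.

Added example, not from the NANOG thread. Parses the
delegated-<rir>-latest format and answers whether a prefix lies
inside allocated space. All sample data below is constructed.
"""
import ipaddress

# Constructed sample in delegated-stats format; none of these are real records.
SAMPLE_STATS = """\
# delegated-example-latest (constructed sample)
2|example|20090101|4|19830101|20090101|+0000
example|*|ipv4|*|3|summary
example|US|ipv4|192.0.2.0|256|20090101|assigned
example|US|ipv4|198.51.0.0|65536|20090101|allocated
example|US|ipv4|203.0.112.0|4096|20090101|allocated
example|US|ipv4|203.0.0.0|1024|20090101|available
example|US|ipv6|2001:db8::|32|20090101|allocated
"""

# Assumption: only these statuses count as "in legitimate use".
ALLOCATED_STATUSES = {"allocated", "assigned"}


def parse_delegated(text):
    """Return [(registry, status, IPv4Network)] for every IPv4 record.

    Comment lines, the version header and the per-type summary lines
    are skipped. A record's start address plus its address count is
    converted into one or more aligned CIDR blocks.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Version line has a date in field 2; summary lines have only 6 fields.
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        registry, status = fields[0], fields[6]
        first = ipaddress.IPv4Address(fields[3])
        last = first + int(fields[4]) - 1
        for net in ipaddress.summarize_address_range(first, last):
            records.append((registry, status, net))
    return records


def allocated_networks(text):
    """Collapse the allocated/assigned records into a minimal network list."""
    nets = [net for _, status, net in parse_delegated(text)
            if status in ALLOCATED_STATUSES]
    return list(ipaddress.collapse_addresses(nets))


def classify(prefix, allocated):
    """Return 'allocated', 'partial' or 'unallocated' for a prefix.

    'partial' means the prefix straddles an allocation boundary, which
    is worth a closer look before blocking the whole thing.
    """
    target = ipaddress.ip_network(prefix, strict=False)
    if any(target.subnet_of(net) for net in allocated):
        return "allocated"
    if any(target.overlaps(net) for net in allocated):
        return "partial"
    return "unallocated"


if __name__ == "__main__":
    allocated = allocated_networks(SAMPLE_STATS)
    for p in ("198.51.100.0/24", "203.0.0.0/22", "203.0.96.0/19", "10.0.0.0/8"):
        print(f"{p:16} {classify(p, allocated)}")
```

To run it against the real files, concatenate the five delegated-*-latest downloads from the wget loop above and feed the text to allocated_networks(); the classification step is the same.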

Michiel Klaver wrote:

I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.

The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.

As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.

Thanks
   Justin

Justin Shore wrote:

Michiel Klaver wrote:

I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.

The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.

As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.

Downloading and parsing is easy. I used to drop it into the config for a small dns server, rbldnsd I believe, that understands CIDR and used it as a local blacklist. It did very little to stop spam and I was never brave enough to script an automatic update to BGP.

You are using it the wrong way .. most of the drop list is directly
spammer controlled space used as, for example, C&C for botnets.
You'd see tons of abuse and little or no smtp traffic from a lot of
those hosts.

Justin Shore wrote:

Michiel Klaver wrote:

I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.

The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.

As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.

Thanks
  Justin

SpamHaus already provides a link to a nice script for Cisco gear at their FAQ page: The Spamhaus Project - Frequently Asked Questions (FAQ)

And this shell command should give you a Juniper style prefix-list to include at your filter terms:

wget -q -O - http://www.spamhaus.org/drop/drop.lasso | sed -e "s/;.*//" -e '/^[0-9]/ !d' -e "s/^/set policy-options prefix-list drop-lasso /"

Hope it's helpful!

With kind regards,

Michiel Klaver
IT Professional
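Added example, not Michiel's code and not anything Spamhaus ships: the same drop.lasso parsing done in Python, rendering both the Juniper prefix-list that the sed one-liner produces and IOS static null routes for an RTBH trigger router, which is the "pull, parse, generate config" piece Justin asked about. It also adds the check a cautious operator wants before scripting this: any entry that overlaps a prefix you announce yourself is skipped, and malformed lines are dropped rather than pushed to a router. The sample list, the MY_PREFIXES value and the route tag 666 are all assumptions.

```python
"""Parse a Spamhaus DROP-format list and render router configuration.

Added example, not from the thread or from Spamhaus. Input is the
drop.lasso line format discussed in the thread:
    <prefix> ; <SBL reference>
Comment lines start with ';'. The sample data is constructed and does
not correspond to any real DROP entry.
"""
import ipaddress

# Constructed sample; these are documentation prefixes, not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 01 Jan 2009 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/24 ; SBL000003
not-a-prefix ; SBL000004
"""

# Prefixes you announce yourself (constructed placeholder). Anything that
# overlaps these must never end up in a null-route or drop filter.
MY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_drop(text):
    """Return [(network, sbl_ref)] for well-formed entries.

    Comment-only lines are skipped; a line whose prefix part does not
    parse as a CIDR block is ignored so garbage never reaches a router.
    """
    entries = []
    for raw in text.splitlines():
        prefix_part, _, comment = raw.partition(";")
        prefix_part = prefix_part.strip()
        if not prefix_part:
            continue
        try:
            net = ipaddress.ip_network(prefix_part, strict=True)
        except ValueError:
            continue
        entries.append((net, comment.strip()))
    return entries


def safe_entries(entries, own=MY_PREFIXES):
    """Drop any entry overlapping our own address space."""
    return [(net, ref) for net, ref in entries
            if not any(net.overlaps(o) for o in own)]


def juniper_prefix_list(entries, name="drop-lasso"):
    """Junos 'set' commands, same output as the sed pipeline in the thread."""
    return [f"set policy-options prefix-list {name} {net}" for net, _ in entries]


def cisco_null_routes(entries, tag=666):
    """IOS static routes to Null0 for an RTBH trigger router.

    Each route is preceded by a '!' comment line carrying the SBL
    reference so the reason for the route survives in the config.
    The tag value is an assumed local RTBH convention.
    """
    lines = []
    for net, ref in entries:
        lines.append(f"! {ref}")
        lines.append(f"ip route {net.network_address} {net.netmask} Null0 tag {tag}")
    return lines


if __name__ == "__main__":
    entries = safe_entries(parse_drop(SAMPLE_DROP))
    print("\n".join(juniper_prefix_list(entries)))
    print("\n".join(cisco_null_routes(entries)))
```

In production the text passed to parse_drop() would come from fetching the list (the wget in Michiel's one-liner), and the rendered lines would be diffed against the previous run so that entries removed from the DROP list are also withdrawn from the router rather than accumulating.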