Phishing and BGP Blackholing

Happy New Year all,

I'm curious if anyone can answer whether there has been any traction
made relative to blocking egress traffic (via BGP) on US backbones which
is destined to IP addresses used for fraudulent purposes, such as
phishing sites.

I'm sure there are several challenges to implementing this...

Regards,
Dylan Joy
Network Security Analyst, BECU

NOTICE: This communication and any attachments may contain privileged or otherwise confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received without printing, copying, retransmitting, disseminating, or otherwise using the information. Thank you.

The biggest challenge I can see is scrubbing phishing reports that
aren't.. themselves.. maliciously crafted phishing attacks against a
registry of such addresses. Likewise, since BGP isn't application aware,
when you blackhole an address that's both website and mail server, how do
you inform the end user about their problem, or get a notice from them
that it's been fixed?

This kind of solution has a huge trust factor hole in it.

Distributing a BGP based blackhole list is trivial. The intelligence that
goes into it is the hard part. There are companies that provide managed
services like this (bgp blackhole route servers for known problem sites,
like drone C&C's). (disclaimer: I do development for one.)

- billn

you have sent a message to me which seems to contain a legal
warning on who can read it, or how it may be distributed, or
whether it may be archived, etc.

i do not accept such email. my mail user agent detected a legal
notice when i was opening your mail, and automatically deleted it.
so do not expect further response.

yes, i know your mail environment automatically added the legal
notice. well, my mail environment automatically detected it,
deleted it, and sent this message to you. so don't expect a lot
of sympathy.

and if you choose to work for some enterprise clueless enough to
think that they can force this silliness on the world, use gmail,
hotmail, ...

randy

Hi. You have sent a message to the entire list that seems to be some sort
of automatically generated product of the Smugotron-2000, intended to
annoy a single person but is actually annoying everyone. Your mail user
agent detected something you didn't like, and instead of simply deleting
it, went out of its way to be annoying.

I do not accept such mail. Yes, I know your mail environment automatically
responded to it, but seriously, why inflict your curmudgeonly attitude on
everyone else? Thankfully, I'm not quite as pedantic as all that, so I
took the time to hand craft this missive, just for you! When I'm done,
I'll think about coding myself an auto-responder that sends you something
else, just like it, whenever you post.

Because that's cool, right?

</troll>

- billn

> I'm curious if anyone can answer whether there has been any traction
> made relative to blocking egress traffic (via BGP) on US backbones which
> is destined to IP addresses used for fraudulent purposes, such as
> phishing sites.
>
> I'm sure there are several challenges to implementing this...

Well, there's the whole "collateral damage" issue - often, these things pop up
on hosting sites, where trying to null-route www.phishers-r-us.com will
also break access to several thousand other domains hosted on the same
set of hardware (notice that same exact issue of collateral damage ended
up derailing a Pennsylvania law regarding the blocking of sites hosting
child pornography).

Then there's the whole trust issue - though the Team Cymru guys do an awesome
job doing the bogon feed, it's rare that you have to suddenly list a new
bogon at 2AM on a weekend. And there's guys that *are* doing a good job
at tracking down and getting these sites mitigated, they prefer to get the
sites taken down at the source. I'm not sure they would *want* to be trying
to do a BGP feed.

> NOTICE: This communication and any attachments may contain privileged or
> otherwise confidential information.

After you post to NANOG, it's not confidential, no matter what your legal eagles
pretend.

There has been some issue recently on a similar French mailing list (FRnOG):
a CTO of a major ISP said something vague about a technology in an
example and in a few hours that created hearsay among popular news
websites. Quickly the rumor became a certainty and once the information
was refuted, it was difficult for those websites to ruin their news
which was often tagged "scoop", attributing words to this admin that he
never even said.

"Think before you post" is more effective than a legal disclaimer.

> The biggest challenge I can see is scrubbing phishing reports that
> aren't.. themselves.. maliciously crafted phishing attacks against a
> registry of such addresses.

Can you rephrase that? I want to understand but I'm failing.

> Likewise, since BGP isn't application aware,
> when you blackhole an address that's both website and mail server, how do
> you inform the end user about their problem, or get a notice from them
> that it's been fixed?
>
> This kind of solution has a huge trust factor hole in it.

However, it has been done with MAPS... they do indeed have a BGP-compatible
DNS lookup thingamabob, and for a while Above.net was using it.

Apart from MAPS blacklisting the whole netblock of a site that was selling
(but not using) spam software, there are also externalities involved.
Above.net started blackholing traffic to those sites, but they did it for
all the traffic that crossed their network, not just the traffic they
originated. So the net result was that some of these sites were not reachable,
just because your traffic traversed above.net, and sometimes they were. And as
you point out, there was no way to know what was happening without effort.
For the kind of user that gets fooled by a phishing site, I'm sure it could
get very confusing.

> Distributing a BGP based blackhole list is trivial. The intelligence that
> goes into it is the hard part. There are companies that provide managed
> services like this (bgp blackhole route servers for known problem sites,
> like drone C&C's). (disclaimer: I do development for one.)

As another poster discusses, collateral damage is of concern. I do some
forensics for a web hosting company and occasionally someone sets up a
phishing web site instead of spambots and IRC connections. Typically we
can make it inoperable within a few minutes of knowing exactly what is
going on (chmod -R 000 ...), so I think a detailed email to abuse is going
to be more effective, as long as they have the ability to read and respond
to the email in a timely fashion.

For companies that aren't that timely, I would think that'd be a good
candidate for firewalling. I know next to nothing about BGP yet, but
I suspect that you could direct traffic for that IP to go through a
firewall device (or implement an ACL, though I suppose that would
mandate the slow path in a router), to block TCP ports 80 and 443 with
a TCP reject, to give some feedback, or an ICMP administratively
unreachable. This also gives the end-user the ability to figure out
who is doing the blocking and get in touch with them (or at least their
network guy acting as their agent, I suspect most end-users can't track
down a provider by IP or sniff to get the IP in the first place).

IIRC, Riverhead DoS-mitigation systems use a similar mechanism for
filtering out DoS packets en route.

Oh, and yes, even for one IP, you're still going to have collateral
damage if they're doing shared hosting, since one IP serves many
sites. The only way around this is to actually do layer 7 decoding,
but if the intruder can already set up one phishing account, I
would be hesitant to assume the other co-located sites are really
safe to browse.

I suspect the trust problem is pretty easy to deal with, if you
have a human and GPG. Usenet cancel messages, rmgroup messages,
key distribution for mixmaster remailers... the hardest problem
is deciding who you trust, and getting their key securely; the
rest is easily automated. Although some sites might be difficult
to distinguish from phishing sites; recently discussed on the
cryptography list was (IIRC) a Citibank email that told users
to log into some site and enter confidential data... the site was
legit but did not have citi anywhere in the domain name, and was
located in New Zealand. Some people tried to explain why this
was bad to Citibank, and apparently a clue was nowhere to be found.

And yet, people trust them with their money.

As an operator of a large collection of Web hosting sites, I appreciate the work of those guys who track down sites and send alerts. I can then surgically remove the offending phishing sites quickly. When a customer does the sites (and I've had a few of those) I usually find multiple phishing payload sites...and the account is closed so quickly that the perps don't even have time to fetch the data they collected.

The championship record is nine payload-sites for different phishing targets.

I have to ask.

The 'stock' disclaimer message says 'may'.

It also says 'If you are not the intended recipient...'

Key words - 'if' and 'may'.

Since the post is being made to NANOG, we can assume the NANOG Audience (defined as anyone who's on the list _or_ who can read the web archive; a.k.a. everyone) is in fact the intended recipient, and we can ignore the rest of it.

... so I fail to see why a big deal should be made out of it. Especially when they're generally enforced on large companies by their lawyers, and the Network Operators likely have very little to do with it.

So why the big deal?

(Personally I still vote for the use of non-corporate mail addresses on mailing lists. Tends to filter out the rogue out-of-office notices too...)

Mark.

> The biggest challenge I can see is scrubbing phishing reports that
> aren't.. themselves.. maliciously crafted phishing attacks against a
> registry of such addresses.

Can you rephrase that? I want to understand but I'm failing.

If you decide to operate some sort of registry for these sites, what's to
stop a user from crafting what appears to be a malicious submission, with
the intent of getting someone blackholed, just for grins and giggles?

Again, trust factor.

> IIRC, Riverhead DoS-mitigation systems use a similar mechanism for
> filtering out DoS packets en route.

I think Prolexic also uses a similar method.

> Oh, and yes, even for one IP, you're still going to have collateral
> damage if they're doing shared hosting, since one IP serves many
> sites. The only way around this is to actually do layer 7 decoding,
> but if the intruder can already set up one phishing account, I
> would be hesitant to assume the other co-located sites are really
> safe to browse.

Well, in many of those cases, you're talking about shared hosting
environments, hundreds of mom and pop sites that actually are safe to
browse, but running whatever vulnerable content-management kit was
provided to them that got the box popped in the first place.

- billn

I didn't see the original post but the topic came
up in 2005 here in the UK as the banks here wanted to
use BGP filtering in the same light. The LINX prepared
a paper on the issues with BGP blackholing and recommended
that if the banks want to trade on the Internet that
they should introduce authentication systems that are fit
for purpose (SecureID for example (many banks had already
done this)). I will try and find a link to the paper
that was prepared. After we presented the paper the idea
was not taken forward.

Unfortunately since then an alternative technology route to do
filtering in proxies and transparent caches has appeared on the scene
and even more so the government here in the UK has been convinced
by mad^wmarketing people and is now under the false impression that
"it is now technically possible to filter the Internet". The aim of
this filtering is an admirable one for sure but the platform fundamentally
doesn't work and even more worryingly ideas are now being mooted to
filter other content such as terrorism, phishing etc.

Regards,
Neil.

Because it's very rude -- like top-posting, or full-quoting, or sending
email marked up with HTML. Because it's an unprovoked threat. Because
it's an attempt to unilaterally shove an unenforceable contract down
the throats of everyone reading it. Because it's a tip-off that the
sender does not value the time or resources of recipients. Because it's
insulting. Because (borrowing from first link below) it's simply too
stupid for words.

Please see:

  Mailing and Posting Etiquette: Don't Send Bogus Legalistic Boilerplate
  http://www.river.com/users/share/etiquette/#legalistic

  Stupid Email Disclaimers
  http://www.goldmark.org/jeff/stupid-disclaimers/

  Stupid E-mail Disclaimers and the Stupid Users that Use Them
  http://attrition.org/security/rants/z/disclaimers.html

for longer (and much better) explanations. For a much longer explanation
of these and related points, see:

  Miss Mailers Answers Your Questions on Mailing Lists
  http://www.faqs.org/faqs/mail/miss-mailers/

---Rsk

I have often thought that this would be a brilliant idea (on paper), when working with one of my clients who suffer regular denial of service attacks through open http and socks proxies. They are a multi-homed end site running bgp4 on their edge networks.

From a 'problem solving' perspective, a Team Cymru-style bgp peer that injected very specific routes into their routing table, and matching configuration which caused those particular routes to be dropped would be ideal. Additions and deletions would be as close to real-time as possible.

From a political perspective, I could only advocate to clients such a service that had a strict policy of adding routes to addresses because of a provable policy infringement. For example, a route for 1.2.3.4/32 would only be announced by my bgp-blacklist peer if it could be demonstrated that a device reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp relay).... and not because a phishing site was hosted there. Different priorities for different networks I guess ..

No interest in a service which requires companies running a blocked proxy to pay before the route/block is lifted. Also no interest in a service which blocks entire networks in the event of a policy infringement, only the polluting hosts. I mention this paragraph thanks to some of the policies of DNS-based email-abuse blacklists.

Phishing is content - when a service opens which filters based on content, there's a whole new can of worms being opened - what *else* is abusive content ? Does it stop being abusive content at some point ? If phishing is abusive, is pornography abuse ? A mouthy anti-West news agency ?

Anyone going to talk about this at Toronto ? Trying to justify taking a week 'off' to visit ... :wink:
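The route-acceptance policy sketched in this post (host routes only, one route per polluting host, only for a provable infringement, never for content such as a phishing page) can be written down as a filter that sits between submissions and the BGP speaker. The following is an added example, not code from the thread or from any of the services named in it; the reason categories, the trusted-submitter list, the evidence field and the bogon list are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Policy the poster describes: only provable infringements of these kinds,
# never content-based judgements such as "phishing site".
ALLOWED_REASONS = {"open-http-proxy", "open-socks-proxy", "open-smtp-relay"}

# Hypothetical list of submitters whose reports are trusted; a real feed
# would back this with signed submissions and out-of-band vetting.
TRUSTED_SUBMITTERS = {"abuse@example.net", "scanner@example.org"}

# Small constructed bogon list; a production feed would use a full one.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class Submission:
    prefix: str      # route the submitter wants blackholed
    reason: str      # infringement category claimed
    submitter: str   # who reported it
    evidence: str    # reference to the verification record (hypothetical)


def check_submission(sub):
    """Return (accepted, detail) for one candidate blackhole route."""
    try:
        net = ipaddress.ip_network(sub.prefix, strict=True)
    except ValueError as exc:
        return False, f"unparsable prefix: {exc}"
    if net.prefixlen != net.max_prefixlen:
        return False, "only single-host routes are accepted"
    if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
        return False, "bogon address"
    if sub.reason not in ALLOWED_REASONS:
        return False, f"reason {sub.reason!r} is not a listed infringement"
    if sub.submitter not in TRUSTED_SUBMITTERS:
        return False, "submitter is not on the trusted list"
    if not sub.evidence.strip():
        return False, "no evidence reference attached"
    return True, "ok"


def build_feed(submissions):
    """Split submissions into routes to announce and rejected entries.

    A repeat of an already accepted host is dropped, not rejected.
    """
    routes, rejected, seen = [], [], set()
    for sub in submissions:
        ok, detail = check_submission(sub)
        if not ok:
            rejected.append((sub.prefix, detail))
        elif sub.prefix not in seen:
            seen.add(sub.prefix)
            routes.append(sub.prefix)
    return routes, rejected


# Constructed sample submissions, using documentation address space.
SAMPLE = [
    Submission("192.0.2.10/32", "open-http-proxy", "abuse@example.net", "scan#101"),
    Submission("198.51.100.0/24", "open-socks-proxy", "abuse@example.net", "scan#102"),
    Submission("203.0.113.7/32", "phishing-site", "abuse@example.net", "report#7"),
    Submission("203.0.113.8/32", "open-smtp-relay", "anyone@example.com", "scan#103"),
    Submission("10.0.0.1/32", "open-http-proxy", "abuse@example.net", "scan#104"),
    Submission("192.0.2.10/32", "open-http-proxy", "scanner@example.org", "scan#105"),
    Submission("2001:db8::1/128", "open-socks-proxy", "scanner@example.org", ""),
]

if __name__ == "__main__":
    print(build_feed(SAMPLE))
```

Only the first sample entry survives into the announce list; the rest are rejected for being a whole /24, a content-based reason, an untrusted submitter, a bogon, or a missing evidence reference, and the duplicate is silently collapsed.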

I'm not going to pick on the "it's" (grammatically correct, but it refers to the email disclaimers which I don't feel like commenting on) but I want to say that I've come to appreciate top-posting. With top-posts, there is no need to scroll down the list, and it is more like a conversation than injecting comments in-line.

Some say that top-posting reverses the conversation, but if you are thumbing through the archives of top-posted threads, each contribution is on the first screen and you can navigate message to message in time-order. In my personal opinion, reading through archives of in-lined threads is much more of a problem - for one because threads take off in other directions and an in-line conversation never stands alone. Usually with a few nested in-lines I lose "who said what" context too.

(As an exercise, try to prepare a reply in-line and then as a top-post. You will see that in-line means less typing, as you don't have to "rephrase the question." In-line is less work to render, but I think it is a poor communication style.)

As far as the HTML, I don't think I use it, but I fail to see why it's rude. Sorry, it is newer technology and it does screw up old tools. (I do get bit by it - the hotels seem to love HTML confirmations that I can't read on my work mailer.) It's my/reader's choice to not use newer tools.

I do agree that full quoting is a pain - especially when the message is less than 1% new content. Especially when all them new headers (DKIM keys and what not) fill up my screen first anyway. Yeah, I know, "upgrade."

There. I've said it...oh, and the disclaimers don't give me heartburn. I just ignore them.

* Neil J. McRae:

> I didn't see the original post but the topic came
> up in 2005 here in the UK as the banks here wanted to
> use BGP filtering in the same light. The LINX prepared
> a paper on the issues with BGP blackholing and recommended
> that if the banks want to trade on the Internet that
> they should introduce authentication systems that are fit
> for purpose (SecureID for example (many banks had already
> done this)).

Banks have deployed much more secure systems than SecureID, and there
have been successful attacks against them.

SecureID might be helpful if you want to differentiate your product
between automatic and manual use, but it doesn't do anything to
authenticate the party you are relaying information to. But it's
useless in a phishing context. If you want a token solution, at least
use something that factors in transaction-related data.

> SecureID might be helpful if you want to differentiate your product
> between automatic and manual use, but it doesn't do anything to
> authenticate the party you are relaying information to. But it's
> useless in a phishing context. If you want a token solution, at least
> use something that factors in transaction-related data.

Florian,
Sorry, we didn't specifically recommend any solution, simply that
they need to look at more secure authentication systems to
minimize phishing issues. As you note, even the most secure systems
can be beaten.

Neil.

This little piece will be top-posted, but everything else will be inline. I'm also going to trim the pieces that I won't be responding to *gasp*!
Please don't shoot me - comments are inline :wink:

> I'm not going to pick on the "it's" (grammatically correct, but it refers to the email disclaimers which I don't feel like commenting on) but I want to say that I've come to appreciate top-posting. With top-posts, there is no need to scroll down the list, and it is more like a conversation than injecting comments in-line.

Most of the conversations I participate in are at least somewhat bi-directional, rather than having one person speak a chapter and requiring the other person to do the same with their responses.
Keep in mind I'm not saying you're wrong, I think we just interpret message flow a little differently.

> Some say that top-posting reverses the conversation, but if you are thumbing through the archives of top-posted threads, each contribution is on the first screen and you can navigate message to message in time-order. In my personal opinion, reading through archives of in-lined threads is much more of a problem - for one because threads take off in other directions and an in-line conversation never stands alone. Usually with a few nested in-lines I lose "who said what" context too.

I disagree. The general convention has been that a paragraph or text block contains a complete thought, or at least a chain of sentences that are at least somewhat related to each other. People usually limit their response to just that little bit of text, so the "you-say-X, I-respond-Y" flow of the thread is indeed preserved.

> (As an exercise, try to prepare a reply in-line and then as a top-post. You will see that in-line means less typing, as you don't have to "rephrase the question." In-line is less work to render, but I think it is a poor communication style.)

Again, I disagree, but that's just my opinion. Top-posting everything means I either have to scroll down through the whole message to locate the piece of text that person responded to, or perhaps have to locate the previous message because the person didn't bother to quote the previous message in their reply. Too much context-switching and caching makes for inefficient message reading :slight_smile:

> As far as the HTML, I don't think I use it, but I fail to see why it's rude. Sorry, it is newer technology and it does screw up old tools. (I do get bit by it - the hotels seem to love HTML confirmations that I can't read on my work mailer.) It's my/reader's choice to not use newer tools.

It makes assumptions that everyone a) wants to read HTML messages and/or b) has a mail reader capable of rendering them. I'm reading this message in an SSH session. Compared to firing up mozilla/thunderbird/evolution and X-forwarding the display to the machine I'm sitting in front of, this setup is substantially faster and more lightweight for remote reading.

> There. I've said it...oh, and the disclaimers don't give me heartburn. I just ignore them.

I usually do as well, but when I receive a 1-line email from someone and it has a 1-page disclaimer at the bottom that chances are I will not read, then yes I get a little annoyed :slight_smile: It's right up there with people who assume the rest of the world uses Outlook/Exchange, i.e. "Smith, Joe would like to recall the message 'ABCDEFG'".

jms

disclaimer: I do development work for the company I'm about to endorse.

I endorsed this product before when I was a client. I've since left my
previous position and gone to work on it. This is one of the very few
posts I'll ever make that's in any way representative of an employer.

Mainnerve's Darknet product is exactly that: A managed blacklist of
malicious/hacked sites. Currently, phishing sites and open proxies, make
it into blacklist, but drone network C&Cs do. Darknet is intended to
intercept traffic leaving your network to known C&Cs. Currently, this
involves a device deployed to your network, that hosts a BGP peer to your
network to supply the blackhole routes, redirecting the C&C traffic to the
darknet device for packet analysis.

I'm currently working on a newer implementation that involves just a BGP
peering session and a GRE tunnel, to eliminate the hardware deployment and
simplify the whole process, so it functions very much like the bogon
filter.

- billn

Someone pointed out my typo. This should read 'phishing sites and open
proxies don't make it into the blacklist'.

Sorry for any confusion this may have inflicted. Drink more coffee!

- billn

I'm as much of a netiquette-fiend as almost anyone i've ever met, but I do feel that there is a tendency to spend far too much time complaining about perceived rudeness and not enough time with focus on the point behind the message.

No matter how hard you try, top-posting is here to stay. MS Outlook has seen to that. So instead of taking the extreme approach (top posting = bad) I favour a compromise approach (inconsistent posting = bad; multiple responses to multiple individual points from a single email in a top post = bad) - which I like to think is more driven by common sense than the need to exert one's old-school-ness on the rest of the populace. I can't be the only one...

I don't like disclaimers either. There's a reason I use a privately managed mail system for contributing to mailing lists, and not my corporate address (which, yes, gets a multiline legal disclaimer added to every post that leaves...)

But there are worse offenses. HTML emails - every author has a choice there, so that one's unforgivable IMHO. Top-Posting and Legalese Addendums to messages are both things that an end-user in a COE corporate environment has little control over.

Mark.