RE: BGP-based blackholing/hijacking patented in Australia?

Andre Oppermann wrote:
If you remember the very old story on Slashdot where
some guy in Australia managed to secure a patent on a
"circular transportation device" (a.k.a. "Wheel") it
will explain many things... :wink:

I mean no disrespect to people from down under, but I have heard several
times that if Al Gore was Australian he would have secured a patent that
he invented the Internet...

Michel.

Hi,

Just to ease people's concerns, the patent has nothing to do with blackholing. A brief description of the way it works can be found here:

http://www.scamslam.com/ScamSlam/whatis.shtml

We have not disclosed the site address to the "public" at this stage; the text of the site is only in draft form for the purposes of editing and needs to be "polished". Perhaps the article wasn't as articulate in conveying this, but I'm sure you appreciate journalists sometimes don't get it right :slight_smile:

Kind Regards

Bevan Slattery
PIPE Networks

Sorry, can't find a really good link; this is what BT have been doing in the UK
for a couple of months:
http://msnbc.msn.com/id/5158457/

In answer to the critics, what an ISP chooses to do with its traffic
*internally* is up to the ISP, and bear in mind you are not suggesting the scope
of the service is anything more than an ISP's own network. This is not IP
hijacking by any means, more like transparent caching and blacklisting.

Steve

>
> Hi,
>
> Just to ease people's concerns, the patent has nothing to do with
> blackholing. A brief description of the way it works can be found here:
>
> http://www.scamslam.com/ScamSlam/whatis.shtml

And based on what I've read, the above has a lot to do with blackholing; I
don't see how a patent can be claimed on this system with so many cases of
prior work of a similar nature.

Sorry, can't find a really good link; this is what BT have been doing in the UK
for a couple of months:
http://msnbc.msn.com/id/5158457/

In answer to the critics, what an ISP chooses to do with its traffic
*internally* is up to the ISP, and bear in mind you are not suggesting
the scope of the service is anything more than an ISP's own network. This
is not IP hijacking by any means, more like transparent caching and
blacklisting.

I agree with the above; it's not hijacking as far as it does not affect the
whole internet and only affects the local ISP that chooses to use such a
service. To me this all looks like a transparent firewall, which instead
of completely blocking access to an IP, provides redirection to an explanation
page. However, usually firewalls have a static setup and are maintained 100%
by the sysadmin at the location; here it's letting somebody else control
your firewall and add new entries there in real time, and I'd be
careful in choosing to trust such an external service. At the same time
this all sounds a lot like a real-time DNS blacklist service, and those
are widely used; commercial services such as MAPS do exist, as well
as numerous non-commercial DNSBLs which are trusted by thousands of ISPs.

Now I hate to be giving advice to a company I do not like (based on their
insistence on a patent and based even more on the answer just given on nanog
by the company representative to the post by Michel Py; the answer said this is
a hostile list and chose not to answer ANY of the legitimate concerns
cited by Michel, which was completely inappropriate behavior if they are
interested in having this technology and their company seriously
considered), but I think what is being proposed could be done better
and safer if, instead of being pushed and marketed as a complete block of
bad sites, the same or similar technology is marketed as an automated warning
for end-users of potentially bad and unsafe websites.

The only implementation change to do this would be to provide a link from
the webpage where the user might have been redirected to the original website
they wanted to access (it would have to be done by using a proxy service,
since the IP is not directly available). In such a case, this service, in the case
of possibly bad IPs, only functions as an additional warning that the webpage the
user wanted to access is considered not to be safe and may be used by
phishers (is that the correct term?). Most users would listen to such a
warning and not give any personal information if this was supposed to be a
bank website, even if they otherwise would have believed the phishing email.
At the same time, if blackholing this site was not correct and the user
really does want to go to that website, the person can just click on the
link to continue.

William,

And based on what I've read, the above has a lot to do with blackholing; I
don't see how a patent can be claimed on this system with so many cases of
prior work of a similar nature.

The service mainly uses the process for which we have made a patent application. The application is regarding that particular process (not blackholing).

I agree with the above; it's not hijacking as far as it does not affect the
whole internet and only affects the local ISP that chooses to use such a
service.

The service doesn't use a transparent firewall/proxy, but instead updates routing information by BGP, and that traffic gets sent to/from the system via a tunnel.

here it's letting somebody else control
your firewall and add new entries there in real time, and I'd be
careful in choosing to trust such an external service.

As per above.

At the same time
this all sounds a lot like a real-time DNS blacklist service, and those
are widely used; commercial services such as MAPS do exist, as well
as numerous non-commercial DNSBLs which are trusted by thousands of ISPs.

true.

the answer said this is
a hostile list and chose not to answer ANY of the legitimate concerns
cited by Michel, which was completely inappropriate behavior if they are
interested in having this technology and their company seriously
considered)

It depends on which side you look at it from. I actually respect ISP lists in that if well-considered and measured discussion is able to be undertaken, then they are indeed extremely valuable and very informative. However, in my experience, when someone doesn't have the courtesy to first ask, but instead rants about what they think and not what they know, then any response to such a comment merely inflames the matter to a level where any reasonable discussion/points are drowned out by emotive flame throwing.

I decided, as part of my respect for the list and the people who participate within it, that I wouldn't turn it into a flamefest. I can't remember saying that the list is hostile, but I made a somewhat smart remark regarding the hostility from a particular person when I tried to enter some discussion on the issue. A person who, as it appears, got it wrong that the patent is regarding "blackholing", then got it wrong that we were "firewalling", then decided to make some emotive comments that were not very constructive.

For some history as to how/why we did this:

I work at PIPE Networks (which stands for Public Internet Protocol Exchange). We are a peering provider in .au - we are actually Australia's largest peering provider, but in the global sense that doesn't mean much :slight_smile:

Being in the internet industry and Australian, we have a propensity to drink beer - and a lot of it. One night about 6 months ago, we hosted an Internet Industry night and quite a few of our biggest customers attended. The topic turned to how much of a "pain in the arse" phishing was for our ISP clients. When we enquired, our clients explained that they receive "requests" from the Australian Federal Police to "take down" phishing attacks. These can be via a number of means: fax, email etc... Now to take down a site, it usually means blackhole. The ISPs didn't like that - but it was their only solution. You see, in Australia if you knowingly allow a carriage service (which internet transit is) to be used to conduct a crime, then that is a federal offence. So the ISPs were getting faxes and emails saying "block this", "block that". And they would have to.

It was discussed over many beers that "we need a central system to do this"; what can PIPE do? So we went away and thought about it. We knew blackholing was not appropriate from an ISP perspective, because the end user clicks on a link and gets an error page. They haven't learnt anything and could fall prey again. Secondly, they usually rang the ISP to say "I am trying to get to my bank site and it gives me an error".

So we created a system that uses BGP and tunnels to redirect that traffic and present something at least mildly intelligent to the users. The next issue we thought of is that we think what we are doing is somewhat unique, because it isn't blackholing, isn't firewalling, isn't a lot of things.

So we thought we would look at protecting what we are doing in case some big software/security firm flogs the concept and calls it their own, and they might ask us to pay them money for our idea. Now if we are indeed re-inventing the wheel, then it's not going to fly, simple as that. Besides, if it is such a stupid idea, then no-one is going to use it regardless.

So at the end of the day, we are offering an optional service to our customers who may/may not use it, however one that makes their life easier and assists the AFP to distribute the scams other than via fax/email...

Cheers

[b]

I like point 13 where you highlight how the system doesn't
work. In any case I doubt that this patent is any more valid
outside of the blackholing part, and I hope this gets stuck
in some lengthy patent legal argument preventing anyone
from using it! :slight_smile: Why not ask the banks to be
responsible net users and protect their customers properly
with token-based authentication? Banks in Switzerland have
done this successfully.

Regards,
Neil.

Date: Fri, 13 Aug 2004 21:33:33 +1000
From: Bevan Slattery

The service doesn't use a transparent firewall/proxy, but
instead updates routing information by BGP, and that traffic
gets sent to/from the system via a tunnel.

Search recent NANOG presentations. Keep an eye out for "Martini
Tunnels".

One night about 6 months ago, we hosted an Internet Industry
night and quite a few of our biggest customers attended.

IANAL, but I think this is helpful in establishing the critical
date of the claimed. PIPE appears to have joined Postini in
thinking a MITM attack is something new and exotic.

I've admittedly not read the entire thread, but Squid+GRE+WCCP
comes to mind. That combination has been around more than six
months.

Eddy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The only implementation change to do this would be to provide
a link from
the webpage where the user might have been redirected to the
original website
they wanted to access (it would have to be done by using a
proxy service, since the IP is not directly available). In such a
case, this service, in the case
of possibly bad IPs, only functions as an additional warning
that the webpage the user wanted to access is considered not to be
safe and may be used by
phishers (is that the correct term?). Most users would listen to such a
warning and not give any personal information if this was supposed to be
a bank website, even if they otherwise would have believed the
phishing email. At the same time, if blackholing this site
was not correct and the user really does want to go to that
website, the person can just click on the link to continue.

Transparent banner insertion might be able to do this. Many of the
caches out there coded this, but operators ended up not using it.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The service doesn't use a transparent firewall/proxy, but
instead updates
routing information by BGP, and that traffic gets sent to/from
the system
via a tunnel.

BGP Shunt to a tunnel has been done by several providers on this
list for years. In some cases, it has been used for Lawful Intercept
(BGP Shunt down a GRE tunnel).

Then there is the BGP Shunt down a MPLS tunnel (the MPLS Shunt). Colt
was one of the first to deploy this:

http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-eof-fischbach.pdf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've admittedly not read the entire thread, but
Squid+GRE+WCCP comes to mind. That combination has been
around more than six months.

Yep - WCCPv2 can be BGP triggered via a community. So you can have a
bunch of devices (not just web) on a WCCPv2 service group sitting on
the edge in standby mode. Kick out a BGP community and you now have
traffic heading over to the now active WCCPv2 service group.

The industry has come up with lots of ways to do things like this.

Date: Fri, 13 Aug 2004 08:01:06 -0700
From: Barry Raveendran Greene

Yep - WCCPv2 can be BGP triggered via a community. So you

Speaking of questionable patents...

Eddy

Predating this is Bellwether (June 2000):
http://www.nanog.org/mtg-0006/hardie.html
Specifically:
http://www.nanog.org/mtg-0006/ppt/hardie/sld008.htm
http://www.nanog.org/mtg-0006/ppt/hardie/sld009.htm

-Hank

Indeed. In days of "yore", when people developed at least marginally
non-obvious operational techniques, people sent email to nanog about it,
explaining the technique and their experience (hence the NOG bit);
the reception wasn't always positive, but at least the criticism was
technical. I wonder what the driving factor was for the change.

Alex

I do miss the old days of this list, technical growth
and global participation in events was exciting...

-her

Bevan,

Would you be willing to export this database as a list of URLs
rather than a list of IPs?

I, for one, would like to run this on centralised proxy servers
and build ACLs for devices such as proxy servers and firewalls.
I don't want to speak BGP. A text file - whether it's one line
per host, or some well-formatted and documented XML database -
would allow people to decide the best way to implement it within
their network.

It would be nice if it were hostname vs IP - it both stops
the possibility of entire ISPs being wiped out by IP
blocks and it also allows us to track the DNS changes
as the phishing people start running things in a similar
way to how the spammers do.

It would also be nice if you were able to include some
metadata on what the scam is. It would allow people to
choose exactly which to include in their local filters.

Thank you.

Adrian
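As an added example (not code from this thread, PIPE Networks or Squid), here is how a hostname-based scam feed with per-entry metadata, of the kind Adrian asks for, could be turned into Squid proxy ACLs that send matching requests to an explanation page rather than blackholing them, as William's reply suggests. The feed layout (tab-separated host, scam category, impersonated brand), the hostnames and the warning URL are all assumptions.

```python
"""Turn a hostname-based scam feed into Squid ACL fragments.
Added example, not PIPE Networks' code; the tab-separated feed
layout (host, category, brand) is an assumption."""
from dataclasses import dataclass

# Constructed sample feed; the hostnames are fictitious.
SAMPLE_FEED = """\
# host\tcategory\tbrand
login-verify.example.test\tphishing\tExampleBank
cheap-pills.example.test\tpharmacy\t-
secure-update.example.test\tphishing\tExampleCard
"""

@dataclass(frozen=True)
class FeedEntry:
    host: str
    category: str
    brand: str

def is_ip_literal(host):
    """True for dotted-quad entries: the feed must be hostnames only,
    so one entry can never blanket-block a shared hosting address."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)

def parse_feed(text):
    """Parse the feed, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, category, brand = (f.strip() for f in line.split("\t", 2))
        if is_ip_literal(host):
            raise ValueError(f"IP literal not allowed in host feed: {host}")
        entries.append(FeedEntry(host.lower(), category.lower(), brand))
    return entries

def squid_acl(entries, categories, warn_url):
    """Squid directives sending only the chosen categories to an
    explanation page (deny_info with a URL redirects the client) rather
    than blackholing; '' when nothing selected, as an empty ACL is an error."""
    hosts = sorted({e.host for e in entries if e.category in categories})
    if not hosts:
        return ""
    return "\n".join([
        "acl scamlist dstdomain " + " ".join(hosts),
        f"deny_info {warn_url} scamlist",
        "http_access deny scamlist",
    ])
```

The category filter is what lets each operator include only the scam types they want, and the warning page named in `deny_info` is where a "continue anyway" link would live.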