nanog mailing list archives

Re: Phishing and BGP Blackholing


From: Bill Nash <billn () billn net>
Date: Tue, 2 Jan 2007 18:20:01 -0700 (MST)



The biggest challenge I can see is scrubbing phishing reports that 
aren't.. themselves.. maliciously crafted phishing attacks against a 
registry of such addresses. Likewise, since BGP isn't application aware, 
when you blackhole an address that's both website and mail server, how do 
you inform the end user about their problem, or get a notice from them 
that it's been fixed?

This kind of solution has a huge trust factor hole in it.

Distributing a BGP based blackhole list is trivial. The intelligence that 
goes into it is the hard part. There are companies that provide managed 
services like this (BGP blackhole route servers for known problem sites, 
like drone C&Cs). (disclaimer: I do development for one.)

- billn
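The two concerns raised above, a report registry that can itself be poisoned and a per-address blackhole that takes down unrelated services on the same host, as an added example that is not part of this thread: a vetting step between incoming phishing reports and the route server. The prefixes, feed names and observed-service table are constructed sample data, not from any real feed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy data (hypothetical); a deployment would load its own records.
PROTECTED_PREFIXES = [ip_network("192.0.2.0/24")]   # never auto-blackholed
KNOWN_SERVICES = {                                   # services observed on each host
    "198.51.100.10": {"http"},
    "198.51.100.20": {"http", "smtp"},               # web and mail on one address
}
MIN_INDEPENDENT_REPORTERS = 2
WEB_ONLY = {"http", "https"}

# Constructed sample reports: (reported IP, reporting feed).
SAMPLE_REPORTS = [
    ("198.51.100.10", "feedA"), ("198.51.100.10", "feedB"),
    ("198.51.100.20", "feedA"), ("198.51.100.20", "feedB"),
    ("203.0.113.5", "feedA"), ("203.0.113.5", "feedA"),   # same feed twice
    ("192.0.2.7", "feedA"), ("192.0.2.7", "feedB"), ("192.0.2.7", "feedC"),
]
SAMPLE_NOW = datetime(2007, 1, 2, 18, 20)


def vet_reports(reports, now, ttl_hours=24):
    """Split raw phishing reports into routes safe to announce and cases
    needing a human. Returns (accepted: ip -> expiry, held: ip -> reason)."""
    reporters = defaultdict(set)
    for ip, feed in reports:
        reporters[ip].add(feed)             # distinct sources, not raw volume

    accepted, held = {}, {}
    for ip, feeds in reporters.items():
        addr = ip_address(ip)
        if any(addr in net for net in PROTECTED_PREFIXES):
            held[ip] = "protected prefix: the report itself may be the attack"
        elif len(feeds) < MIN_INDEPENDENT_REPORTERS:
            held[ip] = "uncorroborated: %d reporter(s)" % len(feeds)
        elif KNOWN_SERVICES.get(ip, set()) - WEB_ONLY:
            extra = ", ".join(sorted(KNOWN_SERVICES[ip] - WEB_ONLY))
            held[ip] = "collateral: host also serves %s" % extra
        else:
            # Expire automatically so a cleaned-up host is not blackholed forever.
            accepted[ip] = now + timedelta(hours=ttl_hours)
    return accepted, held


if __name__ == "__main__":
    acc, hld = vet_reports(SAMPLE_REPORTS, SAMPLE_NOW)
    print("announce:", acc, "\nhold:", hld)
```

Only the single web-only host with two independent reporters reaches the route server, and it carries an expiry so the operator does not depend on the site owner reporting a fix.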

On Tue, 2 Jan 2007, Joy, Dylan wrote:


Happy New Year all,

I'm curious if anyone can answer whether there has been any traction
made relative to blocking egress traffic (via BGP) on US backbones which
is destined to IP addresses used for fraudulent purposes, such as
phishing sites.  

I'm sure there are several challenges to implementing this...

Regards,
Dylan Joy
Network Security Analyst, BECU



