nanog mailing list archives

Re: Phishing and BGP Blackholing


From: Bill Nash <billn () billn net>
Date: Tue, 2 Jan 2007 23:24:41 -0700 (MST)


On Tue, 2 Jan 2007, Travis H. wrote:

> On Tue, Jan 02, 2007 at 06:20:01PM -0700, Bill Nash wrote:
> > The biggest challenge I can see is scrubbing phishing reports that
> > aren't.. themselves.. maliciously crafted phishing attacks against a
> > registry of such addresses.

> Can you rephrase that?  I want to understand but I'm failing.

If you decide to operate some sort of registry for these sites, what's to 
stop a user from crafting what appears to be a malicious submission, with 
the intent of getting someone blackholed, just for grins and giggles?

Again, trust factor.

> IIRC, Riverhead DoS-mitigation systems use a similar mechanism for
> filtering out DoS packets en route.

I think Prolexic also uses a similar method.

> Oh, and yes, even for one IP, you're still going to have collateral
> damage if they're doing shared hosting, since one IP serves many
> sites.  The only way around this is to actually do layer 7 decoding,
> but if the intruder can already set up one phishing account, I
> would be hesitant to assume the other co-located sites are really
> safe to browse.

Well, in many of those cases, you're talking about shared hosting 
environments, hundreds of mom and pop sites that actually are safe to 
browse, but running whatever vulnerable content-management kit was 
provided to them that got the box popped in the first place.

- billn
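As an added example (not from this thread or any of the systems named in it), here is one way an operator could gate automated blackholing on both concerns raised above: a submission only counts once per reporter and must be corroborated by several trusted reporters, and a /32 is held back from blackholing when passive-DNS data shows many bystander sites on the same address. Reporter names, trust weights, addresses and the host map are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (assumptions, not from the thread):
# per-reporter trust weights in [0, 1] and a passive-DNS style map of
# IP -> hostnames observed resolving to it.
REPORTER_TRUST = {"isp-a-abuse": 0.9, "bank-x-soc": 0.8, "anon-web-form": 0.1}
HOSTS_ON_IP = {
    "192.0.2.10": ["phish-login.example"],
    "192.0.2.20": ["blog%d.example" % i for i in range(150)] + ["phish.example"],
}

TRUST_THRESHOLD = 1.5   # summed trust required before any automated action
MIN_REPORTERS = 2       # distinct reporters, so one forged report cannot blackhole
MAX_SHARED_HOSTS = 5    # above this, a /32 blackhole hits too many bystanders


def decide(reports, trust=REPORTER_TRUST, hosts=HOSTS_ON_IP):
    """reports: iterable of (reporter, ip, url) tuples.

    Returns {ip: decision}. Repeated submissions from the same reporter
    collapse to a single vote, and unknown reporters carry zero weight.
    """
    votes_by_ip = defaultdict(dict)
    for reporter, ip, _url in reports:
        votes_by_ip[ip][reporter] = trust.get(reporter, 0.0)

    decisions = {}
    for ip, votes in votes_by_ip.items():
        score = sum(votes.values())
        if len(votes) < MIN_REPORTERS or score < TRUST_THRESHOLD:
            decisions[ip] = "hold: insufficient corroborated trust"
        elif len(hosts.get(ip, [])) > MAX_SHARED_HOSTS:
            # Shared hosting: take it up with the provider at the URL level
            # rather than blackholing every co-located site.
            decisions[ip] = "hold: shared hosting, escalate URL to provider"
        else:
            decisions[ip] = "blackhole"
    return decisions


if __name__ == "__main__":
    sample = [
        ("isp-a-abuse", "192.0.2.10", "http://phish-login.example/login"),
        ("bank-x-soc", "192.0.2.10", "http://phish-login.example/login"),
        ("anon-web-form", "192.0.2.20", "http://phish.example/"),
        ("anon-web-form", "192.0.2.20", "http://phish.example/"),
    ]
    for ip, verdict in decide(sample).items():
        print(ip, "->", verdict)
```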

