Re: Phishing and BGP Blackholing

From: Bill Nash (no email)
Date: Wed Jan 03 2007 - 12:24:38 EST

  • Next message: Justin M. Streiner: "RE: http://cisco.com 403 Forbidden"

    On Wed, 3 Jan 2007, Andy Davidson wrote:

    > From a 'problem solving' perspective, a Team Cymru-style bgp peer that
    > injected very specific routes into their routing table, and matching
    > configuration which caused those particular routes to be dropped would be
    > ideal. Additions and deletions would be as close to real-time as possible.
    >
    > From a political perspective, I could only advocate to clients such a service
    > that had a strict policy of adding routes to addresses because of a provable
    > policy infringement. For example, a route for 1.2.3.4/32 would only be
    > announced by my bgp-blacklist peer if it could be demonstrated that a device
    > reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp
    > relay).... and not because a phishing site was hosted there. Different
    > priorities for different networks I guess ..

    disclaimer: I do development work for the company I'm about to endorse.

    I endorsed this product before when I was a client. I've since left my
    previous position and gone to work on it. This is one of the very few
    posts I'll ever make that's in any way representative of an employer.

    Mainnerve's Darknet product is exactly that: A managed blacklist of
    malicious/hacked sites. Currently, phishing sites and open proxies make
    it into the blacklist, but drone network C&Cs do. Darknet is intended to
    intercept traffic leaving your network to known C&Cs. Currently, this
    involves a device deployed to your network, that hosts a BGP peer to your
    network to supply the blackhole routes, redirecting the C&C traffic to the
    darknet device for packet analysis.

    I'm currently working on a newer implementation that involves just a BGP
    peering session and a GRE tunnel, to eliminate the hardware deployment and
    simplify the whole process, so it functions very much like the bogon
    filter.

    - billn
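    As an added example (not code from the original thread, from Mainnerve, or from Team Cymru), the following Python models the receive-side policy a network would want on a blackhole feed of the kind both posts describe: accept only host routes (the 1.2.3.4/32 of Andy's example), require the community the feed is assumed to tag them with, refuse anything covering your own address space, cap the number of prefixes, and rewrite the next hop to a discard address or to the darknet GRE tunnel. The community value 65535:666, the next hop 192.0.2.1, the protected range 203.0.113.0/24 and the sample feed are all constructed placeholders.

```python
"""Receive-side policy for a BGP blackhole/darknet feed (constructed example).

Mirrors what a route-map on the receiving router should enforce before a
blackhole route from an external feed is installed.
"""
import ipaddress

# Assumed: the feed tags blackhole routes with this community (placeholder).
BLACKHOLE_COMMUNITY = "65535:666"
# Assumed: our own address space; a feed must never be allowed to blackhole
# traffic to it (constructed, TEST-NET-3).
PROTECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: next hop that is statically routed to Null0, or into the darknet
# GRE tunnel for packet analysis (placeholder, TEST-NET-1).
DISCARD_NEXT_HOP = "192.0.2.1"
# Assumed cap, equivalent to a maximum-prefix setting on the neighbor.
MAX_PREFIXES = 10000


def evaluate_route(prefix, communities, protected=PROTECTED_PREFIXES):
    """Decide whether one received route may be installed.

    Returns (accept, reason, next_hop); next_hop is None when rejected.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}", None
    # Only host routes: a feed must not be able to drop a whole block.
    if net.prefixlen != net.max_prefixlen:
        return False, "only host routes (/32 or /128) accepted from feed", None
    # Untagged routes are not blackhole routes, whatever the peer intended.
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "missing blackhole community", None
    # Never let an external feed blackhole our own space.
    for p in protected:
        if net.version == p.version and net.subnet_of(p):
            return False, f"covers protected space {p}", None
    return True, "accepted", DISCARD_NEXT_HOP


def apply_feed(updates, max_prefixes=MAX_PREFIXES):
    """Process (prefix, [communities]) pairs from the feed.

    Returns (accepted, rejected): accepted maps prefix -> next hop, rejected is
    a list of (prefix, reason). Once max_prefixes routes are installed, further
    routes are refused rather than silently installed.
    """
    accepted = {}
    rejected = []
    for prefix, comms in updates:
        if len(accepted) >= max_prefixes:
            rejected.append((prefix, "max-prefix limit reached"))
            continue
        ok, reason, next_hop = evaluate_route(prefix, comms)
        if ok:
            accepted[prefix] = next_hop
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


# Constructed sample feed covering the cases the policy handles.
SAMPLE_FEED = [
    ("1.2.3.4/32", ["65535:666"]),        # host route, tagged: accepted
    ("198.51.100.0/24", ["65535:666"]),   # whole /24: rejected
    ("203.0.113.7/32", ["65535:666"]),    # inside our own space: rejected
    ("198.51.100.9/32", []),              # untagged: rejected
    ("2001:db8::1/128", ["65535:666"]),   # IPv6 host route: accepted
]

if __name__ == "__main__":
    installed, dropped = apply_feed(SAMPLE_FEED)
    for pfx, nh in installed.items():
        print(f"install {pfx} next-hop {nh}")
    for pfx, why in dropped:
        print(f"reject  {pfx}: {why}")
```

    The same checks map onto router configuration as a prefix-list permitting only `ge 32` (and `ge 128` for IPv6) routes, a community match, a deny entry for your own aggregates, a `maximum-prefix` limit on the neighbor, and a route-map that sets the next hop to the discard address or tunnel.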
