
Re: Spam, ASNs, CIDRs, and d-u

* Karsten M. Self:

> Background:  ASN identifies the Autonomous System.  Effectively, these
> are the networks the Internet is networking between.  Each is defined by
> a single span of routing authorities, peers, etc., and largely,
> organizational authority.  In other words:  you've got an identifiable,
> accountable entity with a definable network space.  More to the point:
> they're _accountable_ for that space, and had damned well better be
> keeping it clean.

And there are only a few thousand ASNs which are actually used in the
Internet routing table, which means that maintaining a list of
responsible ones is indeed feasible.

> For more general information:
>     http://www.routeviews.org/
> The data are compiled directly from BGP router maps.  My understanding
> is that the zonefiles are downloadable (I'm checking on this now).
> They're certainly cacheable.

I've got a tool that builds optimized zone files from BGP table dumps.
However, you need quite a bit of RAM on the authoritative name server
(BIND 9 grows by 120 MB, I haven't tried nsd so far).  All you need is
a BGP (and Quagga), but we should be able to get one on some Debian
machine if we really want to try this approach.

Unfortunately, using BGP to combat spam on a large scale will result
in more spammers attacking BGP.  As BGP provides no real
authentication of announcements (there's no end-to-end mechanism, and
a trusted route registry faces huge organizational challenges), and
out-of-band documentation is *extremely* poor, this can result in very
annoying problems.  What's worse, tactical hijacking of netblocks for
spamming purposes is no longer a theoretical possibility, it has
already happened. 8-(
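
An added example, not part of the original message and not the tool its author mentions: a sketch of the IP-to-origin-ASN lookup discussed above, using longest-prefix match and refusing to trust a mapping when a prefix has conflicting origins, which is the failure mode the hijacking caveat points at. The route data, the `RESPONSIBLE_ASNS` list and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample: (prefix, origin ASN) pairs as they might be extracted
# from a BGP table dump. Documentation prefixes, reserved/private-use ASNs.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("198.51.100.128/25", 64666),  # more-specific route with a different origin
    ("203.0.113.0/24", 64502),
    ("203.0.113.0/24", 64667),     # same prefix announced by two origins
]
RESPONSIBLE_ASNS = {64500, 64501, 64502}  # hypothetical maintained list


def build_table(routes):
    """Map each network to the set of origin ASNs seen announcing it."""
    table = {}
    for prefix, asn in routes:
        table.setdefault(ipaddress.ip_network(prefix), set()).add(asn)
    return table


def lookup(table, address):
    """Longest-prefix match: return (network, origins), or None if unrouted."""
    ip = ipaddress.ip_address(address)
    matches = [net for net in table if ip in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return best, table[best]


def classify(table, address, responsible=RESPONSIBLE_ASNS):
    """Return 'unrouted', 'ambiguous', 'responsible' or 'unlisted'."""
    hit = lookup(table, address)
    if hit is None:
        return "unrouted"
    _, origins = hit
    if len(origins) > 1:
        return "ambiguous"  # conflicting origins: the mapping is not trustworthy
    return "responsible" if origins <= responsible else "unlisted"


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for addr in ("192.0.2.10", "198.51.100.200", "203.0.113.5", "10.0.0.1"):
        print(addr, classify(table, addr))
```

The more-specific /25 overrides the listed /24 for the addresses it covers, so a filter that trusts only the covering prefix's origin would misclassify them.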
