On Tue, Sep 28, 2004 at 01:35:32PM -0700, Steve Langasek wrote:
> On Tue, Sep 28, 2004 at 02:10:55PM +0200, Florian Weimer wrote:
> > In theory, there are filters to prevent that, but they have little
> > effect in practice. Prefixes are a bit like mail addresses, and ASNs
> > (both origin and transit) are comparable to Received: headers: both
> > can be easily forged by an intermediate hop. (Even more accurate
> > would be an analogy to Usenet and its Path: header.) Of course,
> > forged email headers are extremely common, and BGP hijacking is
> > relatively rare. But this might change if there is substantial
> > incentive to spammers to attack Internet routing.
>
> One would hope that spammers making bogus BGP announcements would
> finally be enough to make governments treat them like the criminal scum
> they are and have them executed. Individual forged spams are difficult
> to prosecute because there are millions of them with low individual
> impact; but I don't think most ISPs would tolerate very many instances
> of address space theft before bringing law enforcement to bear on the
> perpetrators.

Having been a senior network geek (read: responsible for BGP configs and the stability of the network as a whole) for a mid-size, multi-state ISP, I will simply say that it is entirely possible to inject bad BGP data in a way such that it doesn't matter how upset the impacted ISP is, as long as you don't target one of the major carriers (and spammers generally don't, they'd much rather target a company with a couple of /19s, also known as 'small potatoes', for something like this). Why? Because BGP, like SMTP, was written in an era of trust-by-default, and as such, if you can get something past a single bad (or more often, completely absent) filter, anywhere in the world, you can generally get it heard far and wide.

Once you pass the barrier to entry, there's no effective protection anyone else can do to block it except cut off the injection point completely (again, see Usenet... or more to the point, Usenet2). There are solutions, but most of them are economically impractical at this point in time - which has always been the name of the game in the business side of UCE, UBE, etc. If it costs more to track it down and prosecute it than it does to simply ignore it, it will be ignored.

One important factor to keep in mind is that unlike your average consumer connection today (with the exception of remote hosting), the major carriers charge based on a variety of criteria that generally include maximum bandwidth (burst capacity), minimum committed bandwidth (steady capacity), and actual number of bits pushed (usage). That last one means they have a direct incentive NOT to stop a major source of bit-pushing; the first two are more indirect, but have similar effects. As such, the level of apathy is enormous; if anything happens about securing BGP, it won't be because it's a spammer, but rather, because it is a threat to the innate network stability, which leads to increased capital (hardware) costs to handle, and increased operator man-hours to troubleshoot it.

The best you can hope for is the same situation that something like SPF or other sender-validation schemes propose for SMTP; a way to authenticate that the claimed sender of a message is actually someone with control over the sending resources. It would allow better ASN-based filtering, but that's all.

-- 
Joel Baker <fenton@debian.org>
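As an added illustration (not part of Joel's mail or of any Debian code), here is the kind of origin check that the "ASN-based filtering" he mentions implies: a route is accepted only if the address holder has stated that the claimed origin AS may announce it, and only down to the prefix length the holder allowed, which is what RPKI route-origin validation does today. The authorization table standing in for RPKI ROAs, the prefixes (private 10/8 space) and the ASNs (RFC 5398 documentation range) are all constructed.

```python
# Added example, not from the original mail: toy route-origin validation.
# The authorization table plays the role RPKI ROAs do today; all prefixes
# (private 10/8) and ASNs (RFC 5398 documentation range) are constructed.
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int  # longest more-specific the holder has authorized
    origin_as: int

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    as_path: tuple  # rightmost element is the claimed origin AS

# Constructed: a small ISP (AS64496) holds two /19s and allows itself to
# deaggregate the first one down to /20, nothing further.
ROAS = [
    ROA(ipaddress.ip_network("10.10.0.0/19"), 20, 64496),
    ROA(ipaddress.ip_network("10.10.32.0/19"), 19, 64496),
]

def validate(route, roas=ROAS):
    """RFC 6811-style outcome for one route: Valid, Invalid or NotFound."""
    origin = route.as_path[-1]
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"  # nobody has stated who may originate this space
    for roa in covering:
        if roa.origin_as == origin and route.prefix.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # wrong origin AS, or a more-specific the holder never allowed

def accept(feed, roas=ROAS):
    """Defender's policy: drop Invalid routes, keep Valid and NotFound ones."""
    return [r for r in feed if validate(r, roas) != "Invalid"]

# Constructed feed: two legitimate routes, two injected ones, one unknown.
FEED = [
    Route(ipaddress.ip_network("10.10.0.0/19"), (64500, 64496)),  # Valid
    Route(ipaddress.ip_network("10.10.0.0/20"), (64500, 64496)),  # Valid
    Route(ipaddress.ip_network("10.10.0.0/24"), (64510, 64496)),  # Invalid: origin forged, but /24 exceeds maxLength
    Route(ipaddress.ip_network("10.10.32.0/19"), (64510,)),       # Invalid: origin AS not authorized
    Route(ipaddress.ip_network("10.20.0.0/19"), (64511,)),        # NotFound: no authorization to check against
]

if __name__ == "__main__":
    for r in FEED:
        print(f"{str(r.prefix):<16} origin AS{r.as_path[-1]}: {validate(r)}")
```

Note that the third route shows why a forged origin AS alone is not enough: the longer prefix that would win longest-match routing is exactly what the holder's maxLength refuses.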