Greetings DEF CON! I'm Dave and I'm here to talk about short-lived BGP prefix hijacking. I'm going to level with you right up front: I'm kind of terrified of public speaking, and there's an awful lot of you. The last DEF CON I was at, there were only about 20 people. Really, it was me and about 20 other people. So I'm going to try to talk slowly, not faint, and try not to drop F-bombs, and if I do, I'll try to drop the F-bombs really quickly. Thanks! Feels great! All right, so who the hell do I think I am? I'm Dave, like I said. I think I covered that. I'm Dave. Hello? I thought of that. These slides are on the interweb, so if you're brave enough to use the Wi-Fi here, go to skeptech.org and just sort of follow along. I can't make the fonts bigger, unfortunately. You know what? Good damn point. Control plus. How's that? [Applause] I'm pumped now. All right, we're good. Okay, so I wrote this book. It's about building Nagios infrastructures or something, I don't remember really. I'll plug my book: you should buy it because I get four dollars. I write the monitoring column for ;login: magazine, if you're a USENIX person. I actually brought some books with me; they're way over there in that black bag, so I'll be handing them out or doing whatever. So you can find me at those places. If you see me, I'm usually lonely, so come up and talk to me. I'm much better in person, I promise. So really, what this talk is about is, in my humble opinion (and we probably have nothing but spammers in the audience anyway, so your opinions don't count), I believe that we are incentivizing spammers to attack the network layer by using things like RBLs. I'm going to give you some historical context around why I think this, and then I'm going to cover an attack that I think is really scary and that I would like to nip in the bud by hopefully convincing you to stop using RBLs.
So this is the context portion of the talk, and what I have here is a timeline that starts in 1978 with Gary Thuerk. You guys remember Gary Thuerk? Does anybody know this story? A book to the first person who can tell me where Gary Thuerk worked. There you go. So Gary Thuerk was a sales engineer at Digital Equipment Corporation in 1978, and he had a problem, and his problem was basically that he knew a lot of people on the east coast. He knew lots of MIT people and lots of Cambridge people who were into computers, but he didn't know anyone on the west coast. So what Gary Thuerk decided he was going to do was host a couple of meet-and-greets on the west coast so that people could come and look at the new DEC-20 (the DEC implementation of the PDP-20 at the time), and in order to invite them he thought it would be neat, and digital, and net-aware, if he could email every single person on the west coast who was on ARPANET at the time and tell them, hey, we're going to have this meet-and-greet, come and see the PDP-20. Needless to say, it pissed a lot of people off. It's really funny, it's amusing actually, because at the time the SEND MAIL interface (and this is "send", space, "mail", not sendmail) was like, well...
It was not very helpful, and so Gary, not wanting to actually do this himself, had his secretary manually type in all 600 addresses. And it's great, you can go and look, it's hilarious: she starts in the subject line, and the subject line buffer is one line long, so then she wraps to two, and then CC, and then you have this big long list of CC addresses, and then that overflows because the CC address line was, I don't know, like 320 lines or something like that, and then it actually wraps into the body of the message. It's neat, it's kind of old school. Anyway, so the poor woman had to type in all of these addresses manually, and they sent the mail, and it only went to about half the recipients they wanted it to go to, because obviously most of the addresses were in the message body. And holy crap, did it generate some backlash. And also some other really interesting things happen: you have these really neat emails coming from, like, RMS, Richard Stallman, saying things like, yeah, I guess it's kind of annoying, but if it has to do with jobs or chicks, send it to me and I'm good with that. It's out there; I'm paraphrasing, obviously. And by the way, all of these dots, I'm not going to spend this much time on. So 1978, you basically have the world's first spam. In the period between 1978 and 1994 not a lot is going on. You have a couple right there before the green card spam, and these are like "I love Jesus" and "can I get some money for my scholarship fund" or something, I don't remember exactly what the point of that one was, but none of them were commercial and unsolicited until Canter and Siegel. And the real difference with Canter and Siegel: Canter and Siegel are a pair of lawyers, eventually disbarred lawyers, who were so despicable that even other lawyers decided they were too
despicable to be lawyers anymore. And really the weird thing about them, that was unprecedented at the time, was that they were completely unapologetic about it. When people were spamming Usenet before this, the Usenet community would rear up and say, wow, you're spamming us, and people would say, oh my god, I'm sorry, and then go away or learn to be polite. Canter and Siegel were really happy with it. I mean, they were like, yeah, backlash. They actually wrote a book about the whole thing that sold, I think, four and a half copies (it's selling a little bit better than my book at this point), and created a consulting firm for guerrilla marketing on the internet, and like I said, were eventually disbarred. So between '94 and '95, this is sort of the infantile period of the web, and people who have this sense of "holy crap, that could make me a lot of money, and I have no morals", that type of intellect, were looking over at Canter and Siegel and noticing, holy crap, there's actually probably some money to be made here. At this point you have the actual interweb, so to speak, and you have lots of people on it already, most of them with UNIX shell accounts and stuff, but still, you had quite a few people you could reach with any given message. So by '95, and this is just one year later, you have the first commercial for-sale spamware. Basically, for all intents and purposes, it's like a Perl script or something, but it's being commercially sold as software, and along with it an email address list of one million people that you can supposedly reach. And also in this time you have these sort of weird agencies called the Freedom Knights, and there's an acronym there that I can't remember off the top of my head, but there are these trade groups coming up that are saying, let's
legitimize this as a business strategy, and blah blah blah, and there's a lot of argument going back and forth, and a lot of it is really neat and naive and cool. It's like the people who nowadays would be like, shoot them, just shoot them, public hangings, right? It's like these people, but they're on the other side; they're like, well, censorship, and blah blah, this is probably not a good idea. Some of you who are older might remember Cancelmoose. Cancelmoose was a guy somewhere in the Netherlands who was one of the very first people who could cancel Usenet postings, kind of at will, and he also had this sort of enigmatic, I guess a lot of you will probably relate to this, he had the codename Cancelmoose and no one knew who he was, and he was this shadowy, enigmatic character, and he generated a lot of discussion around this time about just what a netizen's right is around not receiving someone else's email. So at this point, basically, in my timeline I have a split, and what I'm doing here, and you could disagree with this if you want and you'd probably have a valid point, is I'm separating the anti-spam solutions into two basic groups. The one on the top, the green dots, is content filters: various forms of content filter that have evolved over the years. Down here at the bottom I have what I call delivery countermeasures, and these are solutions that are based on taking some indicator, IP address or email address of the sender, just some token in the email, and we're going to use that singular token to block the message. And in the center I have what the spammers are doing, so you can sort of see, right off the
top of your head, what's happening. Down here we have kind of an arms race going on with the delivery countermeasures. You start off with Cancelmoose, then you start going into static IP and static From-address filters, which cause joe job attacks, which beget RBLs, which cause, whatever, open relays, there you go, and it's sort of bouncing back and forth between spammer and anti-spam. This goes on for, well, about 20 years at this point this delivery countermeasure war has been going on. And I'm assuming most of you guys know, like when I say greylisting, I see heads nodding, so when I say RBL, basically just a blacklist of IP addresses that somebody else is maintaining. Here, around 1999, you have e-stamps and Hashcash. E-stamps is a micropayment system, so every email you send has basically a check at the bottom of it, a PayPal check or third-party-verification-provider-of-your-choice type thing, and so you send me mail, and the mail has this little check at the bottom of it. If I want your mail, I don't cash the check, and it's like a check for two cents or whatever it is, but if I didn't want your mail and I think you're mean, then I cash the check. Which even now seems kind of silly. Hashcash was sort of the same idea: we're going to make a micropayment system, but instead of charging money we're going to charge CPU cycles. So when you send me a mail, I'm going to give you some marginally difficult value to factor, and you factor it to prove that you're who you say you are, and the idea is that spammers basically aren't going to waste the time factoring; they have too much spam to send. Then in 2000 we start getting into legal stuff: we're going to sue the spammers, and we're going
to sue the ISPs who aren't blocking port 25 from their customers, etc., etc. Round about 2002 in the delivery countermeasures war you have a paper from Paul Vixie, who wrote Vixie cron and a bunch of other stuff; he's a big guy. He writes a paper called "Repudiating MAIL FROM", and the paper is basically about, hey, we're going to take DNS and make it into this authentication mechanism. So now when you send me an email, I'm going to go back and ask your DNS server, hey, DNS server, where should this person be sending mail from? And if your DNS server says it's someplace other than where you're actually sending it to me from, then I block your mail. This idea was then adopted by AOL and Microsoft, and it's now called SPF, Sender Permitted From; it goes under a couple of other names that I can't recall off the top of my head. There's an awful lot of you out there using it, and it's really, really popular among, well, the second most popular, the second largest adopter, and this is from a, damn, I can't remember the name of the company where John Graham-Cumming works. A book to the person who knows where John Graham-Cumming works. No? It's like... Sophos, there you go. So Sophos comes out with a paper like a month ago, and they actually have a list of who is implementing SPF procedurally within their organizations, and the second top implementer was really corporate companies, like the American Expresses and the Bank of Americas of the world. Can you guess the first most popular, like who SPF is for? A book, shout it out. Spammers! Spammers love SPF, because basically an entire cottage industry at this point has grown up around registering lots of domain names. So you have, like, domain garden, all these companies that will actually
just generate on the fly like 200 domain names, random, guaranteed never-generated-before names for you, and you publish a reverse lookup record for these, and you say, that makes me legitimate, yay, I can send to AOL users now. So SPF is really, really popular among spammers. I love this idea, I think it's just great. So SPF, a lot of people are still using it actually, but it's not working so well. So at this point in the delivery countermeasures game we've sort of reverted back to RBLs, and now we have this preponderance of them. I mean, there's like 20,000 RBLs, regional-specific, with .co.uk addresses and things like this, literally just thousands of them. 20,000, maybe I'm exaggerating; I'm prone to hyperbole, I should have mentioned that too. So by contrast, if you look up here into the content filtering section, what you see is the very first content filters were probably Nancy McGough's procmail FAQ, somewhere around there, mid-1994, where people are just using static string filters in procmail, and that sort of continues until you hit SpamAssassin. And SpamAssassin is basically okay, and there are arguments you can make either way about SpamAssassin being a delivery countermeasure or a content filter, but basically the idea behind SpamAssassin is, well, I'm not going to bother. Then in 1999 you have another paper from Paul Vixie. This was actually the first paper; SPF came later. But Paul Vixie wrote a paper which basically said, okay, here's what we're going to do: we're going to take all of these emails, we're going to make a fuzzy hash sum of them, and then we're going to keep a global database of fuzzy hash sums, and then every mail you get, you can just generate the hash on it yourself and compare it to the database,
and if it's spam, you block it. And this worked pretty well. There are two implementations that I'm aware of that people are using a lot right now, and that's the Distributed Checksum Clearinghouse and Vipul's Razor, and the latter has been included in a lot of commercial products as well. So the idea there was, I think, a good idea, and a lot of people are still using it. It doesn't deal very well with random strings: if you can break the fuzzy hash sum enough so that it's a little too fuzzy, then you get mail passed. And the other weakness it has is, despite the fact that there is a nascent reputation system around who gets to send mail into the spam database, there's definitely some database poisoning going on there, and it's reducing the effectiveness of it over time, in my opinion. And this, by the way: I'm not the CEO of anything. I mow my own lawn. I have a job probably a lot like you guys, a systems administrator for a web hosting company, so most of this is based on my experience, the experience of people I talk to at universities, and just various research I've done. I published a paper at USENIX LISA in 2004 which basically outlines some implementation work we did, so if you want to check up on me, there you go. So then finally, in 2002, we have my friend and yours, what the hell's that guy's name again, who wrote "A Plan for Spam"? For a book. All right, Paul Graham, can't believe I didn't remember his name. Anyway, I ran out of books; I better start remembering. So Paul Graham writes "A Plan for Spam", and poof, we have naive Bayesian classifiers, and this turns out to be a pretty darn good idea. And now it's 2007, I believe, and we basically have a category killer for content filters. Now you don't see, and when I say that, what I mean is, there are better ways to do artificial intelligence and machine learning,
right? I mean there are vector-based algorithms, there are expert systems; this is a pretty old science. People in 1968 were using Bayesian learning to prove that their algorithms were superior. I mean, it's kind of like if you're the artificial intelligence scientist guy and you want to show everyone in the world that your learning algorithm is good, the first thing you do is make sure that it can beat a Bayesian learning algorithm. It's the bar to cross, right? But what you don't see is a lot of fancy machine learning coming into spam filtration, and some of it is because it's not applicable, and other parts of it are because Bayesian classifiers work really well. I mean, they really, really do. And since that initial essay we've had a couple of refinements on the technique: we've had chi-square, and you have Markov discriminators, and you have a couple of different algorithms, you have some data-cleaning type stuff, the Zdziarski paper on Bayesian noise reduction. But you don't have a naive Bayesian classifier replacement at this point. And the little secret, despite a lot of really smart people who should know better standing up at conferences and saying that Bayesian is dead, the dirty little secret of naive Bayesian classifiers is they've been here for five years and they haven't been beaten yet. There's no answer to them yet on the spammer side, as far as I can tell, and most of the problems that people have with them are implementation problems. So we as a sysadmin community, I think, need to look at them a lot more closely. And when I say NBC, I'm not talking about SpamAssassin. If you are thinking to yourself, well, I use SpamAssassin, it has a Bayesian classifier and this guy is full of shit: that's true, SpamAssassin's Bayesian
classifier is not that great, but there are really, really rigorous implementations out there that I urge you to try: bogofilter, CRM114, and DSPAM, any one of those. Anyway, let's get to the fun part. So I guess I pretty much covered the conclusions: I don't think delivery countermeasures are working for us, and that's just a little something I picked up on in the 10 years that they haven't been working, so I'm thinking maybe we should not use them anymore. And this is kind of why: we have some evidence that spammers are actually starting to use short-lived BGP prefix hijacking to get their mail delivered. Maybe some of you know what it is, and for those of you who do, I don't know why all of you showed up anyway, there were better talks to go to, so I'm just going to tell you what it is. So you have BGP, Border Gateway Protocol, which is basically the internet protocol of choice for backbone providers to talk to each other and tell each other where a given IP prefix is. So if I'm the owner of 64.0.0.0/8 and I want you to know where it is, I'm probably speaking BGP to you. It's a transport layer protocol, so they actually speak TCP, and it's a path vector protocol, which means that when I say to you, hey, other router, I know this prefix and here's how you get to it, that router will actually pass the entire path. And the path itself is made up of a combination of AS paths, and AS is shorthand for autonomous systems. So you have, if you can imagine, 20,000 people on the internet, somewhere thereabouts a couple of months ago anyway, not people, organizations that run the internet. So if you imagine the internet as this cooperative entity between a lot of private networks, you have about 22,000 private networks, and you have a couple of different types of people there. You have tier one providers, like the Level 3s and the Sprints of the world, you have the tier
two providers, who are what most people deal with as an ISP, like the AOLs and the MSNs, and then you have a whole bunch of university networks and things of that nature. And the thing about BGP is, you would think, I don't think Dan Geer is talking here, but that whole biological diversity thing, where everybody connects to everybody else and it's all redundant, you would think that there would be a lot of redundant paths everywhere, and in fact there are, but the problem is there's an economic layer there too. So we're not just talking about a routing protocol; hey, if I can get to 64.0.0.0/8 from your router, that doesn't necessarily mean I'm going to send you my packets. There's the concept of this layered ISP structure, where you have these tier ones, and tier ones are really, really big, like Level 3 owns their own transatlantic cable big; I think they own two of their own transatlantic cables, that's how big they are. And so if you're as big as Level 3, Level 3 will peer with you, and if you get Level 3 to peer with you, that means that you don't have to pay them for transport on their network anymore. And then, so AOL pays Level 3, so that means that this is a transport relationship. Thank you, I'm saving that one; I've got some math coming up, I think. Okay, so when you think about it, if I am independently connected to two tier ones, let's say I'm independently connected to MCI and I'm connected to Level 3, and MCI has a packet that is destined for a Level 3 network, they could route through me, except I'm paying them for transport, so I'm not going to be advertising that netblock. It's just the economics of the situation, and this is called valley-free routing policy. So what you have is a lot of interconnected hosts, but most of them, first they prefer a customer network, then they prefer a peer, then they prefer
any path they can find. But that's really important; it'll become more important later. So BGP prefix hijacks happen when I am not the owner of 64.0.0.0/8 and I advertise it to you. And what this does: BGP is not an authenticated protocol, and there's an IETF working group out there working on it, there are various standards, all of them requiring PKI, so what are the odds of any of them actually coming into play any time this century? So what you have is this unauthenticated networking protocol, so anybody can just pop up and say, hey, I'm 0.0.0.0, send me your traffic. And actually I had a really scary conversation with someone at USENIX Security '06 who told me that a great number of governments, including our own, find this, what was the word, useful. So this isn't a new attack; it's been going on for a long time, there are papers going back decades on it. In the past, like the slide says, people used it just basically to sell IPs to other people, which is technically something you can't do. What could you do with it? So there are three different types, well, there's a bunch of different types, I'm going to cover three of them. There's the normal prefix hijack, where you have a prefix and I advertise exactly it. There's the sub-prefix hijack, something like that, the word "sub" is somehow involved is my point, and basically, because of the way BGP works, more-specific advertisements override less-specific ones, unless you have filters in place. Usually people filter at the /24 level, so if you have a net block smaller than a /24, no one's going to pay attention to you, but if you're a /24 network and you're advertising a net block that's in someone else's /16 block, you're going to win. So if you think about it, I as a spammer, since I don't really care about your net
block at all, I could just, if you have a /24, I could advertise the /8 around your /24, and you would win for everything that matters to you; you would never notice. So the spammer is just sort of up there grabbing addresses, and some of the traffic is working and some of it isn't, and the stuff that isn't is the stuff that you've allocated. Which is sneaky and underhanded; that's why I like it. So what could you do with this? You could do all of those acronyms at the bottom of that slide. It's fun stuff. The internet in general is still a small network; you have like 22,000 hosts out there, so the time it takes to converge a BGP advertisement is really highly dependent on where you are in the network and who you're peered to. If you're multi-homed it takes longer; if you're just a single customer of a tier one, you could get a propagation out there in two, three minutes. It's fast stuff. So I mean you could, for example, BGP-advertise a net block, DoS the RIAA or whatever it is you wanted to do, give back the IP addresses and be gone, and no one would have any way really to know where you were, or where you were when you did it. So this is all boring router stuff, sort of helping you visualize what's going on here. So C and D are my tier one providers, and I have AS 42, who's my happy OS, happy AS, excuse me, and he's advertising this net block, a /24, and then you have the evil router that comes along up here, AS 666, and he advertises the same net block, and these are the routers he fools. So there are actually a bunch of different ways to, I mean, this is really kind of dumbing it down; there are a lot of ways to influence BGP decisions, and a lot of people who are actually trying to do mathematical models to figure out who would be
fooled in the event of a large-scale PGP, or BGP, hijack are having to say things like, well, we're just going to assume, randomly, in the absence of shortest path and the rest of the indicators, we're just going to generate a random number and hope for the best. So it's kind of up in the air. The other thing about BGP, the other thing about any routing protocol at all, is that different providers have implemented it differently in their systems, so you have Cisco with these BGP characteristics and you have Nortel with those, and it's kind of hard to predict what's actually going to happen, is my point. You can stop me if I go off on a big tangent like that again. Okay, so in that last one we're basically assuming that AS 666 is evil and it wants our net address, but that isn't necessarily true for the case of the spammer. The spammer doesn't care what IP address he uses; he doesn't want yours, he doesn't give a shit. He basically just wants some IPs that aren't listed on RBLs, and your IPs probably aren't listed on RBLs. Well, hope, yeah, yeah, never mind. So yeah, definitely doesn't want your IPs. So now we have AS 666, and we moved it down to the side here, and basically what we're showing here is that if 666 moves itself around in the network, he can influence who he traps. And this is a very specific example, and this is based on path, but there is a mathematical model here. Actually Mohit Lad at UCLA has a paper called "Understanding", I don't know, it has "understanding" in the title and then "BGP" and something else. Good paper, you should read it; Google Mohit Lad, it's out there. But basically they actually have a mathematical model that describes how resilient a given system would be in the case of a BGP attack, and what they found was that if you
are a direct customer of more than one top tier ISP, then you can do a lot of damage and you're highly resilient against other people's damage. So if you want to be taking over other people's networks, that's where you want to be: you want to be multi-homed to one or more tier one providers. So that's if AS 666 wants more people to believe him. The problem is that AS 666 really doesn't have to use anybody's IPs, right? He doesn't want yours, he doesn't want mine, why would he want anyone's at all? He could just use unallocated space, space that the internet registries haven't allocated yet, and everybody knows there's not a lot of that space left, right? So yes, read xkcd, I kind of love this webcomic. So what this is, this is a map of the internet using a fractal called a Hilbert curve, and what it does is it preserves block space, continuous blocks of address space. And it is a fractal, like you could zoom in on it and it would become all fractally, you know what fractals do, it's infinitely recursive or whatever, but obviously you can't do that here because it's just a JPEG. But what we're seeing here is all the class A networks, all the /8 networks in the entire internet, and we're seeing who is assigned to each one. So here's two class A networks that are assigned to that organization, DISA, the hell, DISA, thank you. Anyway, so here's the math problem, and I meant to do this on the board, or I meant to do this, I'm sorry, on the plane on the way over, but that's a long story. And I do this every once in a while. Imagine for a second we have a thousand spammers, and each spammer wants to use a single IP address a day for a year, and they never want to use the same address twice, right? So you have 364 days in a year, you
have a thousand spammers, you have 364 thousand addresses, right? Each one of these blocks in green is an address space of 2^24 IP addresses. So a book to the first person who can divide 2^24 by 365 thousand and tell me how many years a thousand spammers get out of a single net block. It's not a happy number, it's like a lot. I have no idea what the answer is, so somebody else verify them or something. Bad question to ask at DEF CON, sorry. 42? That's a good answer, I'll take that over the real answer. Anyway, 365 thousand, yeah, well, excellent, so close to 42. Sorry, I already gave the book; it'd kind of be an asshole move if I take it back. So there you go, you have a good 40 years basically that a spammer, that a thousand spammers, could use basically one of these squares, and there are quite a few of these squares, right? And there's some hyperbole there, but there's not a lot. I mean, there are net blocks in there that are RFC 1918 net blocks that you can't use and no one will route for you, but the basic premise is, any given spammer really could just start doing whatever the hell they wanted with the IP address space, and there's not a lot we can do about it. I've talked with a lot of the top tiers at NANOG conferences and stuff, and they're not even considering this to be an attack yet; they're considering this to be misconfiguration, and if it's lasting for 15 minutes they don't care. It was a temporary misconfiguration. Well, that's the best case; they're considering it a misconfiguration in the best case. Worst case is, hey, that's one more path to route stuff through. That was actually a response I got from someone: well, hey, if I have multiple paths, better for me, I'm an ISP. So yeah, so spammers are doing this now, and this is basically
how I know they're doing it now. This is out of a paper, shamelessly stolen from a paper by Nick Feamster out of Georgia Tech, and what you're seeing here is Georgia Tech has a spam sinkhole: it's a three-letter domain, and they just let it sit there and collect spam; no valid mail comes to the system. So what they're doing is they're getting the spam, and they're doing lots of text parsing on it just to see what kind of stuff is happening. Eventually one of them got the bright idea: hey, let's take our logs of what IP addresses we got spam from, let's correlate them with the BGP prefix origin changes, and we'll see if there's any correlation between an origin change, us getting a spam, and the origin changing back. And so this is sort of the zoomed-in version, and this is sort of the zoomed-out version, and what you see is: origin change, spam, spam, spam, spam, spam, origin change back. So I mean that's like taking a freaking snapshot; I mean, you can't really get a lot closer than that. It's happening, right? And they actually quantify this, and it's not happening an awful lot, but as we saw in the timeline, don't make me show you the time thing again, stuff in the spammer world happens very quickly, right? So once one spammer catches on that another spammer is getting his mail delivered this way, lots of other spammers are going to eventually start doing it. It's not a threat, it's a promise. So how do you pull this off, spammers? How easy is it? What do I have to be, where do I have to be, etc.? It's actually surprisingly easy to pull off. You have to have some cash to do some real damage, because you have to get right underneath a tier one, and it's better if you're multi-homed, but you can, like the slide says, use a shady ISP, be a shady ISP, or work at a shady ISP, and there's also a lot of social engineering that you can do at that level, like
hey i think you're filtering my announcements like you know especially if you're multi-homed and if you're a relatively large network and you're multi-homed um they're just going to believe what you say right like hey i have a path to you know 65 80 whatever right um and they're not even really i mean if you're like co-vad they're not going to question you um so you be like covarr and then like you know i don't know whatever use your imagination um so and they're really not focused on this attack at all and they're they're very much of the opinion that um nobody's doing it and we don't care um so it's it's pretty easy to get in there i've heard rumors and that's in america um going into other countries becomes you know an awful lot easier uh and it sort of depends then on you know how much damage you can do but um really i've heard rumors that there are um you know like zen uml type uh zen uml type systems in you know places like uh china that you can get uh for the purpose of just making bogus uh bgp advertisements i highly recommend going to nanog and talking to you know just sort of some of the the profits there because i mean they're um they tell great stories about getting advertisements like 000 from places like vietnam and um some of it actually working and yeah there's i think there's a lot more of this going on than than even we suspect right um and not offer spamming but anyway uh that sort of wraps up my talk what was that like a half an hour was i really fast 42 minutes 3 40 excellent and i'm out of books so questions comments points of clarification okay right so to paraphrase that for those who couldn't hear um the question is basically why isn't a regional internet registry able to just basically tell people hey um that origin isn't sorry okay and there are a couple of those out there there's actually like uh i don't know if you've heard of why can't we get a third party how about that to tell us um look uh here's all of the prefixes that exist and 
here's where their origins should be right um so why can't we mitigate this with you know just sort of a a list of right stuff um and this has actually been tried well there's a couple different like i said there's the itf working group that's working on stuff like that there's also a solution called uh pgbgp wow amazing i said that right the first time which is pretty good bgp right which is sort of based on um that sort of thing right like every time somebody gives me an advertisement i'm going to go to this database and check the problem is that um even people who are using these and and this was uh this actually happened uh march 2005 um google had an outage maybe you remember it um and there's a paper out there uh by a couple guys in canada um who looked at origin changes for uh you know the google rout routers while they were having this outage google later said that it was a um dns outage as i recall uh but they did find actually that there were some um origin changes that happened during that period and on top of that they found routers that were um you know using things like uh filters right i mean you would think you could just solve this with this person is advertising something they're not allowed to uh i'll just have that in the filter and it'll be done right um the problem is what i was explaining to you before about the economy the economics of bgp um you can't assume that even if you're using a filter uh that the route is going to come from someone you have filtered um the other thing is is that you can do things with bgp like as path prepend uh which means that you don't necessarily have to to uh to be the origin anymore you can just sort of inject yourself into the as path and that'll work for you um for a great number of people um it's i should back up and say just sort of um you know uh conceptually right um we're having the same problem here with spammers that we've always had in the past and that problem is that we're assuming we can give them 
some token or credential and we can expect them to not use someone else's right um and we're also assuming that the protocols involved are robust enough uh to prevent them from using someone else's uh and the problem really at a conceptual level is that none of that is true and it never has been um and we really need to rethink you know a lot of the underlying protocols and you know a lot of people are doing that but like i said a lot of them depend on things like um uh pki and you know pipe dreams um anyway questions comments points clarification it's a good question by the way yes in the middle i didn't didn't quite catch it right yeah okay so like rfc 1911 space um just unallocated space in general right um to my knowledge they aren't obviously because this is working they aren't um i think that and that's by the way totally where i don't want to go guys right like that's the whole point that i'm here giving this talk i don't want to blacklist unallocated ip space right i mean i understand that's the next logical step in the right the and there as i there is actually a maps rbl that does this there's a maps rbl that your cisco router can consume that will actually you know if it's you know not valid ip address space that um you know as defined by the maps rbl uh then we won't write route it right and that's just that scares the crap out of me like i i don't want to live in that world and that's so totally why i'm here um but also um yeah i don't think it's logistically feasible at this point um because you know there's sort of a decentralized nature um to right like i'm one second so you so let's say uh i'm the the rir and i give a whole bunch of unallocated space to you know level three and let's say level three doesn't use it for four years right like then what do you do um and then you have the problem with that same solution also what happens when ipv6 gets big and you have spammers that are either well what happens until ipv6 gets big and you have spammers 
hiding behind ipv4 you know nat boxes or after ipv6 gets big and you have spammers hiding behind ipv4 you know uh legacy boxes right so then what are you going to do are you going to say um well if it's coming from the entire ipv6 network i don't accept their mail um i think there are some really scary places we can go and i'd really appreciate not going there so i'm getting the five minute warning and i want to give the next speaker some time but i understand i'm being taken to a uh question and answer room um sounded ominous to me uh so i'll meet you guys there if you guys want to come oh wait which room am i going to 109
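The spam-sinkhole correlation the talk describes (line up spam arrivals against BGP origin changes for the sending prefix, and look for the announce, spam, withdraw pattern) can be reproduced as a small defender-side check. What follows is an added example, not code from the talk or from the Georgia Tech paper: the origin-change feed, the expected-origin table and the sinkhole log are all constructed, and the one-hour cutoff for what counts as "short-lived" is an assumed threshold rather than a value from the talk.

```python
"""Correlate spam-sinkhole arrivals with short-lived BGP origin changes.

Added example. The origin-change feed, the expected-origin table and the
sinkhole log are constructed; the one-hour "short-lived" cutoff is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class OriginChange:
    """One observed change of the AS originating a prefix (route-collector view)."""
    ts: datetime
    prefix: ipaddress.IPv4Network
    old_origin: int
    new_origin: int


@dataclass(frozen=True)
class Hit:
    """A spam arrival that fell inside a window of unexpected origin."""
    ts: datetime
    ip: ipaddress.IPv4Address
    prefix: ipaddress.IPv4Network
    rogue_origin: int
    window_start: datetime
    window_end: Optional[datetime]  # None when the prefix never changed back


# Constructed: who should originate each prefix (what RIR/IRR data would say).
EXPECTED_ORIGIN = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}

# Constructed: origin changes as a route collector would record them.
ORIGIN_CHANGES = [
    OriginChange(datetime(2007, 8, 3, 10, 0, 0), ipaddress.ip_network("192.0.2.0/24"), 64500, 64666),
    OriginChange(datetime(2007, 8, 3, 10, 12, 0), ipaddress.ip_network("192.0.2.0/24"), 64666, 64500),
    OriginChange(datetime(2007, 8, 3, 15, 0, 0), ipaddress.ip_network("198.51.100.0/24"), 64501, 64502),
]

# Constructed sinkhole log, one "<ISO timestamp> <source IP>" per line.
SPAM_LOG = """\
2007-08-03T09:58:10 192.0.2.17
2007-08-03T10:01:05 192.0.2.44
2007-08-03T10:03:40 192.0.2.44
2007-08-03T10:09:59 192.0.2.201
2007-08-03T10:13:30 192.0.2.9
2007-08-03T12:00:00 203.0.113.5
2007-08-03T15:30:00 198.51.100.8
"""


def origin_windows(changes, expected):
    """Map each prefix to (start, end, rogue_as) periods during which its announced
    origin differed from the expected one; end is None if still open at feed end."""
    windows, open_win = {}, {}
    for ch in sorted(changes, key=lambda c: c.ts):
        if ch.new_origin != expected[ch.prefix]:
            # Keep the original start if an already-open window just changes rogue AS.
            start = open_win[ch.prefix][0] if ch.prefix in open_win else ch.ts
            open_win[ch.prefix] = (start, ch.new_origin)
        elif ch.prefix in open_win:
            start, rogue = open_win.pop(ch.prefix)
            windows.setdefault(ch.prefix, []).append((start, ch.ts, rogue))
    for prefix, (start, rogue) in open_win.items():
        windows.setdefault(prefix, []).append((start, None, rogue))
    return windows


def parse_spam_log(text):
    """Parse the sinkhole log into (timestamp, source address) pairs."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts_s, ip_s = line.split()
            events.append((datetime.fromisoformat(ts_s), ipaddress.ip_address(ip_s)))
    return events


def longest_match(ip, prefixes):
    """Return the most specific prefix containing ip, or None."""
    best = None
    for p in prefixes:
        if ip in p and (best is None or p.prefixlen > best.prefixlen):
            best = p
    return best


def correlate(changes=ORIGIN_CHANGES, expected=EXPECTED_ORIGIN, spam_text=SPAM_LOG):
    """Return each spam arrival whose source sat in a prefix that was, at that moment,
    announced by an AS other than its expected origin."""
    windows, hits = origin_windows(changes, expected), []
    for ts, ip in parse_spam_log(spam_text):
        prefix = longest_match(ip, windows)
        for start, end, rogue in windows.get(prefix, []):
            if start <= ts and (end is None or ts < end):
                hits.append(Hit(ts, ip, prefix, rogue, start, end))
    return hits


def short_lived(hits, max_duration=timedelta(hours=1)):
    """Keep only hits from windows that closed again within max_duration: the
    announce, spam, withdraw pattern rather than a lasting origin move."""
    return [h for h in hits
            if h.window_end is not None and h.window_end - h.window_start <= max_duration]


if __name__ == "__main__":
    for h in short_lived(correlate()):
        print(f"{h.ts.isoformat()} {h.ip} in {h.prefix} originated by AS{h.rogue_origin} "
              f"(window {h.window_start.time()} to {h.window_end.time()})")
```

On the constructed data, the three messages from 192.0.2.0/24 that arrived between the 10:00 origin change to AS64666 and the 10:12 change back are flagged; the message after the change back and the one from an unrelated prefix are not. The 198.51.100.0/24 hit is found by `correlate` but dropped by `short_lived`, because that prefix never changed back and so looks like a lasting origin move rather than the pattern in the paper. Feeding real route-collector updates and a real sinkhole log in the same two shapes is all that is needed to run the check for real.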