Deploy360 18 September 2014

BGPmon: Using BGP Data To Fight Spam

By Dan York, Director of Web Strategy

Can we use BGP data to find email spammers? And could securing BGP provide a mechanism to help reduce spam?

In a fascinating article on BGPmon’s site, Andree Toonk explores how they found that “IP squatting” is used by spammers.  Essentially the attack seems to work like this:

  1. The spammers identify a block of IP addresses (IPv4) that are not currently being used on the actual Internet.
  2. The spammers send out BGP announcements routing that block of IP addresses to their servers.
  3. The spammers send out their spam email messages.
  4. When done (or when the IP address block is blocked by anti-spam tools), the spammers stop announcing the BGP routes for those IP address blocks.

They then can move on to announcing other IP address blocks to send more spam.
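The pattern described in the four steps above (a block appears from an origin that never announced it before, lives for a few hours while the spam goes out, then is withdrawn) is something a network operator can look for in BGP update data. The following is an added example, not code from the BGPmon article or from the BGPmon project: it runs over a small constructed feed of announce/withdraw records (documentation prefixes and private-use ASNs, not real networks) and flags announcements that were withdrawn within a configurable window and whose (prefix, origin AS) pair is absent from a constructed baseline of stable routes. The feed format, the `BASELINE` set and the 24-hour threshold are assumptions for the example.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample feed of BGP updates, in the shape a route collector export
# might take: (timestamp, "A" = announce / "W" = withdraw, prefix, origin AS).
# Real withdrawals carry only the prefix, so the origin AS is None for "W" rows.
# Prefixes are RFC 5737 documentation ranges and ASNs are private-use numbers.
UPDATES: List[Tuple[str, str, str, Optional[int]]] = [
    ("2014-09-10T08:00:00", "A", "203.0.113.0/24", 64496),   # long-lived, expected origin
    ("2014-09-12T01:00:00", "A", "192.0.2.0/24", 64511),     # unused block appears from a new origin
    ("2014-09-12T13:00:00", "W", "192.0.2.0/24", None),      # withdrawn again 12 hours later
    ("2014-09-13T02:00:00", "A", "198.51.100.0/24", 64511),  # same origin moves to the next block
    ("2014-09-13T11:30:00", "W", "198.51.100.0/24", None),
]

# Constructed baseline: (prefix, origin AS) pairs seen stably over earlier days.
BASELINE: Set[Tuple[str, int]] = {("203.0.113.0/24", 64496)}


def find_short_lived(updates, baseline, max_hours: float = 24.0):
    """Return (prefix, origin_as, hours_visible) for every announcement that was
    withdrawn within max_hours and whose origin is not in the baseline."""
    live: Dict[str, Tuple[int, datetime]] = {}   # prefix -> (origin AS, announce time)
    flagged: List[Tuple[str, int, float]] = []
    for ts, kind, prefix, asn in updates:
        t = datetime.fromisoformat(ts)
        if kind == "A":
            live[prefix] = (asn, t)
        elif kind == "W" and prefix in live:
            origin, started = live.pop(prefix)
            hours = (t - started).total_seconds() / 3600
            if hours <= max_hours and (prefix, origin) not in baseline:
                flagged.append((prefix, origin, hours))
    return flagged


def repeat_offenders(flags) -> Dict[int, int]:
    """Count how many different short-lived blocks each origin AS announced,
    which surfaces an origin cycling through blocks as the article describes."""
    return dict(Counter(origin for _, origin, _ in flags))


if __name__ == "__main__":
    flags = find_short_lived(UPDATES, BASELINE)
    for prefix, origin, hours in flags:
        print(f"{prefix} from AS{origin} visible for {hours:.1f} h, not in baseline")
    print("origins with repeated short-lived announcements:", repeat_offenders(flags))
```

On this constructed feed the two blocks originated by AS64511 are flagged and the stable route from AS64496 is not. In practice the baseline would come from weeks of collector data, and a flag is a prompt to check the origin against the registry and RPKI data rather than a verdict on its own.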

The article provides a very compelling and very readable description of two case studies where they found this to happen. In one case the spammers also used an Internet Route Registry (IRR) to attempt to give their BGP route announcement more legitimacy.

The BGPmon article doesn’t get into solutions… but preventing this kind of attack is precisely why we set up the Securing BGP topic area of this site.

A general area of “source address validation” is critical here – the idea being to have some way to know that the router announcing the BGP routes has the actual authority to do so. New tools such as RPKI are emerging that let us securely validate the origin of route announcements and so prevent spammers from performing attacks like this.  With such tools a router would reject BGP announcements that came from the spammers’ systems, because the spammers would not be able to securely assert that they had the right to announce those IP address blocks.  The challenge, of course, is to get more networks to start signing their route announcements – and more routers to start validating them.  (Read about how Jan set up RPKI for his lab.)  There are other tools and methods being explored, too.  The point is to not allow “spoofed” IP address blocks to get into the global routing tables.
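To make concrete what “validating the origin of route announcements” means, here is an added example (not code from the page or from any RPKI implementation) of the origin validation outcome RPKI route origin validation (RFC 6811) produces: each Route Origin Authorization (ROA) states a prefix, the longest prefix length the holder permits, and the origin AS allowed to announce it; an announcement is *valid* if some ROA covers it and matches its origin and length, *invalid* if ROAs cover the prefix but none match, and *not found* if no ROA covers it at all. The ROAs and announcements below are constructed from documentation prefixes and private-use ASNs, and the `ROA` dataclass and function names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as published in the RPKI (constructed shape)."""
    prefix: str       # address block the holder is authorising, e.g. "192.0.2.0/24"
    max_length: int   # most-specific prefix length the holder allows to be announced
    asn: int          # origin AS permitted to announce the block


def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'notfound' (RFC 6811 semantics)."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue                      # this ROA says nothing about the announced block
        covered = True                    # a ROA exists for this address space ...
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"                # ... and it authorises exactly this origin and length
    return "invalid" if covered else "notfound"


def filter_announcements(announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA],
                         drop_invalid: bool = True) -> List[Tuple[str, int, str, bool]]:
    """Apply a common router policy: reject 'invalid', accept 'valid' and 'notfound'.
    Returns (prefix, origin AS, state, accepted) for each announcement."""
    roas = list(roas)
    out = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        accepted = not (drop_invalid and state == "invalid")
        out.append((prefix, asn, state, accepted))
    return out


# Constructed ROA set: the holder of 192.0.2.0/24 has signed it for AS64496 only.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]

# Constructed announcements: the legitimate origin, a squatter originating the same
# block, a too-specific announcement, and a block nobody has signed a ROA for.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64511),
    ("192.0.2.0/25", 64496),
    ("198.51.100.0/24", 64511),
]

if __name__ == "__main__":
    for prefix, asn, state, accepted in filter_announcements(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:18} AS{asn}  {state:8}  {'accept' if accepted else 'reject'}")
```

The last announcement shows the gap the paragraph above points at: with no ROA for 198.51.100.0/24 the result is “not found”, which most operators accept, so a squatted block only gets rejected once its holder has signed a ROA for it and the receiving router performs validation.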

This idea of securing BGP route announcements is also part of the “Routing Resilience Manifesto” that continues to be developed as (voluntary) guidelines for network operators.

If we are collectively able to implement some of these mechanisms for securing BGP, we can potentially make a significant reduction in the ability of spammers to send their email – and make the Internet more secure and work better in the process.  Please do check out our Securing BGP section and consider what you can do in your network today!


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
