Reading – BGP and Bulletproof Hosting Networks Flashcards
Describe the various rewiring activities that are unique to malicious ASes and how ASWatch captures these activities.
Malicious ASes change their providers often to avoid being detected or to avoid the negative consequences of their customers' activities. Among these providers, they are also known to connect to providers with lax security policies and/or long response times to abuse complaints. Malicious ASes also have longer periods of downtime, due to depeering by their neighboring ASes and the detection-avoidance strategies they employ.
ASWatch captures these activities by taking snapshots of AS relationships periodically and observing the changes in relationships over time. These activities are then used to feed the reputation engine that identifies malicious ASes.
What is the motivation for malicious ASes to advertise fragmented BGP prefixes rather than their entire IP address space?
Malicious ASes conduct a wide variety of abusive actions, many of which can be countered with simple blacklisting; examples include DoS, spamming, and phishing. If a malicious AS consistently advertises its entire IP address space, it runs a higher risk of having that entire IP space blacklisted when these activities are detected. Advertising small fragments of its address space instead lets the malicious AS continue its activities from a fresh fragment whenever one fragment is blacklisted.