Friday, March 7, 2008

Untraceable (2008), part 2

For those of you not in the know, black holing, a term used in the technical monologue from the previous post, is a technique used by internet service providers, also known as ISPs, to block access to phishing sites and other criminally themed internet destinations.

Black holing is usually done in two ways. The first is to prevent traffic from reaching the IP address of the server by manipulating the ISPs routing configuration, or routing table, to force any packet destined for the server to go to an non-existent network location. This is also called null routing.

The problem with this approach is that more than one Web site can be associated with a single IP address--large Web site hosting companies will do this to save money and simplify configuration. Consequently, if an ISP black holes the IP address of a criminal site that is hosted by, lets say, Yahoo! GeoCities, they could inadvertently block hundreds, if not thousands, of legitimate sites in the process. This is not a good thing.

The second method is changing the DNS record on the service provider's name servers to map a domain to another IP address, usually 127.0.0.1--which is your local computer. Alternatively, an ISP can point to an informational Web site that they host explaining that the site has been blocked. The limit of this approach is that you can't black hole by URL, only by domain name.

A URL, or Universal Resource Locater, is the combination of the domain name, protocol, and location of the object, such as an image or Web page, on the Web server. For example if you look at the address bar on you browser, you can see all three elements. The first component http:// specifies the protocol, the second, blog.massmediasecurity.com is the domain, and the third, /2008/02/Untraceable.html is the location of this page on the web server. In simple terms, with DNS black holing you can block entire Web sites, but not specific pages contained in them.

While this is an improvement over blocking by IP address, it is not without its problems. Sometime in 2007, the MySpace page of Alicia Keys was compromised. The attackers embedded malware on the site in a way that fooled users into downloading it by inadvertently clicking on a hidden link. By using Alicia Key's fan site to host their malware, the bad guys effectively prevented any ISP from black holing the site because the service providers would have needed to block everything on MySpace just to block the one file.

All that being said, implementing black hole filters is not something that ISPs do without significant debate. Additionally, the FBI does not have direct access to core internet routers, nor would a country that has constitutional protection of free speech allow any of its agents to block access to any Web content without due process.

In the real world, the FBI would have sought a court order to have the Web site shutdown, or the a service provider would have implemented the filters on behalf of their customers . Either way, it would have been the ISPs that took the action, not the FBI. This is another thing that the writers of Untraceable got wrong.