nanog mailing list archives
Re: RBL for bots?
From: Joel Jaeggli <joelja () bogus com>
Date: Thu, 15 Feb 2007 09:16:27 -0800
Valdis.Kletnieks () vt edu wrote:
> On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
>> Has anyone created an RBL, much like (possibly) the BOGON list which includes the IP addresses of hosts which seem to be "infected" and are attempting to brute-force SSH/HTTP, etc?
>> It would be fairly easy to set up a dozen or more honeypots and examine the logs in order to create an initial list.
> A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such, there's 2 questions:
> 1) How important is it that you not false-positive an IP that's listed because some *previous* owner of the address was pwned?
> 2) How important is it that you even accept connections from *anywhere* in that DHCP block?

That depends... Do you sell "Internet service" to your customers or something else? If the former then they're actually paying to receive connections from anywhere...

> (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there. So it really *is* a question of why those aren't suitable for use in your application...)