nanog mailing list archives
Re: RBL for bots?
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 15 Feb 2007 19:02:12 -0600 (CST)
On Thu, 15 Feb 2007 Valdis.Kletnieks () vt edu wrote:

> On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
>> Has anyone created an RBL, much like (possibly) the BOGON list which includes the IP addresses of hosts which seem to be "infected" and are attempting to brute-force SSH/HTTP, etc?

No BL for bots other than SMTP zombies quite yet. There is one for SSH brute forcing, although home-made.. J. Will respond on his own...

>> It would be fairly easy to set up a dozen or more honeypots and examine the logs in order to create an initial list.
>
> A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such, there's 2 questions:

Quite right, which is why ...

> 1) How important is it that you not false-positive an IP that's listed because some *previous* owner of the address was pwned?

As in, dynamic ranges BL.

> 2) How important is it that you even accept connections from *anywhere* in that DHCP block?

Or maybe the cool concept of white-listing known senders? :)

> (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there. So it really *is* a question of why those aren't suitable for use in your application...)

Many of them are SMTP-based only. IP reputation is very limited still.

Now, all that said, back on "most are broadband users" - no longer true. Many bots (especially in spam) are now web servers.

Gadi.
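The honeypot-log list and the stale-listing question for DHCP'ed blocks discussed in this message, sketched as an added example (not code from any poster in the thread): sources that repeatedly fail SSH logins are listed, and entries inside a dynamic pool expire sooner. The log lines, threshold, TTLs, the dynamic pool and the zone name `bots.bl.example` are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot sshd lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2007-02-15T10:00:01 honeypot1 sshd[311]: Failed password for root from 198.51.100.23 port 4022 ssh2
2007-02-15T10:00:03 honeypot1 sshd[311]: Failed password for invalid user admin from 198.51.100.23 port 4023 ssh2
2007-02-15T10:00:05 honeypot2 sshd[87]: Failed password for root from 198.51.100.23 port 4024 ssh2
2007-02-15T10:01:00 honeypot1 sshd[312]: Failed password for root from 203.0.113.7 port 5100 ssh2
2007-02-15T10:01:02 honeypot2 sshd[88]: Failed password for invalid user test from 203.0.113.7 port 5101 ssh2
2007-02-15T10:01:04 honeypot2 sshd[88]: Failed password for root from 203.0.113.7 port 5102 ssh2
2007-02-15T10:02:00 honeypot1 sshd[313]: Failed password for root from 192.0.2.9 port 6000 ssh2
"""

FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
# Assumed policy values; tune to how quickly addresses are reassigned.
DYNAMIC_POOLS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed DHCP/dsl/cable block
THRESHOLD = 3                       # failures before an address is listed
TTL_STATIC = timedelta(days=7)      # listing lifetime outside dynamic pools
TTL_DYNAMIC = timedelta(hours=24)   # shorter: a later owner of the address may be clean

def build_list(log_text):
    """Return {ip: expiry} for IPv4 sources with at least THRESHOLD failed logins."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(2))
        except ValueError:          # hostname or malformed address in the log
            continue
        seen[ip].append(datetime.fromisoformat(m.group(1)))
    listed = {}
    for ip, times in seen.items():
        if len(times) < THRESHOLD:
            continue
        dynamic = any(ip in net for net in DYNAMIC_POOLS)
        listed[str(ip)] = max(times) + (TTL_DYNAMIC if dynamic else TTL_STATIC)
    return listed

def active(listed, now):
    """Entries still listed at time `now`; expired ones drop out."""
    return sorted(ip for ip, expiry in listed.items() if expiry > now)

def dnsbl_name(ip, zone="bots.bl.example"):
    """DNSBL-style query name: reversed octets under the (hypothetical) zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```
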