nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: automatic rtbh trigger using flow data

From: Michel Py <michel.py () tsisemi com>
Date: Thu, 30 Aug 2018 23:43:24 +0000
Joe Maimon wrote :
I use a bunch of scripts plus a supervisory sqlite3 database process all injecting into quagga


I have the sqlite part planned, today I'm using a flat file :-( I know :-(


Also aimed at attacker sources. I feed it with honeypots and live servers, hooked into fail2ban and using independent 
host scripts. Not very sophisticated, the remotes use ssh executed commands to add/delete. I also setup a promiscuous 
ebgp RR so I can extend my umbrella to CPE with diverse connectivity.


I would like to have your feed. How many attacker prefixes do you currently have ?


Using flow data, that sounds like an interesting direction to take this into, so thank you!


The one thing we can share here is the attacker prefixes. The victim prefixes are unique to each of us but I expect our 
attacker prefixes to be very close.

Michel.

TSI Disclaimer:  This message and any files or text attached to it are intended only for the recipients named above and 
contain information that may be confidential or privileged. If you are not the intended recipient, you must not 
forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have 
received this message in error, please notify the sender immediately by replying to this message, and then delete all 
copies of it from your system. Thank you!...
Previous By Date Next
Previous By Thread Next

Current thread: