[102132] in North American Network Operators' Group
RE: Worst Offenders/Active Attackers blacklists
daemon@ATHENA.MIT.EDU (Jason J. W. Williams)
Mon Jan 28 18:38:37 2008
Date: Mon, 28 Jan 2008 16:33:30 -0700
In-Reply-To: <12723.1201562573@turing-police.cc.vt.edu>
From: "Jason J. W. Williams" <williamsjj@digitar.com>
To: <Valdis.Kletnieks@vt.edu>, "Tomas L. Byrnes" <tomb@byrneit.net>
Cc: <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
My suggestion would be not even to try iptables. It'll take hours just
to load 10 million entries. There's no efficient mass loading interface.
-J
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Valdis.Kletnieks@vt.edu
> Sent: Monday, January 28, 2008 4:23 PM
> To: Tomas L. Byrnes
> Cc: nanog@nanog.org
> Subject: Re: Worst Offenders/Active Attackers blacklists
>
> On Sun, 27 Jan 2008 12:21:27 PST, "Tomas L. Byrnes" said:
> > I'm the CTO and founder of ThreatSTOP (www.threatstop.com), and we're
> > currently propagating the DShield, and some other, block lists for use
> > in firewalls. I'm interested in gathering additional threat
> > information, and serving additional communities.
> >
> > Is there any interest in a collaborative platform where anonymized
> > candidates for blocking would be submitted by a trusted group, and
> > then propagated out to the whole group?
>
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> This illustrates dumb idea #2. Explain to me how you intend to
> enumerate enough of the "bad" hosts out there that such a blocklist
> would help, while still having it small enough that you don't blow out
> the RAM on whatever device you're installing it on. Have you *tested*
> whatever iptables/ipf/ACL for proper operation with 10 million entries?