[117277] in North American Network Operators' Group
Re: Repeated Blacklisting / IP reputation
daemon@ATHENA.MIT.EDU (Justin Shore)
Tue Sep 8 16:00:23 2009
Date: Tue, 08 Sep 2009 14:57:17 -0500
From: Justin Shore <justin@justinshore.com>
To: "Wayne E. Bouchard" <web@typo.org>
In-Reply-To: <20090908184444.GA68989@typo.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place
> a TTL on the entry of no more than, say, 90 days or thereabouts. Best
> practices for manual entry should be to either keep a list of what and
> when or periodically to simply blow the whole list away and start anew
> to get rid of stale entries. Of course, that is probably an unreal
> expectation.
I've had to implement something similar for my RTBH trigger router.
After manually adding nearly 20,000 static routes of hosts that scanned
for open proxies or attacked SSH daemons on my network I had to trim the
block list considerably because many of my older PEs couldn't handle
that many routes without problems. I already named each static with a
reason for the block (SSH, Telnet, Proxy-scan, etc.) but ended up
prepending a date to that string as well: 20090908-SSH-Scan. That way
I can parse the config later on and create config to negate everything
that's older than 3-4 months. If one of those old IPs is still trying
to get to me after 4 months then it will get re-added the next time I
process my log entries. If they aren't trying to hit me then they'll
no longer be consuming space in my RIB.
Justin
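The sweep Justin describes, as an added example that is not from the original post: parse dated `name` strings off the trigger router's static routes and emit the `no ip route` lines for anything older than the cutoff. It assumes IOS-style `ip route ... name YYYYMMDD-Reason` syntax and uses a constructed sample config; entries without a parseable date prefix are deliberately left untouched.

```python
import re
from datetime import date, datetime, timedelta

# Assumed IOS-style static route carrying a descriptive name:
#   ip route <host> <mask> <next-hop|interface> name <YYYYMMDD>-<reason>
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+) name (?P<name>\S+)$")
NAME_RE = re.compile(r"^(?P<date>\d{8})-(?P<reason>.+)$")

def parse_name_date(name):
    """Return the date encoded in a 'YYYYMMDD-Reason' route name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group("date"), "%Y%m%d").date()
    except ValueError:  # eight digits that are not a real calendar date
        return None

def blackhole_line(host, reason, today):
    """Build the dated static route that blackholes one /32 via Null0."""
    return f"ip route {host} 255.255.255.255 Null0 name {today:%Y%m%d}-{reason}"

def expire_blackholes(config_lines, today, max_age_days=120):
    """Return 'no ip route ...' lines for dated entries older than max_age_days.
    Routes without a parseable date prefix (hand-added entries, the default
    route) are never negated by the sweep."""
    cutoff = today - timedelta(days=max_age_days)
    removals = []
    for raw in config_lines:
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        added = parse_name_date(m.group("name"))
        if added is not None and added < cutoff:
            removals.append("no " + line)
    return removals

# Constructed sample of a trigger-router config (documentation addresses only).
SAMPLE_CONFIG = """\
ip route 192.0.2.10 255.255.255.255 Null0 name 20090401-SSH-Scan
ip route 192.0.2.11 255.255.255.255 Null0 name 20090908-SSH-Scan
ip route 192.0.2.12 255.255.255.255 Null0 name 20090501-Proxy-Scan
ip route 198.51.100.7 255.255.255.255 Null0 name Manual-NoDate
ip route 0.0.0.0 0.0.0.0 203.0.113.1
""".splitlines()

def demo(today=date(2009, 9, 8)):
    """Run the 120-day sweep against the sample as of the post's date."""
    return expire_blackholes(SAMPLE_CONFIG, today)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Hosts that show up again in the logs after being swept simply get a fresh dated entry via `blackhole_line`, which is the re-add behaviour the post describes.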