[135239] in North American Network Operators' Group
RE: Auto ACL blocker
daemon@ATHENA.MIT.EDU (Mark Scholten)
Tue Jan 18 18:35:41 2011
From: "Mark Scholten" <mark@streamservice.nl>
To: <nanog@nanog.org>
In-Reply-To: <201101181331.31022.lesmith@ecsis.net>
Date: Wed, 19 Jan 2011 00:35:15 +0100
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> From: Larry Smith [mailto:lesmith@ecsis.net]
> Sent: Tuesday, January 18, 2011 8:32 PM
>
> On Tue January 18 2011 13:12, Brian R. Watters wrote:
> > We are looking for the following solution.
> >
> > Honey pot that collects attacks against SSH/FTP and so on
> >
> > Said attacks are then sent to a master ACL on an edge Cisco router to block
> > all traffic from these offenders ..
> >
> > Of course we would require a master whitelist as well so as to not be blocked
> > from our own networks.
> >
> > Any current solutions or ideas ??
>
> Private BGP session with Zebra or Quagga on a linux box
> adding the selected IP to a null route.
As we currently do it by putting new rules automatically in firewalls (iptables), it should be easy to change it a little bit, I think. After the change it should be able to put rules in Zebra/Quagga (or something similar based on Linux/Unix). As long as telnet access is available it should also be doable to put it automatically in routers without the need of a setup with BGP and Zebra/Quagga.
We are currently looking for ways to increase the list of "abusive" systems to block.
If someone wants to work together with us on increasing the mentioned options, feel free to contact me offlist. How we get the data currently (from multiple sources) or how the process currently works isn't something I can currently mention here (at least not the details).
Regards, Mark
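A worked version of the pipeline the thread describes (honeypot login failures, a threshold, a master whitelist so our own networks are never blocked, then host null routes for Zebra/Quagga, iptables rules, or a Cisco ACL), added here as an example; it is not code from Mark, Larry or anyone else in the thread. The sshd log lines, the whitelist prefixes, the threshold and the ACL name are constructed for the example, and the script only prints the commands it would push rather than executing them.

```python
"""Turn honeypot sshd failures into block entries, honouring a master whitelist.

Added example, not code from the NANOG thread. All addresses below are
documentation ranges; the log, whitelist and threshold are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sshd lines as a honeypot would log them.
SAMPLE_LOG = """\
Jan 18 21:02:11 honeypot sshd[4121]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 18 21:02:14 honeypot sshd[4121]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jan 18 21:02:19 honeypot sshd[4125]: Failed password for invalid user admin from 198.51.100.7 port 51301 ssh2
Jan 18 21:03:02 honeypot sshd[4130]: Failed password for invalid user test from 203.0.113.9 port 40011 ssh2
Jan 18 21:05:40 honeypot sshd[4137]: Failed password for root from 192.0.2.33 port 60122 ssh2
Jan 18 21:05:41 honeypot sshd[4137]: Failed password for root from 192.0.2.33 port 60123 ssh2
Jan 18 21:05:42 honeypot sshd[4137]: Failed password for root from 192.0.2.33 port 60124 ssh2
Jan 18 21:06:00 honeypot sshd[4140]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2
"""

# Hypothetical master whitelist: prefixes we announce plus management space.
# Nothing inside these networks is ever blocked, whatever the honeypot sees.
WHITELIST = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",   # hypothetical: our own customer space
    "10.0.0.0/8",     # hypothetical: management / internal
    "127.0.0.0/8",
)]

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def count_failures(log_text):
    """Count failed logins per source address; unparseable lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # a hostname or garbage in the address slot is not blockable
        hits[ip] += 1
    return hits


def is_whitelisted(ip):
    """True if the address falls inside any whitelisted prefix."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in WHITELIST)


def select_offenders(log_text, threshold=3):
    """Addresses with >= threshold failures that are not whitelisted, as sorted strings."""
    hits = count_failures(log_text)
    offenders = [ip for ip, n in hits.items()
                 if n >= threshold and not is_whitelisted(ip)]
    # sort key keeps IPv4 and IPv6 from being compared with each other
    return [str(ip) for ip in sorted(offenders, key=lambda a: (a.version, a))]


def quagga_null_routes(offenders):
    """vtysh invocations that install a host null route in zebra.

    With `redistribute static` under bgpd and a private session to the edge
    router, these routes become the blackholes Larry suggested.
    """
    cmds = []
    for ip in offenders:
        net = ipaddress.ip_network(ip)  # host route: /32 or /128
        keyword = "ipv6 route" if net.version == 6 else "ip route"
        cmds.append(f"vtysh -c 'configure terminal' -c '{keyword} {net} Null0'")
    return cmds


def iptables_rules(offenders):
    """Equivalent host firewall rules (the approach Mark says they use today)."""
    rules = []
    for ip in offenders:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules


def cisco_acl(offenders, name="AUTOBLOCK"):
    """Lines for a named extended ACL on the edge router (IPv4 entries only)."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {ip} any" for ip in offenders
              if ipaddress.ip_address(ip).version == 4]
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    bad = select_offenders(SAMPLE_LOG)
    for block in (quagga_null_routes(bad), iptables_rules(bad), cisco_acl(bad)):
        print("\n".join(block))
```

Note what the whitelist does on the sample: 192.0.2.33 crosses the threshold just like 198.51.100.7, but it sits in the hypothetical "own network" prefix and is dropped before any command is generated, while 203.0.113.9 stays below the threshold. Pushing the ACL to a Cisco box means replacing the whole list, so a real deployment should build the entire ACL from the current offender set rather than appending one line per hit.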