[94957] in North American Network Operators' Group
Re: RBL for bots?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Feb 15 11:44:37 2007
To: Drew Weaver <drew.weaver@thenap.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 15 Feb 2007 11:30:34 EST."
<B9ECBF8D89E7684EB63FF250E8788B1942CA44@BIGLOG.thenap.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 15 Feb 2007 11:34:05 -0500
Errors-To: owner-nanog@merit.edu

On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
> Has anyone created an RBL, much like (possibly) the BOGON list which
> includes the IP addresses of hosts which seem to be "infected" and are
> attempting to brute-force SSH/HTTP, etc?
>
> It would be fairly easy to set up a dozen or more honeypots and examine
> the logs in order to create an initial list.

A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such,
there's 2 questions:

1) How important is it that you not false-positive an IP that's listed because
some *previous* owner of the address was pwned?

2) How important is it that you even accept connections from *anywhere* in
that DHCP block?

(Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there.
So it really *is* a question of why those aren't suitable for use in your
application...)
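
Question 1 above (a listing that outlives the infected host's hold on a DHCP address), as an added example that is not part of the original message: a honeypot-derived list whose entries age out. The log format, the 3-hit threshold and the 7-day window are assumptions; the sample lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed honeypot log format: "<ISO time> <host> sshd: Failed password for <user> from <ip>"
LINE = re.compile(r"^(\S+) \S+ sshd: Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)$")

# Constructed sample data (not real traffic).
SAMPLE_LOG = """\
2007-02-01T03:10:00 hp1 sshd: Failed password for root from 192.0.2.10
2007-02-01T03:10:02 hp1 sshd: Failed password for admin from 192.0.2.10
2007-02-01T03:10:04 hp2 sshd: Failed password for test from 192.0.2.10
2007-02-14T22:00:00 hp1 sshd: Failed password for root from 198.51.100.7
2007-02-14T22:00:01 hp2 sshd: Failed password for root from 198.51.100.7
2007-02-14T22:00:03 hp2 sshd: Failed password for guest from 198.51.100.7
2007-02-15T09:00:00 hp1 sshd: Failed password for root from 203.0.113.5
"""

def build_list(log_text, now, min_hits=3, max_age=timedelta(days=7)):
    """Return {ip: expiry_time} for sources with >= min_hits failures
    seen within max_age of `now`. Older evidence is ignored, so an
    address that has since been re-leased drops off the list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not failed-login records
        seen = datetime.fromisoformat(m.group(1))
        if timedelta(0) <= now - seen <= max_age:
            hits[m.group(2)].append(seen)
    # Each entry expires max_age after the most recent hit from that IP.
    return {ip: max(times) + max_age
            for ip, times in hits.items() if len(times) >= min_hits}

if __name__ == "__main__":
    now = datetime(2007, 2, 15, 11, 34, 5)
    for ip, expiry in sorted(build_list(SAMPLE_LOG, now).items()):
        print(f"{ip} listed until {expiry.isoformat()}")
```

Widening `max_age` lists more addresses but raises the chance that the current holder of a dynamic address is not the host that was observed.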