[94958] in North American Network Operators' Group


Re: RBL for bots?

daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Feb 15 12:02:11 2007

Date: Thu, 15 Feb 2007 11:45:48 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Drew Weaver <drew.weaver@thenap.com>
Cc: nanog@merit.edu
In-Reply-To: <B9ECBF8D89E7684EB63FF250E8788B1942CA44@BIGLOG.thenap.com>
Errors-To: owner-nanog@merit.edu


On Thu, 15 Feb 2007, Drew Weaver wrote:
>    Has anyone created an RBL, much like (possibly) the BOGON list which
> includes the IP addresses of hosts which seem to be "infected" and are
> attempting to brute-force SSH/HTTP, etc?

Bots are rarely single purpose engines.  If they have been detected doing 
bad things, they will probably appear in multiple RBLs for multiple
reasons.  If something is in multiple RBLs, even if it hasn't done the 
particular badness you are looking for, it's probably just a matter of
time.

Perhaps not surprisingly, some of the porn site vendors appear to have
the most sophisticated systems for detecting brute force/password sharing
attacks.
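
The heuristic in the message above (a host listed in several RBLs at once is probably a bot), sketched as an added example that is not part of the original post. The zone names, the threshold of 2 and the sample DNS answers are assumptions constructed for illustration; the only convention relied on is that a DNSBL signals a listing with an A record in 127.0.0.0/8.

```python
import ipaddress
import socket

# Hypothetical zone names (placeholders, not real blocklists).
ZONES = ["bots.dnsbl.example", "spam.dnsbl.example", "bruteforce.dnsbl.example"]

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name; a failed lookup counts as not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def listings(ip, zones=ZONES, resolve=system_resolver):
    """Return the zones that list ip. Only answers in 127.0.0.0/8 count;
    anything else (e.g. a wildcarded or parked zone) is ignored."""
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_name(ip, zone))
        if any(a.startswith("127.") for a in answers):
            hits.append(zone)
    return hits

def likely_bot(ip, threshold=2, zones=ZONES, resolve=system_resolver):
    """Flag a host that appears in at least `threshold` lists (assumed value)."""
    return len(listings(ip, zones, resolve)) >= threshold

# Constructed sample answers standing in for DNS, so the block runs offline.
FAKE_DNS = {
    "10.2.0.192.bots.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.bruteforce.dnsbl.example": ["127.0.0.4"],
    "7.100.51.198.spam.dnsbl.example": ["127.0.0.2"],
    "7.100.51.198.bots.dnsbl.example": ["203.0.113.1"],  # not a listing
}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, listings(ip, resolve=fake_resolver), likely_bot(ip, resolve=fake_resolver))
```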
