[94968] in North American Network Operators' Group


Re: RBL for bots?

daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu Feb 15 20:17:23 2007

Date: Thu, 15 Feb 2007 19:02:12 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: Valdis.Kletnieks@vt.edu
Cc: Drew Weaver <drew.weaver@thenap.com>, nanog@merit.edu
In-Reply-To: <200702151634.l1FGY5TA022976@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu


On Thu, 15 Feb 2007 Valdis.Kletnieks@vt.edu wrote:
> On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
> 
> >     Has anyone created an RBL, much like (possibly) the BOGON list which
> > includes the IP addresses of hosts which seem to be "infected" and are
> > attempting to brute-force SSH/HTTP, etc?

No BL for bots other than SMTP zombies quite yet.

There is one for SSH brute-forcing, although home-made. J. will respond on
his own...

> > It would be fairly easy to set up a dozen or more honeypots and examine
> > the logs in order to create an initial list.
> 
> A large percentage of those bots are in DHCP'ed cable/dsl blocks.  As such,
> there are 2 questions:

Quite right, which is why ...

> 1) How important is it that you not false-positive an IP that's listed because
> some *previous* owner of the address was pwned?

As in, dynamic ranges BL.

> 2) How important is it that you even accept connections from *anywhere* in
> that DHCP block?

Or maybe the cool concept of white-listing known senders? :)

> (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there.
> So it really *is* a question of why those aren't suitable for use in your
> application...)

Many of them are SMTP-based only. IP reputation is very limited still.

Now, all that said, back on "most are broadband users" - no longer
true. Many bots (especially in spam) are now web servers.

	Gadi.

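The thread above raises three design points for a bot block list built from honeypot logs: a hit threshold before an address is listed, shorter lifetimes for addresses in dynamic (DHCP) ranges so a later owner of the address is not penalised, and an allowlist of known senders that is never listed. The following script is an added example written for this page, not code from any of the thread's participants; the sshd-style log lines, the address ranges, the threshold and the TTL values are all constructed for illustration.

```python
"""Build a candidate bot block list from honeypot SSH auth logs.

Added example for this thread, not the participants' code. The log lines,
networks and policy constants below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed OpenSSH-style auth log lines, as a honeypot might record them.
SAMPLE_LOG = """\
2007-02-15T18:00:01Z sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
2007-02-15T18:00:03Z sshd[101]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
2007-02-15T18:00:05Z sshd[101]: Failed password for root from 192.0.2.10 port 4024 ssh2
2007-02-15T18:00:07Z sshd[101]: Failed password for invalid user oracle from 192.0.2.10 port 4025 ssh2
2007-02-15T18:00:09Z sshd[101]: Failed password for root from 192.0.2.10 port 4026 ssh2
2007-02-15T18:05:00Z sshd[102]: Failed password for root from 198.51.100.7 port 5511 ssh2
2007-02-15T18:05:02Z sshd[102]: Failed password for root from 198.51.100.7 port 5512 ssh2
2007-02-15T18:05:04Z sshd[102]: Failed password for root from 198.51.100.7 port 5513 ssh2
2007-02-15T18:05:06Z sshd[102]: Failed password for root from 198.51.100.7 port 5514 ssh2
2007-02-15T18:05:08Z sshd[102]: Failed password for root from 198.51.100.7 port 5515 ssh2
2007-02-15T18:09:00Z sshd[103]: Failed password for root from 203.0.113.9 port 6001 ssh2
2007-02-15T18:09:02Z sshd[103]: Accepted publickey for backup from 203.0.113.9 port 6002 ssh2
"""

# Matches only failed password attempts; accepted logins are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9.]+) port \d+ ssh2$"
)

# Constructed policy (assumptions for this example):
#   - known senders are never listed,
#   - dynamic (DHCP) ranges get a short TTL because the address may change hands,
#   - everything else gets a longer TTL.
ALLOWLIST = {ip_network("203.0.113.0/24")}
DYNAMIC_RANGES = {ip_network("198.51.100.0/24")}
THRESHOLD = 5
TTL_DYNAMIC = timedelta(hours=6)
TTL_STATIC = timedelta(days=7)


def parse_ts(stamp):
    """Parse the ISO-8601 UTC timestamp used in the sample log lines."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_failures(log_text):
    """Return {ip: [timestamps of failed logins]} from honeypot log text."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines do not count
        failures[m.group("ip")].append(parse_ts(m.group("ts")))
    return failures


def in_any(ip, networks):
    """True if `ip` falls inside any of the given networks."""
    return any(ip in net for net in networks)


def build_blocklist(log_text, threshold=THRESHOLD):
    """Return {ip: expiry_datetime} for hosts at or over the failure threshold.

    Allowlisted networks are skipped; entries in dynamic ranges expire sooner
    so that a later owner of the address is not penalised for long.
    """
    entries = {}
    for ip_str, stamps in parse_failures(log_text).items():
        ip = ip_address(ip_str)
        if len(stamps) < threshold or in_any(ip, ALLOWLIST):
            continue
        ttl = TTL_DYNAMIC if in_any(ip, DYNAMIC_RANGES) else TTL_STATIC
        entries[ip_str] = max(stamps) + ttl
    return entries


def active_entries(entries, now):
    """Return the subset of a block list still valid at `now`; expired entries age out."""
    return {ip: exp for ip, exp in entries.items() if exp > now}


if __name__ == "__main__":
    for ip, exp in sorted(build_blocklist(SAMPLE_LOG).items()):
        print(f"{ip} listed until {exp.isoformat()}")
```

With the constructed input, 192.0.2.10 and 198.51.100.7 both reach the threshold, but the dynamic-range entry ages out after six hours while the static one stays for a week, and 203.0.113.9 is never listed because its range is allowlisted. A production list would need the dynamic-range data and the allowlist to come from a maintained source rather than constants.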
