Networking

  • RBL for bots?


    Has anyone created an RBL, much like (possibly) the BGN list which
    includes the IP addresses of hosts which seem to be "infected" and are
    attempting to brute-force SSH/HTTP, etc?
    It would be fairly easy to setup a dozen or more honeypots and examine
    the logs in order to create an initial list.
    Anyone know of anything like this?
    -Drew
  • No.1

    Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:

    Has anyone created an RBL, much like (possibly) the BGN list which
    includes the IP addresses of hosts which seem to be "infected" and are
    attempting to brute-force SSH/HTTP, etc?

    It would be fairly easy to setup a dozen or more honeypots and examine
    the logs in order to create an initial list.

    A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such,
    there's 2 questions:

    1) How important is it that you not false-positive an IP that's listed because
    some *previous* owner of the address was pwned?

    2) How important is it that you even accept connections from *anywhere* in
    that DHCP block?

    (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there.
    So it really *is* a question of why those aren't suitable for use in your
    application)

  • No.2

    Thu, 15 Feb 2007, Drew Weaver wrote:
    Has anyone created an RBL, much like (possibly) the BGN list which
    includes the IP addresses of hosts which seem to be "infected" and are
    attempting to brute-force SSH/HTTP, etc?

    Bots are rarely single purpose engines. If they have been detected doing
    bad things, they will probably appear in multiple RBLs for multiple
    reasons. If something is in multiple RBLs, even if it hasn't done the
    particular badness you are looking for, its probably just a matter of
    time.

    Perhaps not surprisingly, some of the porn site vendors appear to have
    the most sophisticated systems for detecting brute force/password sharing
    attacks.
  • No.3

    Valdis.Kletnieks (AT) vt (DOT) edu wrote:
    Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:

    > Has anyone created an RBL, much like (possibly) the BGN list which
    > includes the IP addresses of hosts which seem to be "infected" and are
    > attempting to brute-force SSH/HTTP, etc?

    > It would be fairly easy to setup a dozen or more honeypots and examine
    > the logs in order to create an initial list.

    > A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such,
    > there's 2 questions:

    > 1) How important is it that you not false-positive an IP that's listed because
    > some *previous* owner of the address was pwned?

    > 2) How important is it that you even accept connections from *anywhere* in
    > that DHCP block?

    That depends.

    Do you sell "Internet service" to your customers or something else? If
    the former, then they're actually paying to receive connections from
    anywhere.

    > (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there.
    > So it really *is* a question of why those aren't suitable for use in your
    > application)
  • No.4

    Thu, 15 Feb 2007 09:16:27 PST, Joel Jaeggli said:
    Valdis.Kletnieks (AT) vt (DOT) edu wrote:
    2) How important is it that you even accept connections from *anywhere* in
    that DHCP block?

    That depends.

    Do you sell "Internet service" to your customers or something else? If
    the former, then they're actually paying to receive connections from
    anywhere.

    Then the RBL is irrelevant, as "anywhere" isn't the same as "anywhere that
    isn't in an RBL". :)

    (And anyhow, I'd *hope* that any use of an RBL to filter things on behalf of
    a customer was spelled out in the contract, at least in the fine print that
    most Joe Sixpacks never bother reading, specifically to cover that issue)

  • No.5

    Drew Weaver wrote:
    Has anyone created an RBL, much like (possibly) the BGN list
    which includes the IP addresses of hosts which seem to be "infected"
    and are attempting to brute-force SSH/HTTP, etc?

    It would be fairly easy to setup a dozen or more honeypots and examine
    the logs in order to create an initial list.

    Anyone know of anything like this?

    web.dnsbl.sorbs.net has hosts that do this, as well as Korgo-infected
    machines and a whole host of other types of vulnerabilities, trojans
    and bots.

    Do be careful about how you use the data, we don't distinguish between
    the types for very good reason.

    Regards,

    Mat
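As an added example (not code from any poster in this thread): how a DNSBL zone such as the web.dnsbl.sorbs.net zone named above is queried over DNS (octets reversed under the zone, a 127.0.0.x answer meaning "listed"), with a check that treats an address as a bot candidate only when it appears on more than one list, following the second reply's point. The second zone name and every DNS answer here are constructed placeholders so the block runs offline; `live_lookup` shows the real resolver call.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# web.dnsbl.sorbs.net is the zone named in the thread; the second zone is a
# constructed placeholder standing in for any other list you consult.
DNSBL_ZONES = ["web.dnsbl.sorbs.net", "bots.example-dnsbl.invalid"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.
    192.0.2.10 on web.dnsbl.sorbs.net -> 10.2.0.192.web.dnsbl.sorbs.net
    Raises ValueError for anything that is not an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def live_lookup(name: str) -> Optional[str]:
    """Real resolver: a listed address answers with an A record in
    127.0.0.0/8; an unlisted one gets NXDOMAIN, surfaced as gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip: str, zones: List[str],
             lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the address."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = lookup(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits[zone] = answer
    return hits

def listed_on_multiple(ip: str, zones: List[str],
                       lookup: Callable[[str], Optional[str]],
                       minimum: int = 2) -> bool:
    """True only when the address is on at least `minimum` lists; a single
    hit on a dynamic block may be a previous owner of the address."""
    return len(check_ip(ip, zones, lookup)) >= minimum

# Constructed offline answers standing in for real DNS responses.
FAKE_DNS = {
    "10.2.0.192.web.dnsbl.sorbs.net": "127.0.0.7",
    "10.2.0.192.bots.example-dnsbl.invalid": "127.0.0.2",
    "20.2.0.192.web.dnsbl.sorbs.net": "127.0.0.7",
}

def fake_lookup(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_ip(ip, DNSBL_ZONES, fake_lookup),
              listed_on_multiple(ip, DNSBL_ZONES, fake_lookup))
```

Swap `fake_lookup` for `live_lookup` to query real zones; the return-code meanings (127.0.0.x) are zone-specific and documented by each list operator.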
