North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: RBL for bots?
On Thu, 15 Feb 2007 [email protected] wrote: > On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said: > > > Has anyone created an RBL, much like (possibly) the BOGON list which > > includes the IP addresses of hosts which seem to be "infected" and are > > attempting to brute-force SSH/HTTP, etc? No BL for bots other than SMTP zombies quite yet. There is one for SSH brute forcing, although home-made.. J. Will repond on his own... > > It would be fairly easy to setup a dozen or more honeypots and examine > > the logs in order to create an initial list. > > A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such, > there's 2 questions: Quite right, which is why ... > 1) How important is it that you not false-positive an IP that's listed because > some *previous* owner of the address was pwned? As in, dynamic ranges BL. > 2) How important is it that you even accept connections from *anywhere* in > that DHCP block? Or maybe the cool concept of white-listing known senders? :) > (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there. > So it really *is* a question of why those aren't suitable for use in your > application...) Many of them are SMTP-based only. IP reputation is very limited still. Now, all that said, back on "most are broadband users" - no longer true. Many bots (especially in spam) are now web servers. Gadi.