North American Network Operators Group
Re: Worst Offenders/Active Attackers blacklists
Patrick W. Gilmore wrote:
>
> Perhaps combine the two? Have a stateful firewall which also checks
> DNSBLs? I can see why that would be attractive to someone, but still
> not a good idea. Not to mention no DNSBL operator would let any
> reasonably sized network query them for every new source address - the
> load would squash the name servers.

If you want the sort of performance you expect from your firewall now, you're going to have to evaluate the source on the basis of locally available information. A BGP-based blocklist would be a more sensible approach than a DNSBL. Then it's a question of how many blackhole prefixes you're willing to carry in your firewall's table...

> As I mentioned, zone transfer the DNSBL and check against that might add
> a modicum of usefulness, but still has lots of bad side effects.
>
> Then again, what do I know? Please implement this in production and
> show me I'm wrong. I smell a huge business opportunity if you can get
> it to work!
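The two alternatives raised in this exchange, a zone-transferred copy of a DNSBL and a BGP-distributed blackhole prefix list, both come down to the same thing: the firewall decides from data it already holds locally, and decides once per new source rather than once per packet. The following is an added illustration, not code from either poster. The zone name bl.example.invalid, the AXFR dump text and the blackhole prefixes are constructed sample data; a real deployment would refresh the dump on the zone's SOA refresh interval and carry the prefixes in a proper radix tree rather than a sorted list.

```python
"""Local source-address screening built from a zone-transferred DNSBL dump
and a BGP-style blackhole prefix list (added example; sample data only)."""
import ipaddress
import re

# Constructed sample of what an AXFR of a DNSBL zone looks like once dumped
# to text: a listed address appears with its octets reversed under the zone
# apex, and the A record value is the list's return code.
ZONE_NAME = "bl.example.invalid"
SAMPLE_AXFR = """\
bl.example.invalid.              3600 IN SOA ns.example.invalid. hostmaster.example.invalid. 1 3600 900 604800 3600
10.2.0.192.bl.example.invalid.   3600 IN A   127.0.0.2
10.2.0.192.bl.example.invalid.   3600 IN TXT "listed: constructed sample entry"
77.113.0.203.bl.example.invalid. 3600 IN A   127.0.0.2
bl.example.invalid.              3600 IN SOA ns.example.invalid. hostmaster.example.invalid. 1 3600 900 604800 3600
"""

# Constructed sample of prefixes as they would arrive over a BGP blackhole
# feed (documentation ranges, not a real list).
SAMPLE_BLACKHOLE_PREFIXES = ["198.51.100.0/24", "203.0.113.64/26"]


def parse_dnsbl_axfr(dump: str, zone: str):
    """Return the set of IPv4 addresses listed in a DNSBL zone dump.

    Only A records under the zone count; the reversed octets in the owner
    name are turned back into the listed address."""
    listed = set()
    owner_re = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\." + re.escape(zone) + r"\.$")
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] != "A":
            continue
        m = owner_re.match(fields[0])
        if not m:
            continue
        d, c, b, a = m.groups()  # octets are stored reversed in the owner name
        listed.add(ipaddress.ip_address(f"{a}.{b}.{c}.{d}"))
    return listed


class LocalSourceScreen:
    """Verdict per new source address from local data only; the verdict is
    cached so later packets from that source cost a dict lookup, not a DNS
    query to the list operator."""

    def __init__(self, listed_addresses, blackhole_prefixes):
        self.listed = set(listed_addresses)
        # Longest prefix first so the most specific blackhole entry wins.
        self.prefixes = sorted(
            (ipaddress.ip_network(p) for p in blackhole_prefixes),
            key=lambda n: n.prefixlen, reverse=True)
        self._verdicts = {}

    def check(self, source: str) -> str:
        addr = ipaddress.ip_address(source)
        if addr in self._verdicts:
            return self._verdicts[addr]
        if addr in self.listed:
            verdict = "drop:dnsbl"
        else:
            verdict = "allow"
            for net in self.prefixes:
                if addr in net:
                    verdict = f"drop:blackhole {net}"
                    break
        self._verdicts[addr] = verdict
        return verdict

    def cached_sources(self) -> int:
        """Number of distinct sources decided so far (the firewall's table size)."""
        return len(self._verdicts)


def demo():
    """Screen a handful of constructed source addresses and return the verdicts."""
    screen = LocalSourceScreen(parse_dnsbl_axfr(SAMPLE_AXFR, ZONE_NAME),
                               SAMPLE_BLACKHOLE_PREFIXES)
    sources = ["192.0.2.10", "203.0.113.77", "203.0.113.100",
               "203.0.113.5", "198.51.100.9", "192.0.2.10"]
    verdicts = {src: screen.check(src) for src in sources}
    return verdicts, screen.cached_sources()


if __name__ == "__main__":
    results, table_size = demo()
    for src, verdict in results.items():
        print(f"{src:16} {verdict}")
    print(f"{table_size} sources in local verdict table")
```

The trade-off the thread points at is visible in `cached_sources()`: every distinct source the firewall ever sees adds an entry, which is the "how many prefixes are you willing to carry" question in another form, and in practice the cache needs an expiry tied to flow state.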