RBL for bots?

Valdis.Kletnieks at vt.edu
Thu Feb 15 16:34:05 UTC 2007


On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:

>     Has anyone created an RBL, much like (possibly) the BOGON list which
> includes the IP addresses of hosts which seem to be "infected" and are
> attempting to brute-force SSH/HTTP, etc?

> It would be fairly easy to set up a dozen or more honeypots and examine
> the logs in order to create an initial list.

A large percentage of those bots are in DHCP'ed cable/dsl blocks.  As such,
there are 2 questions:

1) How important is it that you not false-positive an IP that's listed because
some *previous* owner of the address was pwned?

2) How important is it that you even accept connections from *anywhere* in
that DHCP block?

(Note that there *are* fairly good RBLs of DHCP/dsl/cable blocks out there.
So it really *is* a question of why those aren't suitable for use in your
application...)
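One way to build the honeypot-derived list proposed in the quoted message while limiting the stale-listing problem raised in question 1, as an added example that is not part of the original thread. The log format, the honeypot names, the thresholds and the expiry period are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of sshd auth logs from two hypothetical honeypots;
# timestamps are simplified to ISO 8601, addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = {
    "hp1": [
        "2007-02-14T03:12:01 sshd[411]: Failed password for root from 192.0.2.10 port 4011 ssh2",
        "2007-02-14T03:12:03 sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 4012 ssh2",
        "2007-02-01T09:00:00 sshd[388]: Failed password for root from 198.51.100.7 port 5022 ssh2",
        "2007-02-01T09:00:02 sshd[388]: Failed password for root from 198.51.100.7 port 5023 ssh2",
        "2007-02-14T08:00:00 sshd[420]: Failed password for alice from 203.0.113.5 port 6001 ssh2",
    ],
    "hp2": [
        "2007-02-14T03:15:40 sshd[97]: Failed password for root from 192.0.2.10 port 4100 ssh2",
        "2007-02-01T09:05:00 sshd[90]: Failed password for invalid user test from 198.51.100.7 port 5100 ssh2",
    ],
}

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")
# Assumed policy knobs, not values from the thread.
MIN_SENSORS = 2            # must be seen by at least this many honeypots
MIN_FAILURES = 3           # total failed logins across all honeypots
TTL = timedelta(days=3)    # entry ages out this long after the last sighting

def build_list(logs, now):
    """Return {ip: expiry} for addresses that meet the thresholds and are still fresh."""
    seen = defaultdict(lambda: {"sensors": set(), "failures": 0, "last": datetime.min})
    for sensor, lines in logs.items():
        for line in lines:
            m = FAILED.match(line)
            if not m:
                continue  # ignore anything that is not a failed-login line
            rec = seen[m.group(2)]
            rec["sensors"].add(sensor)
            rec["failures"] += 1
            rec["last"] = max(rec["last"], datetime.fromisoformat(m.group(1)))
    return {
        ip: rec["last"] + TTL
        for ip, rec in seen.items()
        if len(rec["sensors"]) >= MIN_SENSORS
        and rec["failures"] >= MIN_FAILURES
        and now - rec["last"] <= TTL  # stale sightings drop off, limiting DHCP-reuse false positives
    }

if __name__ == "__main__":
    for ip, expiry in build_list(SAMPLE_LOGS, datetime(2007, 2, 15, 16, 0)).items():
        print(ip, "listed until", expiry.isoformat())
```

With the sample data, 198.51.100.7 met both thresholds two weeks earlier but is no longer listed, which is the behaviour question 1 is asking about; a shorter TTL trades coverage for fewer listings of an address's next owner.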