RBL for bots?

Joel Jaeggli joelja at bogus.com
Thu Feb 15 17:16:27 UTC 2007


Valdis.Kletnieks at vt.edu wrote:
> On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
> 
>>     Has anyone created an RBL, much like (possibly) the BOGON list which
>> includes the IP addresses of hosts which seem to be "infected" and are
>> attempting to brute-force SSH/HTTP, etc?
> 
>> It would be fairly easy to setup a dozen or more honeypots and examine
>> the logs in order to create an initial list.
> 
> A large percentage of those bots are in DHCP'ed cable/dsl blocks.  As such,
> there's 2 questions:
> 
> 1) How important is it that you not false-positive an IP that's listed because
> some *previous* owner of the address was pwned?
> 
> 2) How important is it that you even accept connections from *anywhere* in
> that DHCP block?

That depends...

Do you sell "Internet service"  to you customers or something else. If
the former then they're actually paying to receive connections from
anywhere...

> (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there.
> So it really *is* a question of why those aren't suitable for use in your
> application...)




More information about the NANOG mailing list