Worst Offenders/Active Attackers blacklists

Joel Jaeggli joelja at bogus.com
Tue Jan 29 17:04:40 UTC 2008


Patrick W. Gilmore wrote:
>  
> Perhaps combine the two?  Have a stateful firewall which also checks
> DNSBLs?  I can see why that would be attractive to someone, but still
> not a good idea.  Not to mention no DNSBL operator would let any
> reasonably sized network query them for every new source address - the
> load would squash the name servers.

If you want the sort of performance you expect from your firewall now,
you're going to have to evaluate the source on the basis of locally
available information.

A BGP-based blocklist would be a more sensible approach than a DNSBL.
Then it's a question of how many blackhole prefixes you're willing to
carry in your firewall's table...

> As I mentioned, zone transfer the DNSBL and check against that might add
> a modicum of usefulness, but still has lots of bad side effects.
> 
> Then again, what do I know?  Please implement this in production and
> show me I'm wrong.  I smell a huge business opportunity if you can get
> it to work!
> 




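The contrast Joel draws above, a blackhole prefix table fed out-of-band versus a DNS lookup for every new source address, as an added example that is not part of the original post or the thread: a longest-prefix-match table over blocklisted prefixes, plus a helper that builds the DNSBL query name the alternative design would have to send per source. The prefixes, source addresses and the zone name dnsbl.example are constructed for illustration from documentation ranges.

```python
"""Local source-address screening against a prefix blocklist.

Added example, not code from the NANOG thread. The blackhole prefixes,
the sample sources and the zone "dnsbl.example" are constructed here
using RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of blackhole prefixes, as a BGP feed might deliver
# them. 203.0.113.64/26 sits inside 203.0.113.0/24 to show longest match.
BLACKHOLE_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.128/25",
    "203.0.113.0/24",
    "203.0.113.64/26",
    "2001:db8:bad::/48",
]


class PrefixTable:
    """Longest-prefix-match table bucketed by prefix length.

    A lookup costs one hash probe per distinct prefix length present,
    regardless of how many prefixes are loaded; that is the property a
    per-packet check needs and a per-packet DNS query cannot give.
    """

    def __init__(self, prefixes=()):
        # version -> prefix length -> network int -> ip_network object
        self._by_len = {4: defaultdict(dict), 6: defaultdict(dict)}
        for p in prefixes:
            self.add(p)

    def add(self, prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        self._by_len[net.version][net.prefixlen][int(net.network_address)] = net

    def match(self, addr):
        """Return the most specific covering prefix as a string, or None."""
        ip = ipaddress.ip_address(addr)
        bits = ip.max_prefixlen
        table = self._by_len[ip.version]
        for plen in sorted(table, reverse=True):
            mask = ((1 << plen) - 1) << (bits - plen)
            net = table[plen].get(int(ip) & mask)
            if net is not None:
                return str(net)
        return None

    def __len__(self):
        """Number of prefixes carried, i.e. the table-size cost of the feed."""
        return sum(len(b) for t in self._by_len.values() for b in t.values())


def dnsbl_query_name(addr, zone="dnsbl.example"):
    """Build the DNSBL query name for addr (RFC 5782 style): IPv4 octets,
    or IPv6 nibbles, reversed under the zone. One such query per new
    source is the load the quoted message says no operator would accept."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


def screen(table, sources):
    """Classify each source locally; returns {source: matched prefix or None}."""
    return {src: table.match(src) for src in sources}


if __name__ == "__main__":
    # Constructed stream of new source addresses hitting the firewall.
    sources = ["192.0.2.77", "198.51.100.5", "198.51.100.200",
               "203.0.113.10", "203.0.113.70", "2001:db8:bad:1::9", "2001:db8::1"]
    table = PrefixTable(BLACKHOLE_PREFIXES)
    for src, hit in screen(table, sources).items():
        verdict = f"blocked by {hit}" if hit else "allowed"
        print(f"{src:20} {verdict:30} (DNSBL would query {dnsbl_query_name(src)})")
    print(f"table carries {len(table)} prefixes; {len(set(sources))} DNS queries avoided")
```

The table answers from memory with no per-source network round trip; what it costs instead is the entries it must hold, which is the sizing question the post raises.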
More information about the NANOG mailing list