Repeated Blacklisting / IP reputation
Justin Shore
justin at justinshore.com
Tue Sep 8 19:57:17 UTC 2009
Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place
> a TTL on the entry of no more than, say, 90 days or thereabouts. Best
> practices for manual entry should be to either keep a list of what and
> when or periodically to simply blow the whole list away and start anew
> to get rid of stale entries. Of course, that is probably an unreal
> expectation.
I've had to implement something similar for my RTBH trigger router.
After manually adding nearly 20,000 static routes of hosts that scanned
for open proxies or attacked SSH daemons on my network I had to trim the
block list considerably because many of my older PEs couldn't handle
that many routes without problems. I already named each static with a
reason for the block (SSH, Telnet, Proxy-scan, etc.) but ended up
prepending a date to that string as well: 20090908-SSH-Scan. That way
I can parse the config later on and create config to negate everything
that's older than 3-4 months. If one of those old IPs is still trying
to get to me after 4 months then it will get re-added the next time I
process my log entries. If they aren't trying to hit me then they'll
no longer be consuming space in my RIB.
Justin
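The pruning step Justin describes, parsing the date-prefixed route names and emitting the negating config, as an added example that is not code from the post. It assumes Cisco IOS-style `ip route <prefix> <mask> Null0 name YYYYMMDD-<reason>` statements (the post does not show the exact syntax) and runs against a constructed config using RFC 5737 documentation addresses.

```python
import re
from datetime import date, datetime, timedelta

# Assumed IOS-style static route carrying the post's naming scheme:
# the 'name' string is YYYYMMDD-<reason>. An optional 'tag' is tolerated.
ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\S+) (?P<mask>\S+) (?P<nexthop>\S+)"
    r"(?: tag \d+)? name (?P<date>\d{8})-(?P<reason>\S+)$"
)
POST_DATE = date(2009, 9, 8)  # the date of the post, used as "today"

# Constructed sample config (RFC 5737 addresses); last two lines are
# an undated block and an ordinary static route, both left untouched.
SAMPLE_CONFIG = """\
ip route 192.0.2.10 255.255.255.255 Null0 name 20090401-SSH-Scan
ip route 192.0.2.11 255.255.255.255 Null0 tag 666 name 20081120-Proxy-scan
ip route 192.0.2.12 255.255.255.255 Null0 name 20090815-Telnet
ip route 192.0.2.13 255.255.255.255 Null0 name 20090908-SSH-Scan
ip route 192.0.2.14 255.255.255.255 Null0 name SSH-Scan
ip route 198.51.100.0 255.255.255.0 198.51.100.1
"""

def parse_routes(config_text):
    """One dict per dated block route; undated or malformed entries are skipped."""
    routes = []
    for raw in config_text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        try:
            added = datetime.strptime(m.group("date"), "%Y%m%d").date()
        except ValueError:
            continue  # unparseable date string: leave that route alone
        routes.append({**m.groupdict(), "added": added})
    return routes

def expired_routes(routes, today, max_age_days=120):
    """Routes whose date tag is older than max_age_days (the post uses 3-4 months)."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in routes if r["added"] < cutoff]

def negate_config(routes):
    """Emit the 'no ip route ...' lines that pull stale entries out of the RIB."""
    return [f"no ip route {r['prefix']} {r['mask']} {r['nexthop']}" for r in routes]

def expire_config(config_text, today, max_age_days=120):
    return negate_config(expired_routes(parse_routes(config_text), today, max_age_days))

if __name__ == "__main__":
    print("\n".join(expire_config(SAMPLE_CONFIG, POST_DATE)))
```

A host that is still hitting the network after its entry is negated simply shows up again in the next log run and gets a fresh date, which is the re-add behaviour the post relies on.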