Repeated Blacklisting / IP reputation

Justin Shore justin at
Tue Sep 8 19:57:17 UTC 2009

Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place
> a TTL on the entry of no more than, say, 90 days or thereabouts. Best
> practices for manual entry should be to either keep a list of what and
> when or periodically to simply blow the whole list away and start anew
> to get rid of stale entries. Of course, that is probably an unreal
> expectation.

I've had to implement something similar for my RTBH trigger router. 
After manually-adding nearly 20,000 static routes of hosts that scanned 
for open proxies or attacked SSH daemons on my network I had to trim the 
block list considerably because many of my older PEs couldn't handle 
that many routes without problems.  I already named each static with a 
reason for the block(SSH, Telnet, Proxy-scan, etc) but ended up 
prepending a date to that string as well:  20090908-SSH-Scan.  That way 
I can parse the config later on and create config to negate everything 
that's older than 3-4 months.  If one of those old IPs is still trying 
to get to me after 4 months then it will get readded the next time I 
process my logs entries.  If they aren't trying to hit me then they'll 
no longer be consuming space in my RIB.


More information about the NANOG mailing list