RE: Worst Offenders/Active Attackers blacklists

["Jason J. W. Williams" <williamsjj () digitar com>]

My suggestion would be not even to try iptables. It'll take hours just
to load 10 million entries. There's no efficient mass loading interface.

-J

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf
Of
> Valdis.Kletnieks () vt edu
> Sent: Monday, January 28, 2008 4:23 PM
> To: Tomas L. Byrnes
> Cc: nanog () nanog org
> Subject: Re: Worst Offenders/Active Attackers blacklists
>
> On Sun, 27 Jan 2008 12:21:27 PST, "Tomas L. Byrnes" said:
> > I'm the CTO and founder of ThreatSTOP (www.threatstop.com), and
we're
> > currently propagating the DShield, and some other, block lists for
> use
> > in firewalls. I'm interested in gathering additional threat
> > information, and serving additional communities.
> >
> > Is there any interest in a collaborative platform where anonymized
> > candidates for blocking would be submitted by a trusted group, and
> > then propagated out to the whole group?
>
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> This illustrates dumb idea #2.  Explain to me how you intend to
> enumerate enough of the "bad" hosts out there that such a blocklist
> would help, while still having it small enough that you don't blow out
> the RAM on whatever device you're installing it on.  Have you *tested*
> whatever iptables/ipf/ACL for proper operation with 10 million
entries?
>