nanog mailing list archives

Re: Worst Offenders/Active Attackers blacklists


From: Joel Jaeggli <joelja () bogus com>
Date: Tue, 29 Jan 2008 09:04:40 -0800


Patrick W. Gilmore wrote:
 
Perhaps combine the two?  Have a stateful firewall which also checks
DNSBLs?  I can see why that would be attractive to someone, but still
not a good idea.  Not to mention no DNSBL operator would let any
reasonably sized network query them for every new source address - the
load would squash the name servers.

If you want the sort of performance you expect from your firewall now
you're going to have to evaluate the source on the basis of locally
available information.

A BGP-based blocklist would be a more sensible approach than a DNSBL.
Then it's a question of how many blackhole prefixes you're willing to
carry in your firewall's table...

As I mentioned, zone transfer the DNSBL and check against that might add
a modicum of usefulness, but still has lots of bad side effects.

Then again, what do I know?  Please implement this in production and
show me I'm wrong.  I smell a huge business opportunity if you can get
it to work!
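As an added illustration, not part of the thread above, here is what a firewall-side check against locally held data looks like: a zone dump in the usual reversed-octet DNSBL form parsed into a local lookup table (the "zone transfer and check locally" option), beside a longest-prefix check of the kind a BGP-fed blocklist would populate. The zone name bl.example, the listings and the prefixes are all constructed sample values.

```python
import ipaddress

# Constructed sample of a DNSBL zone dump (assumed zone bl.example), in the
# conventional reversed-octet form. These are documentation addresses, not
# real listings.
ZONE_DUMP = """\
; constructed sample zone, not real data
$ORIGIN bl.example.
7.113.0.203            IN A 127.0.0.2
44.2.0.192.bl.example. IN A 127.0.0.4
9.100.51.198           IN A 127.0.0.2
"""

def parse_dnsbl_zone(text):
    """Build {listed_ip: return_code} from a reversed-octet DNSBL zone dump."""
    listed = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):      # skip directives
            continue
        fields = line.split()
        if len(fields) < 4 or fields[-2] != "A":  # only A records carry listings
            continue
        labels = fields[0].rstrip(".").split(".")[:4]
        if len(labels) != 4 or not all(l.isdigit() for l in labels):
            continue
        listed[".".join(reversed(labels))] = fields[-1]
    return listed

def dnsbl_lookup(listed, src):
    """Local equivalent of a DNSBL query: return code if src is listed, else None."""
    return listed.get(src)

# Constructed prefix blocklist, as a BGP-distributed blackhole feed would supply.
PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

def longest_prefix_match(prefixes, src):
    """Return the most specific blocklist prefix covering src, or None."""
    addr = ipaddress.ip_address(src)
    hits = [p for p in prefixes if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None

if __name__ == "__main__":
    table = parse_dnsbl_zone(ZONE_DUMP)
    for src in ("203.0.113.7", "198.51.100.200", "192.0.2.1"):
        print(src, dnsbl_lookup(table, src), longest_prefix_match(PREFIXES, src))
```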
