nanog mailing list archives
Re: Repeated Blacklisting / IP reputation
From: Justin Shore <justin () justinshore com>
Date: Tue, 08 Sep 2009 14:57:17 -0500
Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place a TTL on the entry of no more than, say, 90 days or thereabouts. Best practices for manual entry should be to either keep a list of what and when or periodically to simply blow the whole list away and start anew to get rid of stale entries. Of course, that is probably an unreal expectation.
I've had to implement something similar for my RTBH trigger router. After manually adding nearly 20,000 static routes of hosts that scanned for open proxies or attacked SSH daemons on my network I had to trim the block list considerably because many of my older PEs couldn't handle that many routes without problems. I already named each static with a reason for the block (SSH, Telnet, Proxy-scan, etc) but ended up prepending a date to that string as well: 20090908-SSH-Scan. That way I can parse the config later on and create config to negate everything that's older than 3-4 months. If one of those old IPs is still trying to get to me after 4 months then it will get re-added the next time I process my log entries. If they aren't trying to hit me then they'll no longer be consuming space in my RIB.
Justin
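
An added example, not part of the original message or the poster's own tooling: one way to do the expiry pass described above, parsing date-prefixed route names and emitting negation config for stale entries. It assumes Cisco IOS-style `ip route ... name <YYYYMMDD>-<reason>` statics and a 120-day cutoff; the sample config and its documentation-range addresses are constructed.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample config (assumed IOS-style syntax, documentation addresses).
SAMPLE_CONFIG = """\
ip route 192.0.2.10 255.255.255.255 Null0 name 20090412-SSH-Scan
ip route 192.0.2.77 255.255.255.255 Null0 tag 666 name 20090908-SSH-Scan
ip route 198.51.100.5 255.255.255.255 Null0 name 20090301-Proxy-scan
ip route 203.0.113.9 255.255.255.255 Null0 name 20090230-Telnet
ip route 203.0.113.40 255.255.255.255 Null0 name Customer-request
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""

# prefix, mask, next hop, then optional keywords, then a name of the form YYYYMMDD-reason
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: .*)? name (\d{8})-(\S+)")

def expire_routes(config, today, max_age_days=120):
    """Return (negation_lines, skipped_lines) for dated statics older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    negate, skipped = [], []
    for line in config.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if not m:
            # Unnamed statics are ignored; named but undated ones are reported for review.
            if line.startswith("ip route ") and " name " in line:
                skipped.append(line)
            continue
        prefix, mask, nexthop, stamp, _reason = m.groups()
        try:
            added = datetime.strptime(stamp, "%Y%m%d").date()
        except ValueError:
            skipped.append(line)  # impossible date such as 20090230: leave the block in place
            continue
        if added < cutoff:
            negate.append(f"no ip route {prefix} {mask} {nexthop}")
    return negate, skipped

if __name__ == "__main__":
    stale, review = expire_routes(SAMPLE_CONFIG, date(2009, 9, 8))
    print("\n".join(stale))
    for line in review:
        print(f"! review manually: {line}")
```

Entries whose name carries no parseable date are never expired automatically; they are listed for manual review so a mistyped name does not silently drop a block.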