nanog mailing list archives

Re: Repeated Blacklisting / IP reputation

From: Justin Shore <justin () justinshore com>
Date: Tue, 08 Sep 2009 14:57:17 -0500

Wayne E. Bouchard wrote:

Best practices for the public or subscription RBLs should be to place
a TTL on the entry of no more than, say, 90 days or thereabouts. Best
practices for manual entry should be to either keep a list of what and
when or periodically to simply blow the whole list away and start anew
to get rid of stale entries. Of course, that is probably an unreal
expectation.

I've had to implement something similar for my RTBH trigger router.After manually-adding nearly 20,000 static routes of hosts that scannedfor open proxies or attacked SSH daemons on my network I had to trim theblock list considerably because many of my older PEs couldn't handlethat many routes without problems. I already named each static with areason for the block(SSH, Telnet, Proxy-scan, etc) but ended upprepending a date to that string as well: 20090908-SSH-Scan. That wayI can parse the config later on and create config to negate everythingthat's older than 3-4 months. If one of those old IPs is still tryingto get to me after 4 months then it will get readded the next time Iprocess my logs entries. If they aren't trying to hit me then they'llno longer be consuming space in my RIB.


Justin

Current thread:

Re: Repeated Blacklisting / IP reputation, (continued)
- - - Re: Repeated Blacklisting / IP reputation Joel Jaeggli (Sep 11)
    - Re: Repeated Blacklisting / IP reputation Joe Greco (Sep 10)
    - Re: Repeated Blacklisting / IP reputation Joel Jaeggli (Sep 11)
    - Re: Repeated Blacklisting / IP reputation Leo Vegoda (Sep 10)
    - Re: Repeated Blacklisting / IP reputation Christopher Morrow (Sep 13)
    - Message not available
    - Re: Repeated Blacklisting / IP reputation Tim Chown (Sep 14)
    - Re: Repeated Blacklisting / IP reputation Valdis . Kletnieks (Sep 10)
    - Re: Repeated Blacklisting / IP reputation Christopher Morrow (Sep 13)
  - Re: Repeated Blacklisting / IP reputation Wayne E. Bouchard (Sep 08)
    - Re: Repeated Blacklisting / IP reputation Jon Lewis (Sep 08)
    - Re: Repeated Blacklisting / IP reputation Justin Shore (Sep 08)
    - Re: Repeated Blacklisting / IP reputation Rich Kulawiec (Sep 14)
    - Re: Hijacked Blocks (was: Repeated Blacklisting / IP reputation) John Curran (Sep 14)
    - Re: Hijacked Blocks (was: Repeated Blacklisting / IP reputation) Christopher Morrow (Sep 14)
    - Re: Hijacked Blocks Chris Marlatt (Sep 14)
    - Re: Hijacked Blocks Christopher Morrow (Sep 14)
    - RE: Hijacked Blocks Azinger, Marla (Sep 14)
    - RE: Hijacked Blocks Azinger, Marla (Sep 14)
    - RE: Repeated Blacklisting / IP reputation, replaced by registered use Michiel Klaver (Sep 15)
    - Re: Hijacked Blocks Randy Bush (Sep 14)
    - Re: Hijacked Blocks Christopher Morrow (Sep 14)

(Thread continues...)