nanog mailing list archives

Re: automatic rtbh trigger using flow data


From: Aaron Gould <aaron1 () gvtc com>
Date: Thu, 30 Aug 2018 18:47:52 -0500

I'm really surprised that you all are doing this based on source IP, simply because I thought the distribution of 
botnet members around the world was so extensive that I never really thought it possible to filter based on sources; 
if so, I'd like to see the list too.

Even so, this would not stop the attacks from hitting my front door, my side of my Internet uplink... When paying for a 
30 gig CIR and paying double per megabit per second over that, up to the ceiling of 100 gig, every bit that hits my 
front door over 30 gig would cost me extra; remotely triggering based on my victim IP address inside my network would 
be my solution to saving money.

But stopping the attack even on my side of my Internet uplink would at least stop it from proliferating throughout my 
internal network, which is also costing me when it affects cell towers, etc.

Aaron

On Aug 30, 2018, at 6:43 PM, Michel Py <michel.py () tsisemi com> wrote:

Joe Maimon wrote :
I use a bunch of scripts plus a supervisory sqlite3 database process all injecting into quagga

I have the sqlite part planned, today I'm using a flat file :-( I know :-(

Also aimed at attacker sources. I feed it with honeypots and live servers, hooked into fail2ban and using 
independent host scripts. Not very sophisticated, the remotes use ssh executed commands to add/delete. I also setup 
a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse connectivity.

I would like to have your feed. How many attacker prefixes do you currently have?

Using flow data, that sounds like an interesting direction to take this into, so thank you!

The one thing we can share here is the attacker prefixes. The victim prefixes are unique to each of us but I expect 
our attacker prefixes to be very close.

Michel.

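The thread describes the victim-side variant of this setup: summarize flow data per destination, and when one of your own addresses is taking more than you are willing to pay for, inject a /32 blackhole into quagga and withdraw it once the attack subsides. The following is an added example of that loop, not code from Aaron, Michel or Joe. It assumes flow records have already been exported as (destination, bytes, seconds) summaries, keeps state in sqlite3 as Joe mentions doing, and renders quagga/FRR `ip route` lines for a blackhole next-hop that is statically routed to Null0 on the edge; the threshold, hold time, protected prefix and next-hop are all assumed local policy values. The one guard worth noting is that it refuses to blackhole anything outside the operator's own address space, so a bad flow record can never turn the trigger into an outage for someone else.

```python
import ipaddress
import sqlite3
from collections import defaultdict

# Local policy knobs (assumed values, not taken from the thread).
THRESHOLD_BPS = 5_000_000_000          # 5 Gbit/s towards one /32 counts as "under attack"
HOLD_SECONDS = 600                     # keep the blackhole 10 min after the flow stops
PROTECTED = ipaddress.ip_network("198.51.100.0/24")   # only ever blackhole our own space
BLACKHOLE_NEXTHOP = "192.0.2.1"        # assumed to be statically routed to Null0 on the edge

# Constructed flow summaries: (destination, bytes seen, interval in seconds).
SAMPLE_FLOWS = [
    ("198.51.100.10", 20_000_000_000, 10),   # 16 Gbit/s: trigger
    ("198.51.100.11", 50_000_000, 10),        # 40 Mbit/s: normal
    ("198.51.100.12", 2_500_000_000, 10),    # 2 Gbit/s: below threshold
    ("203.0.113.5",   30_000_000_000, 10),   # huge, but not our address space: ignore
]


def bps_by_dst(flows):
    """Aggregate flow summaries into bits per second per destination address."""
    totals = defaultdict(float)
    for dst, nbytes, seconds in flows:
        totals[dst] += nbytes * 8 / seconds
    return dict(totals)


def victims_over_threshold(flows, threshold=THRESHOLD_BPS, protected=PROTECTED):
    """Return destinations inside our own space whose inbound rate exceeds the threshold.

    The 'protected' guard stops a bogus flow record from making us blackhole
    a prefix we do not own.
    """
    out = []
    for dst, bps in bps_by_dst(flows).items():
        if bps > threshold and ipaddress.ip_address(dst) in protected:
            out.append(dst)
    return sorted(out)


def open_state(path=":memory:"):
    """Open the sqlite table that remembers which /32s are currently blackholed."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS blackholes ("
        "prefix TEXT PRIMARY KEY, first_seen INTEGER, last_seen INTEGER)"
    )
    return conn


def reconcile(conn, victims, now, hold=HOLD_SECONDS):
    """Update state for one polling interval; return (prefixes_to_add, prefixes_to_withdraw)."""
    to_add, to_withdraw = [], []
    for dst in victims:
        prefix = f"{dst}/32"
        row = conn.execute("SELECT 1 FROM blackholes WHERE prefix = ?", (prefix,)).fetchone()
        if row is None:
            conn.execute("INSERT INTO blackholes VALUES (?, ?, ?)", (prefix, now, now))
            to_add.append(prefix)
        else:
            conn.execute("UPDATE blackholes SET last_seen = ? WHERE prefix = ?", (now, prefix))
    # Withdraw anything that has been quiet for longer than the hold time.
    stale = conn.execute(
        "SELECT prefix FROM blackholes WHERE ? - last_seen > ?", (now, hold)
    ).fetchall()
    for (prefix,) in stale:
        conn.execute("DELETE FROM blackholes WHERE prefix = ?", (prefix,))
        to_withdraw.append(prefix)
    conn.commit()
    return to_add, sorted(to_withdraw)


def vtysh_commands(to_add, to_withdraw, nexthop=BLACKHOLE_NEXTHOP):
    """Render quagga/FRR static-route lines. A route-map on 'redistribute static'
    matching this next-hop is assumed to attach the RTBH community."""
    cmds = [f"ip route {p} {nexthop}" for p in to_add]
    cmds += [f"no ip route {p} {nexthop}" for p in to_withdraw]
    return cmds


def run_cycle(conn, flows, now):
    """One polling cycle: flows in, config lines out (the caller feeds them to 'vtysh -c')."""
    to_add, to_withdraw = reconcile(conn, victims_over_threshold(flows), now)
    return vtysh_commands(to_add, to_withdraw)


if __name__ == "__main__":
    state = open_state()
    for line in run_cycle(state, SAMPLE_FLOWS, now=1000):
        print(line)
```

Run one cycle per flow-export interval; the hold time keeps the route from flapping every time the attacker pauses, and because state lives in sqlite the withdraw still happens after a restart of the trigger process.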

