On 02/22/2011 08:29 AM, Justin Ellison wrote:
> Hi all,
>
> This is working for now, and our shun list is at 5K IPs and growing.
> However, my script has some inherent latency in it, and is not what
> I'd call "production material".  It was hacked together at 3am and I'm
> shocked it even runs at all.

Bet that'd summarise quite nicely.  Unfortunately there aren't many 
decent tools for helping you do such as best as I've seen (if anyone 
knows of one I'd love to hear it).

> So, with that in mind, how do people who see these types of things 
> frequently deal with them?  Another company we deal with has 
> recommended we get in touch with RioRey and Radware -- I've never 
> dealt with either of them.  In fact, I hadn't even heard of RioRey 
> until today.
>
> Also, are there any "known zombie" blacklists out there that are 
> fairly reputable?
>
> Sorry if I'm rambling, but I'm running on caffeine and cold 
> medications at this point.  I'd love any tips/pointers any of you 
> could share.
>
> Justin
>
The people on the NANOG (North America Network Operators Group) mailing 
list seem to swear by Spamhaus's DROP list (Don't Route or Peer):
http://www.spamhaus.org/drop/ and the Team Cymru BOGON list: 
http://www.team-cymru.org/Services/Bogons/
Quite often 'addresses' used in the munged address of packets used in 
DDoS attacks are BOGONs (e.g. unroutable addresses like 192.168.0.0/24, 
or non-allocated addresses).

I keep meaning to knock up a script that will automatically parse those 
lists for use on a BSD firewall I've got kicking around, curious to see 
what kind of hit rate we would get.

For post-disaster reading there was a long discussion about the state of 
DDoS back in the beginning of December, might be interesting reading: 
http://www.merit.edu/mail.archives/nanog/msg15492.html

At times the mailing list can bias significantly towards n, but the s/n 
ratio is usually very good; if you're operating a network at all I'd say 
it's worth subscribing to.

Hope these help,
Paul
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
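
One way to write the list-parsing script mentioned in the reply above, as an added example that is not part of the original post or of either list's own tooling. It assumes the DROP feed uses "CIDR ; SBL reference" lines with ';' comments and the bogon feed uses one CIDR per line with '#' comments, handles IPv4 only, and uses constructed sample data and hypothetical function names.

```python
import ipaddress

# Constructed sample feeds (documentation prefixes, not real list data).
SAMPLE_DROP = """\
; Constructed sample in the assumed DROP layout
192.0.2.0/25 ; SBL000001
192.0.2.128/25 ; SBL000002
198.51.100.0/24 ; SBL000003
not-a-prefix ; SBL000004
"""
SAMPLE_BOGONS = """\
# Constructed sample in the assumed bogon layout
10.0.0.0/8
192.168.0.0/16
203.0.113.0/24
"""

def parse_feed(text):
    """Return (networks, rejected_lines) for a DROP- or bogon-style feed."""
    nets, rejected = [], []
    for raw in text.splitlines():
        # Drop whole-line comments and trailing "; SBLnnn" / "# note" parts.
        entry = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry))  # strict: no host bits
        except ValueError:
            rejected.append(raw)  # never hand unparsed feed text to the firewall
    return nets, rejected

def build_table(feeds, protected):
    """Merge feeds, collapse adjacent prefixes, and hold back any prefix
    that overlaps a network we must keep reachable (e.g. our own LAN)."""
    merged = [n for text in feeds for n in parse_feed(text)[0]]
    keep = [ipaddress.IPv4Network(p) for p in protected]
    block, held = [], []
    for net in ipaddress.collapse_addresses(merged):
        (held if any(net.overlaps(k) for k in keep) else block).append(net)
    return block, held

def render_pf_table(nets):
    """One prefix per line, the layout a pf table file accepts."""
    return "".join(f"{n}\n" for n in nets)

if __name__ == "__main__":
    block, held = build_table([SAMPLE_DROP, SAMPLE_BOGONS], ["192.168.10.0/24"])
    print(render_pf_table(block), end="")
    print("held back for review:", [str(n) for n in held])
```

The held-back list matters most with the bogon feed, since it contains private ranges that are legitimate on inside interfaces; review those entries rather than loading them blindly.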
