[Dshield] Database of Known Malicious IP Address/IP Networks

EmmettO@mtp.gov
Tue Aug 6 19:28:34 GMT 2002


Hi,

I am compiling a database of known IP addresses and IP networks that 
generate SPAM and other activities such as port scanning and hacking 
attacks.  I am using the database as a filter for my network.   I was 
wondering if anyone has or knows of a centralized database that keeps a 
record of malicious IPs.

I was researching ways to stop SPAM from entering my company's network, 
and I found a few "reverse-lookup" services that will check to see if the 
sender's IP address is in a list of known open-relay servers, dial-up 
networks or known SPAM servers.   It would be nice to have a copy of their 
IP address database to use for all servers, not just SMTP mail.

Another approach that I have been thinking about is filtering inbound 
traffic based on the country where the source IP address resides.   For 
example, some of the servers that are on my network are only accessed by 
people within Canada and the US.  On occasion, someone needs to access the 
servers from Europe.    I would like to be able to completely block out 
all other countries from accessing the servers directly.   I realize that 
an open-relay proxy server could be used by an attacker to forge his IP 
address, but that can't be stopped too easily. 

I've checked with ARIN.NET, but I haven't been able to get a listing of 
all ISPs in Canada and/or the US.  If I had the listing, I would be able 
to compile a list of all the network addresses, but it would have to be 
maintained constantly as IP addresses are reassigned.

My current practice for blocking SPAM (such as the Nigerian Scam letter) 
is to trace the message to its source and then put the ISP's network block 
in my IP blacklist.   This works well for IP network addresses that are 
not in Canada and do not need to access my network in the foreseeable 
future.

A benefit of only allowing Canadian IP addresses to connect to some of my 
more sensitive servers is that any malicious activity can be traced back 
to its source within Canada.   It will be under Canadian policing 
jurisdiction, so charges can be brought against the person responsible for 
the attacks.   Whereas, if my web server gets hacked and mangled by a 
hacker in the Philippines, there is not much I can do about it.


Does anyone have any opinions on this approach or any suggestions?

Emmett
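The filtering approach the post describes (a blocklist of traced network blocks, a per-country allowlist for sensitive servers, and a few individually approved hosts elsewhere), as an added example that is not part of the original message. The network ranges are constructed RFC 5737 documentation prefixes standing in for real ISP allocations; the country-to-block mapping is an assumption, since the post notes that no such listing was available from ARIN.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for real ISP
# allocations; none of these ranges is an actual spam or scan source.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/25"]      # traced spam / scan sources
COUNTRY_ALLOW = {                                       # hypothetical allocations
    "CA": ["192.0.2.0/25"],
    "US": ["192.0.2.128/25"],
}
HOST_EXCEPTIONS = ["203.0.113.200"]                     # the occasional European user


class SourceFilter:
    """Decide whether a source IP may reach a server, with deny-wins ordering."""

    def __init__(self, blocklist, country_allow, allowed_countries, host_exceptions=()):
        self.block = [ipaddress.ip_network(c) for c in blocklist]
        self.allow = [ipaddress.ip_network(c)
                      for country in allowed_countries
                      for c in country_allow[country]]
        self.exceptions = {ipaddress.ip_address(h) for h in host_exceptions}

    def add_block(self, traced_ip, prefixlen):
        """Add the whole network block around an address traced from a spam
        message, as the post describes (e.g. the ISP's /24 rather than one host)."""
        net = ipaddress.ip_interface(f"{traced_ip}/{prefixlen}").network
        if net not in self.block:
            self.block.append(net)
        return net

    def decision(self, src):
        ip = ipaddress.ip_address(src)
        # 1. A blocklisted network always wins, even over an exception host.
        for net in self.block:
            if ip in net:
                return f"deny:blocklist:{net}"
        # 2. Individually approved hosts outside the allowed countries.
        if ip in self.exceptions:
            return "allow:exception"
        # 3. Only addresses inside the allowed countries' blocks get through.
        for net in self.allow:
            if ip in net:
                return f"allow:country:{net}"
        # 4. Default deny for everything else, including unlisted space.
        return "deny:not-allowlisted"


if __name__ == "__main__":
    f = SourceFilter(BLOCKLIST, COUNTRY_ALLOW, ["CA", "US"], HOST_EXCEPTIONS)
    for src in ["192.0.2.10", "198.51.100.9", "203.0.113.200", "8.8.8.8"]:
        print(src, f.decision(src))
```

The list must still be maintained as allocations change, as the post points out; the blocklist also cannot tell a forged or proxied source from a genuine one.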