[Dshield] Database of Known Malicious IP Address/IP Networks
EmmettO at mtp.gov
Tue Aug 6 19:28:34 GMT 2002
I am compiling a database of known IP addresses and IP networks that
generate SPAM and other activities such as port scanning and hacking
attacks. I am using the database as a filter for my network. I was
wondering if anyone has or knows of a centralized database that keeps a
record of malicious IPs.
I was researching ways to stop SPAM from entering my company's network,
and I found a few "reverse-lookup" services that will check to see if the
sender's IP address is in a list of known open-relay servers, dial-up
networks or known SPAM servers. It would be nice to have a copy of their
IP address database to use for all servers, not just SMTP mail.
Another approach that I have been thinking about is filtering inbound
traffic based on the country where the source IP address resides. For
example, some of the servers that are on my network are only accessed by
people within Canada and the US. On occasion, someone needs to access the
servers from Europe. I would like to be able to completely block out
all other countries from accessing the servers directly. I realize that
an open-relay proxy server could be used by an attacker to forge his IP
address, but that can't be stopped too easily.
I've checked with ARIN.NET, but I haven't been able to get a listing of
all ISPs in Canada and/or the US. If I had the listing, I would be able
to compile a list of all the network addresses, but it would have to be
maintained constantly as IP addresses are reassigned.
My current practice for blocking SPAM (such as the Nigerian Scam letter)
is to trace the message to its source and then put the ISP's network block
in my IP blacklist. This works well for IP network addresses that are
not in Canada and do not need to access my network in the foreseeable
A benefit of only allowing Canadian IP addresses to connect to some of my
more sensitive servers is that any malicious activity can be traced back
to its source within Canada. It will be under Canadian policing
jurisdiction, so charges can be brought against the person responsible for
the attacks. Whereas, if my web server gets hacked and mangled by a
hacker in the Philippines, there is not much I can do about it.
Does anyone have any opinions on this approach or any suggestions?
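As an added illustration of the filtering approach described in the post (not code from the poster or the Dshield list), the script below loads a hand-maintained block list and a country allow list of network blocks, tolerates comments and malformed lines, and applies the precedence the post implies: an explicit block entry wins over the country allow list, and servers flagged sensitive deny everything not on the allow list. All addresses are constructed documentation-range samples, and the allow list is assumed to come from a registry export such as ARIN's.

```python
import ipaddress

# Constructed sample lists (not from the original post).  BLOCKLIST_TEXT plays
# the role of the poster's hand-maintained IP blacklist; ALLOWLIST_TEXT stands
# in for network blocks assumed to be allocated to Canada/US, which in practice
# would come from a registry such as ARIN and would need regular refreshing.
BLOCKLIST_TEXT = """
# traced spam source, added 2002-08-06
203.0.113.0/24
198.51.100.77   # single host, becomes a /32
not-an-ip       # malformed line: counted and skipped, never silently allowed
"""
ALLOWLIST_TEXT = """
192.0.2.0/24
198.51.100.0/24
"""

def parse_networks(text):
    """Parse one network or address per line; ignore blanks and # comments.
    Returns (list of ip_network objects, number of unparseable lines)."""
    nets, bad = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad += 1
    return nets, bad

BLOCKLIST, BLOCK_ERRORS = parse_networks(BLOCKLIST_TEXT)
ALLOWLIST, ALLOW_ERRORS = parse_networks(ALLOWLIST_TEXT)

def decide(src, blocklist=BLOCKLIST, allowlist=ALLOWLIST, sensitive=False):
    """Return ("deny" | "allow", reason) for a source address.
    Precedence: an explicit block entry always wins, then the country allow
    list; a sensitive server denies everything else, while an ordinary
    server falls through to allow (the post only restricts sensitive hosts)."""
    addr = ipaddress.ip_address(src)
    for net in blocklist:
        if addr in net:
            return "deny", f"blocklisted by {net}"
    for net in allowlist:
        if addr in net:
            return "allow", f"allow-listed by {net}"
    if sensitive:
        return "deny", "outside country allow list"
    return "allow", "default for non-sensitive server"
```

Because the block list is checked first, a spam source inside an otherwise allowed Canadian/US block is still rejected, and the error counters let an operator notice when a list refresh produced unparseable entries.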