[Dshield] dshield-based RBLs?

John Hardin johnh at aproposretail.com
Mon Jun 7 21:54:54 GMT 2004

On Mon, 2004-06-07 at 12:05, Johannes B. Ullrich wrote:
> > Comments?
> Well, I am always a bit ambivalent about distributing large
> block lists like this. We do have our (very small) block list.
> I could set up a blocklist as a "trial", and see how it works.

Note: I'm suggesting a DNS RBL, not a static block list. 'course, you
may not appreciate the implied burden of maintaining a DNS farm for
this... :)

> I will also have to check how to best filter such a blocklist.

Agreed. There might be several logical lists, like "NetBIOS sources",
and "worm scanners" (e.g. port 5000 sources). There might also be
minimum desthost counts for inclusion of an IP, and a requirement for
traffic to be seen within the last N days.

> For example, many valid mail servers do attempt auth lookups
> and will show up for blocked port 113 requests. Some mail
> servers are even more aggressive and will scan each host connecting
> to them for open proxies.

True, but I don't think auth requests would be valid for inclusion in an
RBL, and I don't think relay tests on an existing server would either
(though scanning for mail servers might well be a good criterion for

> Have to think about it, but overall, it looks like a lot
> of work to do it right.

Oh, granted. But there are *so* many interesting things you can do with
a big database like you have.

> And there are enough bad RBLs already.

True. Don't forget there are some good ones, too. :)

John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
  ...the Fates notice those who buy chainsaws...
                                             -- www.darwinawards.com
 37 days until Apropos Forum 2004
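Added illustration (not DShield's code and not from this thread) of the inclusion criteria the message proposes: logical lists keyed by destination port, a minimum count of distinct destination hosts, a recency window, and port 113 (auth lookups) left out. The sample reports, the zone name and the thresholds are constructed for the example.

```python
"""Build DNS RBL zone entries from per-source scan reports (example only)."""
from collections import defaultdict
from datetime import date, timedelta
from ipaddress import IPv4Address

TODAY = date(2004, 6, 7)  # constructed "now" for the sample data

# Constructed sample reports: (source_ip, dest_ip, dest_port, date_seen).
SAMPLE_REPORTS = [
    ("198.51.100.7", "203.0.113.1", 137, date(2004, 6, 5)),
    ("198.51.100.7", "203.0.113.2", 137, date(2004, 6, 6)),
    ("198.51.100.7", "203.0.113.3", 137, date(2004, 6, 7)),
    ("198.51.100.9", "203.0.113.1", 5000, date(2004, 6, 7)),   # one desthost only
    ("198.51.100.20", "203.0.113.1", 113, date(2004, 6, 7)),   # auth lookups: skip
    ("198.51.100.20", "203.0.113.2", 113, date(2004, 6, 7)),
    ("198.51.100.20", "203.0.113.3", 113, date(2004, 6, 7)),
    ("198.51.100.33", "203.0.113.1", 5000, date(2004, 4, 1)),  # stale
    ("198.51.100.33", "203.0.113.2", 5000, date(2004, 4, 2)),
    ("198.51.100.33", "203.0.113.3", 5000, date(2004, 4, 3)),
]

# Hypothetical logical lists keyed by port; unmapped ports (113 auth, relay
# tests on an existing mail server) are not RBL-worthy per the thread.
LIST_FOR_PORT = {137: "netbios", 5000: "wormscan"}

def build_rbl(reports, today, min_desthosts=3, max_age_days=7):
    """Return {listname: {source_ip}} for sources meeting both thresholds."""
    targets = defaultdict(set)   # (list, src) -> distinct destination hosts
    last_seen = {}
    for src, dst, port, seen in reports:
        name = LIST_FOR_PORT.get(port)
        if name is None:
            continue
        targets[(name, src)].add(dst)
        last_seen[(name, src)] = max(seen, last_seen.get((name, src), seen))
    cutoff = today - timedelta(days=max_age_days)
    listed = defaultdict(set)
    for key, hosts in targets.items():
        if len(hosts) >= min_desthosts and last_seen[key] >= cutoff:
            listed[key[0]].add(key[1])
    return dict(listed)

def rbl_query_name(ip, zone):
    """DNSBL convention: reversed octets under the zone, e.g. 7.100.51.198.<zone>."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_records(listed, zone="rbl.example.invalid"):
    """One 'A 127.0.0.2' record per listed source in each logical sub-zone."""
    return sorted(f"{rbl_query_name(ip, name + '.' + zone)} A 127.0.0.2"
                  for name, ips in listed.items() for ip in ips)
```

Of the four constructed sources only 198.51.100.7 survives: the port 113 source is never considered, one source hit a single host, and the last aged out of the window.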
