> Aaron Gould wrote :
> I'm really surprised that you all are doing this based on source IP, simply
> because I thought the distribution of botnet members around
> the world were so extensive that I never really thought it possible to
> filter based on sources, if so I'd like to see the list too.
I emailed you. For years I ran it at home on a Cisco 1841, 100,000 BGP prefixes is nothing these days. I am not surprised that Joe pushes that to some CPEs.

> Even so, this would not stop the attacks from hitting my front door, my side
> of my Internet uplink...when paying for a 30 gigs CIR
> and paying double for megabits per second over that, up to the ceiling of 100
> gig every bit that hits my front door over 30 gig
> would cost me extra, remotely triggering based on my victim IP address inside
> my network would be my solution to saving money.

I agree. If you want to get a real use of source blacklisting, to save bandwidth, you probably want to rent a U in a rack at your upstream(s) to block it there. I never did it past 1GE, and I have never measured seriously the bandwidth it would save, would be curious to know. I think the two approaches are complementary to each other though.

Michel.

On Aug 30, 2018, at 6:43 PM, Michel Py <michel...@tsisemi.com> wrote:

>> Joe Maimon wrote :
>> I use a bunch of scripts plus a supervisory sqlite3 database process all
>> injecting into quagga
>
> I have the sqlite part planned, today I'm using a flat file :-( I know :-(
>
>> Also aimed at attacker sources. I feed it with honeypots and live servers,
>> hooked into fail2ban and using independent host scripts. Not very
>> sophisticated, the remotes use ssh executed commands to add/delete. I also
>> setup a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse
>> connectivity.
>
> I would like to have your feed. How many attacker prefixes do you currently
> have ?
>
>> Using flow data, that sounds like an interesting direction to take this
>> into, so thank you!
>
> The one thing we can share here is the attacker prefixes. The victim prefixes
> are unique to each of us but I expect our attacker prefixes to be very close.
>
> Michel.
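The setup Joe describes (host sensors feeding a supervisory sqlite3 process, which in turn injects attacker prefixes into quagga) is easy to picture but the thread never shows it. The following is an added example, not a script from Joe, Michel or this list: it parses fail2ban's default "Ban" log lines, keeps each offending host as a /32 (or /128) row in a sqlite3 table with first/last-seen timestamps, ages rows out after a week, and renders the difference as zebra static `null0` routes to be handed to `vtysh -c`. The sample log lines, the table layout, the one-week TTL, the decision to ignore fail2ban's own "Unban" lines (the blocklist outlives the jail's ban time), and the `ipv6 route ... null0` form are all assumptions; a bgpd `redistribute static` route-map that tags these routes with the upstream's blackhole community is assumed to exist and is not shown.

```python
import ipaddress
import re
import sqlite3
import subprocess

# Constructed sample lines in fail2ban's default log format (not from the thread).
SAMPLE_FAIL2BAN_LOG = """\
2018-08-30 18:43:01,117 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2018-08-30 18:44:12,402 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.25
2018-08-30 18:44:12,403 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 2001:db8::bad
2018-08-30 18:45:00,009 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 198.51.100.7
2018-08-30 18:46:30,550 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
"""

# Only "Ban" lines feed the list; "Unban" is deliberately ignored (assumed policy).
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")

# Assumed table layout: one host route per row, plus which sensor reported it.
SCHEMA = """
CREATE TABLE IF NOT EXISTS attackers (
    prefix     TEXT PRIMARY KEY,  -- e.g. 198.51.100.7/32 or 2001:db8::bad/128
    sensor     TEXT NOT NULL,     -- reporting jail / honeypot name
    first_seen INTEGER NOT NULL,  -- epoch seconds
    last_seen  INTEGER NOT NULL
)
"""
TTL = 7 * 24 * 3600  # assumed policy: forget a source a week after its last report


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def ingest_fail2ban(db, log_text, now):
    """Upsert every banned host as a host prefix; return the prefixes that are new."""
    new = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            host = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address: nothing unparsed may ever reach vtysh
        prefix = f"{host}/{host.max_prefixlen}"
        if db.execute("SELECT 1 FROM attackers WHERE prefix=?", (prefix,)).fetchone():
            db.execute("UPDATE attackers SET last_seen=? WHERE prefix=?", (now, prefix))
        else:
            db.execute("INSERT INTO attackers VALUES (?,?,?,?)",
                       (prefix, m.group("jail"), now, now))
            new.append(prefix)
    db.commit()
    return new


def expire(db, now, ttl=TTL):
    """Drop rows not reported within ttl seconds; return the prefixes removed."""
    cutoff = now - ttl
    stale = [r[0] for r in db.execute(
        "SELECT prefix FROM attackers WHERE last_seen < ?", (cutoff,))]
    db.execute("DELETE FROM attackers WHERE last_seen < ?", (cutoff,))
    db.commit()
    return stale


def _route_stmt(prefix):
    # zebra static blackhole route; the ipv6 variant is an assumption about the
    # installed zebra version.
    family = "ipv6" if ":" in prefix else "ip"
    return f"{family} route {prefix} null0"


def vtysh_commands(added, removed):
    """Render a change set as the sequence of commands to pass to vtysh."""
    cmds = ["configure terminal"]
    cmds += [f"no {_route_stmt(p)}" for p in sorted(removed)]
    cmds += [_route_stmt(p) for p in sorted(added)]
    cmds.append("end")
    return cmds


def vtysh_argv(cmds):
    """Build the argv for one vtysh invocation (vtysh accepts repeated -c)."""
    argv = ["vtysh"]
    for c in cmds:
        argv += ["-c", c]
    return argv


def apply_changes(added, removed, dry_run=True):
    argv = vtysh_argv(vtysh_commands(added, removed))
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    now = 1535676000  # constructed epoch timestamp
    db = open_db()
    added = ingest_fail2ban(db, SAMPLE_FAIL2BAN_LOG, now)
    removed = expire(db, now)
    print(" ".join(apply_changes(added, removed)))
```

The split between `ingest_fail2ban`/`expire` (which only touch the database) and `vtysh_commands`/`apply_changes` (which only turn a change set into commands) is what lets the same change set be shipped to a remote CPE over ssh, as the thread mentions, instead of to the local vtysh: the argv is the same, only the transport differs.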