Re: Need BOGIES list

2005-07-06 Thread trainier

You might start with blacklists. There's a lot of them out there.
http://ahbl.org is one of them.

Geoff White [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/06/2005 02:49 PM

To: nanog@merit.edu
cc:
Subject: Need BOGIES list

Hello All.
I'm having trouble with Cracking Attempts and DoS attacks from a lot of
places in China :)
My client doesn't do any business in that region so they don't mind if I
block the entire sub-continent :)
Does anyone have a bad-guy list (or part of one) that I can use to get
started?
I'm using pf under OpenBSD 3.7 as a firewall box.
E-mailing me off line is fine


geoffw





Re: Need BOGIES list

2005-07-06 Thread Jon Lewis

On Wed, 6 Jul 2005, Geoff White wrote:


> Hello All.
> I'm having trouble with Cracking Attempts and DoS attacks from a lot of
> places in China :)
> My client doesn't do any business in that region so they don't mind if I
> block the entire sub-continent :)
> Does anyone have a bad-guy list (or part of one) that I can use to get
> started?
> I'm using pf under OpenBSD 3.7 as a firewall box.

data from blackholes.us may be useful.  As luck would have it, I can't
load their web page at the moment.

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Need BOGIES list

2005-07-06 Thread Mark Owen

On 7/6/05, Geoff White [EMAIL PROTECTED] wrote:
 
> Hello All.
> I'm having trouble with Cracking Attempts and DoS attacks from a lot of
> places in China :)
> My client doesn't do any business in that region so they don't mind if I
> block the entire sub-continent :)
> Does anyone have a bad-guy list (or part of one) that I can use to get
> started?
> I'm using pf under OpenBSD 3.7 as a firewall box.
> E-mailing me off line is fine
>
> geoffw
 
 
 

DShield is a good one.
http://www.dshield.org/block_list_info.php
-- 
Mark Owen


Re: Need BOGIES list

2005-07-06 Thread william(at)elan.net



On Wed, 6 Jul 2005, Geoff White wrote:


> Hello All.
> I'm having trouble with Cracking Attempts and DoS attacks from a lot of
> places in China :)
> My client doesn't do any business in that region so they don't mind if I
> block the entire sub-continent :)
> Does anyone have a bad-guy list (or part of one) that I can use to get
> started?
>
> I'm using pf under OpenBSD 3.7 as a firewall box.


IP blocks allocated to organizations in various countries (updated daily):
 http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/

Configuring firewall (openbsd way on the bottom, replace bogon example
with appropriate other list you want):
 http://www.completewhois.com/bogons/using_bogon_lists.htm#firewall_examples

CIDR - firewall scripts for some systems (not needed for openbsd which
accepts cidr ip block list directly with pf):
 http://www.completewhois.com/bogons/data/scripts/

P.S. Still looking for somebody to document and if necessary provide 
scripts on how to do it with netbsd, aix, hpux. Volunteers?

(and I'll do solaris myself if I ever get around to it...)

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


RE: Need BOGIES list

2005-07-06 Thread O'Neil,Kevin


I went to http://www.iana.org/assignments/ipv4-address-space and grep-ed
for APNIC (Asia-Pacific Network Information Center) to get the following
list.  For the church email site that I support I block wholesale /8 IP
address ranges.  I assume that for our church we will never get email
from an APNIC site.
 
058/8   Apr 04   APNIC   (whois.apnic.net)
059/8   Apr 04   APNIC   (whois.apnic.net)
060/8   Apr 03   APNIC   (whois.apnic.net)
061/8   Apr 97   APNIC   (whois.apnic.net)
124/8   Jan 05   APNIC   (whois.apnic.net)
125/8   Jan 05   APNIC   (whois.apnic.net)
126/8   Jan 05   APNIC   (whois.apnic.net)
202/8   May 93   APNIC   (whois.apnic.net)
203/8   May 93   APNIC   (whois.apnic.net)
210/8   Jun 96   APNIC   (whois.apnic.net)
211/8   Jun 96   APNIC   (whois.apnic.net)
218/8   Dec 00   APNIC   (whois.apnic.net)
219/8   Sep 01   APNIC   (whois.apnic.net)
220/8   Dec 01   APNIC   (whois.apnic.net)
221/8   Jul 02   APNIC   (whois.apnic.net)
222/8   Feb 03   APNIC   (whois.apnic.net)

Here is my procmail recipe if that helps:

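# Discard any message with a Received: header naming a relay in the /8s above.
:0 H
* ^Received:.*\[(58\.|59\.|60\.|61\.|\
124\.|125\.|126\.|\
202\.|203\.|\
210\.|211\.|\
218\.|219\.|\
220\.|221\.|222\.)
{
 # a nesting block holds recipes, so the delivery needs its own ":0" line
 :0
 /dev/null
}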

...Kevin O'Neil
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Geoff White
Sent: Wednesday, July 06, 2005 2:50 PM
To: nanog@merit.edu
Subject: Need BOGIES list


Hello All.
I'm having trouble with Cracking Attempts and DoS attacks from a lot of
places in China :)
My client doesn't do any business in that region so they don't mind if I
block the entire sub-continent :)
Does anyone have a bad-guy list (or part of one) that I can use to get
started?
I'm using pf under OpenBSD 3.7 as a firewall box.
E-mailing me off line is fine


geoffw



RE: Need BOGIES list

2005-07-06 Thread Mark Foster


> I went to http://www.iana.org/assignments/ipv4-address-space and grep-ed
> for APNIC (Asia-Pacific Network Information Center) to get the following
> list.  For the church email site that I support I block wholesale /8 IP
> address ranges.  I assume that for our church we will never get email
> from an APNIC site.


*snip*

Great, if you intend to never correspond with 202/8, 203/8 and 210/8 you
just nuked most of New Zealand and a lot of Australia at the same time.

You might find that being a _tad_ more specific is useful. Believe it or
not, there's a lot of legit business conducted between Australasia and the
rest of the world...

Mark.

(Who has historically had a LOT of trouble convincing some providers that
denying comms with New Zealand is a good way to get a whole nation up in
arms, especially if you're a big name telco in the US who is dropping IP
from a big name telco here...)




RE: Need BOGIES list

2005-07-06 Thread Mark Foster


>> I went to http://www.iana.org/assignments/ipv4-address-space and grep-ed
>> for APNIC (Asia-Pacific Network Information Center) to get the following
>> list.  For the church email site that I support I block wholesale /8 IP
>> address ranges.  I assume that for our church we will never get email
>> from an APNIC site.
>
> *snip*
>
> Great, if you intend to never correspond with 202/8, 203/8 and 210/8 you
> just nuked most of New Zealand and a lot of Australia at the same time.
>
> You might find that being a _tad_ more specific is useful. Believe it or
> not, there's a lot of legit business conducted between Australasia and the
> rest of the world...
>
> Mark.


Sorry for replying again, but a quick google revealed this:

http://www.okean.com/asianspamblocks.html
(note the paragraph recommending not blocking greater than /16 at a time)

And more specifically:

http://www.okean.com/china.html

This is probably what you're after, if you wish to block only China.

Mark.
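
Added example, not code from any poster in this thread: a pre-load check for a country or blocklist CIDR file that refuses anything broader than /16 (the limit mentioned above), rejects malformed entries, and merges adjacent prefixes before writing a file pf can read as a table. The function names, the sample list, and the table name and path in the note are assumptions made for illustration.

```python
import ipaddress

MAX_WIDTH = 16  # widest prefix accepted, per the "/16 at a time" note above

# Constructed sample input, not a real blocklist (documentation ranges plus
# the 202/8 entry discussed in the thread).
SAMPLE = """\
# country list, one CIDR per line
202.0.0.0/8
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
192.0.2.77/24
not-a-prefix
"""


def build_table(text, max_width=MAX_WIDTH):
    """Return (accepted, rejected) for a CIDR list.

    accepted: collapsed, sorted IPv4Network objects.
    rejected: (entry, reason) pairs, in input order, for a human to review.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:  # bad syntax, or host bits set
            rejected.append((entry, str(exc)))
            continue
        if net.prefixlen < max_width:
            rejected.append((entry, f"broader than /{max_width}"))
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected


def render_pf_table(networks):
    """One CIDR per line, the format a pf 'table ... persist file' reads."""
    return "".join(f"{net}\n" for net in networks)


if __name__ == "__main__":
    accepted, rejected = build_table(SAMPLE)
    print(render_pf_table(accepted), end="")
    for entry, reason in rejected:
        print(f"# rejected {entry}: {reason}")
```

On the pf side the output file would be loaded with something like `table <blocked> persist file "/etc/pf.blocked"` and a `block in quick from <blocked>` rule; the table name and path here are placeholders.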