Joe St Sauver wrote:
What's really needed is some way to take open proxy DNSBL data and instantiate a dump of that data onto a suitable appliance. It is probably too much state to burden a reasonable sized border route with, but you could imagine other devices that could probably handle it (at least for moderate speed flows), much as there are currently middle boxes which rip open packets to target peer to peer traffic.
Along those lines, I have been running an ACL-based spam blocker at ingress for a little over six months, but it has really surpassed the manageable level for many devices. To put this in perspective, we use a feed from SPEWS level 1 data, current DShield block list, and some manual black/whitelist data, shove it through a perl script, and produce a TFTPable config file which is then 'config net'ed into our edge devices. The last few days of SPEWS data varies around 14000 lines (mix of CIDR blocks and individual hosts), currently 2400 lines in our local additions, yielding a merged ACL (with ingress blocks, bogons, Dshield blocks, and anti-spam) of ~15800 lines (~603kB). With 'service compress-config' enabled, this fits into a 3640 and doesn't kill it in the process (8xT1s). It overflows TCAM on a 6509 and forces process switching in the ingress direction, but otherwise works (1xGigE, 2x100FE). On the other hand, NJABL.ORG lists 255K open relays, 170K open proxies, and a spattering of dialups and other listings. This is way beyond ACLs that I could even imagine thinking about :-) Jeff