On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
Has anyone created an RBL, much like (possibly) the BOGON list which includes the IP addresses of hosts which seem to be "infected" and are attempting to brute-force SSH/HTTP, etc?
It would be fairly easy to setup a dozen or more honeypots and examine the logs in order to create an initial list.
A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such, there's 2 questions: 1) How important is it that you not false-positive an IP that's listed because some *previous* owner of the address was pwned? 2) How important is it that you even accept connections from *anywhere* in that DHCP block? (Note that there *are* fairly good RBL's of DHCP/dsl/cable blocks out there. So it really *is* a question of why those aren't suitable for use in your application...)