Valdis.Kletnieks@vt.edu wrote:
On Thu, 15 Feb 2007 11:30:34 EST, Drew Weaver said:
Has anyone created an RBL, much like (possibly) the BOGON list which includes the IP addresses of hosts which seem to be "infected" and are attempting to brute-force SSH/HTTP, etc?
It would be fairly easy to set up a dozen or more honeypots and examine the logs in order to create an initial list.
A large percentage of those bots are in DHCP'ed cable/dsl blocks. As such, there's 2 questions:
1) How important is it that you not false-positive an IP that's listed because some *previous* owner of the address was pwned?
2) How important is it that you even accept connections from *anywhere* in that DHCP block?
That depends... Do you sell "Internet service" to your customers or something else? If the former, then they're actually paying to receive connections from anywhere...
(Note that there *are* fairly good RBLs of DHCP/dsl/cable blocks out there. So it really *is* a question of why those aren't suitable for use in your application...)