[Firehol-devs] blocklists

Tsaousis, Costa costa at tsaousis.gr
Mon May 25 01:25:00 CEST 2015


Hi again,

update-ipsets.sh is now able to compare the blocklists with each other.
Check the comparison results at the bottom of
https://github.com/ktsaou/blocklist-ipsets

Costa


On Sat, May 23, 2015 at 7:08 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
>
> update-ipsets.sh is now able to download, parse and update (while the
> firewall is running) the free MaxMind Geolite2 Country Database.
>
> I have also included it in the https://github.com/ktsaou/blocklist-ipsets repo.
>
> Direct link to geolite2 ipsets here:
> https://github.com/ktsaou/blocklist-ipsets/tree/master/geolite2_country
>
> Costa
>
>
> On Sun, May 17, 2015 at 11:16 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>> Hi all,
>>
>> Recently I faced quite a challenge: 37.500 IPs from all over the world
>> were attacking my servers for 2 weeks. It was a challenge because all
>> the requests these IPs did were legitimate. They were not trying to
>> damage or take control of anything. Each IP was used just a few times
>> per day, to remain unnoticed. It was very hard to pinpoint them, to
>> separate the attack from the normal traffic.
>>
>> Anyway, I managed to block them. Actually I had them blocked for 4
>> days and then, suddenly they stopped...
>>
>> What I found in the process is that the attackers were using open
>> proxies, command and control compromised hosts, and who knows what
>> else, to synchronize the attack.
>>
>> Another interesting observation is that their IPs seem to have a large
>> overlap with anti-spam blacklists. They seem to be using the same
>> hosts for both spamming and web attacks.
>>
>> In the last few days, I tried to extend update-ipsets.sh a lot. I
>> think I have now included in it all the freely available IP
>> blocklists. If you find any missing, please send me a note to add it.
>>
>> I have also created a new github repo at
>> https://github.com/ktsaou/blocklist-ipsets which is automatically
>> updated by my update-ipsets.sh. This repo mirrors all the blocklists I
>> found and also generates a nice table at the bottom of the page, with
>> some facts and info about each list.
>>
>> Normally, as a FireHOL v3 user you don't need to use this repo.
>> update-ipsets.sh generates all the ipsets from scratch, so it can do
>> it for you too, on your servers.
>>
>> Unfortunately, there are a lot of very useful blacklists that are only
>> available as a DNSBL, not as a data feed. DNSBL is mainly for
>> anti-spam, but as I said above, web attackers are using the exact same
>> hosts for web attacks and forum spam. I tried contacting several
>> DNSBLs for releasing their IP lists, without a positive response so
>> far.
>>
>> Anyway, I hope you will find all these useful. If you have any
>> suggestions, please let me know.
>>
>> Costa
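The comparison Costa describes (how many addresses two blocklists share, and what share of each list that is) can be reproduced offline. The script below is an added example written for this page, not code from update-ipsets.sh or the blocklist-ipsets repository. It assumes the plain ipset/netset text format of one IP or CIDR per line with `#` comments, collapses each list to unique address space first (so a /26 nested inside a /25 is not double counted), and then intersects the two lists; the sample lists are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample lists (RFC 5737 documentation ranges), not real blocklist data.
SPAM_LIST = """\
# constructed "anti-spam" style list
192.0.2.0/24
198.51.100.10
198.51.100.11
203.0.113.0/25
203.0.113.64/26   # nested inside the /25 above; must not be counted twice
"""

WEBATTACK_LIST = """\
# constructed "web attackers" style list
192.0.2.128/25
198.51.100.10
203.0.113.200
"""


def _collapse(nets: List[ipaddress._BaseNetwork]) -> List[ipaddress._BaseNetwork]:
    """Merge overlapping/adjacent networks, per IP version (mixing versions raises)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def parse_ipset(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse ipset/netset text: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in a prefix (e.g. 10.1.2.3/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return _collapse(nets)


def count_ips(nets: List[ipaddress._BaseNetwork]) -> int:
    """Number of unique addresses covered by an already collapsed list."""
    return sum(n.num_addresses for n in nets)


def overlap(a: List[ipaddress._BaseNetwork],
            b: List[ipaddress._BaseNetwork]) -> List[ipaddress._BaseNetwork]:
    """Intersection of two collapsed lists. Two CIDR blocks that overlap always
    nest, so the more specific one (longer prefix) is exactly the intersection."""
    common = []
    for x in a:
        for y in b:
            if x.overlaps(y):
                common.append(x if x.prefixlen >= y.prefixlen else y)
    return _collapse(common)


def compare(text_a: str, text_b: str) -> Dict[str, float]:
    """Overlap statistics in the spirit of the blocklist-ipsets comparison table."""
    a, b = parse_ipset(text_a), parse_ipset(text_b)
    common = overlap(a, b)
    a_ips, b_ips, c_ips = count_ips(a), count_ips(b), count_ips(common)
    return {
        "a_ips": a_ips,
        "b_ips": b_ips,
        "common_ips": c_ips,
        "pct_of_a": round(100.0 * c_ips / a_ips, 1) if a_ips else 0.0,
        "pct_of_b": round(100.0 * c_ips / b_ips, 1) if b_ips else 0.0,
    }


if __name__ == "__main__":
    stats = compare(SPAM_LIST, WEBATTACK_LIST)
    print(f"list A: {stats['a_ips']} unique IPs, list B: {stats['b_ips']} unique IPs")
    print(f"common: {stats['common_ips']} IPs "
          f"({stats['pct_of_a']}% of A, {stats['pct_of_b']}% of B)")
```

Counting unique addresses rather than lines is what makes the percentages meaningful: a list with a handful of wide prefixes can cover far more address space than a list with thousands of single IPs, and nested entries would otherwise inflate the totals.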

