costa at tsaousis.gr
Sun May 17 21:16:21 BST 2015
Recently I faced quite a challenge: 37.500 IPs from all over the world
were attacking my servers for 2 weeks. It was a challenge because all
the requests these IPs did were legitimate. They were not trying to
damage or take control of anything. Each IP was used just a few times
per day, to remain unnoticed. It was very hard to pinpoint them, to
separate the attack from the normal traffic.
Anyway, I managed to block them. Actually I had them blocked for 4
days and then suddenly they stopped...
What I found in the process is that the attackers were using open
proxies, command and control compromised hosts, and who knows what
else, to synchronize the attack.
Another interesting observation is that their IPs seem to have a large
overlap with anti-spam blacklists. They seem to be using the same
hosts for both spamming and web attacks.
In the last few days, I tried to extend update-ipsets.sh a lot. I
think I have now included in it all the freely available IP
blocklists. If you find any missing, please send me a note to add it.
I have also created a new github repo at
https://github.com/ktsaou/blocklist-ipsets which is automatically
updated by my update-ipsets.sh. This repo mirrors all the blocklists I
found and also generates a nice table at the bottom of the page, with
some facts and info about each list.
Normally, as a FireHOL v3 user you don't need to use this repo.
update-ipsets.sh generates all the ipsets from scratch, so it can do
it for you too, on your servers.
Unfortunately, there are a lot of very useful blacklists that are only
available as a DNSBL, not as a data feed. DNSBL is mainly for
anti-spam, but as I said above, web attackers are using the exact same
hosts for web attacks and forum spam. I tried contacting several
DNSBLs for releasing their IP lists, without a positive response so
Anyway, I hope you will find all these useful. If you have any
suggestions, please let me know.
More information about the Firehol-devs
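Added example, not part of the post and not code from FireHOL or update-ipsets.sh: the two observations above (each IP used only a few times per day, and the overlap with blocklists) can be checked with a small script that parses a netset in the FireHOL one-entry-per-line format and matches low-rate clients from a web log against it. The log entries, the netset contents and the `max_per_day` threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample netset in FireHOL style: one IP or CIDR per line, '#' comments.
BLOCKLIST_NETSET = """\
# constructed sample, not a real feed
203.0.113.0/24
198.51.100.7
"""

# Constructed access-log entries as (day, client IP); a real log is parsed first.
ACCESS_LOG = [
    ("2015-05-10", "203.0.113.5"), ("2015-05-10", "203.0.113.5"),
    ("2015-05-10", "198.51.100.7"), ("2015-05-11", "203.0.113.9"),
    ("2015-05-11", "192.0.2.44"),  ("2015-05-11", "192.0.2.44"),
    ("2015-05-11", "192.0.2.44"),  ("2015-05-11", "192.0.2.44"),
    ("2015-05-11", "192.0.2.44"),  ("2015-05-11", "192.0.2.44"),
    ("2015-05-12", "192.0.2.8"),
]

def load_netset(text):
    """Parse netset text (IPs or CIDRs, '#' comments) into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def low_rate_clients(log, max_per_day):
    """IPs whose request count never exceeds max_per_day on any single day."""
    per_day = Counter((day, ip) for day, ip in log)
    peak = defaultdict(int)
    for (day, ip), n in per_day.items():
        peak[ip] = max(peak[ip], n)
    return {ip for ip, n in peak.items() if n <= max_per_day}

def blocklist_overlap(ips, nets):
    """Split ips into (listed, unlisted) according to the netset ranges."""
    listed = {ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in nets)}
    return listed, set(ips) - listed

if __name__ == "__main__":
    nets = load_netset(BLOCKLIST_NETSET)
    quiet = low_rate_clients(ACCESS_LOG, max_per_day=3)
    listed, unlisted = blocklist_overlap(quiet, nets)
    print(f"low-rate clients: {len(quiet)}, already on blocklist: {len(listed)}")
    print("unlisted low-rate clients to review:", sorted(unlisted))
```

The unlisted set is the part that needs a closer look; the listed fraction is the overlap the post describes.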