My next class:
Network Monitoring and Threat Detection In-Depth, Singapore, Nov 18th - Nov 23rd 2024

Suspending Suspicious Domain Feed / Update to Researcher IP Feed

Published: 2020-06-04. Last Updated: 2020-06-04 11:57:07 UTC
by Johannes Ullrich (Version: 1)

Yesterday, Peter from DNSFilter sent us a message noting that many of the domains in our "Suspicious Domain" feed no longer resolved, and that some of the feeds we used as input were no longer maintained. After investigating, I have to agree with him. The remaining inputs no longer add up to a valuable service. The idea of the "Suspicious Domain" list was to aggregate different lists, but with essentially only 1 or 2 lists left, that no longer makes sense, and I decided to stop maintaining the feed until we find new inputs. The respective files will still be offered, but they are empty, so as not to break any existing scripts that use them (they are quite popular).

Recently, I also talked about our API feature to retrieve IP addresses used by researchers scanning the Internet. Yesterday I added about 150 IPs used by security.ipip.net. See https://isc.sans.edu/api/threatcategory/research

Please keep the feedback coming. I am always interested in improving the quality of our data.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


Comments

I have a nice fail2banish script that runs on my router that kills all of the nonsense related to port scanning for the most part.

It is a mix of iptables logging of rejected packets, dmesg output, parsing with grep, and processing with a PHP file for databasing the rejected IP addresses, and finally adding the /24-masked IP address to an ipset list and a restore file for restoring on reboot.

It has solved most of the port scanning issues, but I have to say I still see thousands of scanning attempts per day, not sure if that is related to my subnet (a high tier FiOS Backbone) or my DNS name.
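The pipeline this commenter describes (netfilter LOG lines, source extraction, /24 aggregation, an ipset restore file) written out as an added example; this is not the commenter's script nor any ISC code. The log lines, the set name `scanners`, the port threshold and the helper names are constructed for illustration, and the `exclude` parameter marks where a list of known research scanners, such as the feed the diary mentions, can be applied before blocking.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of kernel log lines as written by an iptables LOG rule
# using --log-prefix "REJECT: " (RFC 5737 documentation addresses only).
SAMPLE_LOG = """\
[1001.1] REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[1001.2] REJECT: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TTL=240 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[1001.3] REJECT: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=40 TTL=52 ID=3 PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
[1001.4] REJECT: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TTL=52 ID=4 PROTO=UDP SPT=51001 DPT=161 LEN=40
[1001.5] REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.5 LEN=40 TTL=64 ID=5 PROTO=TCP SPT=33000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[1001.6] REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.5 LEN=40 TTL=64 ID=6 PROTO=TCP SPT=33001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[1001.7] REJECT: IN=eth0 OUT= SRC=192.0.2.1 DST=198.51.100.5 LEN=84 TTL=55 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
[1001.8] eth0: link is up
"""

# Fields of the netfilter LOG format we care about; ICMP lines carry no DPT and are skipped.
LOG_RE = re.compile(r"SRC=(?P<src>[0-9.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_rejects(text):
    """Yield (source_ip, protocol, destination_port) for every line with LOG fields."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def scanning_nets(text, min_ports=3, exclude=frozenset()):
    """Return {"/24 network": hit_count} for /24s whose hosts probed >= min_ports
    distinct ports. Sources in `exclude` (e.g. known research scanners) are ignored.
    Note that a /24 block also covers neighbours that never scanned you."""
    ports, hits = defaultdict(set), Counter()
    for src, _proto, dpt in parse_rejects(text):
        if src in exclude:
            continue
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        ports[net].add(dpt)
        hits[net] += 1
    return {str(n): hits[n] for n in ports if len(ports[n]) >= min_ports}


def ipset_restore(nets, setname="scanners"):
    """Build the body of an `ipset restore` file that recreates the set after a reboot."""
    lines = [f"create {setname} hash:net family inet -exist"]
    lines += [f"add {setname} {n} -exist" for n in sorted(nets)]
    return "\n".join(lines) + "\n"
```

Feed real `dmesg` or journal output into `scanning_nets` and write `ipset_restore(...)` to the file you load with `ipset restore` at boot.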
I am on a fiber network in Europe, lowest speed available is 100/100 Mbit.

I get only around 25 different IPs trying to login to my cert-only SSH server.

12 are 141.98.(81|9).*
4 are 85.209.0.*

The rest only have 1-2 attempts per IP address, and the IP addresses are widely spaced.
