
SANS ISC InfoSec Handlers Diary Blog



Blacklisting Bad Apples (no not the i kind)

Published: 2007-08-31
Last Updated: 2007-08-31 13:18:24 UTC
by Handlers (Version: 2)
0 comment(s)

We regularly have readers inquire about recommendations for filtering bad IPs, networks, or, in the worst case, regions or entire countries. When used properly, blacklisting/watchlisting can provide enormous benefits; however, using stale or inaccurate lists or employing heavy-handed tactics like filtering out continents can stifle communications and affect commerce in hard-to-foresee ways. Except for very specific cases, like a parts distributor that only services customers in one region and therefore may not need to allow inbound access from across the globe, blacklists need to be approached with caution.

A good example of a blacklist gone bad is the still unresolved issues with APEWS and the senseless fallout their practices have caused:

http://isc.sans.org/diary.html?storyid=3189

There are a number of high-quality feeds out there providing granular (and fresh) blocking or alerting capability and there are times where such filters may prove to be highly appropriate and useful. We see IP addresses and entire netblocks never leaving the Top 10 offender lists for things like command and control, call-homes, and malware download sites.

We'd like to take this opportunity to point folks at a drop list they might not have seen before. The goal here is to highlight a few of these bad apple netblocks that sites not already leveraging this list might find useful in systems which provide alerting or filtering capabilities, as appropriate (your mileage may vary, and the use of any "feed" should be evaluated first).

http://www.spamhaus.org/drop/drop.lasso

Now for a few gems from the list that some will recognize right away and others will see the light on after a brief Google or diary search:

Russian Business Network:

81.95.144.0/20  #SBL43489
(81.95.144.0 - 81.95.159.255)

Nevacon:

194.146.204.0/22  #SBL51152
(194.146.204.0 - 194.146.207.255)

Intercage:

85.255.112.0/20  #SBL36702
(85.255.112.0 - 85.255.127.255)


A good place to start is to search your proxy logs for IPs in these ranges and pay particular attention to the query strings. Anything like "port=12345", for example, might be worth following up by looking at port 12345 on that client machine.
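As an added example (not part of the original diary), the following Python script performs that proxy-log search offline: it flags requests whose destination falls within the three netblocks quoted above and pulls out any "port=" values from the query string so the client can be checked. The Squid-style access.log lines and the 10.x client addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# The three netblocks quoted in the diary from the Spamhaus DROP list.
DROP_NETS = {
    "Russian Business Network": ipaddress.ip_network("81.95.144.0/20"),
    "Nevacon": ipaddress.ip_network("194.146.204.0/22"),
    "Intercage": ipaddress.ip_network("85.255.112.0/20"),
}

# Constructed Squid-style access.log lines: timestamp, elapsed ms, client,
# result, bytes, method, URL, user, hierarchy/peer, content type.
# Only the client IP (3rd field) and URL (7th field) are used below.
SAMPLE_LOG = """\
1188561600.123 45 10.1.2.3 TCP_MISS/200 512 GET http://81.95.150.10/cb.php?id=7&port=12345 - DIRECT/81.95.150.10 text/html
1188561601.456 30 10.1.2.4 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1188561602.789 22 10.1.2.5 TCP_MISS/200 256 GET http://194.146.205.77/x?port=31337&v=2 - DIRECT/194.146.205.77 text/plain
1188561603.012 19 10.1.2.3 TCP_MISS/200 128 GET http://85.255.120.5/dl.exe - DIRECT/85.255.120.5 application/octet-stream
"""

def match_drop(host):
    """Return the label of the DROP netblock containing host, or None.
    Non-IP hostnames (DNS names) never match, since the list is IP-based."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    for label, net in DROP_NETS.items():
        if ip in net:
            return label
    return None

def scan_proxy_log(text):
    """Return (client, dest_ip, label, ports) tuples for every request whose
    destination is inside a DROP netblock; ports holds numeric port= values
    from the query string, which the diary suggests checking on the client."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, url = fields[2], fields[6]
        parsed = urlparse(url)
        label = match_drop(parsed.hostname)
        if label is None:
            continue
        ports = [p for p in parse_qs(parsed.query).get("port", []) if p.isdigit()]
        hits.append((client, parsed.hostname, label, ports))
    return hits

if __name__ == "__main__":
    for client, dest, label, ports in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {dest} [{label}] port= {ports or '-'}")
```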

[Note: There are many other dynamic blacklists out there from volunteers and companies which are excellent. The goal here was to highlight the list of fairly static bad apple netblocks and the possible benefits of not allowing traffic to or from them.]

The Handlers
