Blocklisting Bad Apples (no, not the i kind)
We regularly have readers inquire about recommendations for filtering bad IPs, networks, or, in the worst case, regions or entire countries. When used properly, blocklisting/watchlisting can provide enormous benefits; however, using stale or inaccurate lists, or employing heavy-handed tactics like filtering out continents, can stifle communications and affect commerce in hard-to-foresee ways. Except for very specific cases, like a parts distributor that only services customers in one region and therefore may not need to allow inbound access from across the globe, blocklists need to be approached with caution.
A good example of a blocklist gone bad is the still-unresolved set of issues with APEWS and the senseless fallout its practices have caused:
http://isc.sans.org/diary.html?storyid=3189
There are a number of high-quality feeds out there providing granular (and fresh) blocking or alerting capability, and there are times when such filters may prove highly appropriate and useful. We see IP addresses and entire netblocks that never leave the Top 10 offender lists for things like command and control, call-homes, and malware download sites.
We'd like to take this opportunity to point folks at a drop list they might not have seen before. The goal here is to highlight a few of these bad-apple netblocks; sites not already leveraging this list might find them useful in systems that provide alerting or filtering capabilities, as appropriate (your mileage may vary, and the use of any "feed" should be evaluated first):
http://www.spamhaus.org/drop/drop.lasso
Now for a few gems from the list; some will recognize them right away, and others will see the light after a brief Google or diary search:
Russian Business Network:
81.95.144.0/20  #SBL43489
(81.95.144.0 - 81.95.159.255)
Nevacon:
194.146.204.0/22  #SBL51152
(194.146.204.0 - 194.146.207.255)
Intercage:
85.255.112.0/20  #SBL36702
(85.255.112.0 - 85.255.127.255)
A good place to start is to search your proxy logs for IPs in these ranges, for example, and pay particular attention to query strings. Anything like a "port=12345" might make it worth looking into port 12345 on that client machine.
[Note: There are many other dynamic blocklists out there, from volunteers and companies, which are excellent. The goal here was to highlight a list of fairly static bad-apple netblocks and the possible benefits of not allowing traffic to or from them.]
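As an added example (not code from the original diary), here is a small Python script that applies the check described above to a few constructed proxy log lines: it flags any destination that falls inside the three netblocks listed and pulls a "port=NNNN" hint out of the query string so the client machine can be followed up on. The log layout is an assumption; adapt the regular expression to whatever your proxy actually writes.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The three netblocks called out in the diary, with their Spamhaus SBL ids.
DROP_NETS = {
    "Russian Business Network (SBL43489)": ipaddress.ip_network("81.95.144.0/20"),
    "Nevacon (SBL51152)": ipaddress.ip_network("194.146.204.0/22"),
    "Intercage (SBL36702)": ipaddress.ip_network("85.255.112.0/20"),
}
# Assumed (hypothetical) proxy log layout: "<timestamp> <client_ip> <method> <url> <dest_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
def match_drop(dest_ip):
    """Return the label of the DROP netblock containing dest_ip, or None."""
    addr = ipaddress.ip_address(dest_ip)
    for label, net in DROP_NETS.items():
        if addr in net:
            return label
    return None

def port_hint(url):
    """Return the integer value of a 'port=NNNN' query parameter, if present."""
    for value in parse_qs(urlsplit(url).query).get("port", []):
        if value.isdigit():
            return int(value)
    return None

def scan_proxy_log(lines):
    """Return (client_ip, dest_ip, label, port_hint) for every hit against DROP_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _ts, client_ip, _method, url, dest_ip = m.groups()
        label = match_drop(dest_ip)
        if label:
            hits.append((client_ip, dest_ip, label, port_hint(url)))
    return hits

# Constructed sample log lines (not real traffic); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
1190000001.123 10.1.2.3 GET http://www.example.com/index.html 192.0.2.10
1190000002.456 10.1.2.7 GET http://81.95.150.10/cgi/ping.php?id=7&port=12345 81.95.150.10
1190000003.789 10.1.2.9 POST http://194.146.205.4/up.php 194.146.205.4
""".splitlines()
if __name__ == "__main__":
    for client, dest, label, port in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {dest} [{label}] query port hint: {port}")
```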
The Handlers