[Gllug] iptables with 1000s of IP addresses

Richard Jones rich at annexia.org
Sun Dec 28 19:55:11 UTC 2008


On Sun, Dec 28, 2008 at 07:18:35PM +0000, Daniel P. Berrange wrote:
> On Sun, Dec 28, 2008 at 05:51:25PM +0000, Richard Jones wrote:
> > I've been slowly adding the IP addresses of people who (try to) add
> > comment spam to my sites to a big IP drop list.  Currently each IP in
> > the list is just added to a DROP rule in the INPUT table.
> > 
> > The list hit the 1000 mark recently (in fact, 1221 addresses right
> > now) and is growing at ~ 50 new addresses / day.
> 
> How long do you see repeat hits from the same IP address for ?

Yeah, I've kept all the stats, including the date that IP addresses
were first added, and logs for each subsequent dropped packet.  I was
hoping that a technique like Mark and Recapture
(https://secure.wikimedia.org/wikipedia/en/wiki/Mark_and_recapture)
could be used to estimate the size of the botnet.  So far I haven't
actually got around to doing that analysis ...

> Assuming the spammers are using a botnet of compromised windows
> machines, then I'd expect the machines get re-installed after a
> while.  So perhaps if you didn't see any hits from an IP address for
> 14 days, you could remove it from the block-list, and hopefully get
> the number of IP addresses to reach a steady-state ?

And also there's the problem that someone's grandma's compromised
Windoze PC is likely on a dynamic IP address, so periodically
reappears.

There's a huge amount of interesting stuff to be written about these
botnets, including how clever the command structure is, versus how
stupid the users (ie. spammers) who use it are.  For example: the
botnet is capable of making multi-stage requests from multiple IP
addresses separated by thousands of miles, passing the cookie from one
request to the next correctly, in sub-second times.  For example(2):
one spammer has been trying to post the same message for weeks, where
all the URLs are (obviously) malformed and wouldn't work, so the spam
has no purpose whatsoever.

Rich.

-- 
Richard Jones
Red Hat
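The two ideas in this exchange, expiring addresses that have not hit the DROP rule for 14 days and a mark-and-recapture (Lincoln-Petersen) estimate of the botnet size, as an added Python example that is not code from anyone in the thread. The log line format, the SPAMDROP log prefix, the dates and the addresses are constructed; a real iptables LOG rule would need a `--log-prefix` and syslog timestamps have no year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the date each address was added to the drop list.
BLOCKLIST_ADDED = {
    "192.0.2.5": "2008-11-01",
    "198.51.100.7": "2008-12-01",
    "203.0.113.9": "2008-12-20",
}

# Constructed sample of kernel LOG output (ISO timestamps for simplicity).
DROP_LOG = """\
2008-11-02T08:00:00 kernel: SPAMDROP IN=eth0 SRC=192.0.2.5 DST=10.0.0.1 PROTO=TCP DPT=80
2008-12-03T09:15:00 kernel: SPAMDROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP DPT=80
2008-12-26T11:30:00 kernel: SPAMDROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP DPT=80
2008-12-27T12:00:00 kernel: SPAMDROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"^(\S+) kernel: SPAMDROP .*?\bSRC=(\S+)")

def last_seen(log_text, added):
    """Latest activity per blocked address: its add date, or its last dropped packet."""
    seen = {ip: datetime.fromisoformat(d) for ip, d in added.items()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in seen and ts > seen[ip]:
            seen[ip] = ts
    return seen

def expired(log_text, added, now, idle_days=14):
    """Addresses with no dropped packet in the last idle_days (now is ISO date)."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=idle_days)
    return sorted(ip for ip, ts in last_seen(log_text, added).items() if ts < cutoff)

def unblock_commands(ips, chain="INPUT"):
    """Shell commands that remove the per-address DROP rules (not executed here)."""
    return [f"iptables -D {chain} -s {ip} -j DROP" for ip in ips]

def lincoln_petersen(first, second):
    """Mark-and-recapture estimate: N ~= n1 * n2 / m, with m the addresses seen in both samples."""
    m = len(first & second)
    return None if m == 0 else len(first) * len(second) / m
```

Two sets of source addresses taken from two separate log windows serve as the "marked" and "recaptured" samples for `lincoln_petersen`; the estimate only holds if the botnet does not churn much between the windows, which dynamic addressing undermines.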
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug