[Gllug] Lists of bad IPs?

Alistair Mann gllug at lgeezer.net
Sun Sep 14 23:04:23 UTC 2008

Richard Jones wrote:
> So ... What is the current state of databases of "bad" IPs?  I'm aware
> of DenyHosts but they seem to concentrate on port 22, and in any case
> I'm suspicious of their policies for adding IPs and you can't just
> download the list.

Which would seem to make sense -- Alice would know instantly were one 
her zombies on the list, and instruct it to forgoe attacks. When the 
zombie came off the list, the attacks could then resume. This would give 
her zombie an effective operational window the size and period of the IP 
list update cycle.  By not making the list downloadable, the zombie 
cannot help but constantly reveal its presence, and thus give it no 
operational period other than its first.

> Are there any others?  Anyone yet doing a reputation / voting system
> for bad IPs, across a wide range of suspicious activity?  What, if
> anything, are people using?

tail and -j DENY, personally. I'm not sure what I would do with a 
blackhole of IP addresses ... I can imagine worst cases though. What if, 
for instance, someone tried to access a domestic violence forum for 
support from an unwittingly infected machine? Presumably you too would 
err on the site of openness, and use some additional measure. But then, 
why not just use the additional measure on its own, when the IP address 
alone is not necessarily conclusive as to malintent? The so-called 
reCaptcha is an interesting alternative measure -- catch the cheats and 
digitise books all in one!

Alistair Mann

Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list