Currently we have 3 RBLDNS-Server which have the Attacker-IPs listen from the last 48 Hours after the last Attack in some Categories:

Name / URL Description / Content
apache.bl.blocklist.de Apache, RFI, w00tw00t, SQL-Injection, Forum-Spam + http://honeystats.info/
bruteforcelogin.bl.blocklist.de All IPs, which attacks Joomla, WordPress and other Web-Logins with Brute-Force
bl.blocklist.de All IP-Addresses (all Services)
all.bl.blocklist.de All IP-Addresses (all Services)
ftp.bl.blocklist.de FTP -> only IP’s there runs FTP Brute-Force-Attacks.
imap.bl.blocklist.de imap, pop3, sasl, webmail-Logins….
mail.bl.blocklist.de mail/postfix, 5xx-Errors (Blacklist-Entrys), Relaying…
ssh.bl.blocklist.de IPs there runs SSH-Attacks.
sip.bl.blocklist.de IPs, who has try Sip/Asterisk Brute-Force-Login-Attacken.

On the usa-Server we have active the rbldns-Stats. The rbldns generate the Count of Queries, Count of Matches and the Bytes which have received and send.
The RBL-Server gets each 10 Minutes a summery of:
19 M Queries
1 M matches
The value varies on the Weekend and Attack-Runs.

Also the RBL-Servers returns in the TXT-Record the Service-Name like „ssh“ and the Unixtimestamp of last reported Attack:
Infected System (Service: apacheddos, Last-Attack: 1370990468), see http://www.blocklist.de/en/view.html?ip=$ip
In time to time, there was over 20.000 IPs in the complete List listen.


Kein Kommentar


Dein Kommentar