We currently run 3 RBLDNS servers that list attacker IPs for 48 hours after their last attack, split into several categories:
| Name / URL | Description / Content |
|---|---|
| apache.bl.blocklist.de | Apache, RFI, w00tw00t, SQL injection, forum spam + http://honeystats.info/ |
| bruteforcelogin.bl.blocklist.de | All IPs that attack Joomla, WordPress and other web logins with brute force |
| bl.blocklist.de | All IP addresses (all services) |
| all.bl.blocklist.de | All IP addresses (all services) |
| ftp.bl.blocklist.de | FTP: only IPs that run FTP brute-force attacks. |
| imap.bl.blocklist.de | IMAP, POP3, SASL, webmail logins…. |
| mail.bl.blocklist.de | Mail/Postfix, 5xx errors (blacklist entries), relaying… |
| ssh.bl.blocklist.de | IPs that run SSH attacks. |
| sip.bl.blocklist.de | IPs that have attempted SIP/Asterisk brute-force login attacks. |
On the USA server we have the rbldns statistics enabled. rbldns reports the number of queries, the number of matches, and the bytes received and sent.
Every 10 minutes the RBL server records a summary of:
19 M Queries
1 M matches
The values vary on weekends and during attack runs.
The RBL servers also return, in the TXT record, the service name (such as "ssh") and the Unix timestamp of the last reported attack:
Infected System (Service: apacheddos, Last-Attack: 1370990468), see http://www.blocklist.de/en/view.html?ip=$ip
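A client-side sketch of how such a record can be consumed, added here as an example and not blocklist.de's own code: it builds the query name using the standard DNSBL convention (reversed IPv4 octets plus the zone), parses the TXT format shown above, and checks the 48-hour window. The function names, the IPv4-only scope and the sample address 192.0.2.1 are assumptions.

```python
import re
import socket
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

# Constructed sample: the TXT format from the page with $ip filled in
# by a documentation address (192.0.2.1).
SAMPLE_TXT = ("Infected System (Service: apacheddos, Last-Attack: 1370990468), "
              "see http://www.blocklist.de/en/view.html?ip=192.0.2.1")

TXT_RE = re.compile(r"Service:\s*(?P<service>[\w.-]+),\s*Last-Attack:\s*(?P<ts>\d+)")


def query_name(ip, zone="bl.blocklist.de"):
    """Standard DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(IPv4Address(ip)).split(".")  # raises ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone


def parse_txt(txt):
    """Return (service, last_attack_utc), or None if the record does not match."""
    m = TXT_RE.search(txt)
    if m is None:
        return None
    last = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    return m.group("service"), last


def still_within_window(last_attack, now, window=timedelta(hours=48)):
    """True while the entry is inside the 48-hour listing window from the page."""
    return timedelta(0) <= now - last_attack <= window


def is_listed(ip, zone="bl.blocklist.de"):
    """Live lookup (needs network): an A answer means listed, NXDOMAIN means not.
    Resolver failures also land in the except branch, so this fails open."""
    try:
        socket.gethostbyname(query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    print(query_name("192.0.2.1", "ssh.bl.blocklist.de"))
    service, last = parse_txt(SAMPLE_TXT)
    print(service, last.isoformat())
```
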
From time to time, more than 20.000 IPs have been listed in the complete list.