[VoiceOps] Fraud fun

anorexicpoodle anorexicpoodle at gmail.com
Thu May 19 16:33:32 EDT 2011


Was probably me you're referring to. 

I do this primarily off of syslog data since my process is based off of
the Acme trust demotion messages. Every time the SD demotes an endpoint
to the deny trust level it produces a syslog message, which I write into
SQL. I then have a process that parses these messages, extracts the IP
addresses and generates counts of the number of times an address has
been blacklisted in given timeframes, so while at this level the SD is
actually protecting the network from the "bad" traffic, it still needs
to see X messages before the demotion policy takes effect and the
demotion is relatively short term. This short-term blacklist is where my
process picks up, and looks for larger trends scoring bad behavior
across wider time ranges, and across different SDs, and using that data
to determine if a given address needs a heavier-handed response at the
router, so we can preserve SD CPU cycles.

-anorexicpoodle
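The pipeline described above (parse the SD deny-demotion syslog lines, count demotions per address over several windows and across SDs, then pick the repeat offenders for a router-level block), as an added example that is not anorexicpoodle's code. The syslog line format, the field names and the thresholds are constructed assumptions; the real Acme Packet message text is not given in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an SD "demoted to deny" syslog line (assumption:
# the real Acme Packet message wording is not on the page).
DEMOTION_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sd>\S+) .*demoted to deny for (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log (RFC 5737 documentation addresses); one line is a
# promotion, not a demotion, and must be ignored by the parser.
SAMPLE_LOG = """\
2011-05-19T15:10:02 sd01 sbc: trust demoted to deny for 203.0.113.7
2011-05-19T15:40:11 sd01 sbc: trust demoted to deny for 203.0.113.7
2011-05-19T16:05:44 sd02 sbc: trust demoted to deny for 203.0.113.7
2011-05-19T16:20:09 sd02 sbc: trust demoted to deny for 198.51.100.23
2011-05-19T16:21:30 sd01 sbc: trust promoted to medium for 192.0.2.55
2011-05-18T09:00:00 sd01 sbc: trust demoted to deny for 198.51.100.23
"""

NOW = datetime(2011, 5, 19, 16, 30, 0)  # evaluation time for the look-back windows
WINDOWS = {"hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(days=7)}


def parse_demotions(text):
    """Return (timestamp, sd, ip) for every deny-demotion line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DEMOTION_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["sd"], m["ip"]))
    return events


def score_addresses(events, now, windows):
    """Per address: demotion count inside each look-back window plus the set of SDs that saw it."""
    scores = defaultdict(lambda: {"sds": set(), **{name: 0 for name in windows}})
    for ts, sd, ip in events:
        scores[ip]["sds"].add(sd)
        for name, span in windows.items():
            if now - span <= ts <= now:
                scores[ip][name] += 1
    return scores


def router_block_candidates(scores, min_day=3, min_sds=2):
    """Escalate only sustained offenders: many demotions in a day, or demoted on several SDs."""
    return sorted(ip for ip, s in scores.items()
                  if s["day"] >= min_day or len(s["sds"]) >= min_sds)
```

Short-lived SD demotions that never recur (a single hit on one SD) stay below both thresholds and are left to the SD's own policy.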






On Thu, 2011-05-19 at 15:59 -0400, Peter Eisengrein wrote:

> Someone (sorry, don't have the email handy) previously mentioned that they monitor the output from their Acme and then blacklist IPs. Very interesting idea -- how are you determining who the "bad guys" are? From the "friendly-scanner" agent field? In what field is this? Are you doing this from the RADIUS CDRs?
> 
> Thanks,
> Pete 
> 
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

