[VoiceOps] Twitter Blacklist feed
Michael Hirschbichler
sipp at hirschbichler.biz
Thu Jan 10 13:33:57 EST 2013
Hi all,
thanks for this blacklist-idea.
We (institute of telecommunication, VUT) worked a few years ago on a
similar topic.
We solved the IP blocking by using the DNS Blacklist approach like the
antispam-blacklist services (e.g.,
http://www.dnsbl.manitu.net/?language=en).
The technical realisation was surprisingly simple: There is a MySQL
backend for the BIND DNS server (http://mysql-bind.sourceforge.net/).
Our honeypot approach took the source IP and the IP in the Contact header
(if not from a private subnet) and added it to this BIND backend DB
(together with a timestamp). The timestamp is updated every time an entry
is renewed.
Triggered by a cron-job, we started a cleanup-script which removed all
entries with a timestamp older than two days.
Creating DNSBL-lookup modules for openser/opensip/... and asterisk was
also simple.
HTH :) br
Michael
On 09.01.2013 21:23, Simon Woodhead wrote:
> Hi
>
> This is nice.
>
> We publish similar data for honeypot attacks which might be useful to
> someone:
> http://mirror.simwood.com/honeypot/
>
> There's a major caveat with any data like this though when automating
> and that is the potential to spoof addresses or use well known addresses
> on their behalf. There's one simple attack for example that attempts to
> dictionary attack admin pages using Google crawlers.
>
> cheers
> Simon
>
>
> On 9 January 2013 19:08, J. Oquendo <sil at infiltrated.net> wrote:
>
>
> So I rebuilt/redesigned/re-deployed a script to add bad
> hosts to a blacklist. Script is monitoring my SBCs, hosted
> PBXs, etc., aggregated, sorted, then reported. Tried to
> remove duplicate addresses. Also, because I deal with
> forensics and malware, I did a similar script for bad sites
> that are serving out malware.
>
> For VoIP attacks, one can make a script to check for VoIP
> based attackers and block them on the fly. E.g.:
>
> links -dump twitter.com/efensive | awk '/VoIP/'
>
> To make say an automated ipfilter rule:
>
> links -dump twitter.com/efensive |\
> awk '{print "iptables -A INPUT -s "$1" -j DROP"}' |sort -u|\
> sh
>
> Same goes for any other style rule (ASA, PIX, ScreenOS on
> the command line) You get the point. Enjoy. (Cross posted to
> Voice Ops)
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
> https://puck.nether.net/mailman/listinfo/voiceops
>
>
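The DNSBL flow described in the reply above (honeypot insert with private-subnet filter, timestamp renewal, two-day cleanup, reversed-octet lookup), as an added sketch that is not code from the original thread. An in-memory SQLite table stands in for the MySQL/BIND backend, and the zone name `sipbl.example.org`, the table layout and all function names are assumptions.

```python
import ipaddress
import sqlite3

ZONE = "sipbl.example.org"  # hypothetical zone name (assumption)
MAX_AGE = 2 * 24 * 3600     # two days, as in the cleanup job described
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def open_db():
    # In-memory SQLite stands in for the MySQL table behind BIND.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bl (ip TEXT PRIMARY KEY, seen INTEGER NOT NULL)")
    return db

def report(db, source_ip, contact_host, now):
    """Honeypot hit: list the packet source and the Contact-header IP."""
    for raw in (source_ip, contact_host):
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            continue  # Contact carried a hostname or junk, nothing to list
        if any(ip in net for net in RFC1918):
            continue  # private subnet, meaningless to other sites
        # New entry, or refresh the timestamp of an existing one.
        db.execute("INSERT OR REPLACE INTO bl (ip, seen) VALUES (?, ?)",
                   (str(ip), now))

def cleanup(db, now):
    """Cron job: delete entries not renewed within MAX_AGE; returns count."""
    return db.execute("DELETE FROM bl WHERE seen < ?",
                      (now - MAX_AGE,)).rowcount

def query_name(ip):
    """DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE

def is_listed(db, qname):
    """Backend view of a lookup: True means the name resolves (listed)."""
    suffix = "." + ZONE
    if not qname.endswith(suffix):
        return False
    ip = ".".join(reversed(qname[:-len(suffix)].split(".")))
    row = db.execute("SELECT 1 FROM bl WHERE ip = ?", (ip,)).fetchone()
    return row is not None
```

Because entries expire unless the honeypot sees the address again, a wrongly listed address (for example a spoofed source, the caveat raised in the quoted reply) drops out after two days without manual action.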