stamparm / maltrail

Malicious traffic detection system
MIT License

[SOURCE] PacketDump #19273

Closed BlackHoleMonster closed 1 month ago

BlackHoleMonster commented 1 month ago

Hello, if you want, we made a new attacker IPs list, updated every 5 min, based on tcpdump.

There is also a web interface so you can view live who is attacking - https://packetdump.s-e-r-v-e-r.pw/

🚫 ALL IPs:
https://packetdump.s-e-r-v-e-r.pw/ips

Thanks!

MikhailKasimov commented 1 month ago

Hello! "ips list updated every 5 min" <-- Do these IPs aggregate in /blackhole-today? Or is it a separate database?

BlackHoleMonster commented 1 month ago

Hi, packetdump generates the IP blacklist from other servers (tcpdump), so no, not the same as blackhole-*

they are generated differently, and both have different servers

MikhailKasimov commented 1 month ago

@stamparm please take a look, seems reasonable.

stamparm commented 1 month ago

what's the methodology? there is zero information on how that list is generated.

also, what's the retention time for individual IPs? it is not clear what that list represents nor for how long those entries stay inside after the last offense

BlackHoleMonster commented 1 month ago

Hi :) as said, the list is generated from tcpdump (those servers listen on every port for incoming IPs)

added a new today (24-hour) list (so only IPs that attacked today are included, updated every 5 min.) https://packetdump.s-e-r-v-e-r.pw/ips-today

this list has all IPs that attacked and they will not be removed from the list (that's due to the history you can browse there https://packetdump.s-e-r-v-e-r.pw/ip/ or also there https://packetdump.s-e-r-v-e-r.pw/ip.x?ip=1.2.3.4) https://packetdump.s-e-r-v-e-r.pw/ips

stamparm commented 1 month ago

I don't see whether this is TCP and UDP or only TCP capture. Also, I can't comprehend what the nature of such a list is: like, capturing "attackers" or "scanners" or anything?

p.s. I've just seen UDP now captured on the main page. Just food for thought: anybody can spoof a UDP packet with an arbitrary source address and fill your list with "fake" attackers. Anyhow, currently I see more problems than benefits TBH

BlackHoleMonster commented 1 month ago

I don't want to be bad or so, it's your project after all, but you're saying that anyone can spoof an IP (it's not so easy, is it?), so basically EVERY IP blacklist is unusable as it gets spoofed IPs, right? So what's the point of blacklisting IPs then? :)

also you can spoof TCP too, not only UDP, so?

stamparm commented 1 month ago

UDP spoofing is extremely easy. TCP spoofing (passing the whole TCP negotiation) is not easy. UDP spoofing is actually how all the DNS/SNMP/... reflection works.

now, blacklists that we use tend to have some logic behind them. like, at least to pass through the TCP connection or anything. capturing UDP packets or TCP SYN packets is not reliable for any kind of blacklisting
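To illustrate the point made in the thread, here is an added example (not code from maltrail or from the packetdump project) that derives a candidate list only from sources that completed a TCP three-way handshake with the sensor, discarding bare SYNs and UDP datagrams whose source address carries no proof of reachability. The packet records and the sensor address 198.51.100.10 are constructed for the example.

```python
"""Keep only sources that completed a TCP handshake with the sensor."""
from collections import defaultdict

# Constructed packet records: (proto, src, sport, dst, dport, tcp_flags).
# tcp_flags uses tcpdump-style letters ("S" SYN, "A" ACK); "" for UDP.
SENSOR = "198.51.100.10"  # constructed sensor address (documentation range)
PACKETS = [
    ("tcp", "203.0.113.5", 40000, SENSOR, 22, "S"),    # lone SYN: source unproven
    ("udp", "203.0.113.6", 53, SENSOR, 161, ""),       # UDP: trivially spoofable
    ("tcp", "203.0.113.7", 50000, SENSOR, 80, "S"),    # full handshake follows
    ("tcp", SENSOR, 80, "203.0.113.7", 50000, "SA"),   # sensor answers SYN/ACK
    ("tcp", "203.0.113.7", 50000, SENSOR, 80, "A"),    # client ACK: source is real
    ("tcp", "203.0.113.8", 51000, SENSOR, 443, "A"),   # stray ACK, no handshake
]


def raw_sources(packets, sensor):
    """Naive approach: every source address seen sending to the sensor."""
    return {src for _, src, _, dst, _, _ in packets if dst == sensor}


def handshake_sources(packets, sensor):
    """Return source IPs that completed SYN -> SYN/ACK -> ACK with the sensor.

    State per (client, client port, sensor port): 1 after the client's SYN,
    2 after the sensor's SYN/ACK; the final ACK can only come from a client
    that actually received the SYN/ACK, so its address cannot be spoofed
    by a blind sender.
    """
    state = defaultdict(int)
    completed = set()
    for proto, src, sport, dst, dport, flags in packets:
        if proto != "tcp":
            continue  # UDP gives no evidence the source address is genuine
        is_syn = "S" in flags and "A" not in flags
        is_synack = "S" in flags and "A" in flags
        is_ack = "A" in flags and "S" not in flags
        if dst == sensor and is_syn:
            state[(src, sport, dport)] = 1
        elif src == sensor and is_synack and state.get((dst, dport, sport)) == 1:
            state[(dst, dport, sport)] = 2
        elif dst == sensor and is_ack and state.get((src, sport, dport)) == 2:
            completed.add(src)
            del state[(src, sport, dport)]
    return completed
```

Run on the constructed records, `raw_sources` yields four addresses while `handshake_sources` yields only 203.0.113.7, the one source that demonstrably received the sensor's reply.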