Closed BlackHoleMonster closed 1 month ago
Hello! IP list, updated every 5 min.
<-- Do these IPs aggregate in /blackhole-today? Or is it a separate database?
Hi, packetdump generates the IP blacklist from other servers (tcpdump), so no, not the same as blackhole-*.
They are generated differently, and both have different servers.
@stamparm please take a look, seems reasonable.
What's the methodology? There is zero information on how that list is generated.
Also, what's the retention time for individual IPs? It is not clear what that list represents, nor for how long those entries stay inside after the last offense.
Hi :) As has been said, the list is generated from tcpdump (those servers listen on every port for incoming IPs).
Added a new "today" (24 hour) list (so only IPs that attacked today are included, updated every 5 min.):
https://packetdump.s-e-r-v-e-r.pw/ips-today
This list has all IPs that attacked, and they will not be removed from the list (due to the history you can browse there https://packetdump.s-e-r-v-e-r.pw/ip/ or also there https://packetdump.s-e-r-v-e-r.pw/ip.x?ip=1.2.3.4):
https://packetdump.s-e-r-v-e-r.pw/ips
I don't see whether this is TCP and UDP or only TCP capture. Also, I can't comprehend the nature of such a list: is it capturing "attackers" or "scanners" or anything?
P.S. I've just seen that UDP is now captured at the main page. Just food for thought: anybody can spoof a UDP packet with an arbitrary source address and fill your list with "fake" attackers. Anyhow, currently I see more problems than benefits TBH.
I don't want to be bad or so, it's your project after all, but you are saying that anyone can spoof an IP (it's not so easy, is it?), so basically EVERY IP blacklist is unusable as it gets spoofed IPs, right? So what is the point of blacklisting IPs then? :)
Also, you can spoof TCP too, not only UDP, so?
UDP spoofing is extremely easy. TCP spoofing (passing the whole TCP negotiation) is not easy. UDP spoofing is actually how all the DNS/SNMP/... reflection works.
Now, blacklists that we use tend to have some logic behind them, like at least passing through the TCP connection or anything. Capturing UDP packets or TCP SYN packets is not reliable for any kind of blacklisting.
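The distinction drawn in the comment above (a bare SYN or a UDP datagram versus a completed TCP connection) can be turned into a filter over a packet log. The following is an added example and is not code from packetdump or from any commenter; the packet records are constructed, the sensor address 203.0.113.10 and the tuple layout are assumptions, and the function only models the order of TCP flags per flow, not sequence numbers. The point it shows is that a source which never received the SYN-ACK cannot complete the handshake, so a list built from completed handshakes drops the spoofable entries that a list built from "anything that hit a port" keeps.

```python
"""Added example: derive a blacklist only from source IPs that completed a
TCP three-way handshake with the sensor. Bare SYNs and UDP datagrams can
carry a forged source address, so they are not evidence that the address
ever talked to us. All packet records below are constructed, not captured."""

# Constructed records: (proto, src, sport, dst, dport, tcp_flags)
# tcp_flags use tcpdump letters: "S" = SYN, "S." = SYN-ACK, "." = ACK;
# None for UDP, which has no handshake at all.
SENSOR_IP = "203.0.113.10"  # assumed sensor address

SAMPLE_PACKETS = [
    # A real client: SYN, SYN-ACK from the sensor, final ACK from the client.
    ("tcp", "198.51.100.7", 40001, SENSOR_IP, 22, "S"),
    ("tcp", SENSOR_IP, 22, "198.51.100.7", 40001, "S."),
    ("tcp", "198.51.100.7", 40001, SENSOR_IP, 22, "."),
    # A spoofed SYN: the sensor answers, but the forged source never does.
    ("tcp", "192.0.2.55", 1234, SENSOR_IP, 80, "S"),
    ("tcp", SENSOR_IP, 80, "192.0.2.55", 1234, "S."),
    # A UDP datagram whose source address could be anything.
    ("udp", "192.0.2.200", 53, SENSOR_IP, 161, None),
]


def naive_sources(packets, sensor_ip=SENSOR_IP):
    """Every source address seen sending anything to the sensor.

    This is what a list built straight from tcpdump output contains; it
    includes forged UDP and SYN-only sources.
    """
    return {src for proto, src, _sport, dst, _dport, _flags in packets
            if dst == sensor_ip}


def completed_handshakes(packets, sensor_ip=SENSOR_IP):
    """Source addresses that finished SYN -> SYN-ACK -> ACK with the sensor.

    Flow state is keyed on (client_ip, client_port, sensor_port):
      1 after the client's SYN, 2 after the sensor's SYN-ACK, and the
      client is confirmed when its ACK arrives in state 2.  In a real
      capture that ACK must echo the sensor's sequence number, which a
      host that never received the SYN-ACK cannot know; here we model
      only the flag order.
    """
    state = {}
    confirmed = set()
    for proto, src, sport, dst, dport, flags in packets:
        if proto != "tcp":
            continue  # UDP: no handshake, nothing to confirm
        if dst == sensor_ip and flags == "S":
            state[(src, sport, dport)] = 1
        elif src == sensor_ip and flags == "S.":
            key = (dst, dport, sport)  # flip back to the client's view
            if state.get(key) == 1:
                state[key] = 2
        elif dst == sensor_ip and flags == ".":
            key = (src, sport, dport)
            if state.get(key) == 2:
                confirmed.add(src)
                del state[key]
    return confirmed


if __name__ == "__main__":
    print("naive list:   ", sorted(naive_sources(SAMPLE_PACKETS)))
    print("handshake list:", sorted(completed_handshakes(SAMPLE_PACKETS)))
```

On the constructed records the naive list carries three addresses, two of which could be forged, while the handshake-based list keeps only 198.51.100.7. Running the same state machine over a real capture would need a pcap parser to extract the 5-tuple and flags; the filtering logic itself is unchanged.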
Hello, if you want, we made a new attacker IP list updated every 5 min., based on tcpdump.
There is also a web interface so you can view live who is attacking - https://packetdump.s-e-r-v-e-r.pw/
Thanks!