Networking Forums

Blocking long list of IPs in iptables?

 
 
Jem Berkes
      09-25-2003, 01:57 AM
I have a list of 11000 IPs (from a wormtrap) that have attempted to send me
worms in the past couple days. Only 2000 of these IPs are unique; I
therefore think it might be worth blocking those IP addresses until this
flood ends.

By the way I'd be happy to share this list if anybody wants it. WARNING:
some major ISPs' mail relays are likely listed.

I know with iptables I can do:
iptables -A INPUT -p tcp -s 123.123.123.123 --dport smtp -j DROP

for each IP address, but before I went ahead and did this for each of those
2000 IPs I wanted to check to see if there was a 'better way' to do this?

--
Jem Berkes
http://www.sysdesign.ca/
 
Paul Lutus
      09-25-2003, 03:01 AM
Jem Berkes wrote:

> I have a list of 11000 IPs (from a wormtrap) that have attempted to send
> me worms in the past couple days. Only 2000 of these IPs are unique; I
> therefore think it might be worth blocking those IP addresses until this
> flood ends.


This is silly. Most of these worms are emanating from individual machines
with temporary IPs. In five minutes, the user logs off and the IP is
reassigned to someone who might have a legitimate reason to contact you.

The alternative is to block the entire domain, but that's worse in terms of
throwing out the baby with the bathwater.

--
Paul Lutus
http://www.arachnoid.com

 
Jem Berkes
      09-25-2003, 03:25 AM
>> I have a list of 11000 IPs (from a wormtrap) that have attempted to
>> send me worms in the past couple days. Only 2000 of these IPs are
>> unique; I therefore think it might be worth blocking those IP
>> addresses until this flood ends.

>
> This is silly. Most of these worms are emanating from individual
> machines with temporary IPs. In five minutes, the user logs off and
> the IP is reassigned to someone who might have a legitimate reason to
> contact you.


What I meant to say was there were 11000 connections specifically intended
to send the worm (none of these were legitimate mail). But among all those
connections, only 2000 were from unique IP addresses. This means that 9000
connections (or 82%) were repeats, new worms from the same IP address.

If the user logged off within a few minutes I would not be getting such a
high percentage of repeats. The scenario I'm imagining is an infected
machine sitting there for days on end, repeatedly sending me worms. For
instance: get worm from 209.225.8.xx at 10:00... then get worms again from
same IP half an hour later, two hours later, 3 hours later, 5 hours, 8
hours, etc., on for days.

I think that type of situation is accounting for the 82% repeats.

 
Adam Dyga
      09-25-2003, 09:26 PM
Jem Berkes wrote:

> I have a list of 11000 IPs (from a wormtrap) that have attempted to send
> me worms in the past couple days. Only 2000 of these IPs are unique; I
> therefore think it might be worth blocking those IP addresses until this
> flood ends.
>
> By the way I'd be happy to share this list if anybody wants it. WARNING:
> some major ISPs' mail relays are likely listed.
>
> I know with iptables I can do:
> iptables -A INPUT -p tcp -s 123.123.123.123 --dport smtp -j DROP
>
> for each IP address, but before I went ahead and did this for each of
> those 2000 IPs I wanted to check to see if there was a 'better way' to do
> this?


Use a 'while' loop in bash, for example:

while read -r ip
do
    # one rule per address, using the command from the original post
    iptables -A INPUT -p tcp -s "$ip" --dport smtp -j DROP
done < ips_file


--
Greets
adeon
 
Leon The Peon
      09-29-2003, 05:30 AM

"Jem Berkes" <(E-Mail Removed)_org> wrote in message
news:Xns9400D53AED07Bjbuserspc9org@130.179.16.24...
> I have a list of 11000 IPs (from a wormtrap) that have attempted to send me
> worms in the past couple days. Only 2000 of these IPs are unique; I
> therefore think it might be worth blocking those IP addresses until this
> flood ends.
>
> By the way I'd be happy to share this list if anybody wants it. WARNING:
> some major ISPs' mail relays are likely listed.
>
> I know with iptables I can do:
> iptables -A INPUT -p tcp -s 123.123.123.123 --dport smtp -j DROP
>
> for each IP address, but before I went ahead and did this for each of those
> 2000 IPs I wanted to check to see if there was a 'better way' to do this?


Maybe the better way is to get your mail server to recognise and drop such
worm mail.
Jem Berkes
      09-29-2003, 06:40 AM
> Maybe the better way is to get your mail server to recognise and drop
> such worm mail.


That's ok to do now, but I'm working on a contingency plan for the next
time my site gets totally swamped with traffic and I have to stop the SMTP
connections from even happening.

Here's what I've come up with:

1) grep out the IPs that are causing trouble
2) sort iplist | uniq > banlist
3) xargs -rl iptables -A INPUT -p tcp --dport smtp -j DROP -s < banlist

--
Jem Berkes
http://www.sysdesign.ca/
 
Kenneth Porter
      09-29-2003, 11:42 PM
Jem Berkes <(E-Mail Removed)9__org> wrote in
news:Xns9405111737791jbuserspc9org@130.179.16.24:

> 3) xargs -rl iptables -A INPUT -p tcp --dport smtp -j DROP -s < banlist


I'd suggest using a sub-table so you can enable/disable the banlist with
one iptables command:

iptables -A INPUT -p tcp --dport smtp -j smtpbanlist

--
Kenneth Porter
http://www.sewingwitch.com/ken/
 
Jem Berkes
      09-30-2003, 12:19 AM
>> 3) xargs -rl iptables -A INPUT -p tcp --dport smtp -j DROP -s < banlist
>
> I'd suggest using a sub-table so you can enable/disable the banlist with
> one iptables command:
>
> iptables -A INPUT -p tcp --dport smtp -j smtpbanlist


That's a nice idea. I never really learned iptables properly though so I'll
have to look into how this works.

--
Jem Berkes
http://www.sysdesign.ca/
 
Kenneth Porter
      09-30-2003, 04:30 PM
Jem Berkes <(E-Mail Removed)9__org> wrote in
news:Xns9405C495B5196jbuserspc9org@130.179.16.24:

> That's a nice idea. I never really learned iptables properly though so
> I'll have to look into how this works.


If you're a programmer, think subroutines, and think of "-j" to a subtable
as a conditional "call" statement.

--
Kenneth Porter
http://www.sewingwitch.com/ken/
 
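Kenneth Porter's sub-chain idea carried through as an added example (not code from anyone in the thread): a script that cleans a banlist file, loads it into a dedicated smtpbanlist chain and switches the whole list on or off with the single jump rule from INPUT. It also covers the bulk-loading step behind Adam Dyga's loop and Jem's xargs line. The chain name comes from the thread; the function names, the dry-run default and the sample banlist are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: keep the banlist in its own chain
# (Kenneth Porter's "sub-table") so one jump rule in INPUT turns the whole
# list on or off. Dry run by default (commands are echoed); set
# IPTABLES=iptables and run as root to apply them for real.
IPTABLES="${IPTABLES:-echo}"
CHAIN="smtpbanlist"          # chain name used in the thread

# Unique dotted-quad addresses from a file, one per line. Blank lines,
# comments and log fragments that are not a.b.c.d never become a rule.
clean_banlist() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$1" | sort -u
}

# Create the chain (or flush it), add one DROP per address, hook it into
# INPUT. No port match inside the chain: the jump already limits it to smtp.
load_banlist() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
    clean_banlist "$1" | while read -r ip; do
        "$IPTABLES" -A "$CHAIN" -s "$ip" -j DROP
    done
    enable_banlist
}

# Drop any existing jump first so repeated calls do not stack copies.
enable_banlist() {
    disable_banlist 2>/dev/null || true
    "$IPTABLES" -I INPUT 1 -p tcp --dport smtp -j "$CHAIN"
}

# Turning the list off is one command; the chain and its rules stay loaded.
disable_banlist() {
    "$IPTABLES" -D INPUT -p tcp --dport smtp -j "$CHAIN"
}

# Constructed sample banlist (duplicates, a comment, a bogus line), as a
# grep of the mail log might produce; three unique addresses survive.
SAMPLE_BANLIST="$(mktemp)"
cat > "$SAMPLE_BANLIST" <<'EOF'
# wormtrap hits (constructed sample)
192.0.2.10
198.51.100.7
192.0.2.10
not-an-ip
203.0.113.250
198.51.100.7
EOF

load_banlist "$SAMPLE_BANLIST"
```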
 
psychopenguin
      10-10-2003, 05:30 PM
Jem Berkes wrote:
> I have a list of 11000 IPs (from a wormtrap) that have attempted to send me
> worms in the past couple days. Only 2000 of these IPs are unique; I
> therefore think it might be worth blocking those IP addresses until this
> flood ends.
>
> By the way I'd be happy to share this list if anybody wants it. WARNING:
> some major ISPs' mail relays are likely listed.
>
> I know with iptables I can do:
> iptables -A INPUT -p tcp -s 123.123.123.123 --dport smtp -j DROP
>
> for each IP address, but before I went ahead and did this for each of those
> 2000 IPs I wanted to check to see if there was a 'better way' to do this?
>

Why don't you just use an access list for Sendmail?

123.123.123.123 REJECT
123.xxx.xxx.xxx REJECT
etc....

 