I want to block the IP addresses assigned by ISPs to general households.
-
Hello, is it possible to register a list of IP addresses assigned to general households by ISPs, which are being used as stepping stones by hackers, and block them using tools like PFBlocker, which can block countries?
Recently, I have installed ntopng on PFSense for monitoring, and I have noticed some IP addresses belonging to providers in Korea and Africa (confirmed using whois, such as *.telecom) which appear somewhat suspicious to me.
-
@Yet_learningPFSense You could block by region using pfBlocker to create aliases, I doubt you'll find meaningful lists for ISPs by country, you'd get it by ASN numbers but the number of ASN numbers you'd have to put in a block list would be huge.
Just to check exactly what you're after, you want to block your clients talking to Korea and Africa ISP assigned IP addresses?
-
@NogBadTheBad Thank you. What I have in mind is not about accessing the IP address directly from here, where the home PC acts as a proxy and functions as a C&C (Command and Control) without being detected, continuing to operate.
I believe that services like Skype, which involve direct connections for data and voice exchange, would no longer be usable, but I currently think that it can be done using a smartphone. Although convenience would be compromised...
-
@Yet_learningPFSense If I understand right and you want to block domestic ISPs' IPs, there is the Spamhaus PBL. I do not know how or if you can obtain this as a downloadable text file of CIDR blocks. But if so, and I suspect it is available in that format somehow, you could add the URL to a pfBlocker deny/alias.
-
@darcey Thank you. Yes, I need a list of IP addresses that have been zombified. However, registering the IP addresses of every household worldwide would overwhelm PFSense. It seems more realistic to register real-time updated addresses of botnet zombies.
I will try loading the website you provided. Thank you very much.
-
@Yet_learningPFSense I imagine, if available, it will be a list of fairly large CIDR blocks rather than individual IPs. Problem is, having done a quick search, I could not find a text file to download. If such a thing exists, I am sure someone here will know.
The data is hosted by spamhaus and the ISPs themselves update their relevant data. It forms part of the spamhaus DNSBL.
I am not sure where you might find a comprehensive list of compromised domestic IPs, and wouldn't most of those be dynamically assigned and prone to change?
-
@darcey I came up with the idea of periodically retrieving the dynamic DNSBL list from Spamhaus on the pfBlocker side, but it seems difficult since there doesn't seem to be a file format that can be loaded into pfBlocker, such as a TXT file.
Even hackers are likely to operate zombie botnets carefully and economically to avoid being detected as C&C servers, so it seems that only those instances that are detected and exposed by ISPs will become apparent. Thank you for providing the website, it was very informative.
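Darcey's post describes the PBL as part of the Spamhaus DNSBL, which is queried per address over DNS rather than downloaded as a file. As an added example (not from this thread, pfBlocker or Spamhaus), the Python below builds the reversed-octet query name for an address seen in ntopng and interprets the reply; the zone name, the return-code table and the sample addresses are assumptions of this example, and the stub resolver stands in for live DNS so it runs offline.

```python
"""Check an IPv4 address against a DNS-based blocklist (DNSBL) such as Spamhaus ZEN.

Added example; the zone, return-code meanings and sample data are assumptions.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZONE = "zen.spamhaus.org"  # assumed zone: ZEN combines the SBL, XBL and PBL lists

# Last octet of the 127.0.0.x answer -> list name (assumed from public Spamhaus docs).
RETURN_CODES: Dict[int, str] = {
    2: "SBL", 3: "SBL CSS",
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",   # exploited / compromised hosts
    9: "SBL DROP",
    10: "PBL (ISP maintained)",               # end-user / dynamic ranges listed by the ISP
    11: "PBL (Spamhaus maintained)",
}


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Return the reversed-octet query name, e.g. 4.3.2.1.<zone> for 1.2.3.4."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers: List[str]) -> List[str]:
    """Map the A records of a DNSBL reply to list names; [] means not listed."""
    names = []
    for a in answers:
        if a.startswith("127.255.255."):
            # Assumed: Spamhaus signals refused/over-quota queries in this range.
            raise RuntimeError(f"DNSBL error reply {a} (query likely refused)")
        names.append(RETURN_CODES.get(int(a.rsplit(".", 1)[1]), f"unknown code {a}"))
    return names


def live_resolve(name: str) -> List[str]:
    """Resolve a query name with the system resolver; NXDOMAIN -> not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip: str, resolve: Callable[[str], List[str]] = live_resolve) -> List[str]:
    """Return the DNSBL list names an address appears on."""
    return classify(resolve(dnsbl_query_name(ip)))


# Constructed answers standing in for live DNS so the example runs offline.
FAKE_DNS = {"4.3.2.1." + ZONE: ["127.0.0.11"],              # constructed PBL hit
            "8.7.6.5." + ZONE: ["127.0.0.4", "127.0.0.10"]}  # constructed XBL + PBL


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```

Running `lookup("5.6.7.8", fake_resolve)` yields `['XBL', 'PBL (ISP maintained)']`; with the default resolver the same call queries live DNS, and a 127.255.255.x error reply usually means the query went through a public resolver that Spamhaus does not serve.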
-
@Yet_learningPFSense said in I want to block the IP addresses assigned by ISPs to general households.:
there doesn't seem to be a file format that can be loaded into pfBlocker, such as a TXT file.
That, it seems, is the problem. If it existed, it would be a fairly extensive and reliable list of domestically assigned IPs. Maybe it is, as @NogBadTheBad suggests, too unwieldy.
Maybe you need to look at IDS/IPS.
-
@darcey That's right. I don't think I'll have much reason to access websites from countries like Africa, so it seems the best approach would be to block such sites on a country-by-country basis and rely on IDS/IPS for the rest.
-
@Yet_learningPFSense said in I want to block the IP addresses assigned by ISPs to general households.:
I have noticed some IP addresses belonging to providers in Korea and Africa (confirmed using whois, such as *.telecom) which appear somewhat suspicious to me.
Where did you notice them? The net is a noisy place - you will see noise from all over the planet hitting your WAN IP. So? It is dropped by default.
If you have some port forwards open, just allow the IPs you want to allow. For example, on my Plex server the only things that can talk to it are IPs from the US and, currently, Morocco (since I have family living there). And the list of known IPs that Plex uses to validate your server is available to the public, as are the known IPs that monitor whether my Plex is working and notify me if it's down.
Simple enough to do in pfBlocker - because you can create lists based upon country (GeoIP data) or other IPs you want to allow; Uptime Robot and StatusCake, for example, which do the monitoring, provide lists of the IPs they use.
Or did you notice your devices connecting outbound to these weird IPs in other countries?