Honeypot to pfblocker feed?
-
Let's say that I DDoS myself from a variety of stressers online.
It's a test rig and sees little traffic.
When using the stressers, they reveal their botnet to a certain extent and the hits can be used to create a list (honeypot) that is blocked in pfblocker.
Then you really only need an adblocker and tracker feed on top.
By doing this you have eliminated a lot of compromised hosts in one take.
-
Devices that participate in a real DDoS attack are most probably not the devices (servers) that 'serve' ads.
Ads are things that someone paid to be there, and then injected into pages, most often by other, regular web servers that include these ads to generate revenue.
For me, a real DDoS is a collection of my PC, your PC, etc. These are not hosting anything for anyone. DDoS attacks are generated by devices known as zombies. These are mostly all the devices behind an ISP.
When you use a stress tool, I'm pretty sure you don't use a set of 'unknown' third-party devices to stress-test. You're using some (because Distributed DoS) devices that do just that. They won't sell ads as these devices will wind up being blocked anyway.
If I were an ad and publicity company, it would matter to me to keep my servers' IPs from being listed on the major DNSBL lists. If I also used my servers to DDoS my potential public, that would be really non-productive.
Btw: I'm not hosting anything on my premises for the 'public', so I can keep my WAN protection maximized: no WAN rules, no processes listening on WAN.
My web (mail, etc) servers are not behind pfSense.
They are in the open and exposed on the Internet. As it is a server, it doesn't wander around on the Internet. It just takes requests.
If visitors misbehave, according to what is found in the log files, clients get blacklisted, for a moment, or if their IP is found again, for a looong moment. That's what fail2ban is all about.
Anyway .... I don't understand why identifying devices that DDoS you can help you by blocking your LAN clients from accessing them? Their (the DDoS devices') traffic reaches any device on LAN, so their content and intent will be unknown. LAN devices will be unaware of any DDoS activity, except for the fact that the upstream connections become 'bad'.
-
You don't read what I write...
I ask for a honeypot to collect the IPs used in a DDoS stress test. Nothing else.
Then feed them into a pfblocker list so the compromised IPs don't reach servers behind pfSense in any way.
Adblock and trackers are not important here.... just a bonus on top of the honeypot list.
And then the lists could be distributed to others as a feed.
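As an added example of the workflow the thread asks about (not code from the thread or from pfSense/pfBlockerNG), the script below turns firewall block entries logged during a self-inflicted stress-test window into a plain-text IP list that pfBlockerNG can consume as a custom feed (one address per line, `#` comments allowed). It assumes pfSense's `filterlog` CSV layout for IPv4 packets (the field positions in `F_*` are that assumption), the honeypot address and time window are parameters, and the log lines and TEST-NET addresses are constructed sample data. Sources are only listed if they hit the honeypot at least `min_hits` times inside the window, and private/reserved ranges are never emitted, so a mis-parsed LAN address cannot end up in a published feed.

```python
"""Build a pfBlockerNG-style IP feed from pfSense filterlog block entries
captured during a self-inflicted stress test window.

Added example; not part of pfSense or pfBlockerNG. Log layout and sample
lines are assumptions/constructed data.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumption: positions of the fields this example uses in pfSense's
# filterlog CSV for IPv4 packets (action, direction, ip-version, proto, src, dst).
F_ACTION, F_DIRECTION, F_IPVER, F_PROTO, F_SRC, F_DST = 6, 7, 8, 16, 18, 19

# Ranges that must never appear in a feed handed to others
# (RFC 1918, loopback, link-local, CGNAT, multicast, "this" network, reserved).
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

# syslog prefix "Mon DD HH:MM:SS host filterlog[pid]: <csv>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog\[\d+\]: (?P<csv>.*)$")


def parse_line(line, year):
    """Return (timestamp, src, dst, proto) for a blocked inbound IPv4 entry, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())          # collapse "Mar  1" spacing
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=year)
    f = m.group("csv").split(",")
    if len(f) <= F_DST or f[F_ACTION] != "block" or f[F_DIRECTION] != "in" or f[F_IPVER] != "4":
        return None
    return ts, f[F_SRC], f[F_DST], f[F_PROTO]


def is_never_listed(ip_text):
    """True for addresses that must not be published (private/reserved ranges)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True                                      # unparseable: refuse to list it
    return any(ip in net for net in NEVER_LIST)


def build_feed(lines, window_start, window_end, honeypot_ips, min_hits=3):
    """Count blocked inbound hits per source aimed at the honeypot inside the window
    and return the sources that reached min_hits, sorted by address."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line, window_start.year)
        if rec is None:
            continue
        ts, src, dst, _proto = rec
        if not (window_start <= ts <= window_end) or dst not in honeypot_ips:
            continue
        if is_never_listed(src):
            continue
        hits[src] += 1
    return sorted((ip for ip, n in hits.items() if n >= min_hits), key=ipaddress.ip_address)


def render_feed(addresses, label="honeypot-stress-test"):
    """Plain-text feed: a comment header, then one address per line."""
    return "\n".join([f"# {label}: {len(addresses)} sources"] + list(addresses)) + "\n"


# Constructed sample log (TEST-NET addresses). 203.0.113.5 and 203.0.113.77 hit
# the honeypot three times in the window; 192.168.1.20 is private; 198.51.100.200
# hits once; 203.0.113.9 hits three times but after the window closes.
SAMPLE_LOG = """\
Mar 10 12:00:01 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,44123,80,0,S,1,,,
Mar 10 12:00:01 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,44124,80,0,S,1,,,
Mar 10 12:00:02 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,44125,80,0,S,1,,,
Mar 10 12:00:02 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,4,0,DF,17,udp,1500,203.0.113.77,198.51.100.10,3333,53,1472,
Mar 10 12:00:02 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,5,0,DF,17,udp,1500,203.0.113.77,198.51.100.10,3334,53,1472,
Mar 10 12:00:03 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,6,0,DF,17,udp,1500,203.0.113.77,198.51.100.10,3335,53,1472,
Mar 10 12:00:03 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,7,0,DF,6,tcp,60,192.168.1.20,198.51.100.10,50000,80,0,S,1,,,
Mar 10 12:00:03 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,8,0,DF,6,tcp,60,192.168.1.20,198.51.100.10,50001,80,0,S,1,,,
Mar 10 12:00:03 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,9,0,DF,6,tcp,60,192.168.1.20,198.51.100.10,50002,80,0,S,1,,,
Mar 10 12:00:04 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,10,0,DF,6,tcp,60,198.51.100.200,198.51.100.10,40000,443,0,S,1,,,
Mar 10 12:10:00 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,11,0,DF,6,tcp,60,203.0.113.9,198.51.100.10,40000,22,0,S,1,,,
Mar 10 12:10:00 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12,0,DF,6,tcp,60,203.0.113.9,198.51.100.10,40001,22,0,S,1,,,
Mar 10 12:10:00 pfSense filterlog[4321]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,13,0,DF,6,tcp,60,203.0.113.9,198.51.100.10,40002,22,0,S,1,,,
"""

# Constructed test window: the five minutes in which the stresser was pointed at the rig.
WINDOW_START = datetime(2024, 3, 10, 12, 0, 0)
WINDOW_END = datetime(2024, 3, 10, 12, 5, 0)
HONEYPOT_IPS = {"198.51.100.10"}                         # placeholder honeypot address


def demo():
    """Run the sample through the pipeline; returns the list of addresses to publish."""
    return build_feed(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END, HONEYPOT_IPS)


if __name__ == "__main__":
    print(render_feed(demo()), end="")
```

Write the rendered output to a file served over HTTPS (or drop it into pfBlockerNG's custom list) and point the alias at it. The `min_hits` threshold and the tight time window are what keep a one-off connection, or a neighbour scanning during the same hour, from being published as "botnet"; raise both before sharing the feed with anyone else.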