
----- Original Message -----
From: "anorexicpoodle" <anorexicpoodle at gmail.com>
To: "J. Oquendo" <sil at infiltrated.net>
Cc: VoiceOps at voiceops.org
Sent: Wednesday, May 18, 2011 5:01:39 PM
Subject: Re: [VoiceOps] Fraud fun

On Wed, 2011-05-18 at 16:52 -0400, J. Oquendo wrote:
Not blacklisting entire ASNs, feeding specific /32s into a BGP feed (usually hosted on Vyatta or Quagga in a VM), though it does kinda bring up some interesting ideas about correlating the blacklisted /32s to specific ASNs and countries for alert grouping and reporting. I'll have to have a play with that.

Here is where I got the original idea: http://www.team-cymru.org/Services/Bogons/bgp.html

And I just extended it to feed from other sources via scripted input and hosted the feed myself.
BGP communities & null route black holes sure are fun for that sort of thing. Make sure you whitelist core services. Things can go sideways when your attacker realizes they can send bogus SIP from your upstream SIP peer IPs and have you auto-block your providers. Auto-blocking root DNS servers is a joy too! There are a couple of scripts that eat up snort logs to generate quagga BGP announcements; shouldn't be too hard to mess with the SIP rules in snort, have it running on a span port.

-Matt

--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
P: 413-746-2760