Suspending Suspicious Domain Feed / Update to Researcher IP Feed
Last Updated: 2020-06-04 11:57:07 UTC
by Johannes Ullrich (Version: 1)
Yesterday, Peter from DNSFilter send us a message noting that many of the domains in our "Suspicious Domain" feed no longer resolved, and some of the feeds we used as input were no longer maintained. After investigating, I have to agree with him. The remaining feeds don't make a valuable service at this point. The idea of the "Suspicious Domain" list was to aggregate different lists, but with essentially only 1 or 2 lists left, that doesn't make sense and I decided to no longer maintain the feed until we find new inputs. The respective files will still be offered by they are empty to not break any existing scripts that use them (they are quite popular).
Recently, I also talked about our API feature to retrieve IP addresses used by researchers scanning the Internet. I yesterday added about 150 IPs used by security.ipip.net. See https://isc.sans.edu/api/threatcategory/research
Please keep the feedback coming. I am always interested in improving the quality of our data.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
It is a mix of iptables logging of rejected packets, dmesg output, parsing with grep, and processing with a php file for databasing the rejected IP addresses and finally adding the 24 masked ip address to an ipset list and restore file for restoring on reboot.
It has solved most of the port scanning issues, but I have to say I still see thousands of scanning attempts per day, not sure if that is related to my subnet (a high tier FiOS Backbone) or my DNS name.
Jun 7th 2020
2 years ago
I get only around 25 different IPs trying to login to my cert-only SSH server.
12 are 141.98.(81|9).*
4 are 85.209.0.*
The rest only has 1-2 attempts, per IP address, and the IP addresses are widely spaced.
Jun 8th 2020
2 years ago