≡ Menu

Protect Your Network from spamming, scanning, harvesting and dDoS attacks with DROP List

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

Shell script to apply DROP

Here is a shell script, you need to run on Linux based firewall / router / dedicated Linux web / mail server:

#!/bin/bash
FILE="/tmp/drop.lasso"
URL="http://www.spamhaus.org/drop/drop.lasso"
echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f $FILE ] && /bin/rm -f $FILE || :
cd /tmp
wget $URL
blocks=$(cat $FILE  | egrep -v '^;' | awk '{ print $1}')
iptables -N droplist
for ipblock in $blocks
do
 iptables -A droplist -s $ipblock -j LOG --log-prefix "DROP List Block"
 iptables -A droplist -s $ipblock -j DROP
done
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f $FILE

Call above script from existing firewall script every 24 hrs to update and block list. Every time it's run by crontab it will download the list and reapply the changes. You may need to modify above script to delete droplist chain before applying list. Please note that if you are using Cicso routers, use this script for the same purpose. You can also use CISCO 'null route' command:

ip route <network> <mask> null0

If you don't want to play with iptables, null route all bad ips using following route command under Linux syntax:
# route add <IP> gw 127.0.0.1 lo
# route add -net <IP/mask> gw 127.0.0.1 lo

Try this and you will surprise to see how much spam and other bad stuff can be blocked.

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

Comments on this entry are closed.

  • Jerod Santo October 24, 2007, 5:07 pm

    The script provided for Cisco devices simply updates a text file of the banned netblocks. Are we then supposed to use the cisco-cmd script to add the null routes to our cisco configs?

  • nixCraft October 24, 2007, 6:11 pm

    Jerod,

    Yes you need to update or add those ips to null0.

  • Jerod Santo October 24, 2007, 10:05 pm

    Correct me if I’m wrong, but doesn’t adding ip route network mask null0 only affect traffic leaving my network if said router is the gateway to my LAN?

    If so, does that add much benefit?

  • nixCraft October 25, 2007, 12:25 pm

    Jerod,

    You are dropping all incoming traffic from bad guys .

  • Joe Klemmer November 9, 2007, 11:25 pm

    Are there any metrics, empirical or subjective, measurements on the hit rate of false positives? I’d love to do more to keep the spam out.

  • Gregg Lain November 30, 2007, 12:34 pm

    Nice posting – expanded on the alternate route and since shorewall is running happily on my servers – why not let that “manage” the drops:

    #!/bin/sh
    #
    # Drop all these bad IP's
    #
    TMPFILE=/tmp/`apg -a 1 -M nc -n 1 -m 26`
    touch $TMPFILE
    curl -s http://www.spamhaus.org/drop/drop.lasso |grep ^[1-9]|cut -f 1 -d ' ' > $TMPFILE
    for IP in `cat $TMPFILE`; do
    /sbin/shorewall drop $IP
    sleep 5
    done
    rm $TMPFILE

    The sleep statement helps the process from hogging all server resources….

    Set this to run via cron twice daily – prefer to be a little paranoid in case of mid-day updates :)

  • nixCraft November 30, 2007, 2:49 pm

    Gregg,

    thanks for sharing shorewall script.

  • Joe Klemmer December 4, 2007, 11:58 pm

    I’m getting ready to try this out. There’s one thing that’s not clear to me, though.

    This article states specifically

    you need to run on Linux based firewall / router / dedicated Linux web / mail server

    My server is doing everything and it’s brother. Is this going to affect all the other crap this box is doing (well, specifically ssh)?

  • nixCraft December 5, 2007, 1:55 am

    Joe,

    This will only block bad guyes and not ssh, until and unless your IP is one of them ;)

  • Ashi January 11, 2008, 9:24 am

    spamming is surely a threat to cyber space. most of the spammers are also hackers and they break into your pc as soon as you click on their email links. in order to fight the spam threat we need a strong spam filters for our emails which secures us from most of the spam mails. i have heard that http://www.zapak.com is one of the good e-mail service provider who gives maximum protection from most of the spam mails, now that is what we internet lovers require.

  • Me January 31, 2008, 11:01 am

    The script is problematic as a cron job.
    It will create redundant drop rules, so every day
    iptables will double its rules number.

    Just run the script a few times and see.
    1st run iptables rules count: 365
    2nd run: 592
    3rd run: 865

  • Hamish February 19, 2008, 11:17 am

    It works well as a cron job, but you need to flush the old rules first. I added the following lines to the top of this script:
    #!/bin/bash
    iptables -F
    ./regular_rules
    FILE=”/tmp/drop.lasso”
    URL=”http://www.spamhaus.org/drop/drop.lasso”

    Where regular_rules is a file containing all your standard iptables rules that you want to add the spamhaus rules to each day.

    Not sure if i should stop and start the iptables service, i don’t currently, but i guess it’s an easy addition… Thanks for the script…

  • Firas April 9, 2010, 12:23 pm

    Should we add the script in all our vps ? or just the node ?

  • Christian September 14, 2011, 2:42 pm

    This script could be a little more secure. I.e. use a random tmp and clean up handler. Also the list processing can be done in bash (not awk needed.)

    #!/bin/bash
    URL="http://www.spamhaus.org/drop/drop.lasso"
    drop=/tmp/drop.lasso.$$.$RANDOM
    trap "rm -f $drop" EXIT
    echo -n "Applying DROP list to existing firewall..."
    wget -q -O $drop $URL
    blocks=$(cat $drop | egrep -v '^;' | while read line ; do echo ${line%%;*} ; done)
    ...
    
  • Stove August 24, 2013, 12:46 pm

    I thought this script sounded like a good idea. I decided to tail my mail log ‘tail /var/log/exim_mainlog -f’ and check some of the IP addresses against the blacklist to see if they would have been blocked. I checked the next 20 IP’s that Spam Assassin flagged as spam and none of the IP’s were in the SpamHaus list. Back to the drawing board. I think that the way Spam Assassin rate limits offending IP’s is pretty effective anyway.