DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.
DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.
The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.
When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.
Shell script to apply DROP
Here is a shell script, you need to run on Linux based firewall / router / dedicated Linux web / mail server:
#!/bin/bash
FILE="/tmp/drop.lasso"
URL="http://www.spamhaus.org/drop/drop.lasso"
echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f $FILE ] && /bin/rm -f $FILE || :
cd /tmp
wget $URL
blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1}')
iptables -N droplist
for ipblock in $blocks
do
iptables -A droplist -s $ipblock -j LOG --log-prefix "DROP List Block"
iptables -A droplist -s $ipblock -j DROP
done
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f $FILE
Call above script from existing firewall script every 24 hrs to update and block list. Every time it's run by crontab it will download the list and reapply the changes. You may need to modify above script to delete droplist chain before applying list. Please note that if you are using Cicso routers, use this script for the same purpose. You can also use CISCO 'null route' command:
ip route <network> <mask> null0
If you don't want to play with iptables, null route all bad ips using following route command under Linux syntax:
# route add <IP> gw 127.0.0.1 lo
# route add -net <IP/mask> gw 127.0.0.1 lo
Try this and you will surprise to see how much spam and other bad stuff can be blocked.
- Email this to a friend
- Printable version
- Rss Feed
- Last Updated: Oct/24/2007
{ 12 comments… read them below or add one }
The script provided for Cisco devices simply updates a text file of the banned netblocks. Are we then supposed to use the cisco-cmd script to add the null routes to our cisco configs?
Jerod,
Yes you need to update or add those ips to null0.
Correct me if I’m wrong, but doesn’t adding
ip route network mask null0only affect traffic leaving my network if said router is the gateway to my LAN?If so, does that add much benefit?
Jerod,
You are dropping all incoming traffic from bad guys .
Are there any metrics, empirical or subjective, measurements on the hit rate of false positives? I’d love to do more to keep the spam out.
Nice posting – expanded on the alternate route and since shorewall is running happily on my servers – why not let that “manage” the drops:
#!/bin/sh#
# Drop all these bad IP's
#
TMPFILE=/tmp/`apg -a 1 -M nc -n 1 -m 26`
touch $TMPFILE
curl -s http://www.spamhaus.org/drop/drop.lasso |grep ^[1-9]|cut -f 1 -d ' ' > $TMPFILE
for IP in `cat $TMPFILE`; do
/sbin/shorewall drop $IP
sleep 5
done
rm $TMPFILE
The sleep statement helps the process from hogging all server resources….
Set this to run via cron twice daily – prefer to be a little paranoid in case of mid-day updates :)
Gregg,
thanks for sharing shorewall script.
I’m getting ready to try this out. There’s one thing that’s not clear to me, though.
This article states specifically
My server is doing everything and it’s brother. Is this going to affect all the other crap this box is doing (well, specifically ssh)?
Joe,
This will only block bad guyes and not ssh, until and unless your IP is one of them ;)
spamming is surely a threat to cyber space. most of the spammers are also hackers and they break into your pc as soon as you click on their email links. in order to fight the spam threat we need a strong spam filters for our emails which secures us from most of the spam mails. i have heard that http://www.zapak.com is one of the good e-mail service provider who gives maximum protection from most of the spam mails, now that is what we internet lovers require.
The script is problematic as a cron job.
It will create redundant drop rules, so every day
iptables will double its rules number.
Just run the script a few times and see.
1st run iptables rules count: 365
2nd run: 592
3rd run: 865
It works well as a cron job, but you need to flush the old rules first. I added the following lines to the top of this script:
#!/bin/bash
iptables -F
./regular_rules
FILE=”/tmp/drop.lasso”
URL=”http://www.spamhaus.org/drop/drop.lasso”
Where regular_rules is a file containing all your standard iptables rules that you want to add the spamhaus rules to each day.
Not sure if i should stop and start the iptables service, i don’t currently, but i guess it’s an easy addition… Thanks for the script…