Protect Your Network from spamming, scanning, harvesting and dDoS attacks with DROP List

by on October 24, 2007 · 15 comments· LAST UPDATED October 24, 2007

in , ,

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

Shell script to apply DROP

Here is a shell script, you need to run on Linux based firewall / router / dedicated Linux web / mail server:

#!/bin/bash
FILE="/tmp/drop.lasso"
URL="http://www.spamhaus.org/drop/drop.lasso"
echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f $FILE ] && /bin/rm -f $FILE || :
cd /tmp
wget $URL
blocks=$(cat $FILE  | egrep -v '^;' | awk '{ print $1}')
iptables -N droplist
for ipblock in $blocks
do
 iptables -A droplist -s $ipblock -j LOG --log-prefix "DROP List Block"
 iptables -A droplist -s $ipblock -j DROP
done
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f $FILE

Call above script from existing firewall script every 24 hrs to update and block list. Every time it's run by crontab it will download the list and reapply the changes. You may need to modify above script to delete droplist chain before applying list. Please note that if you are using Cicso routers, use this script for the same purpose. You can also use CISCO 'null route' command:

ip route <network> <mask> null0

If you don't want to play with iptables, null route all bad ips using following route command under Linux syntax:
# route add <IP> gw 127.0.0.1 lo
# route add -net <IP/mask> gw 127.0.0.1 lo

Try this and you will surprise to see how much spam and other bad stuff can be blocked.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 15 comments… read them below or add one }

1 Jerod Santo October 24, 2007 at 5:07 pm

The script provided for Cisco devices simply updates a text file of the banned netblocks. Are we then supposed to use the cisco-cmd script to add the null routes to our cisco configs?

Reply

2 nixCraft October 24, 2007 at 6:11 pm

Jerod,

Yes you need to update or add those ips to null0.

Reply

3 Jerod Santo October 24, 2007 at 10:05 pm

Correct me if I’m wrong, but doesn’t adding ip route network mask null0 only affect traffic leaving my network if said router is the gateway to my LAN?

If so, does that add much benefit?

Reply

4 nixCraft October 25, 2007 at 12:25 pm

Jerod,

You are dropping all incoming traffic from bad guys .

Reply

5 Joe Klemmer November 9, 2007 at 11:25 pm

Are there any metrics, empirical or subjective, measurements on the hit rate of false positives? I’d love to do more to keep the spam out.

Reply

6 Gregg Lain November 30, 2007 at 12:34 pm

Nice posting – expanded on the alternate route and since shorewall is running happily on my servers – why not let that “manage” the drops:

#!/bin/sh
#
# Drop all these bad IP's
#
TMPFILE=/tmp/`apg -a 1 -M nc -n 1 -m 26`
touch $TMPFILE
curl -s http://www.spamhaus.org/drop/drop.lasso |grep ^[1-9]|cut -f 1 -d ' ' > $TMPFILE
for IP in `cat $TMPFILE`; do
/sbin/shorewall drop $IP
sleep 5
done
rm $TMPFILE

The sleep statement helps the process from hogging all server resources….

Set this to run via cron twice daily – prefer to be a little paranoid in case of mid-day updates :)

Reply

7 nixCraft November 30, 2007 at 2:49 pm

Gregg,

thanks for sharing shorewall script.

Reply

8 Joe Klemmer December 4, 2007 at 11:58 pm

I’m getting ready to try this out. There’s one thing that’s not clear to me, though.

This article states specifically

you need to run on Linux based firewall / router / dedicated Linux web / mail server

My server is doing everything and it’s brother. Is this going to affect all the other crap this box is doing (well, specifically ssh)?

Reply

9 nixCraft December 5, 2007 at 1:55 am

Joe,

This will only block bad guyes and not ssh, until and unless your IP is one of them ;)

Reply

10 Ashi January 11, 2008 at 9:24 am

spamming is surely a threat to cyber space. most of the spammers are also hackers and they break into your pc as soon as you click on their email links. in order to fight the spam threat we need a strong spam filters for our emails which secures us from most of the spam mails. i have heard that http://www.zapak.com is one of the good e-mail service provider who gives maximum protection from most of the spam mails, now that is what we internet lovers require.

Reply

11 Me January 31, 2008 at 11:01 am

The script is problematic as a cron job.
It will create redundant drop rules, so every day
iptables will double its rules number.

Just run the script a few times and see.
1st run iptables rules count: 365
2nd run: 592
3rd run: 865

Reply

12 Hamish February 19, 2008 at 11:17 am

It works well as a cron job, but you need to flush the old rules first. I added the following lines to the top of this script:
#!/bin/bash
iptables -F
./regular_rules
FILE=”/tmp/drop.lasso”
URL=”http://www.spamhaus.org/drop/drop.lasso”

Where regular_rules is a file containing all your standard iptables rules that you want to add the spamhaus rules to each day.

Not sure if i should stop and start the iptables service, i don’t currently, but i guess it’s an easy addition… Thanks for the script…

Reply

13 Firas April 9, 2010 at 12:23 pm

Should we add the script in all our vps ? or just the node ?

Reply

14 Christian September 14, 2011 at 2:42 pm

This script could be a little more secure. I.e. use a random tmp and clean up handler. Also the list processing can be done in bash (not awk needed.)

#!/bin/bash
URL="http://www.spamhaus.org/drop/drop.lasso"
drop=/tmp/drop.lasso.$$.$RANDOM
trap "rm -f $drop" EXIT
echo -n "Applying DROP list to existing firewall..."
wget -q -O $drop $URL
blocks=$(cat $drop | egrep -v '^;' | while read line ; do echo ${line%%;*} ; done)
...

Reply

15 Stove August 24, 2013 at 12:46 pm

I thought this script sounded like a good idea. I decided to tail my mail log ‘tail /var/log/exim_mainlog -f’ and check some of the IP addresses against the blacklist to see if they would have been blocked. I checked the next 20 IP’s that Spam Assassin flagged as spam and none of the IP’s were in the SpamHaus list. Back to the drawing board. I think that the way Spam Assassin rate limits offending IP’s is pretty effective anyway.

Reply

Leave a Comment

Tagged as: , , , , , , , , ,

Previous post:

Next post: