Bad actors on the Web... Start blocking IP addresses...



AplusWebMaster
2011-12-19, 14:54
FYI... updated 5 Dec 2012:

Malware samples on the Web and on malicious sites have reached levels near 95 million*, with over 100,000 new malicious programs every day.
* http://www.av-test.org/en/statistics/malware/

You can use any of several methods to block some of these "Bad actors", 'not suggesting any of which are 100%, but this is a good place to start. One way (for example) would be utilizing the AdBlockPlus** browser extension (updated to v2.2.1 for FF):
** https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

... then creating/adding a "Custom filter" that can include simple IP address blocks:
> https://adblockplus.org/blog/blocking-malicious-sites-with-adblock-plus

... with good reason:
- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."
i.e.: https://zeustracker.abuse.ch/blocklist.php
"... some ZeuS hosts are just hosted on an ip address and not on a domain..."

Google - Infected sites discovered monthly
- http://2.bp.blogspot.com/-NdmiLOfBQpo/T9mVbbSqMcI/AAAAAAAACSY/p9B-jzuh1jA/s500/malware-landing.png
June 19, 2012

Google - Phishing sites discovered monthly
- http://1.bp.blogspot.com/-VrIyBqxOokI/T9mTxXnBkMI/AAAAAAAACSI/kVg1acMfNaw/s500/phishing.png
June 19, 2012

> http://googleonlinesecurity.blogspot.com.au/2012/06/safe-browsing-protecting-web-users-for.html
___

Whatever method you choose, here are a few IP address blocks that you may want to include:
1. AS:48691 Specialist: SQL injections, malicious software // IP: 194.28.112-115.*
- http://blog.dynamoo.com/2011/12/evil-network-revisited-specialist-ltd.html
12 December 2011
2. AS:43473 UKRSTAR:
- http://blog.dynamoo.com/2011/12/evil-network-ukrstar-isp-ukrstar-net.html
12 December 2011 - "... there appear to be no legitimate sites here and blocking the whole lot could save you some grief..."
91.195.10.0 - 91.195.11.255 [ 91.195.10-11.* ]
3. Blackhole Exploit kits:
- http://blog.dynamoo.com/2011/11/bredretru-domains-to-block.html
23 November 2011
195.254.135.72 (FastWeb SRL, Romania. Recommend blocking 195.254.134.0/23)
[195.254.134-135.*]
89.208.34.116 (Digital Networks SRL, Russia. Recommend blocking 89.208.34.0/24)
[89.208.34.*]
95.163.89.193 (Digital Networks JSC, Russia. Recommend blocking 95.163.64.0/19)
[95.163.64-89.*]
4. https://zeustracker.abuse.ch/blocklist.php
(Several different formats there.)

'Not suggesting that is an "all-inclusive list", but it may be a good place to get started.

* https://adblockplus.org/blog/blocking-malicious-sites-with-adblock-plus
> https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

AplusWebMaster
2012-12-05, 18:27
FYI...

Malware samples on the Web and on malicious sites have reached levels over 100 million*, with over 100,000 new malicious programs every day.
* http://www.av-test.org/en/statistics/malware/
Last update: 01-27-2013

You can use any of several methods to block some of these "Bad actors", 'not suggesting any of which are 100%, but this is a good place to start. One way (for example) would be utilizing the AdBlockPlus** browser extension (updated to v2.2.2 for FF):
** https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

... then creating/adding a "Custom filter" that can include simple IP address blocks:
> https://adblockplus.org/blog/blocking-malicious-sites-with-adblock-plus

... with good reason:
- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... be aware that malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."
i.e.: https://zeustracker.abuse.ch/blocklist.php
"... some ZeuS hosts are just hosted on an ip address and not on a domain..."

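Added example, not code from either post above nor from the Adblock Plus project: the script below takes the IP blocks listed in the 2011-12-19 post (transcribed here as a constructed list, in the post's own "a.b.c-d.*" / CIDR / "first - last" notations), expands them into Adblock Plus custom-filter lines (the generic `||` domain-anchor plus `^` separator syntax, one line per /24; assumed to be what a custom filter for an IP range looks like, not necessarily the exact lines the linked ABP blog post shows), and checks a URL's host against the ranges. The check covers the case both posts quote from the ISA and ZeuS Tracker notes: malware that names its host by IP address rather than by domain. The sample URLs in the test are constructed.

```python
"""Turn the IP blocks from the thread into Adblock Plus filter lines and
check URLs against them.  Added example; not the posts' or ABP's own code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Blocks as written in the 2011-12-19 post (constructed transcription).
THREAD_BLOCKS = [
    "194.28.112-115.*",             # AS48691 Specialist Ltd
    "91.195.10.0 - 91.195.11.255",  # AS43473 UKRSTAR
    "195.254.134.0/23",             # FastWeb SRL, Romania (Blackhole)
    "89.208.34.0/24",               # Digital Networks SRL, Russia (Blackhole)
    "95.163.64.0/19",               # Digital Networks JSC, Russia (Blackhole);
                                    # a /19 spans 95.163.64.0 - 95.163.95.255
]

# "a.b.c.*" or "a.b.c-d.*": third octet may be a range, fourth is wildcard.
_OCTET_RANGE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\.\*$")


def parse_block(spec):
    """Parse one block spec into a list of IPv4Network objects.

    Accepts CIDR ("a.b.c.0/23"), the post's "a.b.c-d.*" shorthand,
    "first - last" ranges, or a bare address (treated as a /32 host).
    """
    spec = spec.strip()
    if "/" in spec:
        return [ipaddress.ip_network(spec, strict=False)]
    m = _OCTET_RANGE.match(spec)
    if m:
        a, b, c, d = m.group(1), m.group(2), m.group(3), m.group(4) or m.group(3)
        first = ipaddress.ip_address(f"{a}.{b}.{c}.0")
        last = ipaddress.ip_address(f"{a}.{b}.{d}.255")
        return list(ipaddress.summarize_address_range(first, last))
    if " - " in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split(" - ", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec)]  # single host -> /32


def thread_networks():
    """All blocks from the thread as a flat list of networks."""
    nets = []
    for spec in THREAD_BLOCKS:
        nets.extend(parse_block(spec))
    return nets


def abp_filters(networks):
    """Emit one ABP custom-filter line per /24 ("||a.b.c.*^") or per host
    ("||a.b.c.d^") for networks smaller than a /24.  "||" anchors at the
    start of the host, "^" matches a separator or end of address, so the
    pattern matches http://a.b.c.d/... whatever port or path follows."""
    lines = []
    for net in networks:
        if net.prefixlen > 24:
            lines.extend(f"||{host}^" for host in net)
        else:
            for sub in net.subnets(new_prefix=24):
                a, b, c, _ = str(sub.network_address).split(".")
                lines.append(f"||{a}.{b}.{c}.*^")
    return lines


def host_ip(url):
    """Return the IPv4 address a URL names directly, or None when the URL
    uses a hostname (a domain list, not an IP list, is what catches those)."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a domain name, not a literal address
    return ip if ip.version == 4 else None


def is_blocked(url, networks):
    """True when the URL's host is a literal IPv4 inside one of the blocks."""
    ip = host_ip(url)
    return ip is not None and any(ip in net for net in networks)


if __name__ == "__main__":
    nets = thread_networks()
    print(f"{len(nets)} networks, {sum(n.num_addresses for n in nets)} addresses")
    for line in abp_filters(nets):
        print(line)
```

Paste the printed lines into the ABP "Custom filters" tab. Two caveats a practitioner would want: the filter only sees the URL, so a domain that resolves into one of these ranges is not caught (pair the IP list with a domain list such as the ZeuS Tracker one), and a URL that writes the address in decimal or hex form (`http://0x59D02274/`) is not recognised as an address by this parser even though a browser will happily connect to it.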