Spamhaus DROP list

Using DROP List on OSPF capable routers

Distributing the Spamhaus DROP list via OSPF to OSPF-capable routers using the BIRD routing daemon


DROP List

"DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP and EDROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks."

Source: Spamhaus

See DROP list here


Network




Uploading list

Keep the list up to date by running the following script once a day on the BIRD Linux router. Routes must be added with the reject option.

#!/bin/bash

droplist="http://www.spamhaus.org/drop/drop.txt"
reject="reject"

del_count=0
add_count=0

# Remove old entries (the routes installed from the previous drop.txt)
if [[ -f drop.txt ]]
then
    while IFS=";" read -r ip as
    do
        # Lines starting with ";" leave $ip empty and are skipped
        if [[ $ip != "" ]]
        then
            del_count=$((del_count + 1))
            # $ip is left unquoted so trailing whitespace is trimmed
            route del -net $ip $reject
        fi
    done < drop.txt
fi

# Download newest drop list
rm -f drop.txt
wget "$droplist" || exit 1

# Process new list
while IFS=";" read -r ip as
do
    if [[ $ip != "" ]]
    then
        add_count=$((add_count + 1))
        route add -net $ip $reject
    fi
done < drop.txt

now=$(date +"%m-%d-%Y")

echo -e "$now: Removed: $del_count Added: $add_count " >> drop.log
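The script above removes every reject route before downloading, and installs whatever the download contains, so a failed or altered download either drops the filter or blackholes arbitrary prefixes across the OSPF area. The following is an added example, not part of the original page, that validates the list first and then changes only the routes that differ. The function names, `MIN_ENTRIES`, the `drop.txt.old` file name and the /8 minimum prefix length are assumptions of this sketch.

```bash
#!/bin/bash
# Added example (not from the original page). Function names, MIN_ENTRIES,
# drop.txt.old and the /8 sanity threshold are assumptions of this sketch.

# Print the valid IPv4 CIDRs of a DROP-format file ("a.b.c.d/len ; SBLnnn").
# ";" comments, malformed lines, octets > 255 and prefixes shorter than /8
# (e.g. 0.0.0.0/0, which would blackhole everything) are dropped.
parse_drop() {
    sed -e 's/;.*$//' -e 's/[[:space:]]//g' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5>=8 && $5<=32' |
    LC_ALL=C sort -u
}

# Compare the previous list ($1, may be missing) with the new one ($2) and
# print "del <cidr>" / "add <cidr>" lines. Returns 1, printing nothing, when
# the new list has fewer than MIN_ENTRIES valid entries (failed download).
plan_changes() {
    local old new count
    old=$(mktemp) && new=$(mktemp) || return 2
    [ -f "$1" ] && parse_drop "$1" > "$old"
    parse_drop "$2" > "$new"
    count=$(($(wc -l < "$new")))
    if [ "$count" -lt "${MIN_ENTRIES:-1}" ]; then
        rm -f "$old" "$new"
        return 1
    fi
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/del /'
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/add /'
    rm -f "$old" "$new"
}

# Apply the plan with the same "route ... reject" commands the script uses.
apply_changes() {
    local plan op net
    plan=$(plan_changes "$1" "$2") || {
        echo "new DROP list rejected; routes left untouched" >&2
        return 1
    }
    printf '%s\n' "$plan" | while read -r op net; do
        if [ -n "$op" ]; then route "$op" -net "$net" reject; fi
    done
}

# Daily run: apply_changes drop.txt.old drop.txt && cp drop.txt drop.txt.old
```

Setting `MIN_ENTRIES` to a value close to the usual list size makes a truncated download fail the check instead of withdrawing most of the filter.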

BIRD config

Distribute DROP list via OSPF


protocol kernel {
    learn;              # Learn all alien routes from the kernel
    persist;            # Don't remove routes on bird shutdown
    scan time 20;       # Scan kernel routing table every 20 seconds
    import all;         # Default is import all
    export all;         # Default is export none
    # kernel table 5;   # Kernel table to synchronize with (default: main)
}

protocol device {
    scan time 10;       # Scan interfaces every 10 seconds
}

protocol ospf
{
    import all;
    export all;

    area 0 {
        networks {
            192.168.1.0/24;
        };

        interface "eth0" {
            cost 5;
            type pointopoint;
            hello 5; retransmit 2; wait 10; dead 20;

            neighbors {
                192.168.1.10;
            };
        };
    };
};