
Blacklist battle. AbuseIpDb vs. Firehol.

The previous time I ran this experiment, I compared the effectiveness of abuseIpDb's top 10k blacklist to the blacklists provided by SANS. Combined, they were able to block 51.8% of the sources sending unwanted traffic. AbuseIpDb was the clear winner, blocking 41.1% of those sources on its own.

In this iteration, I compared the abuseIpDb blacklist to another free blacklist, firehol.

The results

Again, I let the machine ‘listen’ for exactly 24 hours and here are the results:

The total number of undesired packets received:

# cat r3kt.log | grep "Entry" | wc -l
8121

A total of 8121 undesired packets in 24 hours equates to roughly 5.6 packets per minute, or one every 10.6 seconds.

The top 20 ports scanned for:

# cat r3kt.log | grep "Entry" | egrep -o 'DPT=\S*' | sort | uniq -c | sort -r | head -n 20 | cat -n
     1      331 DPT=23
     2      289 DPT=22
     3      200 DPT=6379
     4      187 DPT=5555
     5      164 DPT=8088
     6      122 DPT=1433
     7      117 DPT=80
     8       83 DPT=5060
     9       81 DPT=8080
    10       79 DPT=2375
    11       73 DPT=443
    12       64 DPT=2376
    13       62 DPT=123
    14       55 DPT=3389
    15       54 DPT=445
    16       44 DPT=53
    17       32 DPT=389
    18       28 DPT=10443
    19       27 DPT=161
    20       23 DPT=8081

Telnet (23), SSH (22) and Redis (6379) once again were the top ports scanned for.

The top 20 IPs generating unwanted traffic:

# cat r3kt.log | grep "Entry" | egrep -o 'SRC=\S*' | sort | uniq -c | sort -r | head -n 20 | cat -n
     1      323 SRC=104.152.52.28
     2      126 SRC=162.142.125.157
     3      115 SRC=162.142.125.150
     4      112 SRC=162.142.125.153
     5      111 SRC=162.142.125.151
     6      110 SRC=162.142.125.156
     7      109 SRC=162.142.125.159
     8      109 SRC=162.142.125.155
     9      108 SRC=162.142.125.148
    10      105 SRC=162.142.125.149
    11      104 SRC=162.142.125.145
    12      101 SRC=162.142.125.147
    13      101 SRC=162.142.125.146
    14      100 SRC=162.142.125.152
    15       98 SRC=162.142.125.144
    16       97 SRC=162.142.125.154
    17       94 SRC=162.142.125.158
    18       86 SRC=106.111.169.50
    19       80 SRC=49.83.206.139
    20       62 SRC=185.153.196.70

Again, the scanners from the Censys subnet generated the overwhelming majority of the unwanted traffic. One IP that performed a scan of popular ports took the #1 position.

# whois 162.142.125.0
...
NetRange: 162.142.125.0 - 162.142.125.255
...
Organization: Censys, Inc. (CENSY)
...

Since it is clear that some sources generate a lot more traffic than others, it is best to look at the data from a “per source address” rather than a “per connection attempt” perspective.

The total number of sources that sent undesired traffic:

# cat r3kt.log | egrep -o 'SRC=\S*' | sort | uniq | wc -l
2101

Number of sources not caught by the firewall:

# cat r3kt.log | grep 'Exit' | egrep -o 'SRC=\S*' | sort | uniq | wc -l
669

Number of sources caught by all the blacklists combined:

# cat r3kt.log | grep 'abuseIpDb\|firehol' | egrep -o 'SRC=\S*' | sort | uniq | wc -l
1432

1432 out of a total of 2101 is an effective block rate of 68.2%, an improvement of 16.4% over the effective block rate of 51.8% achieved by the abuseIpDb/SANS combination.

Number of sources caught by each blacklist individually:

# cat r3kt.log | grep 'abuseIpDb' | egrep -o 'SRC=\S*' | sort | uniq | wc -l
832

# cat r3kt.log | grep 'firehol' | egrep -o 'SRC=\S*' | sort | uniq | wc -l
1367

  • The abuseIpDb blacklist managed to block 39.6% of the unwanted traffic sources, a decrease of 1.5% when compared to the previous round.
  • Of all the sources detected by the abuseIpDb blacklist, only 65 were not detected by the SANS blacklist.
  • The clear winner in this case was the firehol blacklist, which managed to block 65.1% of the unwanted traffic sources. Well done!
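The pipelines above compute each figure with a separate grep/sort/uniq run. As an added example (not part of the original write-up), the script below does the same per-packet and per-source counting in one pass, and also derives the two numbers the pipelines cannot give directly: how many sources only one list caught, and whether the "Exit" sources plus the caught sources add up to the total (669 + 1432 = 2101 above). The r3kt.log layout is an assumption: iptables LOG-style lines tagged "Entry", "Exit", "abuseIpDb" or "firehol"; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of r3kt.log lines (assumed iptables LOG-style layout): every packet
# is logged as "Entry", then as "abuseIpDb" / "firehol" if a list matched, or as "Exit".
SAMPLE_LOG = """\
kernel: r3kt Entry IN=eth0 SRC=198.51.100.10 PROTO=TCP DPT=23
kernel: r3kt abuseIpDb IN=eth0 SRC=198.51.100.10 PROTO=TCP DPT=23
kernel: r3kt Entry IN=eth0 SRC=198.51.100.11 PROTO=TCP DPT=22
kernel: r3kt firehol IN=eth0 SRC=198.51.100.11 PROTO=TCP DPT=22
kernel: r3kt Entry IN=eth0 SRC=198.51.100.12 PROTO=TCP DPT=6379
kernel: r3kt Exit IN=eth0 SRC=198.51.100.12 PROTO=TCP DPT=6379
kernel: r3kt Entry IN=eth0 SRC=198.51.100.14 PROTO=TCP DPT=23
kernel: r3kt abuseIpDb IN=eth0 SRC=198.51.100.14 PROTO=TCP DPT=23
kernel: r3kt firehol IN=eth0 SRC=198.51.100.14 PROTO=TCP DPT=23
"""

TAG_RE = re.compile(r"\b(Entry|Exit|abuseIpDb|firehol)\b")
SRC_RE = re.compile(r"SRC=(\S+)")
DPT_RE = re.compile(r"DPT=(\S+)")


def analyse(log_text, lists=("abuseIpDb", "firehol")):
    packets, ports = 0, Counter()          # per-packet view (the "Entry" lines)
    sources, exited = set(), set()         # per-source view: all sources / sources nothing caught
    caught = {name: set() for name in lists}
    for line in log_text.splitlines():
        tag, src = TAG_RE.search(line), SRC_RE.search(line)
        if not (tag and src):
            continue  # not a firewall log line in the expected layout
        kind, ip = tag.group(1), src.group(1)
        sources.add(ip)
        if kind == "Entry":
            packets += 1
            ports.update(DPT_RE.findall(line))  # one DPT= per line, if present
        elif kind == "Exit":
            exited.add(ip)
        else:
            caught[kind].add(ip)
    combined = set().union(*caught.values())
    pct = lambda n: round(100.0 * n / len(sources), 1) if sources else 0.0
    per_list = {}
    for name, ips in caught.items():
        others = set().union(*(s for n, s in caught.items() if n != name))
        per_list[name] = {"caught": len(ips), "rate": pct(len(ips)), "only_here": len(ips - others)}
    return {"packets": packets, "top_ports": ports.most_common(20),
            "sources": len(sources), "not_caught": len(exited),
            "caught_combined": len(combined), "rate": pct(len(combined)),
            # every source must be either an "Exit" or caught by a list (669 + 1432 = 2101 above)
            "consistent": len(exited) + len(combined) == len(sources),
            "per_list": per_list}
```

Run it on the real file with `analyse(open("r3kt.log").read())`; a `consistent` value of False means some packets were logged under a tag the script does not know, which is worth checking before trusting the block rates.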
