Here's a list of proxy IPs to help block KillNet's DDoS bots

A free tool is helping organizations defend against KillNet distributed-denial-of-service (DDoS) bots, and comes as the US government issued a warning that the Russian cybercrime gang is stepping up its network flooding attacks against hospitals and health clinics. At current count, the KillNet open proxy IP blocklist …

  1. VoiceOfTruth

    Others worth adding

    Looking through our logs, we only ever saw malicious traffic from Linode and DigitalOcean. We never saw even one legitimate connection from those two. Now we just block all traffic from them. Occasionally we find a new network range they have introduced, and that goes straight on the firewall to block.

    1. Kevin McMurtrie Silver badge

      Re: Others worth adding

      DigitalOcean has been a non-stop DDoS since December 2022 and their abuse contact is a bot that tells you you've been ignored. They're the one network that isn't recovering from whatever infection went around late last year. Even dirty hosts like GoDaddy, Tencent, OVH, and Chunghwa have done better. I'm betting their big peer NTT is OK with that because they sell intrusion protection services.

      This is what public records for one little /24 look like: 192.241.199.0/24

      DigitalOcean has tons of /16 allocations so the scale of the attacks is enormous.

      Linode is not so bad. Maybe they're not proactive but they'll terminate hostile hosts when you report them.

    2. IGotOut Silver badge

      Re: Others worth adding

      "Occasionally we find a new network range they have introduced, and that goes straight on the firewall to block."

      Luckily I use Cloudflare as a front-end, so adding ASNs saves a hell of a lot of typing.

  2. vogon00

    '17746 lines'* of address:port to wade through?

    The boss will never go for the time that'll take, even with scripting..... doing '-A INPUT -s 0.0.0.0/0 -j DROP' will be so much quicker and safer, and the staff will thank me for a quiet day.

    OK, that covers IPv4........where's that IPv6 list?

    [* At time-of-clicking ]

    1. Victor Ludorum
      WTF?

      Use a script carefully

      I've just taken a look, it's now up to 17920 entries, BUT some of them are in 0.x.x.x subnet...

      And there's at least one in 10.x.x.x.

      Sanitise the list before using it.

      1. vogon00

        Re: Use a script carefully

        @Victor Ludorum:

        "Sanitise the list before using it."

        Always. I don't even trust my OWN data most of the time, let alone anyone else's inputs :-)

        Not that I'm actually going to drop 0.0.0.0/0 .... I should have put the 'joke' icon on. It looks like I've been reading too much BOFH, for too long, and I'm having "neticidal" thoughts. Not very professional of me:-)

        1. Claptrap314 Silver badge

          Re: Use a script carefully

          Around here? https://pics.onsizzle.com/user-friendly-by-illiad-logged-in-to-l337-h4x0rs-miranda-you-62908215.png
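One way to apply the "Sanitise the list before using it" advice from the thread above, as an added example that is not any commenter's or the blocklist maintainer's code. It assumes the `address:port` line format mentioned in the comments; the names `sanitise`, `NEVER_BLOCK` and `protect` are hypothetical, and the sample entries are constructed from documentation address ranges.

```python
import ipaddress

# Ranges that should never end up in a drop rule: "this network", RFC 1918,
# CGNAT, loopback, link-local, multicast and reserved space. For production use
# also add the documentation ranges; they are left out here only so that the
# constructed sample below can use them as stand-ins for real entries.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

def sanitise(lines, protect=()):
    """Return (sorted unique IPv4 strings to block, [(line, reason)] rejected).

    protect (hypothetical parameter): CIDRs of your own or partner networks.
    """
    protected = NEVER_BLOCK + [ipaddress.ip_network(n) for n in protect]
    keep, rejected = set(), []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep:                      # bare address without a port
            host, port = line, ""
        try:
            addr = ipaddress.IPv4Address(host)
        except ValueError:
            rejected.append((line, "not an IPv4 address"))
            continue
        if sep and not (port.isdecimal() and 0 < int(port) < 65536):
            rejected.append((line, "bad port"))
            continue
        hit = next((n for n in protected if addr in n), None)
        if hit is not None:
            rejected.append((line, f"inside {hit}"))
            continue
        keep.add(addr)                   # the port is dropped: block per source IP
    return [str(a) for a in sorted(keep)], rejected

# Constructed sample, not taken from the real blocklist.
SAMPLE = ["203.0.113.7:8080", "203.0.113.7:3128", "0.12.34.56:80",
          "10.0.0.5:1080", "198.51.100.23:99999", "198.51.100.23:8080",
          "not-an-ip:80", "192.0.2.44:443"]

if __name__ == "__main__":
    block, bad = sanitise(SAMPLE, protect=["192.0.2.0/24"])
    print("block:", block)
    for line, reason in bad:
        print("rejected:", line, "->", reason)
```

Review the rejected lines by hand rather than discarding them silently; a feed that suddenly contains private or reserved addresses is itself worth noticing.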
