Community discussions

 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

MOAB mother of all blacklists

Fri Aug 03, 2018 10:26 pm

I am launching a Blacklist service for MikroTik Routers called MOAB -- the service costs US $60 per year, payable via PayPal.

I am offering 20 users from the MikroTik community a chance to try out this service free of charge up to September 30, 2018

If you want to be part of this free trial period please contact me via email at mozerd@itexpertoncall.com -- the prerequisites.

You can learn about MOAB here
Last edited by mozerd on Mon Aug 06, 2018 7:01 pm, edited 2 times in total.
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sat Aug 04, 2018 2:32 am

Pokornik, I am not able to respond to your request because your address has been identified as a spammer by sorbs.net
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sat Aug 04, 2018 11:39 pm

FYI, so far 8 users have subscribed to the Free Trial period that expires on September 30, 2018, so only 12 spots are still available.
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Aug 05, 2018 4:45 pm

 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 06, 2018 7:05 pm

As of today August 6, 2018 12 users have signed up for the free trial period that expires on September 30, 2018

So I have 8 remaining slots open.

If you have any Questions I will be happy to answer in THIS thread.
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 2:09 am

A number of users have contacted me via email and requested that I make the prerequisites a little clearer to understand. I have now done that, so please check the link again, and thanks to ALL for the feedback. Updated Prerequisites
 
vecernik87
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 6:04 am

Sorry but I can't help myself not to ask a couple of questions:
1) Can you clear up a little bit how the user/owner of the router handles security - i.e. limiting your RSC so it cannot create new users, open ports etc.? Downloading a 3rd party RSC can cause unpredictable and serious issues as it can completely rule the device.
If it is really just a blacklist, you can distribute it as a txt/csv list of addresses. Everyone can easily create a script to download and implement the list on a scheduled basis. That way, every user knows exactly what the script does and there is a guarantee that it will not do anything else because it is not capable of anything else.

2) I can see that you offer for example the hAP ac^2 as a "capable router firewall appliance". What performance impact can be expected on such a device after you add those 600 million IPs? Are there some test results based on a clearly defined scenario which can be replicated by everyone so we can confirm those numbers?
 
normis
MikroTik Support
Posts: 23597
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:04 am

If it is really just a blacklist, you can distribute it as a txt/csv list of addresses
Then they can post it on the web, so that others don't need to pay.

But yeah, I think there should be some other way to distribute config. TR-069? Fetch?
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:30 am

A blocklist for MikroTik should be distributed using DNS address lists.
There are two limitations of that method:

- when the blocklist contains subnets, there is no efficient method to transfer them.
solution: MikroTik should look up TXT records besides A records, and when they are valid textual subnet notation, load them.
like: IN TXT 192.168.0.0/24

- the number of DNS entries returned is limited too much. I think the limit is in the built-in DNS resolver, which has a limit on reply size.
(the actual number of addresses varies depending on the length of the DNS name used to query them)

I hope MikroTik addresses these limitations so it will be easier to manage address lists on many routers.
 
inframe
just joined
Posts: 10
Joined: Tue May 13, 2014 10:20 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:33 am

The idea of an updatable list of blackholes is interesting!
Can I use updatable lists through an external BGP routing server?
 
inframe
just joined
Posts: 10
Joined: Tue May 13, 2014 10:20 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:41 am

The inverse principle! Works quite reliably!
https://habr.com/post/354282/
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:44 am

The idea of an updatable list of blackholes is interesting!
Can I use updatable lists through an external BGP routing server?
It is possible, but it is quite impractical because you need another step to transfer the information from the
routing table maintained by BGP to a place where you can actually use it, i.e. an address list.
Maybe another useful feature suggestion: an address-list item that refers to a routing-table name, and that
automatically gets loaded by all addresses that appear in that routing table.

Another problem is that a BGP association is always 2-way so you both need to set the address of the central
server providing the information AND in the central server YOUR IP address has to be configured. That is a
problem when your IP address is not static. This could be overcome by setting up a VPN that allows a dynamic
client address (L2TP/IPsec, SSTP, OpenVPN) but that adds yet another layer of complexity.
 
Steveocee
Forum Veteran
Posts: 896
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 11:10 am

/watching

Interested to see feedback from those using this.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 11:53 am

1) Can you clear up a little bit how the user/owner of the router handles security - i.e. limiting your RSC so it cannot create new users, open ports etc.? Downloading a 3rd party RSC can cause unpredictable and serious issues as it can completely rule the device.

If it is really just a blacklist, you can distribute it as a txt/csv list of addresses. Everyone can easily create a script to download and implement the list on a scheduled basis. That way, every user knows exactly what the script does and there is a guarantee that it will not do anything else because it is not capable of anything else.

2) I can see that you offer for example the hAP ac^2 as a "capable router firewall appliance". What performance impact can be expected on such a device after you add those 600 million IPs? Are there some test results based on a clearly defined scenario which can be replicated by everyone so we can confirm those numbers?
Thanks for the excellent questions.
1) Your point is very valid. Since I am not running a criminal enterprise, the subscriber to my service will need to have explicit trust that my blacklist scripts will not violate their trust. People who subscribe to my service do not want to create or manage their blacklists.
2) Currently, I have a small number of users with hAP ac2 devices [and hEX], subscribing to MOAB, who - so far - are very pleased with the performance in their environments. The hAP ac2 that I install/configure clearly outlines the limitations, i.e., it supports up to 5 users + all needed peripherals -- while the hEX that I install/configure supports 10 users and up to 20 connected devices --- I have not done any benchmarks under load -- I much prefer that my users report back to me if there are performance issues. Perhaps some will come here and provide their endorsement -- most [if not all] are very busy with their lives.

MOAB is derived from FireHOL, which I make clear in my advertising -- you can check it out here

[EDIT] I did fail to mention that I do have ONE user located in Northern Europe who supports a large number of CCRs in the field who has been using MOAB [for the last 2 months], all of them supporting several thousand users. I just requested that he come here and post his experiences but -- so far -- he has declined to do so, and he requested that I be vague so I cannot state exactly where he is located. He could very easily run his own blacklist mechanism and is well aware of FireHOL as many others are -- he got a significant discount based on his number of routers -- he chose to subscribe and so far he seems very pleased -- no one in his group is complaining of any performance issue attributed to MOAB.
Last edited by mozerd on Thu Aug 09, 2018 10:30 pm, edited 2 times in total.
 
vecernik87
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 12:24 pm

@normis:
Then they can post it on the web, so that others don't need to pay.
I was wondering who would come up with this idea :D
Well, this is a common issue for all services - making sure that users will not share the product. In this case, it simply can't be done. If users can manage the router, then they have access to those rules and they can export them and share them. RSC can't protect it at all.
For example Snort.org has a nice approach of giving a basic list of rules for free and limiting the better, up-to-date list to subscribed users.

Though, I still don't think it is a good idea to simply block so many IP addresses. The chance of a false positive is too high and it will end up similarly to sorbs.net - easy to get in, hard to get out, legit services blocked, nobody to blame...

@mozerd:
Thanks for the reply! I really appreciate it.
1) I have no doubt that your intentions are pure and you don't plan to hack your customers; however, some man-in-the-middle or even an angry employee can feel differently about this. We unfortunately don't live in a perfect world and attacks are happening. It would be quite sad to inadvertently help attackers while you are trying to stop them, just because your script had too much access.

2) I see. If you ever get any benchmark (a simple iperf test with a {transmitter}--{device under test}---{receiver} layout would be great), let us know. Or - if you want - I am willing to do this and share my findings. I understand you offered a free trial for local users. I am not really interested in a full-blown subscription or even a prolonged trial, but if it helps, I can simply dedicate one of my testing routers and try it for a couple of days and then give you the trial licence back. Let me know if this sounds interesting. If yes, I will send the request via email.

Anyway, I wish you and your business all the best. Hopefully, you will encounter any security issues :)
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 12:46 pm

@mozerd:
2) I see. If you ever get any benchmark (a simple iperf test with a {transmitter}--{device under test}---{receiver} layout would be great), let us know. Or - if you want - I am willing to do this and share my findings. I understand you offered a free trial for local users. I am not really interested in a full-blown subscription or even a prolonged trial, but if it helps, I can simply dedicate one of my testing routers and try it for a couple of days and then give you the trial licence back. Let me know if this sounds interesting. If yes, I will send the request via email.
Yes I am interested -- please do send in your request based on the MOAB Prerequisites -- I appreciate your participation and look forward to the results of your testing.
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 1:43 pm

Though, I still don't think it is a good idea to simply block so many IP addresses. The chance of a false positive is too high and it will end up similarly to sorbs.net - easy to get in, hard to get out, legit services blocked, nobody to blame...
Of course it has zero functionality. Block some people because they appear to have bad intentions, and as a result block some legitimate users and still allow a lot of people with really bad intentions into your system because they happen to be not (yet) on the list.

However, I am interested in general mechanisms to manage large address lists under RouterOS, hence my additions to the topic.
Hopefully some method will become available that works better than importing a .rsc file. Preferably a DNS based address list
"without" limits (or more reasonable limits).
 
anav
Forum Guru
Posts: 1122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 7:15 pm

Great concept!!
Much thanks, and I have been using it with no issues.

When I first started out on my hEX, on my own, I found some available FireHOL lists...... and started reading about Spamhaus, dshield, malcode, country lists and other lists.
They would all pump out files to use.
Then I came across Josh Haven..........
http://joshaven.com/resources/tricks/mi ... ress-list/
Wow, a resource that looked at some major lists (not countries though) and provided them in an almost ready to use format.

There are lots of efforts and scripts out there, so don't bash the author and try the alternatives as they may work for you.
viewtopic.php?t=104020 (dated 2016)

viewtopic.php?f=9&t=136666 (Dave is working on this one, based on an older effort, and it may hold some promise but does speak to the challenges of setting this up properly and it takes time and money).

In summary, if someone wants to provide a stable, server based blacklist for free that is tailored to one's equipment and seems to grab the best of what's available out there, then I and many others would be very grateful. (Normis seems almost ready to volunteer, seeing as it's so easy.............. )

In the meantime I will continue to use the service here that is so low cost - less than what I pay for coffee at Tim Hortons in a month. Since it's not tied to a service offering that could disappear at any time (josh), and is one that is more complete, and is supported by someone who is looking after many clients (a responsible individual) and is not in the business of increasing their security risk (plus being Canadian lol), I am not worried about such issues. I am more concerned about a gazillion other sites which I use for transactions, and MikroTik for their next security blunder LOL.

I am also investigating another avenue, which purports to access 'closed' lists and does layer 7 programming and targets TOR nodes.
You get what you pay for though as it is also not free. Seems very good so far.
https://axiomcyber.com/shield/
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Aug 09, 2018 10:33 pm

FYI update -- I still have 7 slots open for the Free Trial Period that expires September 30, 2018

If you want to participate in the free trial then PLEASE review the MOAB prerequisites link and send me an email with the information requested. If you have any questions post them here. My email address is found in the first opening post of this thread.
 
vecernik87
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 9:00 am

Hi,
I finally had a chance to test the service and I must say that the performance impact on the hAP ac^2 was negligible.

All tests were done with iperf on Ubuntu. I used TCP connections and default window sizes (512k) and always performed 2 tests - one with the "-r" param for separate RX/TX testing, the second with the "-d" param for a duplex test where RX and TX were tested at the same time.

Directly connected computers:
  • TX = 914Mbps
  • RX = 939Mbps
  • Duplex TX = 703Mbps
  • Duplex RX = 677Mbps

In following tests, TX means LAN -> NAT -> WAN , RX means WAN -> NAT -> LAN

Defconf without fasttrack:
  • TX = 574Mbps
  • RX = 579Mbps
  • Duplex TX = 388Mbps
  • Duplex RX = 376Mbps

Defconf with fasttrack:
  • TX = 923Mbps
  • RX = 933Mbps
  • Duplex TX = 777Mbps
  • Duplex RX = 620Mbps

MOAB without fasttrack:
  • TX = 523Mbps
  • RX = 509Mbps
  • Duplex TX = 264Mbps
  • Duplex RX = 331Mbps

MOAB with fasttrack:
  • TX = 928Mbps
  • RX = 937Mbps
  • Duplex TX = 786Mbps
  • Duplex RX = 586Mbps

I am aware that my computers were probably not strong enough to handle a full gigabit of iperf traffic. Unfortunately, I couldn't do better.
Anyway, as you can see, the hAP ac^2 handles the list really well. Especially when you have fasttrack enabled, there is literally no difference between defconf and MOAB. Without fasttrack MOAB causes approximately 50Mbit of speed reduction against defconf. This will obviously be noticeable only if your router is already a bottleneck and your connection is faster than your router can handle.

A couple of other things I noticed:
  • As you can read from the MOAB prerequisite page, you are supposed to manually add two "drop" rules - one in the Raw table, the second in the Filter table
    • The Raw drop rule uses a list of approximately 11 thousand entries
    • The Filter drop rule uses a list of approximately 6 thousand entries
    • Drop rules are based on interface, instead of interface-list. However, the "bogon exclusion list" rule is based on interface-list=WAN. I believe it would be better to use the same approach for all rules.
  • Downloads are protected by HTTP-Auth, so your initial setting script contains the username and password to access the data
  • As I was worried earlier, the list is really distributed as an RSC full of commands to add entries. This might be better optimized by distributing a simple text file and parsing it directly in the router. It will make the downloaded file smaller and also remove the possible risk of downloading a malicious script
  • There is some attempt to minimize downloading by first fetching smaller TXT files which either have some content or are empty. However, as there are no parameters submitted while downloading these "diff" files, they simply cannot truly represent the difference between the settings already applied in the router and the current list on the server. What "diff" it really represents is a pure mystery to me
    • if I manually ran the downloader script again and again, my lists were downloaded again and again (but they should not be, as I already had the newest version applied)
    • I would expect the diff file to be dynamically generated based on the last version downloaded by the specified username. That would obviously require some back-end with a database to store which version was downloaded by each user last time

Finally, I would like to thank Mozerd for providing free trial so I was able to do the test.
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 3:15 pm

A couple of other things I noticed:
  • Downloads are protected by HTTP-Auth, so your initial setting script contains the username and password to access the data
  • As I was worried earlier, the list is really distributed as an RSC full of commands to add entries. This might be better optimized by distributing a simple text file and parsing it directly in the router. It will make the downloaded file smaller and also remove the possible risk of downloading a malicious script
  • There is some attempt to minimize downloading by first fetching smaller TXT files which either have some content or are empty. However, as there are no parameters submitted while downloading these "diff" files, they simply cannot truly represent the difference between the settings already applied in the router and the current list on the server. What "diff" it really represents is a pure mystery to me
    • if I manually ran the downloader script again and again, my lists were downloaded again and again (but they should not be, as I already had the newest version applied)
    • I would expect the diff file to be dynamically generated based on the last version downloaded by the specified username. That would obviously require some back-end with a database to store which version was downloaded by each user last time
Thank you for conducting the tests and providing your comments.

MOAB Downloads are protected using HTTPS-Auth - encrypted - since I am using mode=https

For text file processing I am not aware that the 4096 characters in size limitation has been changed --- all the lists I provide are large -- I would much prefer to use txt vs rsc but until the file size limitation is changed I'll stick with RSCs.

The diff files currently provide a very simple method to determine if a download is needed -- if empty, no download -- if it has content, download the replacement -- what I eventually will do with the diffs is, if they do contain new content, take that content and add/subtract it to the existing list -- however it's quite a bit more complex than my simple description -- I would much rather take the KISS approach currently. FYI, when the diff files do contain content, that content is the new IPs being added and some IPs that may need to be removed.

You are correct that I currently do not use a DB approach to user control because that would add significantly to the cost and I want to keep the cost as low as possible. Abuse is monitored on a daily basis and as soon as it is spotted that account is terminated.

I noticed that the account I provided you was not accessed?
[EDIT] I just now [2018 08 13 @ 10:01 AM] did another audit and see for the first time that you have 11 account access calls -- I assume to support your earlier comment.
Last edited by mozerd on Mon Aug 13, 2018 5:10 pm, edited 3 times in total.
 
Steveocee
Forum Veteran
Posts: 896
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 4:10 pm

Stupid question, why a RAW and Filter drop rule? Can't there be 1 rule in RAW which kills everything on the list?
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 4:47 pm

Stupid question, why a RAW and Filter drop rule? Can't there be 1 rule in RAW which kills everything on the list?
That question is answered in the prerequisites link, which I will reproduce here for you with a little more detail. :D

The Firewall rule for MOAB2 must be placed in IP Firewall Filter and not in RAW, otherwise your VoIP service may not work, plus certain websites will fail to load.

When 1 rule was used in my test bed using 20 geographically dispersed users, they all reported that their VoIP stopped working and they could not access their web based VoIP control panels -- I am not going to detail the conversations I had with the VoIP providers -- all legitimate operators, .... so I changed the methodology and decided on 2 rules -- and this time VoIP + control panel worked for all test bed users.

Not including Trial Participants from this community, so far I currently have close to 400 MT routers using MOAB and zero complaints about not being able to reach the content or service they want to reach -- I do have many reports of how many drops are taking place, to their delight -- the high numbers [millions] are quite remarkable to me.
 
effndc
newbie
Posts: 37
Joined: Wed Jan 11, 2017 1:25 am

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 9:10 pm

You don't include any detail on how your blacklists are created or maintained, what the source sample is to determine which sites should be blacklisted, etc. So why exactly would someone decide to pay you $60/year for a service with no specifications of what the service is? Especially when there are several free options out there, so you need to provide some detail as to what makes your blacklist worth far more than the hardware that it runs on.
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 10:40 pm

You don't include any detail on how your blacklists are created or maintained, what the source sample is to determine which sites should be blacklisted, etc. So why exactly would someone decide to pay you $60/year for a service with no specifications of what the service is? Especially when there are several free options out there, so you need to provide some detail as to what makes your blacklist worth far more than the hardware that it runs on.
@effndc
People reading my MOAB links can easily find a great deal of detail on where I get the data for MOAB from -- I make no secret of it. So to help you out, each one of my MOAB links contains the following information:
If you're wondering how we identify over 600 million unique IP addresses of known malicious or suspicious entities that we term the Bad Guys: MOAB is extracted on a daily basis - 3 times each day - from All Cybercrime IP Feeds by FireHOL, which is where that amazing number is derived from. After extraction we specifically engineer the blacklist to work in MikroTik Firewall Appliances and host it on our web server.
Some additional info:
At the server level I use Perl to do all the hard work of putting the data into RSC format etc. From FireHOL I download and work with the following lists:
level1.netset
level2.netset
level3.netset
webclient.netset
webserver.netset
I do not divulge which mix I use for which track --- because that is a moving target.

As to why someone would pay USD$60 per year -- because I believe that my service provides good value and does an excellent job as a superb blacklist system that traps a LOT of IPs --- I have had no reports of any false positives up to today -- MOAB has been in operation since May of 2018 --- I offered 20 people from this MikroTik community the opportunity to try out the service free of charge till September 30, 2018. If people here are pleased with the Trial and want to continue, they can by paying the price after the expiry date, and I am hoping that the satisfied MikroTik users reading this BOARD will post their commentary --- as one did recently.

Currently I still have 5 Free Trial slots available.
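The thread raises three mechanics in passing: mozerd converts FireHOL netsets to RSC server-side, vecernik87 would rather the router receive a data-only list than an executable script, and mozerd cites a 4096-character limit on text files the router can read. The Python below is an added example (not MOAB's or FireHOL's code) that ties these together: a netset parser with subnet/unique-IP counting, a data-only RSC generator, a validator that rejects any downloaded line that is not an address-list add for the expected list, and a splitter that chunks a plain list under the 4096-byte limit. The list name `moab_example`, the sample netset and the sample RSC lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in FireHOL .netset style: '#' comments, one IP or CIDR per line.
SAMPLE_NETSET = """\
# example.netset (constructed sample, not a real feed)
# Entries are IPs or CIDR subnets, one per line.
192.0.2.0/24
192.0.2.10
198.51.100.0/25
198.51.100.128/25
203.0.113.7
"""

# The only line shape accepted from a downloaded .rsc: an address-list add, nothing else.
ADD_RE = re.compile(r"^/ip firewall address-list add list=([A-Za-z0-9_-]+) address=(\S+)$")


def parse_netset(text):
    """Return the networks in a FireHOL-style netset; comments and blank lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False lets a bare IP become a /32 and tolerates host bits in a prefix.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def summarize(nets):
    """Collapse overlapping/adjacent entries and return (subnet count, unique IP count)."""
    merged = list(ipaddress.collapse_addresses(nets))
    return len(merged), sum(n.num_addresses for n in merged)


def to_rsc(nets, list_name):
    """Render data-only RouterOS address-list commands, one 'add' per collapsed subnet."""
    merged = ipaddress.collapse_addresses(nets)
    return "".join(
        f"/ip firewall address-list add list={list_name} address={n.with_prefixlen}\n"
        for n in merged
    )


def validate_rsc(text, expected_list):
    """Accept a downloaded .rsc only if every line is an address-list add for expected_list.

    Returns (ok, reason). Any other command is rejected before the file is imported,
    which gives the 'it cannot do anything else' guarantee vecernik87 asks for.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ADD_RE.match(line)
        if not m:
            return False, f"line {lineno}: not an address-list add command"
        if m.group(1) != expected_list:
            return False, f"line {lineno}: unexpected list name {m.group(1)!r}"
        try:
            ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            return False, f"line {lineno}: invalid address {m.group(2)!r}"
    return True, "ok"


def split_plain_list(nets, max_bytes=4096):
    """Split a one-address-per-line text list into chunks of at most max_bytes.

    Assumption taken from the thread: the router reads at most 4096 characters of a
    file, so a large plain-text list has to be delivered as several small files.
    """
    chunks, current = [], ""
    for n in ipaddress.collapse_addresses(nets):
        entry = n.with_prefixlen + "\n"
        if current and len(current) + len(entry) > max_bytes:
            chunks.append(current)
            current = ""
        current += entry
    if current:
        chunks.append(current)
    return chunks


if __name__ == "__main__":
    nets = parse_netset(SAMPLE_NETSET)
    print("subnets, unique IPs:", summarize(nets))
    rsc = to_rsc(nets, "moab_example")
    print(validate_rsc(rsc, "moab_example"))
    # A download carrying any non-data command is rejected instead of imported.
    print(validate_rsc(rsc + "/user add name=extra group=read\n", "moab_example"))
    print(len(split_plain_list(nets, max_bytes=30)), "chunks at a 30-byte cap")
```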
 
vecernik87
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Tue Aug 14, 2018 2:44 am

@mozerd:
I made a couple of manual downloads in the browser before I let the script run on my device. Then my device did 3 downloads of diffs (each has two files, so 6 calls total), 3 downloads of mtiptik (because the diff said it needs an update every time) and 0 downloads of wsiptik (because the diff said this one does not require an update). In total it adds up to 11 calls. It is true that I did these downloads shortly before sending my response. Unfortunately I didn't have time to do the test earlier. Also, after the end of the test, I disconnected the device and cleared all config so there will be no more calls from my account. Feel free to disable the account or give it to some other user. I really appreciate the chance to test it.

Regarding parsing the file: Gosh!! I didn't know about such a limitation. That is ridiculous. Now I realize you really had not much choice.
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Aug 16, 2018 11:04 pm

For people wondering what's covered by MOAB as of August 16, 2018 --- the following provides the full breadth of the scope

MOAB1
(a) includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw
6,453 subnets, 636,272,205 unique IPs

Included for: memory constrained MikroTik Routers
Included for: well provisioned MikroTik Routers

(b) includes: blocklist_de dshield_1d greensnow
19,142 subnets, 33,737 unique IPs

NOT Included for: memory constrained MikroTik Routers
Included for: well provisioned MikroTik Routers

(c) includes: ransomware_online sslbl_aggressive cybercrime dyndns_ponmocup maxmind_proxy_fraud
5,769 subnets, 5,917 unique IPs

Included for: well provisioned MikroTik Routers
Included for: memory constrained MikroTik Routers

MOAB2
(d) includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic
4,925 subnets, 34,669,212 unique IPs

Included for: well provisioned MikroTik Routers
Included for: memory constrained MikroTik Routers
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Aug 23, 2018 3:19 pm

An FYI update

All Free Trial slots have now been taken up.
The MOAB server is currently consuming 2.6 GB of bandwidth daily based on 441 participants.
MOAB 1 for well provisioned Routers has grown in size to 1.8MB due to a fairly dramatic increase in criminal activity coming out of Russia and Iran
MOAB 1 for memory constrained Routers remains at 500KB in size

An interesting note: 225 people applied for the Free Trial but 205 refused to provide the Prerequisites .....
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Nov 04, 2018 7:04 pm

A reminder for all MOAB users: EST is now in effect.

If you set your MikroTik router to a time server, no adjustments need to be made.

MOAB's default is based on the following
 
anav
Forum Guru
Posts: 1122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MOAB mother of all blacklists

Mon Nov 05, 2018 9:55 pm

An FYI update

All Free Trial slots have now been taken up.
The MOAB server is currently consuming 2.6 GB of bandwidth daily based on 441 participants.
MOAB 1 for well provisioned Routers has grown in size to 1.8MB due to a fairly dramatic increase in criminal activity coming out of Russia and Iran
MOAB 1 for memory constrained Routers remains at 500KB in size
That is an amazing throughput, congrats on the progress and the continuing maturity of the product/services. Have you considered expansion into other areas of use such as Layer 7 programming?
Specifically, the areas of concern besides trolling IPs/botnets etc. are
a. bitcoin mining
b. hijacks (encrypting hard drives and extorting for cash)
c. other exploits out there that the common person like me has no clue about.

(or are many of these not preventable, in that a USER on a network lets a bad guy in and then it's game over??)
 
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Nov 06, 2018 1:31 pm

anav wrote:
That is an amazing throughput, congrats on the progress and the continuing maturity of the product/services. Have you considered expansion into other areas of use such as Layer 7 programming?
Specifically, the areas of concern besides trolling IPs/botnets etc are
a. bitcoin mining
b. hijacks (encrypting hard drives and extorting for cash)
c. other exploits out there that the common person like me has no clue about.

(or are many of these not preventable, in that a USER on a network lets a bad guy in and then it's game over??)
Hi Anav

a. bitcoin mining is included for both MOAB tracks --8,220 unique IPs -- I added bitcoin when FireHOL provided a feed that was stable and it is working quite well.
b. hijacks has been in MOAB from the start.
c. I believe that FireHOL=Level1 covers the widest range of exploits [and attacks] out there and has been in MOAB from day 1 of this project. Currently 455 MikroTik Routers are running MOAB [over 200K users] and to-date I have not had one Router Admin complain of any issues. I have had to rearrange some firewall rule placement for some of my clients who requested that I install MOAB for them because their rule placement would have made MOAB ineffective. YES Rule Placement is VITALLY important for MOAB to work properly in the protection game. My prerequisites web page provides a Rule Order graphic that I insist on for ALL my MOAB clients.

I currently have no plans for Layer 7 filtering because my capability in that area is very weak. Once I feel I have completely understood all the implications, especially on performance, I will consider its inclusion, only for the VERY capable machine.

Yes the biggest issue is when a USER gets caught on an enticement that is script driven, usually embedded in an email, or brought in via memory stick and introduced internally. That is where Layer 7 plays a role at the workstation level or via a powerful UTM where Layer 7 traps are common. Layer 7 traps place a significant load on the CPU.
Last edited by mozerd on Thu Nov 08, 2018 4:11 pm, edited 3 times in total.
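Rule placement is the point the post above insists on, so here is an added example (not MOAB's own rule set or prerequisites graphic) of how an address-list blacklist is typically wired into RouterOS so that the accept rules cannot shadow it. The list name MOAB_blacklist, the single TEST-NET-1 entry and the WAN interface list are assumptions for illustration.

```routeros
# Added example (not MOAB's own rule set): an address-list blacklist wired into
# RouterOS so that rule order does not defeat it. The list name "MOAB_blacklist"
# is an assumption; the one entry below is a constructed sample from TEST-NET-1.

/ip firewall address-list
add list=MOAB_blacklist address=192.0.2.0/24 comment="constructed sample entry"

# The raw table runs before connection tracking, so a drop here costs little on
# memory-constrained routers and is evaluated before any filter rule at all.
/ip firewall raw
add chain=prerouting action=drop src-address-list=MOAB_blacklist \
    comment="blacklist: drop inbound from listed sources"
add chain=prerouting action=drop dst-address-list=MOAB_blacklist \
    comment="blacklist: drop outbound to listed hosts"

# If the drops live in the filter table instead, they must sit ABOVE the accept
# rules. Placed below "accept established,related" they never see packets for a
# connection that was already allowed, which is exactly how the list becomes
# ineffective. The WAN interface list is assumed to exist (default config).
/ip firewall filter
add chain=forward action=drop src-address-list=MOAB_blacklist \
    comment="blacklist: must stay above the accept rules"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN

# Checks: the list actually has entries, and the drop rules' counters move.
/ip firewall address-list print count-only where list=MOAB_blacklist
/ip firewall raw print stats where comment~"blacklist"
/ip firewall filter print stats where comment~"blacklist"
```

The raw-table variant is the one to prefer on the smaller routers the thread calls memory constrained, since dropped packets never create a connection-tracking entry; the filter-table variant is shown only to make the ordering pitfall visible.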
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Nov 08, 2018 2:02 pm

mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sat Nov 10, 2018 1:40 pm

UPDATE

EFFECTIVE November 12, 2018 MOAB will also work on MikroTik Routers that do not incorporate USB memory storage.

So for example MikroTik Router models like the RB4011 using NAND flash memory will now work with MOAB,
and any MikroTik RouterBoard that utilizes SSD storage will also be able to have MOAB work.

The PREREQUISITES web page has now been updated to reflect the above.
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Nov 15, 2018 1:55 pm

Based on many requests I have received via email the following is now in effect for MikroTik Community Forum participants

From today [November 15, 2018] and until December 31, 2018 MikroTik users who contact me at mozerd@itexpertoncall.com and qualify by providing the prerequisite information can use MOAB at no charge.

For those participants who find the service to their liking and want to continue for Calendar Year 2019, Subscription Payment via PayPal must be received by December 15, 2018. For those that do not provide payment on December 15, 2018, your accounts will be deleted at midnight December 31, 2018, and your MOAB subscription will no longer receive further updates from the service.
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 2:49 pm

UPDATE

MOAB has grown in size

For well provisioned MikroTik Routers like the CCRs etc MOAB is now close to 3 MB

For all other MikroTik Routers much like the hEX and the hAP ac2 MOAB is now 1.1 MB

The reason : a very dramatic increase in attacks coming out of Russia, China, Pakistan, Poland, Iran, and believe it or not the USA.
Chupaka
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 2:55 pm

Can MOAB be used on CHRs?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 3:30 pm

Chupaka wrote:
Can MOAB be used on CHRs?
I have no experience with MikroTik CHR. -- I do not see why it could not be used. But if you would like to test it out I would be happy to accommodate.

The key component is how much RAM is available and the storage requirement, like a USB memory stick or SSD. Check out my prerequisites link for info, and if you'd like to give it a try send me an email with your details.
Chupaka
Forum Guru
Posts: 8140
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 5:08 pm

Thx, I'll send you email a bit later. I'm wondering just because there's no Serial Number in CHR, so it doesn't meet your prerequisites :)
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 5:36 pm

Chupaka wrote:
I'm wondering just because there's no Serial Number in CHR, so it doesn't meet your prerequisites :)
OK, I can create a unique serial number for your CHR instance and tie that to your IP address, assuming your WAN IP is static. If you are using multiple WANs per CHR then you'll need to ID the IPs [in your email] for the CHR in use and I'll tie those to the account created. Looking forward to working with you to see how MOAB works on the CHR.
vecernik87
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Sat Nov 24, 2018 12:38 am

there is a "system-id" in
/system license
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sat Nov 24, 2018 1:12 pm

vecernik87 wrote:
there is a "system-id" in
/system license
Thank you vecernik87, for the CHR the system-id would work for me.
 
timarbour
just joined
Posts: 2
Joined: Mon Feb 12, 2018 7:04 am

Re: MOAB mother of all blacklists

Wed Dec 05, 2018 5:44 pm

I'm interested in testing this for my home. Do you offer like a 30 day trial?
mozerd
Member Candidate
Topic Author
Posts: 130
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Wed Dec 05, 2018 6:01 pm

timarbour wrote:
I'm interested in testing this for my home. Do you offer like a 30 day trial?
Check out
viewtopic.php?f=2&t=137632#p697948
for the answer to your question.