Security feed service for your internet router
Helping all NETizens of good standing,
Fortinet, Mikrotik, iptables (ipset) and others, feed thy firewall!
Charity organisations can subscribe for free.
Email: security-desk@supportu.nz for all security feed queries.

Magic honeypot
All good stories start somewhere. This one is about one man who wanted a "real results" block list for his business and his customers.
Bad actors (malicious persons and services for rent) never seem to sleep, but this one man wanted his sleep, and to wake up the next day without thinking twice or checking emails or voice messages about zero-day issues or compromises to client services.
He wanted to know if he could win, meaning he would see fewer and fewer new bad actors appearing at his honeypot service, and to know how busy his own country of origin was vs the rest of the world for bad actor activity.

How does it work?

Glad you asked. It's actually very simple, and we would love it if more people did similar things to be proactive about security.

Basically, to be sure a bad actor is by intent just that, we host a dynamically assigned, internet-facing honeypot logging device.
This device is used for nothing else: no servers, no googly advertising "here I am", nothing. It's a naked, no-frills capture device that a normal internet user will never see.
There is no logical reason for any organisation or person to ask this logging device for access to a MySQL service that does not exist, or to take a peek for SMB file shares, nor does an email MX service exist here. There are many bad actors accessing non-standard service ports too, like 444, 9608 etc. (it's a long list!).
What about bots?
The only web bots scanning a dynamically assigned connection that changes regularly and advertises nothing are malicious services operating a data collection bot.

What about students scanning for education?
A scan of any device not advertising services is still a security scan, and all attacks begin at this basic level of questioning: "are you there".
We log it, block it, publish it.

We get one of two answers from this logging:
1. Bad actors already known to us - sweet.
2. New bad actors not known to us - log it, even sweeter!
We then publish this to our web hosts, and you pay a small monthly fee in exchange for this proven collection of internet bad actors.

How well does it work?

Well, we think it does very well vs other existing list sources.
We started with the common lists: Spamhaus spambot and C&C, FireHOL lists 1 to 4 and others. They were not capturing more than 25% of all new bad actors visiting our logging device. FireHOL has a much larger collection logged, but the hit rate was quite low against newly logged information.
As we are New Zealand based, we get different "visitors" than an item sitting in a hosted AWS data centre, so our logging is localised for our environment in the Pacific region, making this blocklist quite a relevant toolset for our customer firewalls.

We designed the order of logging...
1st - Our known bad actor list
2nd+ - Other published lists
Remaining - All new information (more bad actors)

As time has progressed from early testing to today:
Our list started from zero, while the other published lists caught around 25% of all logged items early on; that is over 75% missed from the start.
Today the logging shows 99% as already found on our naughty bad actor list, and the remaining 1% of logging is new information being captured.

That is a win.
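
The logging order and the hit-rate measurement described above, as an added example (not the service's own code). The log format, list names and addresses are constructed, and adding every logged source to our own list is an assumption based on "We log it, block it, publish it".

```python
import ipaddress
from collections import Counter
# Constructed sample data using documentation ranges; not real feed entries.
OWN_LIST = {"192.0.2.10", "192.0.2.77"}
PUBLISHED_LISTS = {  # hypothetical names standing in for third-party lists
    "published-a": ["203.0.113.0/28"],
    "published-b": ["198.51.100.128/25"],
}
HONEYPOT_LOG = [  # constructed format: timestamp, source IP, destination port
    "2024-01-01T00:00:01Z 192.0.2.10 3306",
    "2024-01-01T00:00:07Z 203.0.113.5 445",
    "2024-01-01T00:01:12Z 198.51.100.200 25",
    "2024-01-01T00:02:30Z 192.0.2.99 444",
    "2024-01-01T00:02:31Z 192.0.2.99 9608",
    "2024-01-01T00:05:00Z 203.0.113.5 3306",
    "truncated line",
    "2024-01-01T00:09:44Z 192.0.2.77 445",
]

def classify(ip, own, published):
    """Return which list already knows ip, checked in the page's order."""
    if ip in own:
        return "own"                      # 1st: our known bad actor list
    for name, nets in published.items():  # 2nd+: other published lists
        if any(ip in net for net in nets):
            return name
    return "new"                          # remaining: all new information

def triage(log_lines, own_list, published_lists):
    """Classify every log line; return (counts, updated own list)."""
    own = {ipaddress.ip_address(a) for a in own_list}
    published = {name: [ipaddress.ip_network(c) for c in cidrs]
                 for name, cidrs in published_lists.items()}
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[1])
        except (IndexError, ValueError):
            counts["malformed"] += 1  # a bad line must never reach the blocklist
            continue
        counts[classify(ip, own, published)] += 1
        own.add(ip)  # assumption: every logged source is blocked and published
    return counts, {str(a) for a in own}

def own_hit_rate(counts):
    """Percentage of valid log lines that were already on our own list."""
    valid = sum(n for k, n in counts.items() if k != "malformed")
    return round(100 * counts["own"] / valid, 1) if valid else 0.0
```

Calling `triage(HONEYPOT_LOG, OWN_LIST, PUBLISHED_LISTS)` and passing the counts to `own_hit_rate` gives the share of traffic already covered by our own list; repeat visitors move from "new" or a published list to "own" as the list grows.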
Now you can subscribe to our feed!




