[RPZ] RPZ Findings.

Simon Forster simon-lists at ldml.com
Fri Dec 21 10:36:16 UTC 2012 

On 20 Dec 2012, at 20:09, Augie Schwer <augie.schwer at gmail.com> wrote:

> Overall the RPZ zones have little impact on traffic.

I would argue that this is not really the role of RPZ. Largely, RPZ is about protecting users from themselves. When they click on bad links – whether in an email or from anywhere else, they don't get to be defrauded or their computers infected. This prevents a lot of pain further along.

For the customer: Their machine remains uninfected with the benefits that brings. They keep their identity. Funds don't mysteriously vanish from their accounts. Etc, etc.

For the ISP: The hell desk (sic) doesn't receive calls about network speed suddenly dropping, computers acting strangely, "weirdness" that's the ISP's "fault". The network / sys admins don't have quite so much outbound spewage to try to intercept and the abuse desk guys don't have to tidy up after a new outbound campaign evades your current defences.

Quite a lot of benefit to share around – and all for free.

> I captured three hours of traffic across three of our most popular DNS
> hosts for a total of 755,938 queries. Of those queries only 1403 queries
> generated an RPZ hit -- for a ratio of 0.18%.

So best (or worst?) case is that in a three hour period the machines of 1,403 customers were prevented from downloading Black Hole Exploit Kit 2. Wow, that's fantastic. What a result!

OK, an extreme extrapolation but insert your own likely infection / fraud percentages into that number and you've got a fair few people who are grateful for what you've done. Bummer is they don't know about it.

> The most effective RPZ zone was the rpz.spamhaus.org zone; accounting
> for 61.9% of the RPZ hits; rpz.surbl.org accounted for the remaining hits.

As a Spamhaus person, this fact makes me happy too.

> This is in an ISP environment.

In closing, bear in mind that RPZ is catching badness happening after all the other best efforts you've thrown into the equation prior to the customer getting the bad link. If RPZ were the first line of defence, percentages would be way up – but then so would everything else, including your blood pressure.

:-D

Simon Forster

  Spamhaus Research Corporation
  London, UK
  http://www.spamteq.com/
  skype: srforster
  t: +44 20 7993 8813


> -- 
> Augie Schwer    -    Augie at Schwer.us    -    http://schwer.us
> _______________________________________________
> dnsrpz-interest mailing list
> dnsrpz-interest at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dnsrpz-interest

More information about the DNSfirewalls mailing list