The Guru College
BadTraffic on github
After several months of hemming and hawing, I’ve finally gotten my free-time project to a state where it deserves a look from a wider community: the BadTraffic Perl module is now on GitHub. It’s a Perl module that allows a group of Solaris, RHEL or Mac OS X hosts to subscribe to a database-driven list of blocked hosts, as well as contribute to the list. The blocks are selectable from the command line based on tags assigned to the blocks when they are entered, and there is a whitelist feature.
The long and short of it: if you run a cluster of web servers, when one node blocks an IP address for abusive traffic, the rest of the nodes will block the address before the spammer/script kiddie/whoever tries the next node in the cluster. It also helps when you know netblocks that primarily generate illegitimate traffic, and you can block them outright and be done with it.
The strangest part of the module is that you can use BadTraffic to build Net::CIDR::Lite objects based on subnet subtraction: if you whitelist 10.0.1.0/24, and then blacklist 10.0.0.0/22, BadTraffic is smart enough to add blacklist entries for 10.0.0.0/24 and 10.0.2.0/23. This feature was added primarily for Solaris 8 hosts, which have no default built-in firewall, so blocks are done with blackhole routes. As Solaris 8 really is a dead OS, and people should stop using it, the feature may disappear in BadTraffic 2.0; it’s in for the 1.x series.
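The subnet subtraction described above, as an added example that is not BadTraffic's code: it uses Python's standard ipaddress module rather than Net::CIDR::Lite, and the function name subtract_whitelist is hypothetical. It goes beyond the single case in the text by handling several whitelist entries, whitelists that swallow a whole block, and mixed IPv4/IPv6 input.

```python
import ipaddress


def subtract_whitelist(blacklist, whitelist):
    """Return the blacklist CIDRs with every whitelisted range carved out.

    Both arguments are iterables of CIDR strings (a bare address is a /32
    or /128). Host bits set in a network string raise ValueError, which
    surfaces typos before they become routes or firewall rules.
    """
    white = [ipaddress.ip_network(w) for w in whitelist]
    remaining = []
    for entry in blacklist:
        pieces = [ipaddress.ip_network(entry)]
        for w in white:
            kept = []
            for p in pieces:
                if p.version != w.version or not p.overlaps(w):
                    kept.append(p)          # untouched by this whitelist entry
                elif p.subnet_of(w):
                    continue                # entirely whitelisted: drop it
                else:
                    # w sits strictly inside p: keep the covering remainder
                    kept.extend(p.address_exclude(w))
            pieces = kept
        remaining.extend(pieces)

    # collapse_addresses rejects mixed versions, so merge each family alone
    result = []
    for version in (4, 6):
        same = [n for n in remaining if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


if __name__ == "__main__":
    # The case from the post: whitelist a /24 inside a blacklisted /22
    print(subtract_whitelist(["10.0.0.0/22"], ["10.0.1.0/24"]))
```

Because the result contains no whitelisted address, each returned CIDR can be applied as its own blackhole route or firewall rule without a separate allow rule having to win an ordering contest.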
More robust documentation is coming, as well as examples for setup and long-term maintenance. I retain all copyright of the module and the associated scripts, for now.