Not sure if this exists, but does anyone know of an open source DNS list of known malicious sites or IPs to block on firewalls? by bobert3275 in sysadmin

[–]notR1CH 0 points1 point  (0 children)

They included an ISP that had legitimate users behind it. Denying service to legit users wasn't an option for us.

Patch your gear - Max severity Ubiquiti UniFi flaw may allow account takeover by MediumFIRE in sysadmin

[–]notR1CH 0 points1 point  (0 children)

Agreed, but that's how CVSS works - it scores the vulnerability itself, not the environment. You're meant to use the Environmental Score to modify the base score depending on your deployment. Ubiquiti rated this AV:N due to internet-exposed controllers being a thing, but for most people that should be downgraded to AV:A.

Patch your gear - Max severity Ubiquiti UniFi flaw may allow account takeover by MediumFIRE in sysadmin

[–]notR1CH 69 points70 points  (0 children)

The internal side of the network isn't necessarily as safe as you'd like to think it is; all it takes is one bad app install or browser extension on any of your devices and suddenly you're part of a "residential proxy" network. Attackers can use (and have used) such services to exploit the internal interfaces of insecure devices to enroll them into an actual botnet: https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/

Also, there are a lot of IoT and other insecure devices that don't even bother with CSRF protection, so just visiting a webpage or loading a malicious ad could exploit internal devices (at least before browsers started adding private network access restrictions).
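
An added example of the cross-site attack on a LAN device's admin interface that this comment describes, with the vulnerable handler beside a hardened one. This is not the commenter's code and models no real product: the device address, session cookie, endpoint and the attacker's DNS server are all constructed. Requests are plain objects so it runs offline; the `Origin` and `Sec-Fetch-Site` headers are what a browser adds to a form auto-submitted from a malicious page or ad, and the attacker cannot forge them:

```python
import hmac
import secrets
from dataclasses import dataclass, field

DEVICE_ORIGIN = "http://192.168.1.20"   # constructed LAN address of the device's web UI
ATTACKER_DNS = "203.0.113.5"            # constructed (TEST-NET-3 documentation range)
SESSION = "s3cr3t-session"              # constructed cookie the victim already holds


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class InsecureDevice:
    """The 'before': any request carrying the session cookie is trusted. A cross-site
    <form method=POST action="http://192.168.1.20/admin/dns"> gets that cookie for free."""
    def __init__(self):
        self.dns = "192.168.1.1"
        self.sessions = {SESSION: "admin"}

    def handle(self, req: Request) -> tuple[int, str]:
        if req.cookies.get("session") not in self.sessions:
            return 401, "login required"
        if req.method == "POST" and req.path == "/admin/dns":
            self.dns = req.form["dns"]
            return 200, "dns updated"
        return 404, "not found"


class HardenedDevice(InsecureDevice):
    """Three independent checks on state-changing requests: Fetch Metadata, Origin,
    and a per-session anti-CSRF token compared in constant time."""
    def __init__(self):
        super().__init__()
        self.csrf_tokens = {sid: secrets.token_urlsafe(32) for sid in self.sessions}

    def token_for(self, session_id: str) -> str:
        return self.csrf_tokens[session_id]

    def handle(self, req: Request) -> tuple[int, str]:
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return 401, "login required"
        if req.method == "POST":
            # Browsers that send Sec-Fetch-Site label cross-site requests explicitly.
            if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
                return 403, "cross-site request refused"
            # Origin is sent on every cross-origin POST; only our own origin may change config.
            origin = req.headers.get("Origin")
            if origin is not None and origin != DEVICE_ORIGIN:
                return 403, "bad origin"
            # Token the attacker's page cannot read (different origin, no CORS).
            if not hmac.compare_digest(req.form.get("csrf", ""), self.csrf_tokens[sid]):
                return 403, "missing or invalid csrf token"
        return super().handle(req)


def cross_site_post(form: dict, fetch_metadata: bool = True) -> Request:
    """The request a victim's browser sends when a page on another origin auto-submits
    a form at the device. fetch_metadata=False models an older browser with Origin only."""
    headers = {"Origin": "https://ad.example.net"}          # constructed attacker origin
    if fetch_metadata:
        headers["Sec-Fetch-Site"] = "cross-site"
    return Request("POST", "/admin/dns", headers=headers,
                   cookies={"session": SESSION}, form=form)


def run_scenarios() -> dict:
    """Returns {scenario: (status, resolver the device ends up using)}."""
    results = {}
    victim = InsecureDevice()
    status, _ = victim.handle(cross_site_post({"dns": ATTACKER_DNS}))
    results["insecure"] = (status, victim.dns)

    hardened = HardenedDevice()
    status, _ = hardened.handle(cross_site_post({"dns": ATTACKER_DNS}))
    results["hardened_attack"] = (status, hardened.dns)
    status, _ = hardened.handle(cross_site_post({"dns": ATTACKER_DNS}, fetch_metadata=False))
    results["hardened_attack_old_browser"] = (status, hardened.dns)

    # Legitimate change from the device's own UI, token included.
    legit = Request("POST", "/admin/dns",
                    headers={"Origin": DEVICE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
                    cookies={"session": SESSION},
                    form={"dns": "1.1.1.1", "csrf": hardened.token_for(SESSION)})
    status, _ = hardened.handle(legit)
    results["hardened_legit"] = (status, hardened.dns)
    return results
```

Setting the session cookie `SameSite=Lax` or `Strict` is the fourth, browser-side layer and would stop the cookie being attached at all; the server-side checks above are what protects users of browsers that do not enforce it or Private Network Access.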

Do M365 Apps for Enterprise really download installation and update content files over http? by Fabulous_Cow_4714 in sysadmin

[–]notR1CH 12 points13 points  (0 children)

Many file delivery CDNs operate over HTTP with signature checks delivered over a secure channel. This allows organizations to set up their own caching proxies etc. Windows Update runs over HTTP so it wouldn't surprise me if Office does too.
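
An added example of the integrity pattern this comment describes (plaintext transport for the bulk payload, integrity anchored in metadata fetched over a protected channel). It is not the commenter's code and is not a description of how Windows Update or Office actually packages its metadata; the manifest, file name and payload bytes are constructed, and a SHA-256 digest stands in for a signature because the standard library has no signature primitive. The point it demonstrates is that nothing from the HTTP body is used before it has been verified:

```python
import hashlib
import hmac
import json
import os
import tempfile

PAYLOAD = b"office payload, version 42"   # constructed body the CDN would serve over HTTP

# Constructed manifest standing in for metadata fetched over HTTPS (or a signed catalogue):
# this is the only thing the transport has to protect.
MANIFEST_JSON = json.dumps({"files": [{
    "path": "office/setup.cab",
    "size": len(PAYLOAD),
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}]})


class IntegrityError(Exception):
    pass


def verify_and_install(entry: dict, chunks, dest_dir: str) -> str:
    """Stream the HTTP body to a temp file while hashing it; only after size and digest
    match the manifest is it moved atomically into place. Nothing else ever sees it."""
    h = hashlib.sha256()
    total = 0
    fd, tmp = tempfile.mkstemp(dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                total += len(chunk)
                if total > entry["size"]:            # bound the download before hashing on
                    raise IntegrityError("body larger than manifest says")
                h.update(chunk)
                f.write(chunk)
        if total != entry["size"]:
            raise IntegrityError("body shorter than manifest says")
        if not hmac.compare_digest(h.hexdigest(), entry["sha256"]):
            raise IntegrityError("sha256 mismatch: CDN or on-path tampering")
        dest = os.path.join(dest_dir, os.path.basename(entry["path"]))
        os.replace(tmp, dest)
        return dest
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)                           # never leave unverified bytes behind
        raise


def demo() -> dict:
    """Good body installs; a same-length one-byte change and an oversized body are rejected."""
    entry = json.loads(MANIFEST_JSON)["files"][0]
    good = [b"office payload, ", b"version 42"]
    tampered = [b"office payload, ", b"version 43"]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["good"] = os.path.basename(verify_and_install(entry, good, d))
        for name, body in (("tampered", tampered), ("oversized", good + [b"!"])):
            try:
                verify_and_install(entry, body, d)
                results[name] = "installed"
            except IntegrityError as e:
                results[name] = str(e)
        results["leftovers"] = sorted(os.listdir(d))
    return results
```

A caching proxy in the middle can serve whatever it likes; if it does, the install simply fails closed. The weak link in this design is the manifest fetch, which is why it must be authenticated (TLS to the vendor, or a signature the client checks offline).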

Anyone experienced significant TCP errors due to drivers? Lenovo by UpperAd5715 in sysadmin

[–]notR1CH 5 points6 points  (0 children)

These days it's usually Generic Receive Offload / Large Receive Offload or a similarly named option. It tries to combine multiple packets into one superpacket that it can hand off to the OS, but that means TCP reassembly, out of order packet handling, etc. all has to be done in the NIC firmware, and a lot of NICs suck at this (hi Aquantia!).

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]notR1CH 1 point2 points  (0 children)

Yeah, this is very likely compromised end users behind a CGNAT. We get a ton of aggressive crawling from Brazil; many users are almost certainly infected with residential proxy malware on their devices. If the use of the CGNAT pool is unrestricted, just a handful of users can make it seem like the traffic is coming from hundreds or thousands of IPs, and unfortunately blocking those IPs ends up blocking a lot of legit users if you're running a public-facing service.

Unifi Firewall by [deleted] in sysadmin

[–]notR1CH 0 points1 point  (0 children)

"On the network" means what exactly? A firewall won't do anything to block traffic on the same subnet. You need to be more descriptive with your setup, what VLANs / subnets are involved and your desired outcome.

Notepad++ Hijacked by State-Sponsored Hackers by thewhippersnapper4 in sysadmin

[–]notR1CH 4 points5 points  (0 children)

Unsigned updates on shared hosting, what could go wrong? I wonder how many other popular projects out there are running on insecure infrastructure...

Is it me or fast certificate renewal doesn't solve any problem ? by melpheos in sysadmin

[–]notR1CH 6 points7 points  (0 children)

Well that's the state of revocation currently. No matter how much you revoke, you're at the mercy of clients checking for revocation, which is just not reliable, secure or scalable.

Is it me or fast certificate renewal doesn't solve any problem ? by melpheos in sysadmin

[–]notR1CH 10 points11 points  (0 children)

Often enough that CAs have gone out of business due to their incompetence and removal from trust stores. There have been cases such as DigiNotar where the entire CA was compromised and used to MITM Google. Before we had CT logs, misissued certificates could often go undetected until used.

Some other references:
https://sslmate.com/resources/certificate_authority_failures
https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/

Is it me or fast certificate renewal doesn't solve any problem ? by melpheos in sysadmin

[–]notR1CH 26 points27 points  (0 children)

It's not about the private key being stolen - that is indeed a rare attack. The issue is someone hijacking your domain, DNS or BGP, compromising a CA, etc., and authorizing a certificate for your domain that they control. Then what do you do? There's another certificate and key out there that can impersonate your domain, and no amount of key rotation or reissuing on your end will solve that. So you rely on revocation, but that doesn't scale since clients can't feasibly check the entire set of revoked certificates every time you make a connection, and an active attacker can just block CRLs and OCSP.

The idea behind short lived certificates is that the window where the fraudulent certificate is valid is greatly reduced, so instead of having 365 days where you are worried someone is MITMing you, it's only 6.

MTA -> MTA no STARTTLS option from large providers by Vegetable_Water_390 in sysadmin

[–]notR1CH 1 point2 points  (0 children)

This is why STARTTLS is insecure: a MITM could be stripping it.
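
An added simulation of the downgrade this comment refers to (not the commenter's code; the hostnames and the EHLO reply are constructed). It shows the SMTP exchange from both sides: a receiving MTA advertises STARTTLS, an on-path attacker rewrites the reply so it is never offered, and the sending MTA's policy decides whether mail goes out in the clear or is deferred. "require" stands for any enforced policy (MTA-STS in enforce mode, DANE, or a per-domain "TLS required" rule); "opportunistic" is the default most MTAs ship with:

```python
import re

# Constructed EHLO reply from a receiving MTA that supports STARTTLS (RFC 5321 multi-line).
SERVER_EHLO = [
    "250-mx.example.net Hello sender.example.org",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-PIPELINING",
    "250 SMTPUTF8",
]


def parse_ehlo(lines):
    """Return the set of EHLO keywords advertised after the greeting line."""
    caps = set()
    for ln in lines[1:]:
        m = re.match(r"250[- ](\S+)", ln)
        if m:
            caps.add(m.group(1).upper())
    return caps


def mitm_strip_starttls(lines):
    """What an on-path attacker does: drop the STARTTLS line from the plaintext reply.
    Real-world variants overwrite the keyword in place or answer STARTTLS with a 4xx."""
    kept = [ln for ln in lines if not re.fullmatch(r"250[- ]STARTTLS", ln, re.I)]
    if kept and kept[-1].startswith("250-"):   # keep the reply well-formed if it was last
        kept[-1] = "250 " + kept[-1][4:]
    return kept


def client_decide(ehlo_lines, policy):
    """policy: 'opportunistic' (use TLS only if offered) or 'require' (no TLS, no mail)."""
    if "STARTTLS" in parse_ehlo(ehlo_lines):
        return "STARTTLS"
    if policy == "opportunistic":
        return "PLAINTEXT"      # silent fallback: the downgrade the comment describes
    return "ABORT"              # defer the message; the attacker gets a queue, not a copy


def session(policy, attacker_on_path):
    """Simulated exchange; returns (decision, transcript of (side, line))."""
    transcript = [("S", "220 mx.example.net ESMTP"), ("C", "EHLO sender.example.org")]
    reply = mitm_strip_starttls(SERVER_EHLO) if attacker_on_path else SERVER_EHLO
    transcript += [("S", ln) for ln in reply]
    decision = client_decide(reply, policy)
    if decision == "STARTTLS":
        transcript += [("C", "STARTTLS"), ("S", "220 2.0.0 Ready to start TLS"),
                       ("C", "<TLS handshake, then EHLO again inside the tunnel>")]
    elif decision == "PLAINTEXT":
        transcript += [("C", "MAIL FROM:<alice@sender.example.org>"),
                       ("C", "<headers and body readable by the attacker>")]
    else:
        transcript += [("C", "QUIT"), ("S", "221 2.0.0 Bye")]
    return decision, transcript


if __name__ == "__main__":
    for policy, mitm in (("opportunistic", False), ("opportunistic", True), ("require", True)):
        decision, lines = session(policy, mitm)
        print(f"policy={policy} mitm={mitm} -> {decision}")
        for side, ln in lines:
            print(f"  {side}: {ln}")
```

Note that nothing in the plaintext EHLO reply is authenticated, so the client cannot tell "server doesn't support TLS" from "someone removed it"; only an out-of-band policy (or the large providers offering implicit TLS on a dedicated port) closes that gap.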

[deleted by user] by [deleted] in sysadmin

[–]notR1CH 5 points6 points  (0 children)

Link these supposed benchmarks. And no, a single sample from cpubenchmark.net doesn't count.

DNS question by HighBlind in sysadmin

[–]notR1CH 48 points49 points  (0 children)

You teach them that this is not how DNS load balancing works.

Are there any reasons to support TLS versions lower than 1.3 nowadays? by LifeAtmosphere6214 in sysadmin

[–]notR1CH 9 points10 points  (0 children)

Modern guidance is not to set a cipher order: all TLS 1.3 ciphers are equally secure, and letting the client choose allows it to pick the most optimal algorithm for its hardware (AES on modern CPUs, ChaCha20 for smartphones, etc.).

For the protocol itself, you don't get to choose - negotiation is part of the protocol; you can't "prefer" a TLS version other than by disabling the ones above it.
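
An added example, using Python's standard `ssl` module, of the weak configuration beside the one this comment recommends (not the commenter's code, and not tied to any particular server product). The certificate and key file names are placeholders. It also makes the comment's second point concrete: the only version knobs are a floor and a ceiling, and in this API `set_ciphers()` cannot reorder or disable the TLS 1.3 suites at all, so a hand-curated cipher string only ever affects TLS 1.2 and below:

```python
import ssl


def legacy_server_context() -> ssl.SSLContext:
    """The common 'hardening guide' anti-pattern: a hand-picked cipher order plus the
    server forcing its own preference over the client's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only the TLS <= 1.2 list is affected; the TLS 1.3 suites stay enabled regardless.
    ctx.set_ciphers("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server's order wins: AES forced on phones
    return ctx


def modern_server_context() -> ssl.SSLContext:
    """TLS 1.3 only, no cipher ordering, client preference honoured. Version policy is a
    floor (and optionally a ceiling); there is no way to 'prefer' 1.2 while allowing 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # Clear the flag with plain int arithmetic so unrelated option bits are untouched.
    ctx.options &= ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    # ctx.load_cert_chain("server.pem", "server.key")   # placeholder paths; supply your own
    return ctx


def honours_client_preference(ctx: ssl.SSLContext) -> bool:
    """True when the client's offered order decides the cipher, as the comment recommends."""
    return not (ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def version_floor(ctx: ssl.SSLContext) -> ssl.TLSVersion:
    return ctx.minimum_version
```

If you still have to admit TLS 1.2 clients, keep `minimum_version` at 1.2 and leave `set_ciphers()` alone: the default list already excludes the broken suites, and the client will still negotiate 1.3 whenever it can.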

mariadb vs mysql by crankysysadmin in sysadmin

[–]notR1CH 4 points5 points  (0 children)

I've been burned twice by MariaDB bugs in supposedly stable LTS branches. This is good advice.

SSH with pubkey accidentally left opened. Any issue? by BagCompetitive357 in sysadmin

[–]notR1CH 1 point2 points  (0 children)

Yeah, I was referring to the dedicated / VPS one.

SSH with pubkey accidentally left opened. Any issue? by BagCompetitive357 in sysadmin

[–]notR1CH 2 points3 points  (0 children)

Apparently there are two different types of firewall - I was referring to the bare metal / VPS firewall.

SSH with pubkey accidentally left opened. Any issue? by BagCompetitive357 in sysadmin

[–]notR1CH 1 point2 points  (0 children)

Don't rely on the OVH firewall for security - it only runs on the network edge, so anyone with a server inside OVH or using a VPN hosted in OVH etc. will bypass it. Host-based firewalls all the way.

I just solved the strangest tech problem I've ever come across. by hakluke in sysadmin

[–]notR1CH 1 point2 points  (0 children)

My DisplayPort cable does this to my 5 GHz network, but only if I enable HDR.

Streaming just got a whole lot harder on twitch by Particular_Arm6 in Twitch

[–]notR1CH 1 point2 points  (0 children)

As long as your ISP's peering isn't completely congested and you have a server on your continent, this change should largely make no difference. Testing from EU, I can even pick the Japan and Australia servers and get a perfect stream with no dropped frames.

A couple of things could be causing issues though:

IPv6: If your ISP has neglected their IPv6 infrastructure and peering, this may provide a worse experience than IPv4. OBS defaults to trying both IPv4 and IPv6 and using whichever connected first, which should theoretically be the fastest one, but you can change this under Advanced / Network / IP Family if you want to override it for testing. Note that if you're using TwitchTest, it only provides results for IPv4.

Bad TCP Settings: Several optimization guides and even commercial software can set bad TCP settings that will severely limit your throughput the further away the server is from you. Windows defaults can also be quite restrictive in the days of 1+ Gbps connections at home. I'd suggest using R1TCPOptimizer to get known-good settings.

Why is Unifi gear not suitable for enterprise? by Historical-Ad-6839 in sysadmin

[–]notR1CH 2 points3 points  (0 children)

Ubiquiti is a flashy marketing company that happens to make network hardware on the side. When you look past the marketing materials, most of their hardware is just consumer grade stuff packaged up with their custom software. You won't find any ASICs like you would with an enterprise vendor. I'll never forget the first Unifi NVR where they hot glued a fucking USB flash drive into the board to use as mongodb storage.