Re: Blocking attacks from spoofed IP addresses

On Thu, 01 Oct 2009 14:48:54 -0500, ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:

> On Thu, 01 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
> article <aog8c5t75j6fnr4ksb5v81ick5cqi0j4ul@xxxxxxx>, Grant wrote:

>> Sometimes I do a 'whois' on what looks like related IPs and ban entire
>> CIDR blocks at the firewall (a linux box with bridged modem). Just
>> checked, only 38 banned blocks collected over the last couple years,
>> so it's not a big ask for iptables to do that.

> Two thoughts - what are you "offering" to the world, and what are you
> trying to defend against.

Anonymous ftp + http. Defending against too much traffic :) So
there's firewall rules that disable any IP after too many hits (over
time) on offered services, single hits on ssh (just on principle, I
rarely offer ssh, and then it's to known IP or IP block).

> ... You speak of 38
> banned blocks, which would be the "mostly open" situation, while I
> accept connections from 3 blocks (blocking all else by default) which
> would be the "mostly closed" situation.

Banned blocks mostly from annoying web crawlers that don't honour
the web 'robots.txt' file -- like the recently new Chinese crawler.

Or web site rippers. Once it was some script kiddies from NL playing
with a web form -- after I used their crap traffic to refine a quota
system I blocked the IP, then the IP block when the traffic changed IPs.

> Oh, and the port-knocking may run
> into those same 'blocked by the corporate firewall' rules that made
> it impractical to move your server to an obscure port.

Maybe one could knock the http (or 8000 port area) port? A custom
.cgi could do anything one wanted, no?

Haven't done port knocking yet as I've not yet needed to offer
'random' access for ssh :)
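An added example, not from either poster, of the two bans Grant describes: static whois-derived CIDR blocks, plus a dynamic ban that drops an address everywhere after too many new connections to a service within a time window (one hit for ssh). It emits the iptables commands instead of running them, so the ruleset can be reviewed before being piped to sh on the firewall box; the interface name, ban duration, thresholds and blocklist path are assumed values, and the blocklist contents are constructed from documentation ranges.

```shell
WAN_IF="${WAN_IF:-eth0}"                     # hypothetical WAN-facing interface
BAN_SECS="${BAN_SECS:-86400}"                # how long a dynamic ban lasts
BANNED_FILE="${BANNED_FILE:-$(mktemp)}"      # one CIDR per line, assumed layout
# Constructed sample blocklist using documentation ranges, not real offenders.
write_sample_blocklist() {
    cat > "$BANNED_FILE" <<'EOF'
# whois-derived blocks; comments and blank lines are ignored
192.0.2.0/24
198.51.100.0/25

203.0.113.0/24
EOF
}

# Anything on the dynamic ban list is dropped on every port; --update also
# refreshes the timer, so an address that keeps hitting stays banned.
gen_ban_check() {
    printf 'iptables -A INPUT -i %s -m recent --name banned --update --seconds %s -j DROP\n' \
        "$WAN_IF" "$BAN_SECS"
}

# Static CIDR bans: one DROP per block in the file.
gen_block_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$BANNED_FILE" | while read -r cidr; do
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$WAN_IF" "$cidr"
    done
}

# Dynamic ban for one service: reaching $3 NEW connections to $1/$2 within
# $4 seconds puts the source on the "banned" list and drops the packet.
# (xt_recent keeps 100 addresses per list by default; raise ip_list_tot if needed.)
gen_rate_rules() {
    proto=$1; port=$2; hits=$3; secs=$4; list="svc$port"
    printf 'iptables -A INPUT -i %s -p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --set\n' \
        "$WAN_IF" "$proto" "$port" "$list"
    printf 'iptables -A INPUT -i %s -p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -m recent --name banned --set -j DROP\n' \
        "$WAN_IF" "$proto" "$port" "$list" "$secs" "$hits"
}

# Whole ruleset in evaluation order: ban check first, static blocks, then
# the per-service counters that feed the ban list.
gen_all() {
    write_sample_blocklist
    gen_ban_check
    gen_block_rules
    gen_rate_rules tcp 80 100 60   # http: 100 new connections in a minute
    gen_rate_rules tcp 21 30 60    # anonymous ftp
    gen_rate_rules tcp 22 1 60     # ssh: a single hit is enough
}
```

Run `gen_all` to print the ruleset; the ban-check rule must stay ahead of the service rules or the dynamic bans never take effect.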