9fans - fans of the OS Plan 9 from Bell Labs
From: erik quanstrom <quanstro@quanstro.net>
To: 9fans@9fans.net
Subject: Re: [9fans] Cleaning up the IP tables
Date: Sat, 26 Jun 2010 21:10:30 -0400
Message-ID: <2892bd72b293542e8a2564b212f94666@kw.quanstro.net>
In-Reply-To: <AANLkTiljvjWzgFVMd-04di3SrHX1o_X_Z2c4IwQ9O6B8@mail.gmail.com>

On Sat Jun 26 14:04:50 EDT 2010, mirtchovski@gmail.com wrote:
> Further to what Erik said, the closed connections don't accumulate
> over time, they're the result of a single attack or a portscan.
> subsequent attacks only reuse them without increasing their number.
> you'll notice that most of the connections were made from the same IP.
>
> On 9grid there are 500+ connections in the "closed" state, all from
> the same IP which, it appears from the logs, ran an automated scanner
> for vulnerable websites:

i see various attacks constantly.  most of them are harmless,
but a few can be pretty disruptive.  if you're not running nupas,
i think it's pretty hard to keep up with the various email attacks,
but that's largely an annoyance.  i have had to use nupas' smtpd
-k option to drop some ip addresses without even logging.
i've also found running pop3 is a bad idea.  there are a number
of pop3 attacks that are extremely aggressive.  they can take
down your machine and/or connection.  imap is a much better
option.

the only real difficulty i have right now is (caching) dns.  dns just can't
seem to deal with some of akamai's tricks.  double cname indirection
and 20 second ttls seem to give it fits.  (e.g. m.bestofmedia.com;
see incorrect fix here http://9fans.net/archive/2010/06/48)
and there appear to be a number of effective cache poisoning
algorithms in the wild.  (http://9fans.net/archive/2010/04/447)
whether this is ndb/dns shooting itself in the cache or an attack is unknown.
google's ips tend to get corrupted with some frequency.  recently
i saw google look up as 127.0.0.1.

authoritative dns, of course, works great.

- erik
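The two caching-resolver failure modes named in the message above (CNAME chains whose hops carry very short TTLs, and out-of-zone records riding along in an answer, which is the classic cache-poisoning vector) are illustrated by the following toy resolver. This is an added example written for this page, in Python rather than the C of ndb/dns, and it does not describe how ndb/dns is implemented. All zone names, records, TTLs and the "poisoned" 127.0.0.1 record are constructed for the demonstration; the `lookup` function stands in for a query to an authoritative server and returns the whole answer section, including records for names the server is not authoritative for.

```python
"""Toy caching resolver: follows CNAME chains under per-record TTLs and
applies a bailiwick rule before letting any record into the cache.
All data below is constructed; nothing touches the network."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, lower-case, no trailing dot
    rtype: str   # "A" or "CNAME"
    data: str    # target name for CNAME, dotted quad for A
    ttl: int     # seconds


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone`, the zone the answering server speaks for."""
    return name == zone or name.endswith("." + zone)


class Cache:
    """TTL-bounded cache keyed by (name, rtype); refuses out-of-bailiwick records."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}    # (name, rtype) -> (expires_at, data)
        self.rejected = []   # records refused because they were out of bailiwick

    def put(self, rr, zone):
        if not in_bailiwick(rr.name, zone):
            self.rejected.append(rr)      # the poisoning defence: never cache these
            return False
        self.entries[(rr.name, rr.rtype)] = (self.clock() + rr.ttl, rr.data)
        return True

    def get(self, name, rtype):
        hit = self.entries.get((name, rtype))
        if hit is None:
            return None
        expires_at, data = hit
        if self.clock() >= expires_at:    # honour the TTL, however short
            del self.entries[(name, rtype)]
            return None
        return data


class Resolver:
    def __init__(self, upstream, cache, max_chain=8):
        self.upstream = upstream    # callable: name -> (zone, [RR, ...])
        self.cache = cache
        self.max_chain = max_chain
        self.queries = 0            # upstream queries issued, for the demo

    def resolve(self, name):
        """Return an A record for `name`, chasing CNAMEs one hop at a time."""
        seen = set()
        for _ in range(self.max_chain):
            if name in seen:
                raise ValueError("CNAME loop at %s" % name)
            seen.add(name)
            addr = self.cache.get(name, "A")
            if addr is not None:
                return addr
            target = self.cache.get(name, "CNAME")
            if target is None:
                self.queries += 1
                zone, answer = self.upstream(name)
                for rr in answer:
                    self.cache.put(rr, zone)
                addr = self.cache.get(name, "A")
                if addr is not None:
                    return addr
                target = self.cache.get(name, "CNAME")
                if target is None:
                    raise LookupError("no A or CNAME for %s" % name)
            name = target       # next hop of the chain
        raise ValueError("CNAME chain longer than %d" % self.max_chain)


# Constructed authoritative data (assumption: not real zone contents).
# The example.com answer also carries an A record for a name it does not own,
# pointing at 127.0.0.1: a resolver that caches it has been poisoned.
ZONES = {
    "example.com": [
        RR("m.example.com", "CNAME", "m.example.com.cdn-a.example.net", 3600),
        RR("target.example.org", "A", "127.0.0.1", 3600),
    ],
    "cdn-a.example.net": [
        RR("m.example.com.cdn-a.example.net", "CNAME", "e1.cdn-b.example.net", 20),
    ],
    "cdn-b.example.net": [
        RR("e1.cdn-b.example.net", "A", "192.0.2.10", 20),
    ],
}


def lookup(name):
    """Stand-in for an authoritative query: (zone that answered, whole answer section)."""
    zone = max((z for z in ZONES if in_bailiwick(name, z)), key=len, default=None)
    if zone is None:
        raise LookupError("no authoritative data for %s" % name)
    return zone, list(ZONES[zone])


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    cache = Cache(clock)
    r = Resolver(lookup, cache)
    addr = r.resolve("m.example.com")       # three hops, three upstream queries
    first_queries = r.queries
    r.resolve("m.example.com")              # fully served from cache
    clock.advance(25)                        # the two 20 s hops have expired
    r.resolve("m.example.com")              # long-lived first CNAME kept, two re-queries
    poisoned = cache.get("target.example.org", "A")
    return addr, first_queries, r.queries, len(cache.rejected), poisoned


if __name__ == "__main__":
    print(demo())
```

Note the two effects the demo exposes: every out-of-zone record in an answer is dropped rather than cached, so the chain must be re-queried hop by hop (the reason a double indirection costs three queries instead of one), and a 20 second TTL on the inner hops means a busy resolver is back at the authoritative servers almost continuously while the outer CNAME sits in cache for an hour.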



Thread overview: 5+ messages
2010-06-26 16:20 lucio
2010-06-26 17:14 ` erik quanstrom
2010-06-26 18:03   ` andrey mirtchovski
2010-06-27  1:10     ` erik quanstrom [this message]
2010-06-28 16:36 ` Lyndon Nerenberg
