From: erik quanstrom <quanstro@quanstro.net>
To: 9fans@9fans.net
Subject: Re: [9fans] Cleaning up the IP tables
Date: Sat, 26 Jun 2010 21:10:30 -0400
Message-ID: <2892bd72b293542e8a2564b212f94666@kw.quanstro.net>
In-Reply-To: <AANLkTiljvjWzgFVMd-04di3SrHX1o_X_Z2c4IwQ9O6B8@mail.gmail.com>

On Sat Jun 26 14:04:50 EDT 2010, mirtchovski@gmail.com wrote:
> Further to what Erik said, the closed connections don't accumulate
> over time, they're the result of a single attack or a portscan.
> subsequent attacks only reuse them without increasing their number.
> you'll notice that most of the connections were made from the same IP.
>
> On 9grid there are 500+ connections in the "closed" state, all from
> the same IP which, it appears from the logs, ran an automated scanner
> for vulnerable websites:

i see various attacks constantly. most of them are harmless,
but a few can be pretty disruptive. if you're not running nupas,
i think it's pretty hard to keep up with the various email attacks,
but that's largely an annoyance. i have had to use nupas' smtpd
-k option to drop some ip addresses without even logging.

i've also found running pop3 is a bad idea. there are a number
of pop3 attacks that are extremely aggressive. they can take
down your machine and/or connection. imap is a much better
option.

the only real difficulty i have right now is (caching) dns. dns just can't
seem to deal with some of akamai's tricks. double cname indirection
and 20 second ttls seem to give it fits. (e.g. m.bestofmedia.com;
see incorrect fix here http://9fans.net/archive/2010/06/48)
and there appear to be a number of effective cache poisoning
algorithms in the wild. (http://9fans.net/archive/2010/04/447)
whether this is ndb/dns shooting itself in the cache or an attack is unknown.
google's ips tend to get corrupted with some frequency. recently
i saw google look up as 127.0.0.1.

authoritative dns, of course, works great.

- erik
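The two caching-resolver problems Erik describes, a double CNAME indirection with a short TTL that the cache mishandles, and a cache that ends up holding 127.0.0.1 for a public name, are easier to reason about with a toy resolver in hand. The following is an added example for this archive page, not code from the thread or from Plan 9's ndb/dns; every name, address and TTL in it is constructed, and the records stand in for what an upstream server would answer. It follows a CNAME chain hop by hop, caches the result for the shortest TTL anywhere in the chain (the point a resolver gets wrong if it caches on the first hop's TTL), detects loops, and refuses to cache an answer that maps a non-local name to loopback, unspecified, link-local or multicast space.

```python
"""Toy caching resolver: follows CNAME chains, keys the cache lifetime to the
shortest TTL in the chain, and refuses to cache answers that cannot be right.
Added example, not code from the 9fans thread or from Plan 9's ndb/dns."""
import ipaddress
from typing import Dict, List, Tuple

RR = Tuple[str, str, int]  # (rtype, value, ttl)

# Constructed upstream data (all names and addresses are made up for this example).
# m.example-cdn.test. goes through two CNAME hops, one with a 20 second TTL,
# the pattern the message above says gives ndb/dns fits.
UPSTREAM: Dict[str, List[RR]] = {
    "m.example-cdn.test.": [("CNAME", "m.example-cdn.test.edge.test.", 300)],
    "m.example-cdn.test.edge.test.": [("CNAME", "e123.cdn-edge.test.", 20)],
    "e123.cdn-edge.test.": [("A", "203.0.113.10", 60), ("A", "203.0.113.11", 60)],
    "www.example.test.": [("A", "198.51.100.5", 3600)],
    "loop-a.test.": [("CNAME", "loop-b.test.", 60)],
    "loop-b.test.": [("CNAME", "loop-a.test.", 60)],
}

MAX_CNAME_HOPS = 8


def follow_chain(name: str, records: Dict[str, List[RR]]) -> Tuple[List[str], List[str], int]:
    """Resolve name to addresses, following CNAMEs.

    Returns (chain_of_names, addresses, effective_ttl). The effective TTL is
    the minimum over every hop, since the answer is stale as soon as any link
    in the chain expires. Loops and over-long chains raise ValueError.
    """
    chain = [name]
    ttl = None
    cur = name
    while True:
        rrs = records.get(cur, [])
        cname = next((r for r in rrs if r[0] == "CNAME"), None)
        if cname is not None:
            _, target, hop_ttl = cname
            ttl = hop_ttl if ttl is None else min(ttl, hop_ttl)
            if target in chain:
                raise ValueError(f"CNAME loop at {target}")
            if len(chain) >= MAX_CNAME_HOPS:
                raise ValueError(f"CNAME chain longer than {MAX_CNAME_HOPS}")
            chain.append(target)
            cur = target
            continue
        addrs = [v for t, v, _ in rrs if t == "A"]
        for t, _, hop_ttl in rrs:
            if t == "A":
                ttl = hop_ttl if ttl is None else min(ttl, hop_ttl)
        if ttl is None:
            raise ValueError(f"no records for {name}")
        return chain, addrs, ttl


def is_suspicious(name: str, addrs: List[str]) -> bool:
    """True when a non-local name resolves to loopback, unspecified, link-local
    or multicast space. A cache holding 127.0.0.1 for a public name is either
    poisoned or has corrupted itself; either way the answer must not be served."""
    if name == "localhost." or name.endswith(".localhost."):
        return False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
            return True
    return False


class Cache:
    """Positive cache keyed by query name; an entry expires at insert time + effective TTL."""

    def __init__(self, upstream: Dict[str, List[RR]]):
        self.upstream = upstream
        self.entries: Dict[str, Tuple[List[str], int]] = {}
        self.upstream_queries = 0

    def lookup(self, name: str, now: int) -> Tuple[List[str], bool]:
        """Return (addresses, from_cache). `now` is injected so expiry is testable."""
        hit = self.entries.get(name)
        if hit is not None and now < hit[1]:
            return hit[0], True
        self.upstream_queries += 1
        _, addrs, ttl = follow_chain(name, self.upstream)
        if is_suspicious(name, addrs):
            # Drop the answer instead of caching it: the 127.0.0.1-for-google case.
            raise ValueError(f"refusing to cache {name} -> {addrs}")
        self.entries[name] = (addrs, now + ttl)
        return addrs, False


if __name__ == "__main__":
    c = Cache(UPSTREAM)
    for now in (0, 10, 20):
        addrs, cached = c.lookup("m.example-cdn.test.", now)
        print(f"t={now:>2}s {'cache' if cached else 'upstream'} -> {addrs}")
    print("upstream queries:", c.upstream_queries)
```

Run stand-alone it shows the chained name being fetched at t=0, served from cache at t=10, and fetched again at t=20 because the 20 second hop governs the whole answer even though the first CNAME carries a 300 second TTL. Swapping in a record set where a public name answers 127.0.0.1 makes `lookup` raise instead of caching, which is the behaviour a resolver needs whether the bad answer came from its own cache logic or from a poisoning attempt.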

Thread overview: 5+ messages
2010-06-26 16:20 lucio
2010-06-26 17:14 ` erik quanstrom
2010-06-26 18:03 ` andrey mirtchovski
2010-06-27 1:10 ` erik quanstrom [this message]
2010-06-28 16:36 ` Lyndon Nerenberg