From: erik quanstrom
Date: Sat, 26 Jun 2010 21:10:30 -0400
To: 9fans@9fans.net
Message-ID: <2892bd72b293542e8a2564b212f94666@kw.quanstro.net>
In-Reply-To:
References: <5f0faf0671d7d4270b5666c6ef62f66b@kw.quanstro.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Cleaning up the IP tables
Topicbox-Message-UUID: 375f0134-ead6-11e9-9d60-3106f5b1d025

On Sat Jun 26 14:04:50 EDT 2010, mirtchovski@gmail.com wrote:
> Further to what Erik said, the closed connections don't accumulate
> over time, they're the result of a single attack or a portscan.
> subsequent attacks only reuse them without increasing their number.
> you'll notice that most of the connections were made from the same IP.
>
> On 9grid there are 500+ connections in the "closed" state, all from
> the same IP which, it appears from the logs, ran an automated scanner
> for vulnerable websites:

i see various attacks constantly. most of them are harmless, but a few
can be pretty disruptive.

if you're not running nupas, i think it's pretty hard to keep up with the
various email attacks, but that's largely an annoyance. i have had to use
nupas' smtpd -k option to drop some ip addresses without even logging.

i've also found running pop3 is a bad idea. there are a number of pop3
attacks that are extremely aggressive. they can take down your machine
and/or connection. imap is a much better option.

the only real difficulty i have right now is (caching) dns. dns just
can't seem to deal with some of akamai's tricks. double cname indirection
and 20 second ttls seem to give it fits. (e.g. m.bestofmedia.com; see the
incorrect fix here: http://9fans.net/archive/2010/06/48) and there appear
to be a number of effective cache poisoning algorithms in the wild
(http://9fans.net/archive/2010/04/447). whether this is ndb/dns shooting
itself in the cache or an attack is unknown. google's ips tend to get
corrupted with some frequency. recently i saw google look up as 127.0.0.1.

authoritative dns, of course, works great.

- erik