nanog mailing list archives
Re: Automatic abuse reports
From: William Herrin <bill () herrin us>
Date: Tue, 12 Nov 2013 23:03:31 -0500
On Tue, Nov 12, 2013 at 9:07 PM, Sam Moats <sam () circlenet us> wrote:
> That said the original poster was focused on a DOS event, to do that you really don't need the full handshake.
Point. Though not all DDOSes are created equal. The simple packet flood is, as likely as not, from forged addresses. But I've also seen DDOSes which make repeated HTTP GET requests. That's tough to do without control of the source address.
> Now it would be trivial to set up syslog and sshd to give only the sessions that complete the handshake, however I'm also not sure how responsive some of the abuse contacts may be. I'll keep my restrictive network settings for the time being.
That's the main problem: you can generate the report but if it's about some doofus in Dubai what are the odds of it doing any good?
Regards,
Bill Herrin
--
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
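The filtering discussed above (reporting only sources whose sessions completed the handshake, since a bare packet may carry a forged address), as an added example that is not part of the original message or thread. The log lines, host names, documentation-range addresses, the `FW-DROP` prefix, and the `triage` function with its threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed syslog sample (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Nov 12 21:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=4431 DPT=22 SYN URGP=0
Nov 12 21:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=9120 DPT=22 SYN URGP=0
Nov 12 21:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=4432 DPT=22 SYN URGP=0
Nov 12 21:00:05 host sshd[811]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 21:00:07 host sshd[811]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 21:00:09 host sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 12 21:00:11 host sshd[820]: Failed password for bob from 198.51.100.23 port 40022 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# sshd logs an authentication failure only after the TCP handshake and SSH
# key exchange finished, so the peer had to receive our replies.
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port \d+")
# A firewall entry for a bare SYN says nothing about the sender: SRC may be forged.
FW_SYN = re.compile(r"kernel: .*\bSRC=" + IPV4 + r" .*\bPROTO=TCP\b.* SYN ")


def triage(log_text, min_failures=3):
    """Return (reportable, unverified).

    reportable: {ip: failures} for sources with >= min_failures completed sessions.
    unverified: sorted IPs seen only in SYN-level firewall entries.
    """
    failures, syn_only = Counter(), set()
    for line in log_text.splitlines():
        m = SSHD_FAIL.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = FW_SYN.search(line)
        if m:
            syn_only.add(m.group(1))
    syn_only -= set(failures)  # a source with completed sessions is verified
    reportable = {ip: n for ip, n in failures.items() if n >= min_failures}
    return reportable, sorted(syn_only)


if __name__ == "__main__":
    reportable, unverified = triage(SAMPLE_LOG)
    for ip, n in reportable.items():
        print(f"report {ip}: {n} failed logins over completed TCP sessions")
    print("not reported (source address unverified):", ", ".join(unverified))
```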