Re: Abuse Desks

[Sabri Berisha <sabri () cluecentral net>]

----- On Apr 29, 2020, at 3:15 PM, mel mel () beckman org wrote:

Hi Mel,

> A clever idea to be sure, but it seems open to abuse. What stops someone from
> forging a tcp syn from every /24 on the Internet, causing you to blackhole your
> access to everywhere?

Fair point, and I lied a bit. My code relies on inet_ntoa(client_addr.sin_addr))
after accept(), so technically it requires a bit more than just a SYN.

But the basic idea is that anyone connecting to IPs that they should not be
connecting to, will be nullrouted from the network for 30 days.

The bad guys automate scanning, I automate blocking.

In the old days (pre-9/11), scriptkiddie-me would simply send a teardrop. Luckily I 
have matured slightly since that time.

Thanks,

Sabri



> > On Apr 29, 2020, at 2:24 PM, Sabri Berisha <sabri () cluecentral net> wrote:
> >
> > ----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell list () satchell net wrote:
> >
> > Hi,
> >
> > > That said, I use TCPWRAPPER to limit access to SSH to specific IP
> > > addresses.  I process my LogWatch messages manually.  I pull the fire
> > > alarm for showshoe probes, and excessive number of probes (over 30 in a
> > > 24-hour period).  No registered abuse@ address in the WHOIS?  The
> > > offending netblock goes into my edge router ACL, because I have learned
> > > that ne'er-do-wells without working abuse@ usually have other bad habits.
> >
> > I have a very simple method to deal with that: a server with no other purpose
> > than to blackhole portscanning culprits. Send so much as a tcp syn to port 22
> > and your entire /24 goes to null0 for a month. I have a few exceptions for
> > entities that I know are responsive to abuse@, but that's it.
> >
> > Highly effective.
> >
> > Thanks,
> >
> > Sabri