[time] Abusive Clients, Brazilian Servers

Matt Wagner mwaggy
Sat Apr 26 04:13:54 UTC 2008

>  I have a script I run that adds bad servers to my ipfw tables (this is on
> FreeBSD). My server that is set to gigabit is currently blocking 82 IPs.
> If they stop trying to talk to me for more than an hour it unblocks them.
I'm on a Linux box, but some experimentation with iptables finally did
the trick. I initially tried dropping connections, which almost seemed
to _increase_ the rate of queries. I suspect it's the same flawed
logic as in the Netgear / University of Wisconsin fiasco, where, when
the client doesn't get a response, it increases the query rate, rather
than backing off. A "DROP" with iptables, then, doesn't help anything.

I learned today that iptables lets you send an
"icmp-host-unreachable." Thus I blocked the guy with:

# NTP is UDP, not TCP; put the abusive client's address after -s
sudo iptables -A INPUT -p udp -s <client-ip> --dport 123 -j REJECT --reject-with icmp-host-unreachable

It seemed like he went away for a while, but I'm getting them again.

In case anyone else hadn't realized it...
"sudo tcpdump -n port 123" will show you all connections on port 123.
The -n flag keeps it from resolving hostnames. (One IP was mapped to
the "name", which left me scratching my head for a bit.)
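As an added example (not code from the original post, the quoted ipfw script, or the NTP pool project), the following Python script reproduces on Linux/iptables the behaviour described above: it reads "tcpdump -n port 123" output, counts client requests per source address inside a sliding window, inserts a REJECT rule with icmp-host-unreachable (rather than DROP) for a source that exceeds the threshold, and deletes the rule again once that source has been quiet for an hour. The threshold of 10 queries per 60 seconds, the use of the INPUT chain, the rule layout and the sample capture lines are all assumptions made for the example.

```python
"""Rate-based blocking of abusive NTP clients with automatic expiry.

Added example, not code from the original post. Assumptions: more than
10 client requests from one address within 60 s earns a REJECT rule in
INPUT; the rule is removed after 3600 s without a request from that
address; sample capture lines are constructed, not recorded.
"""
import re
import subprocess
import sys
from collections import defaultdict, deque

# One line of "tcpdump -n port 123" (or "tcpdump -n -tt port 123", which
# prints epoch seconds instead of HH:MM:SS). Only client-mode requests count.
NTP_REQUEST = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.123: NTPv\d, Client"
)


def parse_ts(text):
    """Timestamp to seconds. HH:MM:SS.ffffff becomes seconds since midnight,
    so a run that crosses midnight should feed epoch seconds (tcpdump -tt)."""
    if ":" in text:
        h, m, s = text.split(":")
        return int(h) * 3600 + int(m) * 60 + float(s)
    return float(text)


def reject_rule(ip):
    """The post's rule, parameterised: REJECT with ICMP host-unreachable
    instead of DROP, because a silent drop made the client retry faster."""
    return ["-p", "udp", "-s", ip, "--dport", "123",
            "-j", "REJECT", "--reject-with", "icmp-host-unreachable"]


class NtpAbuseTracker:
    def __init__(self, max_queries=10, window=60.0, unblock_after=3600.0, dry_run=True):
        self.max_queries = max_queries      # more than this many queries ...
        self.window = window                # ... within this many seconds => block
        self.unblock_after = unblock_after  # quiet for this long => unblock
        self.dry_run = dry_run              # True: record commands, do not run them
        self.recent = defaultdict(deque)    # ip -> request timestamps inside window
        self.last_seen = {}                 # ip -> timestamp of last request
        self.blocked = {}                   # ip -> timestamp when blocked
        self.commands = []                  # every iptables invocation, for audit

    def _iptables(self, args):
        cmd = ["iptables"] + args
        self.commands.append(" ".join(cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def observe(self, ip, now):
        """Account one request from ip at time now; block on threshold."""
        # tcpdump sees packets before netfilter rejects them, so a blocked
        # client that keeps querying keeps last_seen fresh and stays blocked.
        self.last_seen[ip] = now
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if ip not in self.blocked and len(q) > self.max_queries:
            self._iptables(["-I", "INPUT"] + reject_rule(ip))
            self.blocked[ip] = now

    def expire(self, now):
        """Delete the rule for any client quiet for unblock_after seconds."""
        for ip in list(self.blocked):
            if now - self.last_seen[ip] >= self.unblock_after:
                self._iptables(["-D", "INPUT"] + reject_rule(ip))
                del self.blocked[ip]
                self.recent.pop(ip, None)

    def feed_line(self, line):
        """Process one tcpdump line; returns its timestamp or None if ignored."""
        m = NTP_REQUEST.match(line)
        if not m:
            return None
        now = parse_ts(m.group("ts"))
        self.observe(m.group("src"), now)
        self.expire(now)
        return now


def constructed_sample():
    """Constructed tcpdump -n output (not a real capture): 198.51.100.7 asks
    12 times in six seconds, 192.0.2.10 asks twice, a minute apart."""
    lines = [f"12:00:{i // 2:02d}.{500000 * (i % 2):06d} IP 198.51.100.7.123 > "
             "203.0.113.5.123: NTPv4, Client, length 48" for i in range(12)]
    lines += ["12:00:00.100000 IP 192.0.2.10.54321 > 203.0.113.5.123: NTPv4, Client, length 48",
              "12:01:00.100000 IP 192.0.2.10.54321 > 203.0.113.5.123: NTPv4, Client, length 48"]
    return sorted(lines)   # tcpdump prints in time order; keep the sample that way


def run(lines, **kwargs):
    tracker = NtpAbuseTracker(**kwargs)
    for line in lines:
        tracker.feed_line(line)
    return tracker


if __name__ == "__main__":
    # sudo tcpdump -n -l -tt port 123 | sudo python3 ntp_abuse.py --apply
    apply_rules = "--apply" in sys.argv
    source = sys.stdin if not sys.stdin.isatty() else constructed_sample()
    for cmd in run(source, dry_run=not apply_rules).commands:
        print(cmd)
```

Run it without arguments to see the iptables commands it would issue for the constructed sample; with a live capture, tcpdump's -l (line-buffered output) keeps the pipe flowing and -tt gives epoch timestamps so the hour-long expiry survives midnight. The same per-source counting can also be kept in the kernel with iptables' recent match module, but the script above makes the threshold and the expiry visible and auditable through the commands list.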

