[Pool] Anyone using IPTables to block aggressive clients?

Mouse mouse at Rodents-Montreal.ORG
Sat Feb 1 03:15:12 UTC 2014


> *2.7 million* blocked packets in less than 30 minutes!

I should instrument my blocking code sometime to see how much it's
blocking.  But I find that plausible; my primary defense is
ratelimiting: you can talk with my NTP server, but if you try to talk
to it too fast you will get router-blocked.  So attackers test me,
notice I answer monlist, and start using me as a bandwidth amplifier.
This works for a brief burst of packets, then the block goes up and I
turn into a pure packet sink as far as the attack is concerned.  But
the attacker doesn't notice, because the traffic I'm no longer
generating is (or rather isn't) going to the victim, not the attacker.
So I just get a minor incoming packet flood.  2.7e6 packets in half an
hour strikes me as eminently plausible.

I haven't tried to stop it because (a) occupying a sending thread
without actually doing any attacking seems to me to be about as useful
to the net at large as anything else I could do and (b) I really do not
like shutting off a useful facility just because it's being abused and
a lot of other people don't/can't prevent the abuse any other way.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
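The per-source rate limit described above, as an added example that is not part of the original post or the author's own router rules: a token-bucket limiter keyed on source address (the same shape as an iptables `hashlimit` rule in `srcip` mode), replayed over a constructed trace of one polite client and one flood. The trace, the rate and burst values, and the source addresses are all assumptions chosen for the illustration.

```python
"""Per-source token-bucket limiter for an NTP listener, replayed on a
constructed packet trace (added example, not the pool list's code).

Rough iptables equivalent of the policy modelled here (illustration only):
  iptables -A INPUT -p udp --dport 123 -m hashlimit --hashlimit-name ntp \
      --hashlimit-mode srcip --hashlimit-above 2/sec --hashlimit-burst 5 \
      -j DROP
Timestamps are integer milliseconds and tokens are integer "milli-tokens"
so the arithmetic is exact and the expected counts are reproducible.
"""
from collections import defaultdict

COST_PER_PACKET = 1000  # one packet costs 1000 milli-tokens


class PerSourceLimiter:
    """Token bucket per source address.

    Each source may send `burst` packets at once, then sustain `rate_pps`
    packets per second; faster senders have the excess dropped.  Because
    the bucket is keyed on the *source* address, a spoofed amplification
    flood ends up rate-limited under the victim's address, which is what
    turns the server into a pure packet sink for that attack.
    """

    def __init__(self, rate_pps, burst):
        self.rate_per_ms = rate_pps          # pps == milli-tokens per ms
        self.capacity = burst * COST_PER_PACKET
        self.tokens = {}                     # src -> milli-tokens
        self.last_ms = {}                    # src -> last packet time

    def allow(self, src, now_ms):
        tokens = self.tokens.get(src, self.capacity)
        last = self.last_ms.get(src, now_ms)
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate_per_ms)
        self.last_ms[src] = now_ms
        if tokens >= COST_PER_PACKET:
            self.tokens[src] = tokens - COST_PER_PACKET
            return True
        self.tokens[src] = tokens            # refill continues while blocked
        return False


def replay(packets, rate_pps=2, burst=5):
    """Feed (time_ms, src) pairs through the limiter; return per-source counts."""
    limiter = PerSourceLimiter(rate_pps, burst)
    stats = defaultdict(lambda: {"answered": 0, "dropped": 0})
    for t_ms, src in packets:
        key = "answered" if limiter.allow(src, t_ms) else "dropped"
        stats[src][key] += 1
    return dict(stats)


def constructed_trace():
    """Constructed sample input: a polite client and a burst flood.

    192.0.2.10 polls every 64 s for ten polls (normal client behaviour).
    198.51.100.7 sends 200 packets 10 ms apart (the kind of burst a
    bandwidth-amplification probe produces).  Addresses are documentation
    ranges chosen for the example.
    """
    polite = [(64_000 * i, "192.0.2.10") for i in range(10)]
    flood = [(10 * i, "198.51.100.7") for i in range(200)]
    return sorted(polite + flood)


if __name__ == "__main__":
    for src, counts in replay(constructed_trace()).items():
        print(f"{src:15} answered={counts['answered']:4} dropped={counts['dropped']:4}")
```

With a burst of 5 and 2 packets per second, the polite client is never touched, while the flood gets its first five packets answered and then roughly one reply per half second; the remaining 192 packets are absorbed without generating any outbound traffic, which matches the "minor incoming packet flood" the post describes.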