how to deal with port scan and brute force attack from AS 8075 ?

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Thu Mar 31 15:14:17 UTC 2016


hi nanog'ers

On 03/31/16 at 10:20am, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:
> 
> > We consider port scan and brute force on ssh port as an attack, and even
...
> (For the record, our border routers drop inbound SYN on port 22 on *both*
> ipv4 and ipv6 address spaces.  It's amazing how few brute force
> attempts we see on our servers... :)

i think the best way, ( imho ) to discourage random incoming ssh connections
or anything else ( tcp-based ) is to run tarpit on ALL tcp based ports ... 
	one obviously would allow incoming 25/tcp traffic to mail servers
	and incoming 80/tcp to web servers, etc etc, but otherwise, all
	other incoming tcp ports get unconditionally tarpit'd

	we used to get hundreds of thousands of garbage tcp connections per minute
	which basically disappeared after running tarpits as needed

	and the attackers ( port scanners ) pay a penalty for sending useless
	packets to tarpit'd ports

fail2ban/etc is okay but it's too limited since i want to deny all tcp connections
and specifically only allow certain incoming traffic which is trivial to 
implement with iptables + tarpits

/dev/null'ing incoming packets is okay but it still occupies time/space/buffers
in the pipe and the attackers don't feel any pain for sending the packets

for ddos mitigation on your own IP# space it is fairly easy to create
various policies ... doing the ddos mitigation for your customers down
the line using your routers can be tricky business and very messy if
neither the customer nor the isp changes something ( aka more $$$ )

magic pixie dust
alvin
DDoS-Mitigator.net
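One way to express the "allow a few service ports, tarpit every other inbound TCP port" scheme alvin describes, as an added example that is not from the post or from DDoS-Mitigator.net. It assumes the TARPIT target from xtables-addons (xt_TARPIT) is installed, that the rules protect the host itself (INPUT chain), and it uses a constructed allow-list of 22, 25 and 80; DRY_RUN=1 (the default) only prints the commands so the set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not the poster's code: build an iptables rule set that lets a
# short allow-list of TCP ports through and TARPITs every other inbound SYN.
# Assumptions: xt_TARPIT from xtables-addons is loaded, rules go in INPUT,
# and DRY_RUN=1 means "print the commands instead of running them".

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or apply) the rule set for the allowed ports given as arguments.
# Returns 1 without touching anything if a port is not a plain number.
# Re-running against a live firewall needs the TARPIT_IN chain flushed first.
tarpit_rules() {
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
    done
    run iptables -N TARPIT_IN
    for p in "$@"; do
        # Allowed service ports leave the chain and fall through to the
        # normal INPUT policy (ACCEPT rules for the daemons on those ports).
        run iptables -A TARPIT_IN -p tcp --dport "$p" -j RETURN
    done
    # Every other new TCP connection attempt is held open with a zero
    # window instead of being refused or silently dropped.
    run iptables -A TARPIT_IN -p tcp -j TARPIT
    # Only initial SYNs are sent to the chain, so replies to our own
    # outbound connections are never tarpitted.
    run iptables -I INPUT -p tcp --syn -m conntrack --ctstate NEW -j TARPIT_IN
}

# Constructed sample allow-list: ssh for admins, smtp and http as in the post.
# Whatever port you administer the box on must be in this list.
tarpit_rules ${ALLOW_PORTS:-22 25 80}
```

The xtables-addons documentation for TARPIT notes that tarpitted flows should also be excluded from connection tracking (NOTRACK in the raw table), otherwise each held connection still costs a conntrack entry on the defending side.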