Abuse Desks

Mel Beckman mel at beckman.org
Wed Apr 29 22:15:16 UTC 2020


Sabri,

A clever idea to be sure, but it seems open to abuse. What stops someone from forging a tcp syn from every /24 on the Internet, causing you to blackhole your access to everywhere?

 -mel


> On Apr 29, 2020, at 2:24 PM, Sabri Berisha <sabri at cluecentral.net> wrote:
> 
> ----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell list at satchell.net wrote:
> 
> Hi,
> 
>> That said, I use TCPWRAPPER to limit access to SSH to specific IP
>> addresses.  I process my LogWatch messages manually.  I pull the fire
>> alarm for showshoe probes, and excessive number of probes (over 30 in a
>> 24-hour period).  No registered [email protected] address in the WHOIS?  The
>> offending netblock goes into my edge router ACL, because I have learned
>> that ne'er-do-wells without working [email protected] usually have other bad habits.
> 
> I have a very simple method to deal with that: a server with no other purpose
> than to blackhole portscanning culprits. Send so much as a tcp syn to port 22
> and your entire /24 goes to null0 for a month. I have a few exceptions for 
> entities that I know are responsive to [email protected], but that's it.
> 
> Highly effective.
> 
> Thanks,
> 
> Sabri




More information about the NANOG mailing list