Abuse Desks

Sabri Berisha sabri at cluecentral.net
Wed Apr 29 23:14:23 UTC 2020


----- On Apr 29, 2020, at 3:15 PM, mel mel at beckman.org wrote:

Hi Mel,

> A clever idea to be sure, but it seems open to abuse. What stops someone from
> forging a tcp syn from every /24 on the Internet, causing you to blackhole your
> access to everywhere?

Fair point, and I lied a bit. My code relies on inet_ntoa(client_addr.sin_addr)
after accept(), so technically it requires a bit more than just a SYN.

But the basic idea is that anyone connecting to IPs that they should not be
connecting to, will be nullrouted from the network for 30 days.

The bad guys automate scanning, I automate blocking.

In the old days (pre-9/11), scriptkiddie-me would simply send a teardrop. Luckily I 
have matured slightly since that time.

Thanks,

Sabri



>> On Apr 29, 2020, at 2:24 PM, Sabri Berisha <sabri at cluecentral.net> wrote:
>> 
>> ----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell list at satchell.net wrote:
>> 
>> Hi,
>> 
>>> That said, I use TCPWRAPPER to limit access to SSH to specific IP
>>> addresses.  I process my LogWatch messages manually.  I pull the fire
>>> alarm for snowshoe probes, and excessive number of probes (over 30 in a
>>> 24-hour period).  No registered [email protected] address in the WHOIS?  The
>>> offending netblock goes into my edge router ACL, because I have learned
>>> that ne'er-do-wells without working [email protected] usually have other bad habits.
>> 
>> I have a very simple method to deal with that: a server with no other purpose
>> than to blackhole portscanning culprits. Send so much as a tcp syn to port 22
>> and your entire /24 goes to null0 for a month. I have a few exceptions for
>> entities that I know are responsive to [email protected], but that's it.
>> 
>> Highly effective.
>> 
>> Thanks,
>> 
>> Sabri
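
The blackhole listener Sabri describes (accept() first so a forged SYN never counts, then the peer's /24 goes to null0 for a month, with an exceptions list for responsive networks), as an added Python example that is not Sabri's own code: the exception network, the in-memory expiry table and the `ip route add blackhole` command builder are assumptions, and the listener only prints the command instead of installing the route.

```python
import ipaddress
import socket
import time
from typing import Dict, List, Optional

BLOCK_SECONDS = 30 * 24 * 3600  # "a month", per the post

# Hypothetical exceptions: networks known to be responsive to abuse reports.
# 192.0.2.0/24 is an RFC 5737 documentation range, used here as a constructed value.
EXCEPTIONS = [ipaddress.ip_network("192.0.2.0/24")]

BlockTable = Dict[ipaddress.IPv4Network, float]  # /24 -> expiry (unix time)


def offending_block(peer_ip: str) -> Optional[ipaddress.IPv4Network]:
    """Return the /24 to nullroute for a connecting peer, or None if exempt."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version != 4 or any(addr in e for e in EXCEPTIONS):
        return None  # the thread only talks about /24s; exempt networks are skipped
    return ipaddress.ip_network(f"{addr}/24", strict=False)


def record_block(table: BlockTable, peer_ip: str, now: float) -> bool:
    """Add (or refresh) the peer's /24 with a 30-day expiry; True if newly blocked."""
    net = offending_block(peer_ip)
    if net is None:
        return False
    already = table.get(net, 0.0) > now
    table[net] = now + BLOCK_SECONDS
    return not already


def expire(table: BlockTable, now: float) -> List[ipaddress.IPv4Network]:
    """Drop entries whose month is up; returns the networks to un-nullroute."""
    gone = [net for net, until in table.items() if until <= now]
    for net in gone:
        del table[net]
    return gone


def nullroute_command(net: ipaddress.IPv4Network) -> List[str]:
    """iproute2 blackhole route for the block (assumed Linux host)."""
    return ["ip", "route", "add", "blackhole", str(net)]


def serve(table: BlockTable, host: str = "0.0.0.0", port: int = 22) -> None:
    """Honeypot listener: accept() completes the handshake, so the peer address is real."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(64)
        while True:
            conn, (peer_ip, _) = srv.accept()
            conn.close()  # nothing to say to them; the connect itself is the offence
            if record_block(table, peer_ip, time.time()):
                print("would run:", " ".join(nullroute_command(offending_block(peer_ip))))
```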



More information about the NANOG mailing list