Re: Telnet: route to host

From: Bill Vermillion (bv_at_wjv.com)
Date: 08/04/05

    Date: Thu, 04 Aug 2005 21:35:11 GMT

    In article <0001HW.BF18246A02484D54F0284600@usenet.plus.net>,
    Simon Hobson <simonsnews@thehobsons.codotuk> wrote:
    >On Thu, 4 Aug 2005 3:48:35 +0100, Brian K. White wrote
    >(in message <020801c5989e$fa86a530$6b00000a@venti>):

    >> This kind of thing bugs me because it inflicts wasted time
    >> damage on people like you & me who may think there really
    >> is a routing problem and chase our tails trying to fix what
    >> isn't broken. I think things like error messages should be
    >> sacrosanct. You don't spoof them. Start doing that and error
    >> messages become a useless diagnostic tool, and THEN where are
    >> we? Shortsighted idiot linux developers are destroying the
    >> world.

    >Hear hear !

    >However, it's not just Linux guys ....

    >When we put a firewall in at work we spent ages trying to figure
    >out why we couldn't reach anything on the internet - pings failed
    >altogether and traceroutes simply stopped somewhere in the ISPs
    >network. A call to their support line enlightened us to the fact
    >that they block pings so as to break one of the viruses, but only
    >the sort used by Windoze.

    >Switch to one of our Unix or Linux hosts and hey presto,
    >traceroutes and pings work !

    Or switch to an ISP that knows and understands networking. I've
    seen some pretty stupid things done. And I've noticed more and
    more ISPs turn off the ability of using ping -R [Record Route], which
    is awfully helpful when things don't go right, and you find packets
    go out one way but want to come back another because someone
    misconfigured something.

    >At home, my router doesn't seem to allow them at all, so I can't
    >traceroute anywhere :-(

    There are plenty of routers that do. Are you sure it's not
    something at your ISP?

    >Anyway, back to the thread, in situations like this, I think the
    >rule should simply be to drop the packets - that way it ties
    >up resources on any machine being used to attack you. Ie, they
    >attempt to open a connection, and instead of immediately getting
    >back a "no way Jose" message, they must wait until the connection
    >attempt times out. I see regular attacks on my machine, people
    >out there are obviously trying brute-force attacks to try and
    >connect via SSH - and it's clear they can do many attempts/second
    >for some time, adding a few seconds to each will cause a 'cost'
    >for the attacker. I see there's a package fail2<something> that
    >automatically adds IPs to IP Tables in such situations - must
    >take a look.

    Actually it depends upon how they are attacking you. Every now and
    then I get notices that the kernel is limiting responses to
    200 packets/second when someone tries a strong attack, perhaps with
    a flood-ping. Limiting responses won't always help in that event.

    I see a lot of ssh attempts at times - and they seem to go in fits
    and spurts - with nothing for a week or so and then several days
    with nothing. Checking the places I log them I see about 22K
    attempts over the past 2 years.

    As to adding IPs to your filters, you may find that your filters get
    so big they will start slowing down. I have not checked how many
    individual IPs are in the 22K mentioned above, but they typically
    come in bursts of 100 or so, and virtually all of them are from
    outside the continental US. But I'd guess there could easily be
    1000 different addresses, which is going to be a big table.

    Bill

    -- 
    Bill Vermillion - bv @ wjv . com
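
The two points raised in the exchange above (Simon's idea of automatically adding brute-forcing IPs to the packet filter, and Bill's worry that a table of a thousand or more individual addresses gets slow) can both be shown in a few lines. The following is an added example, not code from the thread or from any package the posters mention: it counts sshd "Failed password" lines per source address, keeps the addresses over a threshold, merges adjacent /32s into covering prefixes where that loses nothing, and emits the result as an ipset hash:net set referenced by a single iptables rule, so the kernel does one hashed lookup instead of walking a long linear chain. The log lines, addresses, threshold and set name are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (RFC 5737 documentation addresses,
# not taken from the thread). Three sources fail repeatedly, one fails
# once, and one line is a successful key login that must not be counted.
SAMPLE_LOG = """\
Aug  4 21:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.10 port 4444 ssh2
Aug  4 21:01:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.10 port 4445 ssh2
Aug  4 21:01:04 host sshd[1235]: Failed password for root from 203.0.113.10 port 4446 ssh2
Aug  4 21:01:05 host sshd[1236]: Failed password for invalid user test from 203.0.113.11 port 5000 ssh2
Aug  4 21:01:06 host sshd[1236]: Failed password for invalid user test from 203.0.113.11 port 5001 ssh2
Aug  4 21:01:07 host sshd[1237]: Failed password for invalid user test from 203.0.113.11 port 5002 ssh2
Aug  4 21:01:08 host sshd[1238]: Failed password for root from 198.51.100.7 port 6000 ssh2
Aug  4 21:01:09 host sshd[1239]: Accepted publickey for bill from 192.0.2.5 port 50000 ssh2
Aug  4 21:01:10 host sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 6001 ssh2
Aug  4 21:01:11 host sshd[1241]: Failed password for invalid user oracle from 198.51.100.7 port 6002 ssh2
Aug  4 21:01:12 host sshd[1242]: Failed password for invalid user guest from 198.51.100.200 port 7000 ssh2
"""

# Matches only sshd password failures and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Count 'Failed password' lines per source IP (successful logins ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=3):
    """Addresses at or above the failure threshold, sorted for stable output.
    The threshold (3) is an assumed value, not one from the thread."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def collapse_to_prefixes(ips):
    """Merge adjacent host routes into the smallest exact covering prefixes.
    ipaddress.collapse_addresses only joins blocks that form a complete
    supernet, so this shrinks the table without blocking extra addresses."""
    nets = [ipaddress.ip_network(ip + "/32") for ip in ips]
    return list(ipaddress.collapse_addresses(nets))


def render_rules(prefixes, setname="sshblock"):
    """Emit shell commands that load the prefixes into one ipset hash:net set
    and attach a single iptables rule to it; the set name is assumed."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in prefixes]
    cmds.append(
        f"iptables -I INPUT -p tcp --dport 22 -m set --match-set {setname} src -j DROP"
    )
    return cmds


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    bad = offenders(counts)
    prefixes = collapse_to_prefixes(bad)
    print(f"{len(bad)} offending addresses -> {len(prefixes)} prefixes")
    for cmd in render_rules(prefixes):
        print(cmd)
```

Run as-is, the three offending hosts become two set entries (198.51.100.7/32 and 203.0.113.10/31), the one-off failure from 198.51.100.200 stays below the threshold, and the accepted key login is never counted. A hash:net set keeps lookup cost roughly constant as the list grows, which is the practical answer to the "big table" concern; the DROP target matches Simon's preference for silently dropping rather than rejecting.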