Paul Wouters writes:
> > I.e. the recent connections table has list of IP-address who have
> > tried to connect to you, but have not yet authenticated, i.e. either
> > real devices in the middle of authentication, or attackers. The real
> > devices in the middle of authentication will not try to reconnect, as
> > they are still continuing the process.
>
> You would need the port number too to support multiple clients behind the
> same NAT router, upon which the attacker can then use multiple ports too.

No need for port number. If server is under attack just block / slow down everybody using the same IP-address (or IP-address mask). This will block real users out if they are behind the same NAT as the attacker... On the other hand then the user should fix his home windows and get rid of the botnet running there :-)

> > This means attacker needs one new routable IP-address for each attack.
>
> for each 65k attacks.

Nope, one address per attack as you do not store port number (and not perhaps even full IP-address, especially in IPv6).
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
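Added example (mine, not code from the thread or from any IKE implementation) of the recent-connections table as the reply describes it: half-open IKE_SA_INIT exchanges are counted per source address with the port ignored, so every client behind one NAT shares one budget and an attacker gains nothing from cycling ports. The IPv6 /64 aggregation, the threshold of three, and the 30-second expiry window are my assumptions, not values from the thread.

```python
import ipaddress


class RecentConnectionsTable:
    """Tracks unauthenticated (half-open) IKE_SA_INIT exchanges per source
    address, deliberately ignoring the source port as the reply argues.
    Assumptions (mine, not from the thread): IPv4 sources are keyed by the
    full address, IPv6 sources by their /64, and an entry that neither
    completes IKE_AUTH nor is refreshed within `window` seconds is dropped."""

    def __init__(self, threshold=3, window=30.0, v6_prefix=64):
        self.threshold = threshold      # half-open SAs allowed per key
        self.window = window            # seconds before a stale entry is dropped
        self.v6_prefix = v6_prefix      # aggregation prefix for IPv6 sources
        self.pending = {}               # key -> {initiator_spi: start_time}

    def key_for(self, src_ip):
        """Address-only key: the port never enters the lookup."""
        ip = ipaddress.ip_address(src_ip)
        if ip.version == 6:
            return str(ipaddress.ip_network(f"{ip}/{self.v6_prefix}", strict=False))
        return str(ip)

    def _expire(self, key, now):
        entries = self.pending.get(key, {})
        for spi in [s for s, t0 in entries.items() if now - t0 > self.window]:
            del entries[spi]

    def on_init(self, src_ip, src_port, initiator_spi, now):
        """Decide how to treat a new IKE_SA_INIT. src_port is accepted only
        to show it plays no role: all ports behind one NAT share one key."""
        key = self.key_for(src_ip)
        self._expire(key, now)
        entries = self.pending.setdefault(key, {})
        if len(entries) >= self.threshold:
            return "throttle"   # this address (or /64) is over budget
        entries[initiator_spi] = now
        return "accept"

    def on_auth_complete(self, src_ip, initiator_spi):
        """IKE_AUTH succeeded: the peer was a real device, release its slot."""
        self.pending.get(self.key_for(src_ip), {}).pop(initiator_spi, None)

    def half_open(self, src_ip, now):
        key = self.key_for(src_ip)
        self._expire(key, now)
        return len(self.pending.get(key, {}))
```

A real user behind the same NAT as an over-budget attacker is throttled too, which is exactly the trade-off the reply accepts.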
