Hi, Owen,

On 6/2/23 20:39, Owen DeLong wrote:
> As long as they have a reasonable expiry process, it could work.

What, specifically? Banning /128s?


> After all, they're only collecting addresses to ban at the rate they're
> actually being used to send packets.

Yeah, but the whole point of banning is that the banned address is actually used by an attacker subsequently.

In other words, if:

1. The attacker employs one address for malicious purposes
2. You ban that address
3. The attacker changes his/her address and goes back to #1

... you'd be doing yourself a disservice by adding addresses to the ban-list. You just pay penalties for no actual gain.



> While that's not a completely effective throttle, as long as your expiry
> process can keep up and your TTL doesn't exceed your ring buffer size, it
> should be theoretically OK.

Memory is a limited resource. As soon as you consistently use memory / iptables rule slots to store more and more rules/addresses you'll get no benefit from, the attacker is winning...

Thanks!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
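The trade-off argued in this exchange (a bounded, expiring /128 ban list only pays off against an attacker who reuses addresses) can be made concrete with a small simulation. The following is an added example, not code from either poster or from any firewall tool: it models a fail2ban-style ban list with a TTL and a ring-buffer cap, then replays two constructed attackers from the 2001:db8::/64 documentation prefix, one that rotates to a fresh /128 for every packet and one that keeps a single address. The `BanList`, `simulate` and `run_demo` names, the 5000/256/600 parameters and the "one packet per time unit" model are all assumptions made for the demonstration.

```python
"""Bounded, expiring ban list and a simulation of its payoff against a
rotating vs. a fixed-address attacker. Added example; all addresses are
constructed from the 2001:db8::/32 documentation range."""
import ipaddress
from collections import OrderedDict


class BanList:
    """Ban list with a TTL per entry and a hard cap (ring-buffer behaviour):
    when the list is full, the oldest entry is dropped even if not expired."""

    def __init__(self, max_entries: int, ttl: int) -> None:
        self.max_entries = max_entries
        self.ttl = ttl
        # insertion-ordered, oldest ban first, so expiry can stop at the
        # first entry that is still fresh
        self._entries: "OrderedDict[str, int]" = OrderedDict()
        self.evictions = 0  # unexpired entries dropped because the list was full

    def _expire(self, now: int) -> None:
        while self._entries:
            oldest, banned_at = next(iter(self._entries.items()))
            if now - banned_at < self.ttl:
                break
            del self._entries[oldest]

    def ban(self, addr: str, now: int) -> None:
        addr = str(ipaddress.ip_address(addr))
        self._expire(now)
        if addr in self._entries:
            del self._entries[addr]            # re-ban: refresh timestamp, move to end
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)  # ring buffer full: drop the oldest
            self.evictions += 1
        self._entries[addr] = now

    def is_banned(self, addr: str, now: int) -> bool:
        self._expire(now)
        return str(ipaddress.ip_address(addr)) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def simulate(next_addr, banlist: BanList, attempts: int) -> dict:
    """One attacker packet per time unit. A packet from a banned address is
    dropped (the only gain a ban gives); otherwise it gets through and the
    address is banned afterwards, which is the best a reactive ban can do."""
    dropped = 0
    for t in range(attempts):
        addr = next_addr(t)
        if banlist.is_banned(addr, now=t):
            dropped += 1
        else:
            banlist.ban(addr, now=t)
    return {"dropped": dropped, "entries": len(banlist), "evictions": banlist.evictions}


NET = ipaddress.IPv6Network("2001:db8::/64")  # constructed sample prefix


def rotating_attacker(t: int) -> str:
    # a fresh /128 from the same /64 for every packet
    return str(NET[t])


def fixed_attacker(t: int) -> str:
    # the same /128 for every packet
    return str(NET[1])


def run_demo(attempts: int = 5000, max_entries: int = 256, ttl: int = 600) -> dict:
    return {
        "rotating": simulate(rotating_attacker, BanList(max_entries, ttl), attempts),
        "fixed": simulate(fixed_attacker, BanList(max_entries, ttl), attempts),
    }


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:8s} dropped={r['dropped']:5d} "
              f"entries={r['entries']:4d} evictions={r['evictions']}")
```

Against the fixed address, almost every packet after the first is dropped and the list holds one entry; against the rotating attacker not a single packet is dropped, yet the list stays full and keeps evicting entries that never matched anything, which is the "penalties for no actual gain" case described above.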
