> Having over 150 proxies serving several million narrowband internet users,
> I can tell you that I really hate that proposal. We handle it, heuristically,
> but it's awful. And don't tell me I should disinfect the clients. That sucks.
I'm in a position not unlike yours, though perhaps on a smaller scale. When Code Red and Nimda came around, I was severely lacking in tools to slow down the flood of traffic, which was particularly harmful from my broadband and leased-line customers. If I'd had a machine available with the patch I just offered, I could've routed a few unused/reserved /8s that were seeing heavy scan activity at it, and eaten all of my customers' scan threads. If your proxies had been running it, you could've done the same thing and reduced the load on your proxies tremendously, as well as spared the outside world all of the bad packets, assuming you are running transparent proxies and could use a destination IP match on the proxy machine's kernel.

You can't tell me that many uses of this patch are antisocial. In fact, in its intended use, it would've substantially reduced the number of antisocial packets leaving my network. This is a tool with interesting uses that the netfilter team can make available to a much wider audience than I, which is why it was offered.

-- Aaron