> The danger of including it in patch-o-matic is that many novice
> sysadmins might be anti-social without knowing (or in some cases
> intentionally)

I wouldn't imagine novice sysadmins end up building the iptables and kernel binaries often, but that is another matter. If we're trying to protect the world at large from netfilter users, how did the MIRROR target end up in the standard kernel? What was its purpose, if not to be "anti-social"?

> My approach to this kind of problem would be a more offensive,
> completely blocking such stations from using the relevant network
> services, and in case of local users giving a message to the user on
> the fact prompting them to correct the issue before allowing them to
> use the affected network services again.

And this was the method we employed. This involves adding a filter for each offending IP. On a large network with new attack nodes coming up every few seconds, it's not necessarily possible to catch them all quickly. Whereas the worm does self-select to connect to otherwise invalid IP ranges. With TCP SYN-ACK replies coming from an unused quarter of the IP address space, the attack nodes get stuck quite quickly with no specific attention from me.

-- 
Aaron
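Aaron's point that the worm self-selects by probing unused address space also gives the per-IP filtering approach a cheap detection signal. The following is an added example (not code from the thread): it reads constructed flow records and flags sources that send SYNs to several distinct addresses in ranges the network has never allocated; the dark ranges, log format and threshold are all assumptions.

```python
"""Flag hosts that probe unallocated address space (constructed example)."""
import ipaddress
from collections import defaultdict

# Assumed: ranges the local network has not allocated (stand-ins for the
# "unused quarter" in the post; RFC 5737 documentation prefixes are used).
DARK_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Constructed flow records: "src dst dport flags" (S = SYN only).
SAMPLE_FLOWS = """\
192.0.2.10 203.0.113.5 445 S
192.0.2.10 203.0.113.77 445 S
192.0.2.10 198.51.100.200 445 S
192.0.2.10 203.0.113.9 135 S
192.0.2.20 198.51.100.10 80 S
192.0.2.30 203.0.113.1 22 S
192.0.2.30 203.0.113.2 22 S
192.0.2.30 203.0.113.3 22 S
192.0.2.30 203.0.113.4 22 S
""".splitlines()

def is_dark(dst):
    """True when the destination lies in unallocated space."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_RANGES)

def parse_flow(line):
    """Split one record into (src, dst, dport, flags)."""
    src, dst, dport, flags = line.split()
    return src, dst, int(dport), flags

def dark_hits(lines):
    """Per source, the set of distinct dark destinations it sent SYNs to."""
    hits = defaultdict(set)
    for line in lines:
        src, dst, _dport, flags = parse_flow(line)
        if "S" in flags and is_dark(dst):
            hits[src].add(dst)
    return hits

def flag_scanners(lines, threshold=3):
    """Sources that probed at least `threshold` distinct dark addresses.
    Legitimate hosts rarely touch this space, so a low threshold is safe."""
    return sorted(src for src, dsts in dark_hits(lines).items()
                  if len(dsts) >= threshold)

if __name__ == "__main__":
    for src in flag_scanners(SAMPLE_FLOWS):
        print("quarantine candidate:", src, sorted(dark_hits(SAMPLE_FLOWS)[src]))
```

A source flagged this way is exactly the host the post says must otherwise be found and filtered by hand; a threshold of a few distinct dark destinations keeps a single mistyped address from triggering it.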