> The danger of including it in patch-o-matic is that many novice 
> sysadmins might be anti-social without knowing (or in some cases 
> intentionally)

I wouldn't imagine novice sysadmins end up building the iptables and
kernel binaries often, but that is another matter.

If we're trying to protect the world at large from netfilter
users, how did the MIRROR target end up in the standard kernel?
What was its purpose, if not to be "anti-social"?

> My approach to this kind of problem would be a more offensive, 
> completely blocking such stations from using the relevant network 
> services, and in case of local users giving a message to the user on 
> the fact prompting them to correct the issue before allowing them to 
> use the affected network services again.

And this was the method we employed.  This involves adding a filter for
each offending IP.  On a large network with new attack nodes coming
up every few seconds, it's not necessarily possible to catch them all
quickly.

Whereas the worm does self-select to connect to otherwise invalid IP ranges.
With TCP SYN-ACK replies coming from an unused quarter of the
IP address space, the attack nodes get stuck quite quickly with no
specific attention from me.

                                    -- Aaron
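As an added illustration of the effect Aaron describes (this is not code from the thread, from netfilter or from patch-o-matic), the following small simulation models a population of scanning nodes that each hold open every connection answered from the unused quarter of the address space until a per-node socket limit is hit. The node count, the socket limit of 64, the scan rate and the tick count are assumptions chosen for the example; the "unused quarter" fraction of 0.25 comes from the post. The model only quantifies how quickly nodes stall under that response, with no operator action per node, which is the point being made above.

```python
import random
from dataclasses import dataclass

# Fraction of the address space that is unused and answers with SYN-ACK
# (the "unused quarter" mentioned in the post).
UNUSED_FRACTION = 0.25

# Assumed per-node limit on concurrent connections a scanner can keep open
# before it can no longer make new attempts (constructed for the example).
MAX_CONNECTIONS = 64


@dataclass
class ScanNode:
    """One scanning node: counts attempts made and connections held open."""
    scans: int = 0
    stuck: int = 0

    def exhausted(self, max_conns: int) -> bool:
        return self.stuck >= max_conns


def expected_scans_to_exhaust(max_conns: int, unused_fraction: float) -> float:
    """Each attempt lands in the unused range with probability p, so the
    expected number of attempts before max_conns of them are held open
    is max_conns / p (negative-binomial mean)."""
    return max_conns / unused_fraction


def simulate(nodes: int, unused_fraction: float, max_conns: int,
             attempts_per_tick: int, ticks: int, seed: int = 1):
    """Run the population for `ticks` rounds. Returns a dict mapping node
    index -> tick at which it ran out of sockets, and the node list."""
    rng = random.Random(seed)
    population = [ScanNode() for _ in range(nodes)]
    exhausted_at: dict[int, int] = {}
    for tick in range(ticks):
        for idx, node in enumerate(population):
            if node.exhausted(max_conns):
                continue  # no free sockets: this node can no longer scan
            for _ in range(attempts_per_tick):
                node.scans += 1
                # A target in the unused range answers SYN-ACK and never
                # completes or closes, so the connection stays held open.
                if rng.random() < unused_fraction:
                    node.stuck += 1
                    if node.exhausted(max_conns):
                        exhausted_at[idx] = tick
                        break
    return exhausted_at, population


def summarize(nodes: int = 200, attempts_per_tick: int = 8, ticks: int = 200):
    """Report how many nodes stalled and the mean scans each emitted first."""
    exhausted_at, population = simulate(nodes, UNUSED_FRACTION, MAX_CONNECTIONS,
                                        attempts_per_tick, ticks)
    mean_scans = sum(n.scans for n in population) / nodes
    last_tick = max(exhausted_at.values()) if exhausted_at else None
    return {
        "stalled": len(exhausted_at),
        "mean_scans_before_stall": mean_scans,
        "last_stall_tick": last_tick,
        "expected_scans": expected_scans_to_exhaust(MAX_CONNECTIONS, UNUSED_FRACTION),
    }


if __name__ == "__main__":
    print(summarize())
```

With these assumed parameters every node stalls after roughly 256 scans on average (64 / 0.25), with no per-IP filter having to be added; raising the fraction of address space that answers, or lowering the socket limit, shortens that further.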
