Matt Sergeant wrote:
> On 27-Nov-06, at 10:43 AM, Bryan Scott wrote:
>> The first thought I had was if we could make the forkserver code
>> perform similarly. It wouldn't be able to block just based on the SYN
>> packets, but it could immediately close the connection (no banner, no
>> error message, very un-RFC-like), freeing it up for another host that
>> much quicker. Not something a plugin can do.
>
> This is something a plugin can do. The 'connect' hook is called before
> the banner is sent. Just look up there, and return DENY_DISCONNECT.
>
>> The idea progressed to have some other plugin keep track of how many
>> times a particular host errors out, assigning higher weights to 5xx
>> errors vs. 4xx errors. After hitting a certain threshold, the
>> forkserver code begins closing connections from those hosts (I
>> personally don't care if I can hang up on known spam hosts).
>
> See the plugin I wrote for the O'Reilly article.
Sweet. Much better.
-- Bryan
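As an added example (not code from this thread or from qpsmtpd itself), here is the shape of the plugin the two messages above describe: it hooks `connect` to hang up, before the banner, on hosts whose accumulated error score has crossed a threshold, and hooks `deny` to add weighted points (5xx heavier than 4xx) whenever another plugin rejects something. It assumes the qpsmtpd plugin API of the time (`register_hook`, `$self->qp->connection->remote_ip`, and the `deny` hook receiving the previous hook, return code and text), and the plugin name, store path and threshold are made up; scores go in a DB_File hash because forkserver children are separate processes and cannot share in-memory counters.

```perl
# error_score: added example plugin, not part of qpsmtpd (name is hypothetical)
package error_score;
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);
use DB_File;
use Qpsmtpd::Constants;

my $store     = '/var/spool/qpsmtpd/error_score.db';  # assumed path
my $threshold = 20;   # assumed: points before we hang up at connect

sub register {
    my ($self, $qp) = @_;
    $self->register_hook('connect', 'check_connect');
    $self->register_hook('deny',    'record_error');
}

# Runs before the banner is sent: disconnect hosts over the threshold.
sub check_connect {
    my ($self, $transaction) = @_;
    my $ip    = $self->qp->connection->remote_ip;
    my $score = $self->_with_store(sub { $_[0]->{$ip} || 0 });
    if ($score >= $threshold) {
        $self->log(LOGINFO, "disconnecting $ip (error score $score)");
        return DENY_DISCONNECT;
    }
    return DECLINED;
}

# Called when any plugin returns a DENY* code. Assumed argument order:
# previous hook name, its return code, its return text. 5xx-class
# rejections (DENY, DENY_DISCONNECT) weigh more than 4xx-class (DENYSOFT*).
sub record_error {
    my ($self, $transaction, $prev_hook, $code, $text) = @_;
    my $ip     = $self->qp->connection->remote_ip;
    my $weight = ($code == DENY || $code == DENY_DISCONNECT) ? 5 : 1;
    $self->_with_store(sub { $_[0]->{$ip} += $weight });
    return DECLINED;
}

# Counters live in a DBM file shared by all forkserver children; an
# exclusive flock serialises readers and writers across processes.
sub _with_store {
    my ($self, $code) = @_;
    open my $lock, '>>', "$store.lock" or return 0;
    flock($lock, LOCK_EX) or return 0;
    tie my %score, 'DB_File', $store, O_RDWR | O_CREAT, 0640 or return 0;
    my $result = $code->(\%score);
    untie %score;
    close $lock;   # releases the lock
    return $result;
}
```

Scores never decay in this version, so a long-running host that once misbehaved stays blocked until the store is cleared; a real deployment would age entries out.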