On Fri, Sep 21, 2001 at 09:28:11AM -0400, Brian Curtis wrote:
> Repeating offenders of the Nimda virus (my list has been compiled from
> a 5 day data sample). I'm trying to figure out some way to lessen the
> bandwidth load that all these scans are creating.
>
> I already have a shell script ready to go containing ~2400 lines of:
>
> /sbin/ipchains -I input -s 208.3.252.37 -j DENY
> /sbin/ipchains -I input -s 208.165.50.100 -j DENY
> /sbin/ipchains -I input -s 208.242.215.200 -j DENY
> ...
>
> But, like you said, the performance hit would probably be just as bad
> as the scans themselves.

Have you looked into iptables? There is a POOL extension module in
iptables-1.2.3 that I believe allows one to create pools (i.e., dictionaries)
of IP addresses and a filter for matching against a given pool. Since
it is just a hash lookup, this ought to be a small constant-time operation,
regardless of the number of addresses.

The POOL module may be experimental; I haven't had a chance to look into
it.

Regards,

Bill Rugolsky
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
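The point Bill makes above (one hash lookup per packet instead of a walk over ~2400 rules) is what the modern netfilter ipset facility, the successor of the old ippool/POOL work, provides. The script below is an added example, not code from the thread or from the iptables project: it reads ipchains DENY lines in the shape Brian posted, deduplicates the source addresses, and prints the ipset/iptables commands that replace the whole chain with one set and one rule. The set name `nimda_src`, the one-day element timeout and the sample rule lines are assumptions made for illustration; the commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread or the iptables project):
# collapse a script of one-address-per-line ipchains DENY rules into an
# ipset hash set plus a single iptables rule, so the per-packet cost is
# one hash lookup regardless of how many addresses are blocked.

# Constructed sample input, in the shape of the script quoted in the thread
# (one duplicate included to show deduplication).
RULES='/sbin/ipchains -I input -s 208.3.252.37 -j DENY
/sbin/ipchains -I input -s 208.165.50.100 -j DENY
/sbin/ipchains -I input -s 208.3.252.37 -j DENY
/sbin/ipchains -I input -s 208.242.215.200 -j DENY'

# extract_ips: print the -s address of every ipchains DENY line read on
# stdin, one per line, sorted and deduplicated. Lines that are not DENY
# rules (comments, other targets) are skipped.
extract_ips() {
    awk '$1 ~ /ipchains$/ && $NF == "DENY" {
        for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1)
    }' | sort -u
}

# emit_ipset_script: read ipchains lines on stdin and print the equivalent
# ipset/iptables commands. Set name and timeout are assumed defaults.
# "-exist" makes the create/add idempotent so the script can be re-run.
emit_ipset_script() {
    set_name="${1:-nimda_src}"
    ttl="${2:-86400}"
    # hash:ip set with a default element timeout: a host that is cleaned up
    # drops off the blocklist by itself instead of needing a manual flush.
    printf 'ipset -exist create %s hash:ip timeout %s\n' "$set_name" "$ttl"
    extract_ips | while IFS= read -r ip; do
        printf 'ipset -exist add %s %s\n' "$set_name" "$ip"
    done
    # One rule replaces the entire chain of DENY rules.
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name"
}

printf '%s\n' "$RULES" | emit_ipset_script
```

Run against the real ~2400-line script with `emit_ipset_script nimda_src 86400 < deny.sh > convert.sh`, check the output, then execute it as root. The kernel then evaluates one rule per packet and does a single hash lookup in the set, which is the constant-time behaviour described in the message; adding or removing members later is `ipset add`/`ipset del` with no change to the rule set.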