Hello J.,

JD> No, you get a double hit. You get the performance hit of the samples and
JD> you still get hit over and over again. A better approach if you do not have
JD> any web page visible to the outside, or "should not", then you could go to
JD> http://www.incidents.org and acquire "labrea", the tarpit tool that slows
JD> down the scans.

I've looked at it, but since we don't have that many free IP addresses,
I doubt we'd make a dent.

JD> It would also be interesting to write notes to your ISP, if
JD> these are likely also on your ISP's network, requesting that infected people
JD> be locked off until they are infection free.

I've already called our upstream several times (Sprint), keep getting
the answer, "We know there's a problem and are working to fix it".
It's starting to sound like a pre-recorded message you'd get from an
answering machine.

JD> But simply placing the entries in your firewall is solving only a part of
JD> the problem. You still get hit for each trial. Another interesting solution
JD> would be to visit the dialup accounts list of IP ranges that are known
JD> dialup addresses. Build THEM into your firewall as ranges. You may still
JD> have 2400 entries. But you'd not have to add to them very often.

Unfortunately, many of our own local clients are within these network
address ranges (frame relay / fractional Ts).  That's why I haven't
started blocking entire ranges.

JD> (And since
JD> I just had this idea on the spur of the moment, is there a handy place to
JD> get this list. I feel a burst of editing coming on and a *VERY* big firewall
JD> list here. Some creative ordering on the list might help mitigate some of
JD> the load. But I doubt it....)

The list of addresses I compiled?  I'll send you a link off-list.

-- 
Best regards,
 Brian Curtis



_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
