Subj : Blocked IP's
To   : Daryl Stout
From : mark lewis
Date : Tue Jul 07 2015 11:20 am

06 Jul 15 11:07, you wrote to MATT BEDYNEK:

 MB>> It is like fishing. Cast a line in the water and eventually you get
 MB>> a bite. For these dictionaries are used to crack passwords. The only
 MB>> guessing is in username. Believe it or not these work quite well
 MB>> when the work is distribu among hundreds of compromised zombie hosts.
 MB>> If you can change your pop ser port it is recommended to close that
 MB>> hole entirely.

 DS> With VADV32, I've blocked all email IP's, except the incoming ones
 DS> from my email server. If they repeatedly try to crash the deal here,
 DS> it ends up in the cached IP file (which then refuses the connection
 DS> entirely), or I'll put it in the blocked IP address...same result.

the thing i never liked about doing that is that it leaves the server to deal with the rejections instead of serving answers to requests... one can be DDoSed by simply having rafts and rats of blocked IPs hitting all at once for a sustained period... i prefer a dedicated protection system for that purpose...

then there's the thing about dynamic IPs being in the block lists... most of those are from compromised machines that get cleaned up and/or get a new IP... when that happens, the old blocked IP is taking up room and shouldn't be in the list any more since it is no longer dangerous...

the system i use blocks only known attacks and for a limited random time limit after which the IP is removed from the block list... as long as the attacking IP tries to connect, the blocking limit is extended... the only way out is for them to move on to another system and let the blocking period elapse... that allows them to connect normally again and if they start another attack, they are blocked again... the system works very well and i do not end up with thousands of blocked IPs to try to manage manually...

my blocking system is currently managing an average of 300 blocked IPs instead of thousands upon thousands... since it is also automated, i'm not burdened with having to maintain the lists of IPs... i tried that one time before implementing my current system and found myself spending 10 - 12 hours a day doing nothing but IP management and not getting anything else done at all...

)\/(ark

.... We all know you're a masticator.
---
 * Origin: (1:3634/12.73)
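
A minimal sketch of the expiring block list described in the message above, added here as an illustration; it is not mark lewis's actual system and not a VADV32 feature. The class name, the failed-login trigger, and the threshold and ban-length values are assumptions.

```python
import random
from collections import defaultdict, deque

class TempBlockList:
    """Expiring block list: random ban length, extended while the source keeps trying."""
    def __init__(self, threshold=5, window=60, min_ban=600, max_ban=1800, rng=None):
        self.threshold, self.window = threshold, window   # assumed trigger: 5 failures / 60 s
        self.min_ban, self.max_ban = min_ban, max_ban     # assumed ban range in seconds
        self.rng = rng or random.Random()
        self.failures = defaultdict(deque)                # ip -> recent failure timestamps
        self.blocked = {}                                 # ip -> expiry timestamp

    def _ban_until(self, now):
        return now + self.rng.uniform(self.min_ban, self.max_ban)

    def purge(self, now):
        """Drop expired entries so stale (e.g. reassigned dynamic) IPs do not pile up."""
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def allow(self, ip, now):
        """Call on every connection attempt. False means drop the connection."""
        self.purge(now)
        if ip in self.blocked:
            # still knocking while banned: push the expiry out again
            self.blocked[ip] = max(self.blocked[ip], self._ban_until(now))
            return False
        return True

    def record_failure(self, ip, now):
        """Call on a failed login; bans the IP once it crosses the threshold."""
        q = self.failures[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = self._ban_until(now)
            del self.failures[ip]

def demo():
    """Constructed timeline using the documentation address 203.0.113.7."""
    bl = TempBlockList(rng=random.Random(1))
    ip = "203.0.113.7"
    for t in range(5):                     # five failed logins in five seconds
        if bl.allow(ip, t):
            bl.record_failure(ip, t)
    during = bl.allow(ip, 300)             # retry while banned: refused, ban extended
    after = bl.allow(ip, 300 + 1800 + 1)   # stayed away past the longest ban: allowed
    return during, after, len(bl.blocked)
```

Because entries are purged on expiry, the list size tracks the number of currently active sources rather than growing without bound.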