From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:19:30 2005
Message-ID: <4100.212.12.51.89.1112804356.squirrel@212.12.51.89>
In-Reply-To: <425406ED.5060400@withagen.nl>
References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <425406ED.5060400@withagen.nl>
Date: Wed, 6 Apr 2005 18:19:16 +0200 (CEST)
From: "Marian Hettwer"
To: "Willem Jan Withagen"
cc: freebsd-security@freebsd.org
Subject: Re: What is this Very Stupid DOS Attack Script?

On Wed, 6.04.2005, 17:57, Willem Jan Withagen said:
> I've built some swatch-rules that after two of these hits, I dump
> the host into ipfw-deny space.
>

Aye. I thought about writing a script, doing the same like yours, too.
Could you post this script somewhere, so that I could add some functionality or just use it?

On one hand, of course, it would make no sense to block these attackers, as they don't mind anyway whether they're blocked or not; on the other hand, I'd like to see only two attempts, and not loads of pages, blowing up my logfiles uselessly.

By the way, you do know that if you block these attackers forever, you may run into a self-made DOS attack, right? Imagine you have 10 attacks per day (from 10 different IP addresses) and you block them all, each day, for another 10 days. You already blocked 100 IP addresses then ;)

Well, perhaps your script releases the blocked IP addresses after a specific amount of time... this would be a functionality I'd like to add :)

So, I'd be glad if you could either upload the script on some webserver and make it public, or if you could private mail it to me.

best regards,
Marian
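The block-after-two-hits and timed-release behaviour discussed in this message, as an added example that is not part of the original post and is not Willem's swatch script. The class and function names, the 24-hour release time, the 10-minute hit window, ipfw table number 1 and the (timestamp, IP) input shape are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

HIT_LIMIT = 2          # from the thread: block after two hits
BLOCK_TTL = 24 * 3600  # assumed release time in seconds (not from the thread)
HIT_WINDOW = 600       # assumed: hits only count if this close together
TABLE = 1              # assumed ipfw table that a deny rule refers to


class ExpiringBlocklist:
    def __init__(self, limit=HIT_LIMIT, ttl=BLOCK_TTL, window=HIT_WINDOW):
        self.limit, self.ttl, self.window = limit, ttl, window
        self.hits = defaultdict(list)  # ip -> recent hit timestamps
        self.blocked = {}              # ip -> time at which the block ends

    def expire(self, now):
        """Release every block whose TTL has passed; return ipfw commands."""
        due = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in due:
            del self.blocked[ip]
        return [f"ipfw table {TABLE} delete {ip}" for ip in due]

    def hit(self, raw_ip, now):
        """Record one log hit; return the ipfw commands to run, if any."""
        # Log-derived text ends up in a firewall command: accept only a
        # well-formed address (ValueError otherwise).
        ip = str(ipaddress.ip_address(raw_ip))
        cmds = self.expire(now)
        if ip in self.blocked:
            return cmds
        recent = [t for t in self.hits[ip] if now - t < self.window] + [now]
        self.hits[ip] = recent
        if len(recent) >= self.limit:
            del self.hits[ip]
            self.blocked[ip] = now + self.ttl
            cmds.append(f"ipfw table {TABLE} add {ip}")
        return cmds


def replay(events, **kw):
    """Feed (timestamp, ip) events to a fresh blocklist; return it and the commands."""
    bl = ExpiringBlocklist(**kw)
    log = []
    for ts, ip in events:
        log.extend(bl.hit(ip, ts))
    return bl, log


# Constructed sample events using documentation addresses, not real log data.
SAMPLE = [(0, "192.0.2.10"), (5, "192.0.2.10"), (7, "198.51.100.7"),
          (100, "192.0.2.10"), (90000, "198.51.100.7")]
```

With a release time in place, the scenario from the message (10 new addresses a day for 10 days) leaves only the most recent day's addresses blocked instead of 100.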