
OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)



To kind of get back to the ISP world a little bit, has anyone used this in the
way that's being recommended?  (Using the OS Fingerprint Netfilter patch to
block Windows machines sending to port 25).

We're currently getting slammed by Windows viruses and have thought about doing
exactly that, but it seemed to us that there are enough people using Exchange or
Sendmail.com's Windows sendmail (let alone ftgate, etc., etc.) that doing this
would block legitimate mail almost instantly.

We've just been blocking hosts manually after the first virus.  I'm thinking
about writing a little script to:

1.  Get the offending IP address from amavis's logfile
2.  Check against a whitelist (like our own backup mx's)
3.  Do something like tcpping to the IP to see if it is a valid mx host
4.  If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours

Other than the 72-hour checks it's pretty straightforward and seems (at least to
me) very unlikely to stop legitimate mail, while cutting those guys who send
40-50 viruses a day down to 1 every three.

Does anyone see any problems with the above?  The major issue is bandwidth, some
of our customers host their mail servers on 32K links with 200+ users.

Sorry, it's not really about the spam issue discussed before, but it's strange,
the synchronicity (OS fingerprinting anyway) between my work and this list
sometimes.

Pulu

----
Afe.to ANTS
POB 1478
Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332
http://www.afe.to
http://svcs.affero.net/rm.php?r=pulu


Quoting Russell Coker <russell@coker.com.au>:

> On Fri, 9 Apr 2004 21:32, Arnt Karlsen <arnt@c2i.net> wrote:
> > On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > > http://www.netfilter.org/patch-o-matic/pom-base.html
> > >
> > > See the section on "osf" in the above URL for a better solution.
> > > Simply block Windows machines from accessing your port 25.
> >
> > ..if only all isp's did it...
> 
> Not all ISPs need to do it.  Only your ISP and the ISPs that host mailing 
> lists that you subscribe to.
> 
> If you are interested in this then the best thing you can do is to build
> yourself a kernel with osf and try it out.  If it works well create a Debian
> kernel-patch package for it so that other Debian users can conveniently use
> it.  The more accessible you make this to Debian people the closer it comes
> to being installed on Debian list servers...
> 
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
> 
> 

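The four-step script sketched in the post above, written out as an added example (it is not the poster's script and makes several assumptions): amavis infection lines contain "INFECTED" and the sending host as the first bracketed IPv4, the whitelist is one IP per line, "valid MX host" means port 25 answers (nc -z stands in for tcpping), and the 72-hour expiry is tracked with one timestamp file per blocked IP under STATE_DIR.

```shell
#!/bin/sh
# Added example, not the poster's script: the four steps from the post as shell functions.
# Assumptions: amavis lines for infections contain "INFECTED" and the sending host as
# the first bracketed IPv4; whitelist is one IP per line; "valid MX" means port 25
# answers (nc -z stands in for tcpping); blocks expire after 72 h via timestamp files.
set -u
STATE_DIR="${STATE_DIR:-/var/lib/virusblock}"        # one file per blocked IP: block time
WHITELIST="${WHITELIST:-/etc/virusblock/whitelist}"  # e.g. our own backup MXs
BLOCK_SECS=$((72 * 3600))
DRY_RUN="${DRY_RUN:-0}"                              # 1 = print iptables commands, don't run
run_iptables() { if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi; }
# Step 1: the offending IP from an amavis log line (empty if the line is not an infection).
offender_ip() {
  printf '%s\n' "$1" | grep -F INFECTED | grep -oE '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' |
    head -n 1 | tr -d '[]'
}
# Step 2: exact match against the whitelist file (our backup MXs etc.).
is_whitelisted() { [ -r "$WHITELIST" ] && grep -qxF "$1" "$WHITELIST"; }
# Step 3: does the host answer on port 25 like a real MX would?
is_mx_host() { nc -z -w 3 "$1" 25 >/dev/null 2>&1; }
# Step 4: block port 25 from the IP and record when, so expire_blocks can lift it later.
block_ip() {
  run_iptables -I INPUT -s "$1" -p tcp --dport 25 -j DROP
  mkdir -p "$STATE_DIR" && date +%s > "$STATE_DIR/$1"
}
expire_blocks() {   # run hourly from cron: remove rules older than 72 hours
  now=$(date +%s)
  for f in "$STATE_DIR"/*; do
    [ -f "$f" ] || continue
    if [ $(( now - $(cat "$f") )) -ge "$BLOCK_SECS" ]; then
      run_iptables -D INPUT -s "${f##*/}" -p tcp --dport 25 -j DROP
      rm -f "$f"
    fi
  done
}
handle_log_line() {
  ip=$(offender_ip "$1")
  [ -n "$ip" ] || return 0                                  # not an infection report
  if is_whitelisted "$ip"; then echo "skip whitelisted $ip" >&2; return 0; fi
  if is_mx_host "$ip"; then echo "skip real MX $ip" >&2; return 0; fi
  if [ -f "$STATE_DIR/$ip" ]; then return 0; fi            # already blocked
  block_ip "$ip"
}
# Constructed sample line in the assumed amavis format; "--demo" prints the iptables
# command it would issue, "--watch" reads live log lines from stdin, "--expire" lifts old blocks.
SAMPLE='Apr  9 21:32:01 mx amavis[1234]: (01234-05) Blocked INFECTED (Worm.SomeFool.P), [192.0.2.10] <x@example.com> -> <y@example.net>'
case "${1:-}" in
  --demo)   DRY_RUN=1; STATE_DIR=${TMPDIR:-/tmp}/virusblock-demo; handle_log_line "$SAMPLE" ;;
  --watch)  while read -r line; do handle_log_line "$line"; done ;;
  --expire) expire_blocks ;;
esac
```

Feed it with something like `tail -F /var/log/mail.log | sh virusblock.sh --watch` and put `--expire` in cron; the "already blocked" check keeps a host that keeps sending from being inserted twice.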
