Re: fail2ban increase loadaverage to 18
On Sun, 19 Aug 2012, Seth Mattinen wrote:
> Exclude your own networks and trusted sources.
Indeed. Seth is correct, that's the 1st rule of any such active
defences: don't let it become friendly fire.
And if you want it to scale, try to use ip sets. AFAIK, it should take
just one iptables rule, and you add whoever you want blocked to the ip
set referred to by the iptables rule, and give the entry added to the set a
TTL so that the kernel will remove it after a while. I haven't tested
this yet, though.
That said, why did you not null-route the rackspace ASNs that are at the
attack's origin on your border routers as soon as you noticed the scale
of the attack? Do it.
And why didn't you enlist your transit provider's help? They should not
have any difficulty getting in touch with the rackspace NOC, and they
should be able to null-route the attack traffic for you, since it is not
even a large DDoS (where the origin is all over the world, and thus very
hard to null-route).
And also, from APNIC:
9725 Datapoint Drive, Suite 100
San Antonio, TX 78229
Call (and email) the NOC. Be polite, concise, use clear English, and
list the IPs attacking your servers and the exact manner of the attack.
There's a good chance this will actually get things done.
You may also bring the issue to rackspace in a very public way by
tweeting @rackspacenoc #rackspace #attack.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
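As an added example, not part of the original message or of fail2ban itself: the single-iptables-rule-plus-ipset arrangement described above, with a second set for trusted networks consulted first so the active defence cannot become friendly fire. The set names (f2b_block, f2b_trusted), the one-hour ban time and the trusted prefixes (RFC 5737 documentation ranges, constructed for the example) are assumptions. The script prints the ipset/iptables commands it would run unless APPLY=1 is set, so it can be reviewed, and tested, without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): one iptables rule that
# matches an ipset; bans go into the set with a per-entry timeout so the
# kernel expires them on its own. A second set holds trusted networks and
# is matched before the block rule. Set names and networks are assumptions.
# Commands are printed unless APPLY=1, so this can be reviewed without root.

BLOCK_SET=f2b_block
TRUST_SET=f2b_trusted
BAN_SECONDS=3600
# Constructed example values: your own monitoring hosts, office, loopback.
TRUSTED_NETS="192.0.2.0/24 198.51.100.0/24 127.0.0.0/8"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies within network $2 (CIDR, or a bare /32 host).
in_cidr() {
    local ip net bits mask
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Friendly-fire check done in shell so it works even before the sets exist.
is_trusted() {
    local n
    for n in $TRUSTED_NETS; do
        in_cidr "$1" "$n" && return 0
    done
    return 1
}

# One-time setup: two sets, two rules. hash:net so whole prefixes can be
# trusted; hash:ip with a default timeout so bans expire without a cron job.
setup_firewall() {
    run ipset create "$TRUST_SET" hash:net -exist
    run ipset create "$BLOCK_SET" hash:ip timeout "$BAN_SECONDS" -exist
    local n
    for n in $TRUSTED_NETS; do run ipset add "$TRUST_SET" "$n" -exist; done
    # ACCEPT for trusted sources sits above the DROP, so even a trusted
    # address that somehow lands in the block set still gets through.
    run iptables -I INPUT 1 -m set --match-set "$TRUST_SET" src -j ACCEPT
    run iptables -I INPUT 2 -m set --match-set "$BLOCK_SET" src -j DROP
}

# ban ADDR [SECONDS]: add ADDR to the block set with a TTL; refuse trusted
# addresses outright rather than relying on rule order alone.
ban() {
    if is_trusted "$1"; then
        echo "refusing to ban trusted address $1" >&2
        return 1
    fi
    run ipset add "$BLOCK_SET" "$1" timeout "${2:-$BAN_SECONDS}" -exist
}

# Usage:  ./f2b-ipset.sh setup
#         ./f2b-ipset.sh ban 203.0.113.5 [seconds]
#         APPLY=1 ./f2b-ipset.sh ban 203.0.113.5      (execute for real, as root)
case ${1:-} in
    setup) setup_firewall ;;
    ban)   shift; ban "$@" ;;
esac
```

The "ban" function is the shape of what a fail2ban action would call: one ipset add per offender, no per-IP iptables rule, and the timeout argument means nothing has to come back later to unban. Without APPLY=1 it only prints, which is also a cheap way to eyeball what an overactive jail is about to do.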