[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: new, not nice web bots disposal

On Wednesday 26 February 2020 16:00:35 tomas@tuxteam.de wrote:

> On Wed, Feb 26, 2020 at 09:54:09PM +0300, Reco wrote:
> > 	Hi.
> >
> > On Wed, Feb 26, 2020 at 01:50:40PM -0500, Lee wrote:
> [...]
> > > Have you considered REJECT instead of DROP?
> >
> > A neat idea for your LAN. A bad idea in this case.
> Exactly.
> > You *want* that other side to retry, wasting their time instead of
> > spamming their target. In fact, one should consider using TARPIT
> > instead of a DROP here.

My copy of iptables-extensions makes zero mention of TARPIT.

> Moreover: you don't want the other side to even know that you're
> there. The less info you give away the better.

My reasoning too. I'd much druther be a black hole that doesn't even have 
any Hawking Radiation. But I've no info that such a beast exists 
anyplace in the universe. There is info in the fact of there not being 
any response.
> In a LAN, however, REJECT is far better: you want the other side
> to know that you're there, but not talking.

I'd call this a WAN since its intended to go out on the internet.
And I am the only user inside this LAN.

In that event, and given that a /24 rule caught them, how many out of 
that /24 get the reject message?

The iptables docs aren't that talkative... No need to bang on the other 
255 customers in that block that are not offenders.  That wouldn't be at 
all neighborly. And likely would make the situation much worse.

> Cheers
> -- t

Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>

Reply to: