List: debian-user
Subject: Re: Help: network abuse
From: Tim Woodall <debianuser () woodall ! me ! uk>
Date: 2023-12-23 9:29:25
Message-ID: alpine.DEB.2.21.2312230849430.14395 () dirac ! home ! woodall ! me ! uk
On Thu, 21 Dec 2023, David Christensen wrote:
>
> Perhaps you could set up a DMZ, move services into the DMZ, and provide a
> VPN connection to the DMZ for your Internet users. Then you could close all
> of the incoming WAN ports except VPN.
>
>
> It might be possible to put the VPN endpoint into a VPS, create an SSH tunnel
> out from the httpd server to the VPS, and close all of the WAN incoming
> ports.
>
If the OP is worried about the bandwidth usage then none of that will
help. The fact that the OP is not sending a SYN+ACK (according to the
tcpdumps that I saw) means that this is already blackholed.[2]
There are three options at this point:
1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
rules and drops without logging before anything else.
2. Talk to their ISP and get it blocked there - that's the only surefire
way to stop it eating their quota if that's the problem.
3. Try and make them give up - that's why I suggested sending a RST.
[1] I have a set of rules that blacklist IPs that send too many SYN
packets that are not responded to with SYN+ACK.
[2] This did look weird. I'm not sure how only some connections get a
SYN+ACK back - I wonder if their webserver is rate-limited and these are
"genuine" connection attempts that are failing - although the SPT=80
DPT=80 looks suspiciously like something crafted to get through naive
stateless firewall rules that rely on outgoing (allowed) connections to
have DPT=80 to the internet and SPT=80 from the internet.
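A defender-side sketch of the "EVILSYN" idea from footnote [1], added here as an illustration; it is not Tim's actual rule set or anything posted in the thread. It reads constructed iptables LOG-style lines, pairs each inbound SYN with the host's own SYN+ACK reply, reports sources whose SYNs go unanswered, and separately counts the SPT=80 DPT=80 pattern the message calls out; the threshold of 3 and all addresses are assumed values.

```python
import re
from collections import defaultdict

# Constructed iptables LOG-style lines (not from the thread). "IN=eth0" lines arrive
# from the internet; "OUT=eth0" lines are this host's replies. 203.0.113.5 sends
# SPT=80 DPT=80 SYNs that never get a SYN+ACK; 198.51.100.7 is a normal client.
SAMPLE_LOG = """\
Dec 23 09:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN
Dec 23 09:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN
Dec 23 09:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN
Dec 23 09:00:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=80 SYN
Dec 23 09:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN
Dec 23 09:00:05 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51234 ACK SYN
Dec 23 09:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80 SYN
Dec 23 09:00:06 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51235 ACK SYN
"""
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split a LOG line into KEY=value fields and bare TCP flag tokens (SYN, ACK, ...)."""
    fields = dict(FIELD.findall(line))
    flags = {tok for tok in line.split() if "=" not in tok}
    return fields, flags

def syn_report(log_text):
    """Per source: inbound SYNs seen, how many got our SYN+ACK, and SPT=80 DPT=80 count."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "port80_to_80": 0})
    pending = set()  # (src, sport, dst, dport) of inbound SYNs awaiting a reply
    for line in log_text.splitlines():
        f, flags = parse_line(line)
        if f.get("PROTO") != "TCP" or "SYN" not in flags:
            continue
        if "ACK" not in flags and f.get("IN"):            # inbound SYN
            src = f["SRC"]
            stats[src]["syn"] += 1
            pending.add((src, f["SPT"], f["DST"], f["DPT"]))
            if f["SPT"] == "80" and f["DPT"] == "80":
                stats[src]["port80_to_80"] += 1
        elif "ACK" in flags and f.get("OUT"):             # our SYN+ACK reply
            rev = (f["DST"], f["DPT"], f["SRC"], f["SPT"])  # reversed 4-tuple
            if rev in pending:                            # replies to unseen SYNs are ignored
                pending.discard(rev)
                stats[f["DST"]]["synack"] += 1
    return dict(stats)

def blacklist_candidates(log_text, threshold=3):
    """Sources with at least `threshold` unanswered SYNs (threshold is an assumed value)."""
    return sorted(src for src, s in syn_report(log_text).items()
                  if s["syn"] - s["synack"] >= threshold)
```

The candidates list is what would feed a blacklist placed before any logging rule; a real deployment would also age entries out, since a legitimate client behind a rate-limited server produces the same signature.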