List:       debian-user
Subject:    Re: Help: network abuse
From:       Tim Woodall <debianuser () woodall ! me ! uk>
Date:       2023-12-23 9:29:25
Message-ID: alpine.DEB.2.21.2312230849430.14395 () dirac ! home ! woodall ! me ! uk

On Thu, 21 Dec 2023, David Christensen wrote:

>
> Perhaps you could set up a DMZ, move services into the DMZ,  and provide a 
> VPN connection to the DMZ for your Internet users.  Then you could close all 
> of the incoming WAN ports except VPN.
>
>
> It might be possible to put the VPN endpoint into a VPS, create an SSH tunnel 
> out from the httpd server to the VPS, and close all of the WAN incoming 
> ports.
>

If the OP is worried about the bandwidth usage then none of that will
help. The fact that the OP is not sending a SYN+ACK (according to the
tcpdumps that I saw) means that this is already blackholed.[2]

There are three options at this point:
1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
rules and drops without logging before anything else.

2. Talk to their ISP and get it blocked there - that's the only surefire
way to stop it eating their quota if that's the problem.

3. Try and make them give up - that's why I suggested sending a RST.


[1] I have a set of rules that blacklist IPs that send too many SYN
packets that are not responded to with SYN+ACK.

[2] This did look weird. I'm not sure how only some connections get a
SYN+ACK back - I wonder if their webserver is rate-limited and these are
"genuine" connection attempts that are failing - although the SPT=80
DPT=80 looks suspiciously like something crafted to get through naive
stateless firewall rules that rely on outgoing (allowed) connections to
have DPT=80 to the internet and SPT=80 from the internet.
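As an added illustration of the two checks Tim describes (a SYN blacklist built from SYNs that never get a SYN+ACK, and the SPT=80/DPT=80 pattern aimed at naive stateless rules), here is a small detector over tcpdump-style lines. It is not Tim's iptables rule set; the packet lines, addresses and the threshold of 3 are constructed for the example.

```python
"""Flag sources sending SYNs that are never answered with SYN+ACK, and
SYNs with both source and destination port 80 (constructed example)."""
import re
from collections import defaultdict

# Shape of a "tcpdump -n" TCP line: "IP a.b.c.d.SPT > e.f.g.h.DPT: Flags [S], ..."
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<spt>\d+) > (?P<dst>[\d.]+)\.(?P<dpt>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

def parse(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "spt": int(d["spt"]), "dst": d["dst"],
            "dpt": int(d["dpt"]), "flags": d["flags"]}

def unanswered_syns(lines, threshold=3):
    """Return {src_ip: count} for sources with >= threshold SYNs that got no SYN+ACK."""
    syns = defaultdict(int)   # (src, spt, dst, dpt) -> SYNs seen on that 4-tuple
    answered = set()          # 4-tuples for which a SYN+ACK went back
    for p in map(parse, lines):
        if p is None:
            continue
        if p["flags"] == "S":
            syns[(p["src"], p["spt"], p["dst"], p["dpt"])] += 1
        elif p["flags"] == "S.":
            # SYN+ACK travels dst->src, so reverse it to match the original SYN
            answered.add((p["dst"], p["dpt"], p["src"], p["spt"]))
    per_src = defaultdict(int)
    for key, n in syns.items():
        if key not in answered:
            per_src[key[0]] += n
    return {ip: n for ip, n in per_src.items() if n >= threshold}

def port80_to_port80(lines):
    """Sources whose SYNs carry SPT=80 and DPT=80, the shape a stateless
    'allow sport 80 from the internet' rule would wave through."""
    return sorted({p["src"] for p in map(parse, lines)
                   if p and p["flags"] == "S" and p["spt"] == 80 and p["dpt"] == 80})

# Constructed capture: 203.0.113.5 hammers port 80 from port 80 and never gets
# a SYN+ACK; 192.0.2.10 is a normal client whose SYNs are answered.
SAMPLE = [
    "12:00:01.000 IP 203.0.113.5.80 > 198.51.100.7.80: Flags [S], seq 1, win 512, length 0",
    "12:00:01.200 IP 203.0.113.5.80 > 198.51.100.7.80: Flags [S], seq 2, win 512, length 0",
    "12:00:01.400 IP 203.0.113.5.80 > 198.51.100.7.80: Flags [S], seq 3, win 512, length 0",
    "12:00:01.600 IP 203.0.113.5.80 > 198.51.100.7.80: Flags [S], seq 4, win 512, length 0",
    "12:00:02.000 IP 192.0.2.10.54321 > 198.51.100.7.80: Flags [S], seq 100, win 64240, length 0",
    "12:00:02.001 IP 198.51.100.7.80 > 192.0.2.10.54321: Flags [S.], seq 500, ack 101, length 0",
    "12:00:02.002 IP 192.0.2.10.54321 > 198.51.100.7.80: Flags [.], ack 501, length 0",
]
```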
