[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Automatic abuse reports

Subject: Automatic abuse reports
From: bill at herrin.us (William Herrin)
Date: Tue, 12 Nov 2013 23:03:31 -0500
In-reply-to: <[email protected]>
References: <Pine.LNX.4.64.1311122255060.7242@crisp> <[email protected]> <CAP-guGW+pB4XtdaY7pzaOGj-i7rvtg8Ntox0n5UfCdF15GAdbA@mail.gmail.com> <[email protected]>

On Tue, Nov 12, 2013 at 9:07 PM, Sam Moats <sam at circlenet.us> wrote:
> That said the original poster was
> focused on a DOS event,to do that you really don't need the full handshake.

Point. Though not all DDOSes are created equal. The simple packet
flood is, as likely as not, from forged addresses. But I've also seen
DDOSes which make repeated HTTP GET requests. That's tough to do
without control of the source address.

> Now it would be trivial to setup syslog and sshd to give only the sessions
> that complete the handshake, however I'm also not sure how responsive some
> of the abuse contacts may be. I'll keep my restrictive network settings for
> the time being.

That's the main problem: you can generate the report but if it's about
some doofus in Dubai what are the odds of it doing any good?

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

Follow-Ups:
- Automatic abuse reports
  - From: brandon.galbraith at gmail.com (Brandon Galbraith)

References:
- Automatic abuse reports
  - From: jonas at bjorklund.cn (Jonas Björklund)
- Automatic abuse reports
  - From: sam at circlenet.us (Sam Moats)
- Automatic abuse reports
  - From: bill at herrin.us (William Herrin)
- Automatic abuse reports
  - From: sam at circlenet.us (Sam Moats)

Prev by Date: Automatic abuse reports
Next by Date: IP transit providers @ 625 RL
Previous by thread: Automatic abuse reports
Next by thread: Automatic abuse reports
Index(es):
- Date
- Thread