[svlug] someone is hammering my webserver

Donald K. Wilson dkw at red4est.com
Mon Jan 28 13:14:32 PST 2008


Scott Hess wrote:
> My general experience is that for every case where a redirect to a
> "funny" place generates a win, there are 10 other cases where it
> generates a non-win.  It's like when a telemarketer calls.  You can
> spend five minutes messing with their heads, but compared to "no thank
> you" and a hangup, you still just wasted five minutes of your life!  I
> think simply blackholing them and moving on is really a stronger
> solution.
> 
> Suggest doing a DROP rather than a REJECT.  The DROP case should leave
> them squelched at the level of their TCP stack, with exponential
> backoff, sort of like teergrubbing, while the REJECT case might
> actually result in a higher incoming packet load because they'll move
> on to the next connection immediately.
> 
> -scott
> 
> 
> On Jan 28, 2008 10:39 AM, Bill Teeple <bill at teeple.tv> wrote:
>> Drop it using IPTABLES - just issue the IPTABLES command - drop the
>> packet for port 80 and they won't get any more responses from your site
>> and your system will be better off. (or whatever firewall you employ)
>>
>> I don't know about redirecting... my two cents.
>>
>> Bill

Hi,
As admin, I put a DROP rule at the top of the iptables INPUT chain. 
Since it seems to be a dynamic ppp user, I'm watching the /24 for 
incoming connections, in case it comes back from another address.



dkw





More information about the svlug mailing list