From: Michael Gale <michael.gale@utilitran.com>
To: netfilter@lists.netfilter.org
Subject: Re: over a 1,000,000,000 individual ips to block
Date: Mon, 28 Jun 2004 06:45:01 -0600
Message-ID: <20040628064501.3bab3f3c@mgalepc.utilitran.com>
In-Reply-To: <20040624145732.25300.qmail@team.outblaze.com>

Hello,

	Why don't you block networks?

Firewall - SYN cookie enabling?

Mail servers - use an RBL list; this list will contain networks of IPs that
belong to home users, so they do not need to connect directly to your mail
server.

Web servers -- rate limiting? Block networks? Better web server?

If you blocked networks, the estimated max number of rules a packet might have
to match would be 254 ... plus the rest of your filtering for ports and other
needs. This could slow down network access because of all the rules to check for
each packet.

If you are not using network addresses, the list would become too long.

Michael.


On Thu, 24 Jun 2004 22:57:32 +0800
"Timothy Webster" <timothyw@outblaze.com> wrote:

> I have a need to block 1 -> 2 million ips. 
> This edge firewall will be blocking DoS attackers and spammers
> from hitting our proxies and mail/web servers.
> I also need to be able to reload the 1 -> 2 million blocked 
> ips from time to time as they change. 
> But this list is not changing continuously.
> 
> Thoughts how to do this?
> What would you recommend for a hardware?
> The iptables set patch, what else?
> 
> 
> I need to come up with a plan so I can begin testing for
> deployment.
> 
> Thanks,
> 
> -Tim
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation
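Michael's point above is that a blocklist of individual hosts should be folded into network prefixes before it becomes firewall rules. The following is an added example (not code from either poster or from the netfilter project) that takes a constructed list of hosts, merges only exact CIDR-aligned neighbours, and then aggregates any /24 that holds at least a threshold of listed hosts into one rule; the `BLOCKLIST` chain name and the threshold are assumptions. The trade-off is that a whole /24 also drops unlisted neighbours in that range, so the threshold is a policy choice, not a technical constant.

```python
import ipaddress
from collections import Counter

# Constructed sample list: several hosts cluster in the same /24.
SAMPLE_IPS = [
    "203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.200",
    "198.51.100.7", "198.51.100.8",
    "192.0.2.55",
    "203.0.113.4",
]


def exact_rules(ips):
    """One /32 per host, merged only where adjacent hosts form an aligned CIDR block."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return sorted(ipaddress.collapse_addresses(nets))


def aggregate_by_prefix(ips, prefixlen=24, min_hosts=3):
    """Replace the hosts of any /prefixlen holding >= min_hosts listed IPs with the
    whole prefix; keep the remaining hosts as /32. Result is collapsed and sorted.
    (min_hosts=3 is an assumed policy value, not taken from the thread.)"""
    hosts = [ipaddress.ip_network(ip) for ip in ips]
    counts = Counter(h.supernet(new_prefix=prefixlen) for h in hosts)
    keep = []
    for h in hosts:
        net = h.supernet(new_prefix=prefixlen)
        keep.append(net if counts[net] >= min_hosts else h)
    # collapse_addresses drops /32s already covered by a chosen /24 and merges neighbours
    return sorted(ipaddress.collapse_addresses(keep))


def render_iptables(nets, chain="BLOCKLIST"):
    """Emit iptables-restore style lines for a dedicated chain (chain name assumed)."""
    lines = [f"-A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]
    lines.append(f"-A {chain} -j RETURN")
    return lines


if __name__ == "__main__":
    exact = exact_rules(SAMPLE_IPS)
    agg = aggregate_by_prefix(SAMPLE_IPS)
    print(f"{len(exact)} exact rules vs {len(agg)} aggregated rules")
    print("\n".join(render_iptables(agg)))
```

Run against a real list, the ratio between the two counts shows how much of the rule-matching cost Michael describes can be removed before resorting to a set-based match.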

