From: Michael Gale <michael.gale@utilitran.com>
To: Feizhou <feizhou@linuxmail.org>, netfilter@lists.netfilter.org
Subject: Re: over a 1,000,000,000 individual ips to block
Date: Mon, 28 Jun 2004 10:31:10 -0600	[thread overview]
Message-ID: <20040628103110.4acb1485@mgalepc.utilitran.com> (raw)
In-Reply-To: <40E01B10.6000202@linuxmail.org>

Hello,

	If you allow a single IP to make 100 SMTP connections to your mail server
then you have other problems. Why you would allow any IP to make more than 10-15
connections is beyond me. Also, if you set an error limit (for example, mine is 5),
when that limit is reached the SMTP and TCP connections are dropped.

There are also other SMTP server restrictions you can put in place. How do you
think mail appliances that are designed to be placed on the outside of a network
to filter traffic between the outside world and Exchange work? Do you think
they rely solely on some other firewall to handle DoS attacks? I can tell you that
they don't.

I am not saying that you should not block abusive IPs or networks at the
firewall. But you should not rely only on the firewall to solve this problem. Plus,
using 1 million rules ... how long would your load time be? What about changes and
administration?

Also, what about ESTABLISHED connections? If you do not use an ESTABLISHED
state -j ACCEPT rule at the top, then each IP would in theory have to match 1
million rules every time it came in.

I am sure there is a better answer than creating 1 million iptables rules.

Michael. 


On Mon, 28 Jun 2004 21:20:16 +0800
Feizhou <feizhou@linuxmail.org> wrote:

> Michael Gale wrote:
> > Hello,
> > 
> > 	Why don't you block networks ??
> > 
> > Firewall - SYN Cookie enabling ? 
> 
> What good are SYN cookies against traffic that conforms to TCP rules but 
> is just too abusive?
> > 
> > Mail servers - use RBL list - this list will contain networks of IP's that
> > belong to home users. So they do not need to connect directly to your mail
> > server.
> 
> RBL does nothing against spammers who open 100 connections to each of 
> your MXs and who run malware that does not understand or respect SMTP 5xx. 
> Dropping the connection means they keep coming at you. For these, there 
> is nothing but a firewall that will keep them off your MXs.
> > 
> > Web servers -- rate limiting ? block networks ? Better web server ?
> > 
> > If you blocked networks, the estimated max number of rules a packet might
> > have to match would be 254 ... plus the rest of your filtering for ports and
> > other needs. This could slow down network access because of all the rules to
> > check for each packet.
> > 
> > If you are not using network addresses the list would become too long.
> 
> I am sure CIDRs were part of the OP's mind since iptables takes both 
> individual IPs and CIDRs. He probably does have a mixture of over a 
> million IPs/CIDRs he wants to block.
> 
> 
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation
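
Added example, not code from the thread or from any of its posters: the two points Michael makes above, aggregating individual addresses into network blocks so the rule list stays short, and putting an ESTABLISHED accept at the top so only a connection's first packet ever walks the blocklist, worked through in Python. The blocklist entries are constructed, the iptables rules assume a kernel with the state (or conntrack) and connlimit match extensions, and the threshold-based "promote a /24" aggregation is my own generalisation of the "block networks" suggestion, not something the thread proposes.

```python
"""Aggregate an abusive-IP list into CIDR blocks and emit a short iptables
ruleset with the ESTABLISHED fast path first and a per-source SMTP cap.

Added example for this thread; not code from the list or its posters.
SAMPLE_BLOCKLIST is constructed. The rendered rules assume the state (or
conntrack) and connlimit iptables match extensions are available.
"""
import ipaddress
from collections import defaultdict

# Constructed sample blocklist: single IPs and CIDRs mixed, as the thread describes.
SAMPLE_BLOCKLIST = [
    "203.0.113.0", "203.0.113.1", "203.0.113.2", "203.0.113.3",
    "203.0.113.4", "203.0.113.5", "203.0.113.6", "203.0.113.7",  # a complete /29
    "198.51.100.0/25", "198.51.100.128/25",                       # two halves of a /24
    "192.0.2.10", "192.0.2.11", "192.0.2.77", "192.0.2.130",      # scattered hosts
    "192.0.2.250",                                                # in one /24
    "192.0.2.10",                                                 # duplicate entry
    "198.18.0.5",                                                 # lone host in a clean /24
]


def parse_entries(entries):
    """Parse IPs/CIDRs (blank lines and '#' comments skipped) into a set of networks."""
    nets = set()
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        nets.add(ipaddress.ip_network(entry, strict=False))
    return nets


def _collapse(nets):
    """Exact merge: drops duplicates and subsumed entries, joins aligned adjacent
    blocks. Done per address family because collapse_addresses rejects mixed input."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def aggregate(entries):
    """Lossless aggregation: the result blocks exactly the listed addresses, no more."""
    return _collapse(parse_entries(entries))


def aggregate_with_threshold(entries, prefix=24, min_listed=4):
    """Lossy aggregation (my generalisation of 'block networks'): any /prefix that
    already contains at least min_listed listed addresses becomes one block.
    Fewer rules, at the cost of also dropping unlisted neighbours in those blocks."""
    nets = _collapse(parse_entries(entries))
    listed_per_block = defaultdict(int)
    for n in nets:
        if n.prefixlen > prefix:
            listed_per_block[n.supernet(new_prefix=prefix)] += n.num_addresses
    promoted = {block for block, count in listed_per_block.items() if count >= min_listed}
    kept = list(promoted)
    for n in nets:
        if n.prefixlen <= prefix or n.supernet(new_prefix=prefix) not in promoted:
            kept.append(n)
    return _collapse(kept)


def covered(nets):
    """Addresses a block list drops; compare exact vs threshold output to see collateral."""
    return sum(n.num_addresses for n in nets)


def render_iptables(blocks, smtp_port=25, max_conns_per_source=10):
    """iptables commands in the order argued for above: the ESTABLISHED/RELATED
    accept first so only a connection's first packet walks the blocklist, then a
    cap on concurrent SMTP connections per source address, then one DROP per block."""
    rules = [
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -p tcp --syn --dport {smtp_port} "
        f"-m connlimit --connlimit-above {max_conns_per_source} --connlimit-mask 32 -j DROP",
    ]
    rules.extend(f"iptables -A INPUT -s {net.with_prefixlen} -j DROP" for net in blocks)
    return rules


if __name__ == "__main__":
    exact = aggregate(SAMPLE_BLOCKLIST)
    lossy = aggregate_with_threshold(SAMPLE_BLOCKLIST)
    print(f"{len(SAMPLE_BLOCKLIST)} entries -> {len(exact)} exact blocks, {covered(exact)} addresses")
    print(f"{len(SAMPLE_BLOCKLIST)} entries -> {len(lossy)} /24-promoted blocks, {covered(lossy)} addresses")
    for rule in render_iptables(exact):
        print(rule)
```

On the constructed list the exact merge turns 17 entries into 7 rules covering 270 addresses; promoting any /24 with four or more listed hosts cuts that to 4 rules but now covers 769 addresses, which is the over-blocking trade-off that "block networks" implies. A new SYN from a non-listed source traverses every DROP line once; after that the state rule at the top accepts the rest of the connection without touching the list. The connlimit rule caps concurrent connections per source, which addresses the "100 connections per MX" case but not a client that connects, gets a 5xx, disconnects and immediately reconnects; that churn still needs the SMTP-side error limit described above.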


Thread overview (10+ messages):
2004-06-24 14:57 over a 1,000,000,000 individual ips to block Timothy Webster
2004-06-28 12:45 ` Michael Gale
2004-06-28 13:04   ` Alex Sirbu
2004-06-28 13:36     ` Feizhou
2004-06-28 13:52       ` Alex Sirbu
2004-06-28 14:14         ` Feizhou
2004-06-28 13:20   ` Feizhou
2004-06-28 16:31     ` Michael Gale [this message]
  -- strict thread matches above, loose matches on Subject: below --
2004-06-29 11:04 Timothy Webster
2004-06-29 11:43 ` Feizhou
