Not sure I agree
Posted Mar 6, 2007 23:09 UTC (Tue) by bronson
In reply to: agree
Parent article: Single Packet Authorization (Linux Journal)
There's a fine line between banning hostile IPs and DOSing yourself. :)
A lot (most?) of the traffic will be arriving on dynamic or shared IP addresses. Just because one packet was hostile, that doesn't mean that all traffic from that address will be hostile. Imagine visiting your parents and not being able to log in to your production server just because some script kiddie managed to get most of AOL's proxy IPs on your block list.
Also, I'm not sure that keeping a list of IPs actually buys you much. Most of the script kiddies responsible for this noise won't bother trying any other attack against you. And a determined attacker would never try something as noisy as a dictionary attack. Presumably he would already know that you're using pubkey authentication and a dictionary attack would be futile anyway.
So... Keeping a list of mostly harmless script kiddie IPs doesn't strike me as a very worthwhile endeavor...?