strange MS visits
Andrew Hammond
ahammond-swQf4SbcV9C7WVzo/KQ3Mw at public.gmane.org
Thu Dec 2 22:30:52 UTC 2004
That's pretty nice! :)
Henry Spencer wrote:
| On Thu, 2 Dec 2004, Andrew Hammond wrote:
|
|>| big list of IP's used by the bot(s) here. time to make some new iptables
|>| rules.
|>
|>Why DROP or REJECT when you can TARPIT?
|
|
| For services where you do have a daemon that's going to answer on the
| port, you can get somewhat the same effect without any patches: pass
| *only* packets that have the SYN bit set, and discard any that don't. To
| the other end, it looks like his connection succeeded, but he can't seem
| to get any response from it. To your end, the connection hasn't *quite*
| succeeded yet, and so your system doesn't bother the daemon about it.
|
| (TCP connection setup uses a "three-way" handshake: initiator sends a
| request, responder replies with approval, initiator sends confirmation.
| Only the first two of those have the SYN bit set.)
|
| Henry Spencer
| henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
|
| --
| The Toronto Linux Users Group. Meetings: http://tlug.ss.org
| TLUG requests: Linux topics, No HTML, wrap text below 80 columns
| How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
--
Andrew Hammond 416-673-4138 ahammond-swQf4SbcV9C7WVzo/KQ3Mw at public.gmane.org
Database Administrator, Afilias Canada Corp.
CB83 2838 4B67 D40F D086 3568 81FC E7E5 27AF 4A9A
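The SYN-only filter described in the quoted text above, written out as iptables rules for a list of addresses. This is an added example, not part of the original message; the INPUT chain, the port argument and the one-address-per-line input format are assumptions, and the script only prints the commands.

```shell
#!/bin/sh
# Added example: prints iptables commands (dry run), does not execute them.
# Assumptions, not from the thread: INPUT chain, port given as $1,
# one IPv4 address per line on stdin, '#' starts a comment.

# Succeeds if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads addresses on stdin, writes two rules per address to stdout.
# Returns non-zero if any line was malformed (those lines are skipped).
syn_only_rules() {
    port=$1
    bad=0
    while IFS= read -r line; do
        addr=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$addr" ] || continue
        if ! valid_ipv4 "$addr"; then
            echo "skipping malformed address: $addr" >&2
            bad=$((bad + 1))
            continue
        fi
        # Packets with SYN set reach the TCP stack, which answers SYN-ACK.
        echo "iptables -A INPUT -s $addr -p tcp --dport $port --tcp-flags SYN SYN -j ACCEPT"
        # Everything else (the final ACK, data, FIN) is silently discarded,
        # so the handshake never completes on this side.
        echo "iptables -A INPUT -s $addr -p tcp --dport $port -j DROP"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input (RFC 5737 documentation addresses).
printf '%s\n' '192.0.2.10' '198.51.100.7  # constructed entry' | syn_only_rules 80
```

The generated rules only have this effect if they are evaluated before any rule that accepts established connections. Each held connection stays half-open on the server until its SYN-ACK retransmissions time out, so it occupies a slot in the listener's SYN backlog for that long.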