On Thu, 17 Aug 2006 11:13:32 -0400, David Cary Hart wrote:

> Coincidentally, last night, at about 17:00 we suffered an intensive
> DDoS via CGI. The unique client count is now over 3,000. Fortunately I
> was running a tail at the time and noticed it pretty quickly, which
> allowed me to restore order relatively quickly.
>
> I brought up another instance of swatch for the access_log which
> has been watching for the DoS pattern. On hits, it passes the IP of
> the attacker to a script that adds firewall rules.
>
> The initialization looks like:
>
> /usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \
> --daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log
>
> The conf file looks like:
>
> watchfor /RegEx Pattern of Exploit/i
> exec "/usr/local/bin/ipt-ddos $1"

And your point is?

I'm not saying dynamic firewalls do not do their jobs. Of course they do. I'm saying that you have to be careful with them, because they can do more than intended. Let alone the fact that by inserting a firewall rule each time someone knocks on your door, you'll end up with a mile-long firewall. Do you think that list will ever be long enough?

Otherwise, would you care to post the IP address of your host machine (server), and the IP address of a remote client that MUST have legitimate access to your server? So that anybody here can simulate an attack from your legit client to your server, and have your beloved swatch happily ban the client (which was "framed") for some 3 hours.

The better way is to build a minimal firewall that drops EVERYTHING by default, then punch holes in it ONLY for the machines/domains that are supposed to connect to your host. (Although even this policy is not foolproof: any of the legit clients could be compromised.)
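A hardened version of the ban script that swatch's `exec` line calls, added here as an example and not the poster's actual `ipt-ddos` script: it refuses anything that is not a plain IPv4 address, never bans a host listed in an allowlist (so a "framed" legitimate client stays reachable), and keeps bans in one dedicated chain that can be flushed on a schedule rather than growing INPUT into a mile-long list. The allowlist path `/etc/ipt-ddos.allow`, the chain name `DDOS_BAN` and an iptables that supports the `-C` check option are assumptions.

```shell
#!/bin/sh
# Hypothetical "ipt-ddos" ban script for swatch's exec line (not the poster's own).
# Safeguards: reject anything that is not a plain IPv4 address, never ban hosts on
# an allowlist (so a framed legitimate client stays reachable), keep bans in one
# dedicated chain that can be flushed on a schedule instead of growing INPUT forever.
ALLOWLIST="${ALLOWLIST:-/etc/ipt-ddos.allow}"   # assumed path, one IPv4 address per line
CHAIN="${CHAIN:-DDOS_BAN}"                       # assumed chain name
IPT="${IPT:-/sbin/iptables}"                     # needs an iptables with the -C (check) option

# Accept only a dotted quad with each octet in 0..255; swatch hands us raw log fields.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# True when the address appears verbatim as a line of the allowlist.
is_allowlisted() {
    [ -f "$ALLOWLIST" ] && grep -Fxq "$1" "$ALLOWLIST"
}

# Decide whether an address may be banned: 0 = ban, 1 = leave alone.
should_ban() {
    if ! valid_ipv4 "$1"; then
        echo "ipt-ddos: refusing malformed address '$1'" >&2; return 1
    fi
    if is_allowlisted "$1"; then
        echo "ipt-ddos: $1 is allowlisted, not banning" >&2; return 1
    fi
    return 0
}

# Insert the DROP rule into the dedicated chain, creating and hooking the chain on first use.
ban_ip() {
    should_ban "$1" || return 1
    $IPT -N "$CHAIN" 2>/dev/null && $IPT -I INPUT 1 -j "$CHAIN"
    $IPT -C "$CHAIN" -s "$1" -j DROP 2>/dev/null && return 0   # already banned, no duplicate
    $IPT -A "$CHAIN" -s "$1" -j DROP
}
# A cron job running "$IPT -F $CHAIN" every few hours expires all bans at once.

if [ $# -gt 0 ]; then
    ban_ip "$1"
fi
```

Run it with no argument to load the functions only; swatch supplies the address as `$1`.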