
Comment by trashb

8 days ago

Great visualization!

I currently accept and then close/drop the connection "unclean" (no FIN or RST packet). I do this in hopes that the offender will waste some resources (time) thinking it is still connected while I spend minimal resources.

My reasoning is that if enough servers implement such measures it will become very costly for the offenders to scan.

Perhaps I can also add some logging to build an IP blacklist as described below.

Nice, are you using something like this?

    iptables -I OUTPUT -p tcp --sport 22 --tcp-flags RST RST -j DROP
    iptables -I OUTPUT -p tcp --sport 22 --tcp-flags FIN FIN -j DROP

Unfortunately this is still trivial to work around with a read timeout.

  • No, I think I wrote something in C (it was written a while ago) accepting and then discarding the connection in such a way that the RST/FIN was never sent, making sure to clean up the socket server side.

    I guess a timeout will need to be adjusted/implemented on the bot's end. I remember fixing a similar bug at work and it was quite involved. At any rate, at the very least the connection was made and discarded.

    I guess the iptables solution would also work well and you would have a correctly working server side.
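The accept-and-hold approach trashb describes, combined with the per-source logging for a blacklist mentioned above, as an added example that is not code from this thread; it assumes Python's standard `selectors` module and an illustrative port 2222, and the tally function is a constructed helper.

```python
import selectors
import socket
from collections import Counter
from typing import Dict, List, Optional

# Constructed example: names and the port below are illustrative, not from the thread.

def blacklist_candidates(attempts: Dict[str, int], threshold: int) -> List[str]:
    """Return source addresses tallied at least `threshold` times, busiest first."""
    hits = [(ip, n) for ip, n in attempts.items() if n >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda item: (-item[1], item[0]))]

def run_tarpit(port: int, attempts: Dict[str, int], max_accepts: Optional[int] = None) -> None:
    """Accept connections, send nothing, and hold them without closing.

    A scanner waiting for a banner sits in its read until its own timeout
    fires (the workaround noted in the thread); we only spend one descriptor
    per held connection and emit no FIN/RST unless the peer hangs up first.
    """
    sel = selectors.DefaultSelector()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(128)
    srv.setblocking(False)
    sel.register(srv, selectors.EVENT_READ, data="listener")
    accepted = 0
    while max_accepts is None or accepted < max_accepts:
        for key, _ in sel.select(timeout=1.0):
            if key.data == "listener":
                conn, (ip, _src_port) = srv.accept()
                attempts[ip] = attempts.get(ip, 0) + 1  # one tally per connection attempt
                accepted += 1
                conn.setblocking(False)
                sel.register(conn, selectors.EVENT_READ, data="held")  # hold, never reply
                continue
            # A held socket became readable: peer data (discard) or peer hang-up/reset.
            try:
                alive = bool(key.fileobj.recv(4096))
            except OSError:
                alive = False
            if not alive:  # peer already gave up; reaping the descriptor costs us nothing
                sel.unregister(key.fileobj)
                key.fileobj.close()

if __name__ == "__main__":
    seen = Counter()
    run_tarpit(2222, seen)  # port is an illustrative choice; runs until interrupted
```

Held sockets still count against the process's descriptor limit, so cap them (or pair this with the iptables rules above) on a busy host.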