[Spce-user] autoban or fail2ban

Andreas Granig agranig at sipwise.com
Mon May 7 16:49:25 EDT 2012


I consider the fact that a 100 is sent back to a banned IP a glitch in
v2.5, we'll review this tomorrow. The correct way would be to silently
ignore any requests.

Anyways, there are actually two ways of protection as Jon pointed out.
One is plain DoS where an IP is blocked as soon as the number of
requests exceeds a certain threshold. The other is independent of that
and checks for the number of failed authentications of subscribers
within a certain time frame, and once a threshold is exceeded, the
subscriber is blocked. This protects against DDoS brute force attacks.

On 05/07/2012 10:00 PM, Lorenzo Mangani wrote:
> sometimes sending back a false 200 OK can help stop the flooding if
> the "unfriendly" scanner is in stateless mode, wasting your bandwidth or
> cluttering your monitoring. They'll get a useless password and your
> attack should drop.

That's indeed an interesting idea which is worth thinking about. IMHO
the usefulness depends on the attack type. If someone floods you with a
single username to guess a password, sending a fake 200-ok might make
him turn away. On the other hand it could just make the attacker happily
try the next user. Lorenzo, you're collecting attack infos using Homer
for some time now, right? What's your experience on the current state of
attack types?
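
The two independent checks described in this message (a per-IP request threshold and a per-subscriber failed-authentication threshold), sketched as an added Python example that is not part of the original post and not sip:provider CE code. The thresholds, the `Guard` class and the sample addresses are assumptions chosen for illustration; ban expiry is left out.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; not sip:provider CE defaults.
IP_MAX_REQUESTS, IP_WINDOW = 5, 2.0        # requests per source IP per 2 s
AUTH_MAX_FAILURES, AUTH_WINDOW = 3, 60.0   # failed auths per subscriber per 60 s

class Guard:
    def __init__(self):
        self.requests = defaultdict(deque)   # source IP -> request timestamps
        self.failures = defaultdict(deque)   # subscriber -> failed-auth timestamps
        self.banned_ips = set()
        self.blocked_subscribers = set()

    @staticmethod
    def _count(window, now, span):
        """Record `now`, expire entries older than `span`, return the count."""
        window.append(now)
        while now - window[0] > span:
            window.popleft()
        return len(window)

    def handle(self, now, src_ip, subscriber, auth_ok):
        """Return 'drop' (no reply at all), 'reject' or 'accept' for one request."""
        # Check 1: flood protection keyed on the source IP.
        if src_ip in self.banned_ips:
            return "drop"                    # silently ignored, no 100 sent back
        if self._count(self.requests[src_ip], now, IP_WINDOW) > IP_MAX_REQUESTS:
            self.banned_ips.add(src_ip)
            return "drop"
        # Check 2: failed authentications keyed on the subscriber, any source IP.
        if subscriber in self.blocked_subscribers:
            return "reject"                  # blocked even with valid credentials
        if auth_ok:
            return "accept"
        if self._count(self.failures[subscriber], now, AUTH_WINDOW) > AUTH_MAX_FAILURES:
            self.blocked_subscribers.add(subscriber)
        return "reject"

# Constructed sample traffic: (time, source IP, subscriber, auth_ok)
FLOOD = [(i * 0.1, "198.51.100.7", "bob", True) for i in range(7)]
GUESSING = [(10.0 + i, f"203.0.113.{i + 1}", "alice", False) for i in range(5)]
LEGIT = [(20.0, "192.0.2.10", "alice", True)]

def replay(events):
    guard = Guard()
    return guard, [guard.handle(*event) for event in events]

if __name__ == "__main__":
    guard, actions = replay(FLOOD + GUESSING + LEGIT)
    print(actions, guard.banned_ips, guard.blocked_subscribers)
```

In the constructed guessing run every source address sends a single request, so the per-IP check never fires and only the per-subscriber counter reacts.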

