Posted to users@spamassassin.apache.org by ha...@t-online.de on 2008/01/01 21:47:02 UTC
Re: DDOS, Dictionary Attack... not sure what it is...
>>
>> > However, labrea may be great software ... but it is certainly not
>> > the software one wants to compete with a live machine for incoming
>> > connections.
>>
>> The way I run it, the IP addresses being tarpitted are IP addresses
>> that would be rejected anyway by zen et al. DNSBL checks - they are
>> repeat offenders that have already been firewalled out (thus the MTA
>> never sees the traffic) and adding LaBrea simply adds a
>> trap-the-attacker response to the SYN packet rather than just
>> discarding the traffic.
>>
Hi John,
Maybe I misread the LaBrea docs that talk about capturing unused IP....
Could you show me the configuration you use for LaBrea?
Wolfgang Hamann
Re: DDOS, Dictionary Attack... not sure what it is...
Posted by mouss <mo...@netoyen.net>.
alex wrote:
> Why not use something like this that rejects IP blocks at the MTA level?
>
> http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html
>
> It blocks anything on the "DUL" list, which is a list the ISPs put out of
> which IPs shouldn't be sending mail.
>
> The reject messages look like this:
>
> Mail from 1.2.3.4 blocked using Trend Micro RBL+. Please see
> http://www.mail-abuse.com/cgi-bin/lookup?ip_address=1.2.3.4
>
>
>
Because many of us consider the Trend Micro list (formerly MAPS...)
unsafe. Their DUL does list static IPs, ... etc. but debating this is
off topic.
Anyway, the OP's problem is how to reduce the costs of the zombie connections,
not how to reject them. He already rejects them at MTA level.
Re: DDOS, Dictionary Attack... not sure what it is...
Posted by alex <al...@zoosmart.us>.
Why not use something like this that rejects IP blocks at the MTA level?
http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html
It blocks anything on the "DUL" list, which is a list the ISPs put out of
which IPs shouldn't be sending mail.
The reject messages look like this:
Mail from 1.2.3.4 blocked using Trend Micro RBL+. Please see
http://www.mail-abuse.com/cgi-bin/lookup?ip_address=1.2.3.4
Re: DDOS, Dictionary Attack... not sure what it is...
Posted by "John D. Hardin" <jh...@impsec.org>.
On 1 Jan 2008 hamann.w@t-online.de wrote:
> maybe I misread the laBrea docs that talk about capturing unused
> ip.... Could you show me configuration you use for labrea
There are some patches you need to apply to use LaBrea this way. See
http://sourceforge.net/tracker/?group_id=70896&atid=529395
Apply these patches as well as the bugfix patches I submitted.
I just posted the URL for the script that launches it.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79