There are some ideas that we’re thinking of that mitigate and handle the issues. But all of the ideas require code change; some of the ideas we’re actually investigating with Cloudflare directly to see if we can actually invent a feature.
ALL of the ideas require the future restriction to either Freshclam or other authorized tools that interact with those restrictions. The days of just scripting python or wget or curl or something are gone, and we have to immediately start moving to metered and careful downloads. Like I said, this INCLUDES changes we have to make ourselves, so there’s work on all sides right now.

On Mar 11, 2021, at 7:20 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi there,

On Thu, 11 Mar 2021, Paul Smith via clamav-users wrote:

On 10/03/2021 22:29, Joel Esler (jesler) via clamav-users wrote:

... in the past 24 hours has created 22.17M file downloads /all by themselves/ from a single IP. (The main.cvd btw)

... internal release cycle or something

... or something

NAT will innocently cause strange results.

The (for want of a better word) history of the Internet is littered with parallels to the Tacoma Narrows Bridge incident, or as those of us in the engineering professions often say [****]. Large networks can seem to take on a life and character all of their own, but in the end it's all susceptible to reason.

Every IP address should have a working abuse reporting address which can be found by a 'whois' query. For example for clamav.net:

$ whois `dig +short clamav.net` | grep -i abuse
OrgAbuseHandle: TALOS-ARIN
OrgAbuseName:   Talos Operations
OrgAbusePhone:  +1-727-540-3152
OrgAbuseEmail:  talos....@cisco.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/TALOS-ARIN
$

It _should_ be trivial to report the abuse to the address given by the whois query and that should get the abuse stopped fairly promptly. If it doesn't, then it's not a working abuse reporting address.

Large sections of the Internet address space either don't have working abuse addresses, or their operators are in league with criminals and make a token response which is ineffective, or they're just plain incompetent and do nothing that's effective. To me that all means 'not working'. If an IP doesn't have a working abuse reporting address, in my view prima facie there's a case that it should be permanently firewalled.

Joel, have you tried reporting to abuse addresses at least for some of the worst offenders? Do you have a large body of low-grade offenders which make you feel you don't want to go to the office in the morning?

Like many system administrators I also have that tee-shirt. Less than 5% of the mail that my mail systems see is genuine. More than 95% is in some way abusive. It's almost overwhelming, and it's impractical to deal with it all manually, so over the last few years I've developed an automatic abuse reporting system (of which clamd is an integral part) which not only sends reports to the abuse addresses from 'whois', but also uses other ways to find them, and, depending on the kind of abuse, can report to ClamAV, Sanesecurity, Securiteinfo, and for example abuse clearing houses run by various government and law enforcement agencies for what that's worth. Of course it blocks the abusive messages too - that's almost a side-effect. I tend to use TEMPFAIL rather than REJECT and/or firewall - it's configurable - so exceedingly spammy providers like Gm@il and M1cro$oft use up more of their resources but the option simply to firewall the IP is available.

Unfortunately, automatic systems have sometimes had a reputation for making the problem worse, not better [****]. It's important to avoid that, which I think I've managed. Very little of what I see is what you would call malware, and even less is automatically identified as such, so only about 1% of reports go to the ClamAV signature team at present but at least it gives automatic feedback.

Perhaps the guys at Sanesecurity and Securiteinfo can chip in with an opinion? You get a sizeable fraction of the reports and any feedback that you can give me will be very valuable. It seems not easy to get.

It's been a lot of work, and there's a lot left to do, but it's been worth it to be able to return serve thousands of times every day with little extra effort. Joel, I'm sure it wouldn't be hard to adapt the ideas to other systems if you'd be interested in exploring that.

[***] Roughly translated, "I never thought of that".

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
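The thread's suggested workflow is: count downloads per source IP, pick the worst offenders, look up the abuse contact from 'whois', and treat an address with no working abuse contact as a candidate for firewalling. The script below is an added example of that triage step, written for this page; it is not code from the ClamAV project or from anyone in the thread. It parses constructed, CLF-style access log lines and constructed whois output instead of contacting a registry, so it runs offline. The ARIN field names mirror the ones quoted above; the RIPE-style 'abuse-mailbox' field and the generic "any abuse-named field containing an e-mail" fallback are assumptions about other registries' output, and the thresholds and sample addresses are placeholders.

```python
"""Rank download sources by volume and extract whois abuse contacts for the worst ones.

Added example for this page (not ClamAV code). All inputs below are constructed.
"""
import re
from collections import Counter
from typing import List, Tuple

# Abuse-contact fields in common registry formats. OrgAbuseEmail is the ARIN
# field quoted in the thread; abuse-mailbox is the RIPE/APNIC equivalent
# (assumption). Matching is case-insensitive on the field name.
ABUSE_FIELDS = ("orgabuseemail", "abuse-mailbox", "abuse-c-email")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
LOG_SAMPLE = [
    '192.0.2.10 - - [11/Mar/2021:07:20:00 +0000] "GET /main.cvd HTTP/1.1" 200 162000',
    '192.0.2.10 - - [11/Mar/2021:07:20:01 +0000] "GET /main.cvd HTTP/1.1" 200 162000',
    '198.51.100.7 - - [11/Mar/2021:07:20:02 +0000] "GET /daily.cvd HTTP/1.1" 200 90000',
    '192.0.2.10 - - [11/Mar/2021:07:20:03 +0000] "GET /main.cvd HTTP/1.1" 200 162000',
    '203.0.113.5 - - [11/Mar/2021:07:20:04 +0000] "GET /main.cvd HTTP/1.1" 200 162000',
    '192.0.2.10 - - [11/Mar/2021:07:20:05 +0000] "GET /main.cvd HTTP/1.1" 200 162000',
    '192.0.2.10 - - [11/Mar/2021:07:20:06 +0000] "GET /main.cvd HTTP/1.1" 200 162000',
]

# Constructed whois output in ARIN layout (placeholder handle/contacts).
WHOIS_SAMPLE_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgAbuseHandle: EXAMPLE-ARIN
OrgAbuseName:   Example Abuse Desk
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@example.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/EXAMPLE-ARIN
OrgTechEmail:   noc@example.net
"""

# Constructed whois output in RIPE layout (assumed field names).
WHOIS_SAMPLE_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
abuse-mailbox:  abuse@example.org
remarks:        Please send abuse reports to abuse@example.org
"""


def extract_abuse_contacts(whois_text: str) -> List[str]:
    """Return abuse e-mail addresses found in raw whois output, deduplicated, in order."""
    found: List[str] = []
    for line in whois_text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        # Known abuse fields, or any abuse-named field that carries an address.
        if key in ABUSE_FIELDS or ("abuse" in key and EMAIL_RE.search(value)):
            for addr in EMAIL_RE.findall(value):
                if addr not in found:
                    found.append(addr)
    return found


def downloads_per_ip(log_lines, path_filter: str = None) -> Counter:
    """Count requests per client IP, optionally only for one path (e.g. /main.cvd)."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF layout
        ip, _method, path, _status = m.groups()
        if path_filter is None or path == path_filter:
            counts[ip] += 1
    return counts


def worst_offenders(counts: Counter, threshold: int) -> List[Tuple[str, int]]:
    """IPs at or above the threshold, heaviest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: -t[1])


def triage(ip: str, count: int, whois_text: str, threshold: int):
    """Decide what to do with one source: 'ok', 'report' (with contacts), or
    'no-abuse-contact' (the thread's candidate for firewalling)."""
    if count < threshold:
        return ("ok", [])
    contacts = extract_abuse_contacts(whois_text)
    return ("report", contacts) if contacts else ("no-abuse-contact", [])


if __name__ == "__main__":
    counts = downloads_per_ip(LOG_SAMPLE, "/main.cvd")
    for ip, n in worst_offenders(counts, threshold=3):
        # In real use the whois text would come from `whois <ip>`; sample here.
        print(ip, n, triage(ip, n, WHOIS_SAMPLE_ARIN, threshold=3))
```

The threshold of 3 is only for the sample; on a mirror the cut-off would be set from the normal per-client update cadence, and the whois text would be fetched per IP and cached so the registry is not itself hammered by the reporting script.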