I was just getting ready to say that... When I first started administering servers I used to get really freaked out by all of the attack traffic and spent a bunch of time blocking IP's at the router. Over time I realized that it was just playing whack-a-mole and was mainly a waste of my time. If you knock them down on one subnet, another will popup, and your overall attack traffic will be undiminished. All you've done is waste your own time and mental energy. A better approach is to make sure your network, server and applications are as tight as they can be (and validate that regularly), and quit worrying about botnets and script kiddies.
________________________________ From: Dean H. Saxe <d...@fullfrontalnerdity.com> To: discussion@acfug.org Sent: Mon, November 23, 2009 10:55:25 AM Subject: Re: [ACFUG Discuss] SQL Injection You miss the point. Attackers don't just originate from their home countries, they bounce through proxies around the world, including where your intended audience sits. -dhs -- Dean H. Saxe "A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon On Nov 23, 2009, at 7:49 AM, Troy Jones wrote: I think that would depend on the intended scope and audience of your site or server's sites. For example, does someone in Beijing need to browse for a product that isn't available over the web or sold in any store outside the contiguous U.S.? Or would someone in Ulan Bator need to set up a pick-up laundry service in St. Louis? Of course there would be exceptions but I think it would be worth the small number of legitmate denials to do this. > ><image001.jpg> >___________________________________________________________________________________________ > >Troy Jones | Developer/Support Technician | Dynapp Inc | 1-800-830-5192 >ext. 603 | dynapp.com | facebook.com/dynapp > >From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe >Sent: Friday, November 20, 2009 10:08 PM >To: discussion@acfug.org >Subject: Re: [ACFUG Discuss] SQL Injection > >Yeah sure, you CAN, but its not the solution to the problem. On a recent >incident response we had attacks originating from asia, south america and >europe. Do you plan on blocking them all? > >-dhs > >-- >Dean H. Saxe >"A true conservationist is a person who knows that the world is not given by >his fathers, but borrowed from his children." -- John James Audubon > > > > > > >On Nov 20, 2009, at 9:16 AM, Wes Byrd wrote: > > > >You can block subnets. On a couple of domestic sites, I have even blocked all >requests from ALL OF ASIA (or close). While I know this is a drastic measureā¦ > all SQL Injection attack (and other hack attacks) attempts reduced by 98% >with that done. > >Here is a link that describes how to do this and why: >http://www.parkansky.com/china.htm > >From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe >Sent: Friday, November 20, 2009 11:59 AM >To: discussion@acfug.org >Subject: Re: [ACFUG Discuss] SQL Injection > >Blocking IPs is useless, attackers will just use another proxy to change the >apparently location of the originating attack. You can't stop the attempts, >you must instead prevent the exploitation of vulnerable code. This means >writing secure code using data validation on all input, data sanitization on >output (in this case, parameterized queries using cfqueryparam) and following >the principle of least privilege on the database access. > >-dhs > >-- >Dean H. Saxe >"A true conservationist is a person who knows that the world is not given by >his fathers, but borrowed from his children." -- John James Audubon > > > > > > > >On Nov 20, 2009, at 3:47 AM, Rudi Shumpert wrote: > > > > >Hey folks, > >I saw John's tweet earlier this week about a new wave of SQL Injection ( and >link to a great article on it >http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss), > and sure enough I'm seeing a huge upswing in attempts. Over 100 failed >attempts last night alone. > >We have taken the steps to prevent damage / harm, but I was wondering what >folks are doing after they stop the attempt. What kind of message if any do >you provide ? Are people checking the logs, and blocking IP's of the worst >offenders? Or something else? > >-Rudi > > >------------------------------------------------------------- >To unsubscribe from this list, manage your profile @ >http://www.acfug.org/?fa=login.edituserform > >For more info, see http://www.acfug.org/mailinglists >Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >List hosted by FusionLink >------------------------------------------------------------- > >No virus found in this incoming message. >Checked by AVG - www.avg.com >Version: 8.5.425 / Virus Database: 270.14.78/2521 - Release Date: 11/23/09 >07:52:00 >------------------------------------------------------------- >To unsubscribe from this list, manage your profile @ >http://www.acfug.org?fa=login.edituserform > >For more info, see http://www.acfug.org/mailinglists >Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >List hosted by FusionLink >------------------------------------------------------------- ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
