I believe the logic goes that, given you've already been talking with
the offender, trying to disappear off the radar won't work. If you
blacklist addresses at your firewall, then it may make sense not to
respond to them at all, but if you want an offender to go away, the best
option is to say "You are no longer welcome here" with an ICMP response.

In the best case with an ICMP reject, the attacking software will
realise that it's been rumbled and will back off. In the worst case with
a drop, the attacking software will continue attacking forever. The
reality lies somewhere in between.

Does anybody have any stats or experience to confirm/deny this claim?

Will these botnets be more respectful of "you're denied" than merely not replying at all?

I have mixed results based on my tests at this point. Some botnets stop altogether, and some seem to keep hammering even if they don't get a response. But it seems to me that a system which continues to contact a port that's not responding would surely do the same thing if the port actually did respond and say, "you're not welcome."

Thoughts?
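The thread asks for stats on whether banned sources keep knocking longer under DROP than under REJECT. The script below is an added example (not code from the thread or from the fail2ban project) that produces exactly that measurement. It assumes an iptables `LOG` rule placed directly in front of the REJECT or DROP rule, tagged with `--log-prefix "f2b-reject: "` or `--log-prefix "f2b-drop: "` (hypothetical prefix names), and rsyslog-style ISO timestamps in the kernel log; the fail2ban and kernel log lines embedded in it are constructed samples, not real traffic.

```python
"""Measure how long banned sources keep knocking after a fail2ban ban.

Inputs (constructed samples below, not real traffic):
  - fail2ban.log "Ban" lines, which say when each IP was banned
  - kernel log lines from an iptables LOG rule sitting just before the
    REJECT or DROP rule, tagged with a --log-prefix naming the policy
Joining the two gives, per banned IP, how many packets still arrived
after the ban and how long the source persisted, broken down by policy.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed fail2ban.log excerpt (format as written by fail2ban.actions).
FAIL2BAN_LOG = """\
2024-03-01 10:00:00,412 fail2ban.actions        [815]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 10:05:00,077 fail2ban.actions        [815]: NOTICE  [sshd] Ban 198.51.100.7
"""

# Constructed kernel log excerpt; "f2b-reject:" / "f2b-drop:" are hypothetical
# --log-prefix values, and the timestamp style assumes rsyslog's ISO format.
KERNEL_LOG = """\
2024-03-01T10:00:03 gw kernel: f2b-reject: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51220 DPT=22
2024-03-01T10:00:10 gw kernel: f2b-reject: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51221 DPT=22
2024-03-01T10:05:02 gw kernel: f2b-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
2024-03-01T10:06:00 gw kernel: f2b-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
2024-03-01T10:30:00 gw kernel: f2b-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22
2024-03-01T11:00:00 gw kernel: f2b-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22
2024-03-01T11:00:01 gw kernel: f2b-drop: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=22
"""

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)
HIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ kernel: f2b-(?P<policy>reject|drop): "
    r".*\bSRC=(?P<ip>\S+) .*\bDPT=(?P<dport>\d+)"
)


def parse_bans(lines):
    """Return {ip: (ban_time, jail)} from fail2ban 'Ban' log lines."""
    bans = {}
    for line in lines:
        m = BAN_RE.match(line)
        if m:
            bans[m["ip"]] = (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"])
    return bans


def parse_hits(lines):
    """Yield (time, policy, src_ip, dport) for each packet logged by the f2b LOG rule."""
    for line in lines:
        m = HIT_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                   m["policy"], m["ip"], int(m["dport"]))


def persistence_report(ban_lines, hit_lines):
    """Per banned IP: policy seen, packets after the ban, seconds until the last one."""
    bans = parse_bans(ban_lines)
    report = {ip: {"jail": jail, "policy": None, "hits_after_ban": 0,
                   "seconds_to_last_hit": 0.0}
              for ip, (_, jail) in bans.items()}
    for ts, policy, ip, _dport in parse_hits(hit_lines):
        entry = report.get(ip)
        if entry is None or ts < bans[ip][0]:
            continue  # source was never banned, or the packet predates its ban
        entry["policy"] = policy
        entry["hits_after_ban"] += 1
        entry["seconds_to_last_hit"] = max(entry["seconds_to_last_hit"],
                                           (ts - bans[ip][0]).total_seconds())
    return report


def summarize_by_policy(report):
    """Aggregate the per-IP report into one row per policy (reject vs drop)."""
    by_policy = defaultdict(list)
    for entry in report.values():
        if entry["policy"] is not None:
            by_policy[entry["policy"]].append(entry)
    return {
        policy: {
            "sources": len(entries),
            "mean_hits_after_ban": mean(e["hits_after_ban"] for e in entries),
            "max_seconds_to_last_hit": max(e["seconds_to_last_hit"] for e in entries),
        }
        for policy, entries in by_policy.items()
    }


if __name__ == "__main__":
    report = persistence_report(FAIL2BAN_LOG.splitlines(), KERNEL_LOG.splitlines())
    for ip, entry in report.items():
        print(ip, entry)
    for policy, row in summarize_by_policy(report).items():
        print(policy, row)
```

Run it against a real `fail2ban.log` and the kernel log from a host that has run both policies for a while, and the `summarize_by_policy` row is the comparison the thread is after; with the constructed samples the rejected source sends two more packets and stops within ten seconds, while the dropped source is still retrying almost an hour later, which is the pattern the original poster suspects but has not measured.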

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users