On Tuesday 02 April 2002 23:40, Aaron Hopkins wrote:

> And this was the method we employed. This involves adding a filter
> for each offending IP. On a large network with new attack nodes
> coming up every few seconds, it's not necessarily possible to catch
> them all quickly.

For this purpose we have the ippool target and match, provided you can detect the offending IPs using iptables or by some other notification.

> Whereas the worm does self-select to connect to otherwise invalid
> IP ranges. With TCP SYN-ACK replies coming from an unused quarter
> of the IP address space, the attack nodes get stuck quite quickly
> with no specific attention from me.

Ack.

Regards
Henrik