[ snip ] > > > > My only comment would be that for proxy users (AOL, for > instance) you > > may end up dropping legitimate traffic. The risk/reward of that is > > something you'll have to determine for yourself. > > > > Derick Anderson > > > > I must admit that I have little knowledge of these proxies. > I infer from what you say that different users might present > the same peer ip address. > Is this true? If so, perhaps I should set a time limit on the block. Yes - there may be thousands of users on the same proxy. In my limited experience it's generally broadband users (and some universities) that have public IPs tied to a single account. Most others (businesses, dial-up ISPs) will go through a proxy or at least NAT to a single public IP and many people use third-party proxies to surf anonymously. If you're going to set a time limit, it should be real short, like a few seconds. Most automated attacks take place in less than two or three seconds on a decent connection, from my experience. This would limit the timeouts experienced by legitimate users. > With regard to blocking output in response to attacks, > thereby blocking TCP FIN, are there any opinoins on this? > > Thanks for your help. > Mike. > Not sending the TCP FIN might be advantageous when coupled with your IP dropping policy since legit clients may retry several times before giving up. Otherwise your advantage is no response (more stealthy for scans) vs. the disadvantage of more open connections which will wait a long time before closing. Derick Anderson
