> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Richard Pickett
> Sent: Tuesday, December 27, 2005 11:49 AM
> To: 'netfilter'
> Subject: RE: DROP TCP output to HTTP attackers?
>
> > My only comment would be that for proxy users (AOL, for instance) you
> > may end up dropping legitimate traffic. The risk/reward of that is
> > something you'll have to determine for yourself.
>
> My logic is like this, if AOL polices its outbound traffic
> the way we police our inbound traffic AOL wouldn't ever send
> us illegal packets.
>
> Oh, they've got these big ads on TV about how they are so
> safe etc. I'm sure by now my systems have all their public
> IPs blocked.
>
> An additional thought is friends don't let friends do AOL. If
> they want to use the service they have to accept the lameness
> that comes along with it.
>
> AOL has obviously compromised on security. Why should we
> compromise on security with them?

AOL is a bad example since far more legitimate ISPs use proxies and businesses will typically NAT many clients to a single address. It would be nice if ISPs had some kind of upstream filtering but the reality is that most don't and their abuse@ address is an automated blackhole.

For me it boils down to risk and time: how do I mitigate the greatest risks in the least amount of time. I've considered autoblocking before, but the risks of dropping legitimate clients have always outweighed the risk mitigation of dropping IPs sending bad packets.

Derick Anderson
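The tradeoff discussed in this thread (auto-dropping sources that send bad requests versus cutting off legitimate clients behind an ISP proxy or a business NAT) can be made explicit in the blocking logic itself. The script below is an added example, not code from either poster: it scores each source IP in constructed combined-format web log lines, and treats an address that probes but also presents several distinct User-Agents as a likely shared gateway to be reviewed by a human rather than dropped. The probe-path patterns and the threshold are assumptions for the sample data.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (sample data, not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Dec/2005:11:49:01 -0500] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 0 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Dec/2005:11:49:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 0 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Dec/2005:11:49:03 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 0 "-" "Mozilla/4.0"
203.0.113.20 - - [27/Dec/2005:11:50:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows)"
203.0.113.20 - - [27/Dec/2005:11:50:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 0 "-" "Mozilla/4.0"
203.0.113.20 - - [27/Dec/2005:11:50:03 -0500] "GET /about.html HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.20 - - [27/Dec/2005:11:50:04 -0500] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 0 "-" "Mozilla/4.0"
203.0.113.20 - - [27/Dec/2005:11:50:06 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 0 "-" "Mozilla/4.0"
192.0.2.9 - - [27/Dec/2005:11:51:00 -0500] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 0 "-" "Mozilla/4.0"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# A request counts as "bad" when it 404s on a path matching these probe patterns (assumed list).
PROBE_RE = re.compile(r'/cgi-bin/|\.exe$|\.dll$')

def decide(log_text, threshold=3):
    """Map each probing source IP to 'drop', 'review' or 'ignore'.
    A source that also shows several distinct User-Agents is treated as a shared
    proxy/NAT gateway and flagged for review instead of dropped (the thread's risk)."""
    bad = defaultdict(int)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status, ua = m.groups()
        agents[ip].add(ua)
        if status == "404" and PROBE_RE.search(path):
            bad[ip] += 1
    decisions = {}
    for ip, n in bad.items():
        if n < threshold:
            decisions[ip] = "ignore"
        elif len(agents[ip]) > 1:
            decisions[ip] = "review"
        else:
            decisions[ip] = "drop"
    return decisions

def drop_rule(ip, port=80):
    """iptables rule dropping TCP from ip to the web port; remove it again when the block expires."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
```

On the sample data `decide(SAMPLE_LOG)` drops 198.51.100.7, sends 203.0.113.20 to review because three different browsers share that address, and ignores 192.0.2.9 for a single probe; any rule emitted by `drop_rule` should be time-limited so a shared address is never blocked indefinitely.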