| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200602211843.k1LIhbM7014041@turing-police.cc.vt.edu> Date: Tue Feb 21 18:43:45 2006 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Compromised hosts lists On Tue, 21 Feb 2006 07:09:58 MST, James Lay said: > I completely agree for ports that I would have closed, but obviously I > could not simply deny *all* traffic for port 25 and 80 let's say, as I > want them open to the public. At which point a list of the 100 million or so compromised machines believed to be out there doesn't do you much good. (Yes, the number is likely to be that high - at one point we were seeing several hundred thousand new zombies *per day*.) If you implement the block list, your machine runs like a pig (how much kernel memory do 100M iptables rules nail down?? ;) And you *still* have to worry about evil packets arriving on ports 25 and/or 80 from machines that haven't been *flagged* as evil yet. (Note that with 100M rules, trying to do even daily syncs is non-trivial - and you're going to want to do this on an hourly basis or so if you want it to be at all useful. When the update takes over an hour, you're in trouble.....) Your only real choice here is to make sure that 25 and 80 (and other outward-facing services) are as bulletproof as possible, against all packets from whatever source, and remain vigilant. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 228 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/65416621/attachment.bin
Powered by blists - more mailing lists