lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40547.166.70.238.44.1231488906.squirrel@webmail.wolfmountaingroup.com>
Date:	Fri, 9 Jan 2009 01:15:06 -0700 (MST)
From:	jmerkey@...fmountaingroup.com
To:	"Willy Tarreau" <w@....eu>
Cc:	jmerkey@...fmountaingroup.com, linux-kernel@...r.kernel.org
Subject: Re: [ANNOUNCE] Kernel Blocking Firewall


... snip

> ipset runs in kernel too, you just add/remove entries from userspace
> without having to touch all other ones. It has no problem storing one
> million addresses and doing fast lookups on them.
>
> I'm not dismissing your work, I just think it's a duplicate effort.
>
> Also, since you're speaking about botnets, you should support automatic
> expiration of those addresses, because almost all those addresses are
> dynamic and will match a bot for a small amount of time, then match a
> normal non-infected user. One of the reasons you found 500k addresses
> might very well be because each bot appears one hundred times at different
> addresses.
>
> Willy
>
>

You should go and look at the code, 1) the window of addresses cached in
memory is designed to act as an LRU windows for the addresses stored in
the database to use less memory, so no, the in-memory only ip tables is
primitive in comparison 2) the database can just keep growing ad growing
3) the code I posted also loads the database if the system reboots, so
your applications remember all those botnet addresses 4) their is the
ability to set a timer to expire and recycle the oldest addresses (while
still remembering all of them).

>From my experience with dealing with these systems, and observation of how
RBL databases work, when an infected system gets blacklisted, it stays
that way until the user goes to the websites and requests removal.  I have
found these zombie systems tend to stay that way, and no, by default you
NEVER want to unblock them for at least 6 months.

Jeff




--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ