<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Seeing similar probes in </title>
<link>http://www.dslreports.com/forum/r19400616</link>
<description></description>
<language>en</language>
<pubDate>Sun, 29 Nov 2009 11:24:24 EDT</pubDate>
<lastBuildDate>Sun, 29 Nov 2009 11:24:24 EDT</lastBuildDate>

<item>
<title>Re: Seeing similar probes</title>
<link>http://www.dslreports.com/forum/remark,19400616</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : Think twice before dropping traffic.  I'm just a home user, but I have a pretty good-sized network I experiment with here (15 machines +/-).  I run zero externally accessible services, but I'm on a cable modem and live in LA.  The number of attacks is hard to believe (I average anywhere between one every 3 to 10 seconds).  I used to just drop it all, but I found when I rejected everything instead, the number of attacks dropped by about 70%.  I run strict rate limits on the rejections so no one can get much benefit from using my address as part of a reverse DDOS, but I haven't seen that even tried, yet (using my address anyway).<br><br>The only explanation I can come up with is that the automated attacks move on when they get a rejection, but try a few more times if nothing comes back - possibly hoping that the lack of a rejection indicates other "misconfigurations".  RoadRunner's ARP blasters pretty much tell anyone with a clue what IPs are in use at any time.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19400616</guid>
<pubDate>Wed, 07 Nov 2007 15:02:41 EDT</pubDate>
</item>

<item>
<title>Seeing similar probes</title>
<link>http://www.dslreports.com/forum/remark,19314707</link>
<description><![CDATA[<A HREF="/useremail/u/581417"><b>state</b></A> : I started seeing something similar a few days ago, but hadn't had a chance to really dig into it - it was more of a nuisance than anything else since 404s were being returned to the requester:<br><br><textarea name="code" class="text" cols=50 rows=10>"GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=C690597E4C4742D24207D2D400500D1C8CD549FEF8BD HTTP/1.0"&#012;</textarea><!--end code block--><br>The logs show somewhere in the neighborhood of 40-50 entries per day from this particular IP address, sequentially walking the IPs that were assigned to the machine - each GET request with its own unique hash.<br><br>After adding a rule to iptables I saw it send a dozen or so ping packets to see if the host was up:<br><br><textarea name="code" class="text" cols=50 rows=10>... kernel: MAIL_RLY_TST : IN=eth0 ... SRC=222.216.28.135 ... PROTO=ICMP TYPE=0 CODE=0 ID=53782 SEQ=7 &#012;... kernel: MAIL_RLY_TST : IN=eth0 ... SRC=222.216.28.135 ... PROTO=ICMP TYPE=0 CODE=0 ID=53782 SEQ=8 &#012;</textarea><!--end code block--><br>And then nothing. So far. With so many script kiddies running what would appear to be "out-of-the-box" scripts against large netblocks, it sometimes makes me wonder if I should follow in the footsteps of CNN and the like and simply discard inbound ICMP requests.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19314707</guid>
<pubDate>Tue, 23 Oct 2007 23:50:26 EDT</pubDate>
</item>

</channel>
</rss>
