I really need to get things together and finish the time-limited black hole route system I keep thinking about. Digging through the logs recently I've been finding that there are patterns in there to be teased out--systems that constantly hammer me with viruses or bang on the webserver with attempts to post comments to non-functional cgi programs. (Yeah, I left mt-comments.cgi around and just marked it non-executable) While it's not a lot of traffic, it's annoying traffic, and in the case of the virus bombs it's repeated over and over.
I could just install a blackhole route for these things, but that's got two issues. First, it goes away when my system reboots and, while that's not all that common, it does happen. Second, I'm not really comfortable with automatically generated black hole routes being effectively permanent, lasting either forever if they go in the config files or until reboot otherwise. For snort-generated routes that's mostly OK, but past that, well... seems a bit much.
What I want is a database where I can throw an IP address or block in with an expiration date, and have the block last until it expires, across reboots and resets, presumably with a little daemon that spins its wheels, updating the list every 10 seconds or so. (Maybe every minute, dunno) While that shouldn't be that tough, I've just not gotten around to it, and I really ought to.
Besides, then I could in good conscience write an RFC with the text "The server MAY install a null route for clients which violate this restriction. Null routes MUST be temporary, with the route lasting no more than one minute for the first violation. A warning period equal to the duration of the lifetime of the null route MAY be imposed after the routing is restored, and the null route lifetime MAY double if another violation occurs within this warning period."
I think I could enjoy that one. Pity I desperately lack the time I need to finish even the design of the rss polling replacement system it'd be a part of.
Posted by Dan at February 18, 2004 09:49 AM