Date: Wed, 09 May 2007 18:38:04 +0200 From: Volker <volker@vwsoft.com> To: Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: PF and GeoIP to update country table? Message-ID: <4641F8EC.4@vwsoft.com> In-Reply-To: <499c70c0705090823n49cc1897u24a8ccbb7e57b429@mail.gmail.com> References: <499c70c0705090045q121d9a36n45c0bf6c69928273@mail.gmail.com> <46418C6A.5000607@quip.cz> <499c70c0705090201v3534eef2ybe9c2f7218e714dc@mail.gmail.com> <4641BC51.7080804@vwsoft.com> <499c70c0705090823n49cc1897u24a8ccbb7e57b429@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 05/09/07 17:23, Abdullah Ibn Hamad Al-Marri wrote: [snip] >> unfortunately I'm unable to imagine if it's nice or really, really bad >> idea to block certain countries. It sounds like a chinese wall. If the >> machine in question is a web server, it might be a hardly bad idea and >> would lead into another dimension of separating the world. >> [snip] > There are Arabs and ppl speak and read Arabic in the other countries > but I have to lose them since the forum is getting 24/7 days hits by > Arabic script kiddies who think they are elite and will flood it with > fake http requests which kills the MySQL server right away. > > The problem is they have tons of bots run in m$ systems, and I have > only 2 choices. > Shut down the forum, or block other countries IPs, if you were in my > place what would you do? Abdullah, how do these attacks look like? Is it script driven MASS-posting? How frequent? You may probably use pf's ability to set per IP triggers (ie if a single IP address is opening too much tcp connections in a time frame, you may block that). If these scripts are running not too often against your web server, this is not of use for you. As I understand, these script kiddies are trying to automagically post into your forum. What about requiring graphical confirmation before the post is accepted? That way, you're letting legitimate users in from around the world but keep robots out. If you're using something like phpBB, there are (anti spam) modules for graphical confirmation. Again, the best solution (balanced between your concerns and legitimate use for all people) depends on how these attacks against your forum does look like. If there are frequent accesses from the same set of IP addresses, you may use pf. Otherwise this should be blocked by your forum software. Arabic people are really around the world. If you want to try pf's trigger functionality (see "stateful tracking options" in pf.conf(5) ), keep in mind that every http request (html pages, graphics etc.) may lead into may single tcp connections. This means, don't set the limits too short before blocking an IP address. HTH Volker
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4641F8EC.4>