OSEC

Re: PF - using overload for port 80 attacks/floods

From: Cache Hit (cachehitwebii.net)
Date: Fri Feb 01 2008 - 10:23:29 CST


On Feb 1, 2008, at 1:30 AM, Peter N. M. Hansteen wrote:

> Darrin Chandler <dwchandlerstilyagin.com> writes:
>
>> Depending on the traffic patterns of legit vs. attack the following idea
>> might work... use max-src-* with values that may create false positives
>> and overload into table <candidates> which will still PASS. Now use
>> different values for max-src-* on <candidate> pass rule to look for
>> longer term abuse and overload to <blocked>. Effectively this lets you
>> do 2 stages of evaluation, at the price of taking a bit longer to block
>> attacks. Make sense?
>
> That's what I call an excellent idea. Finding the right set of values
> is a worthy exercise for the reader, but I *like* that approach.

I agree this is an excellent idea and I thank everyone for their
suggestions. I'm working on something along the lines of Darrin's idea
right now.

-John
--
cachehitwebii.net
The sky above the port was the color of television, tuned to a dead station.
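The two-stage overload Darrin describes, written out as an added pf.conf example (not from the thread or from any of its authors); the interface, server address, table names beyond the two in the post, and every threshold are assumptions to be tuned against your own traffic:

```pf
# Added example, not from the original thread. Interface, address and
# all threshold values are assumptions; pick them from your real traffic.
ext_if  = "em0"
web_srv = "192.0.2.10"

table <candidates> persist
table <blocked>    persist

# Stage 2: sources that already proved abusive are dropped outright.
# Age entries out from cron, e.g. pfctl -t blocked -T expire 86400,
# so a block is never permanent; inspect with pfctl -t blocked -T show.
block in quick on $ext_if from <blocked>

# Stage 1b: a source in <candidates> is STILL PASSED, but judged against
# tighter, longer-window limits. Only sustained abuse moves it to
# <blocked>; "flush global" then tears down all its existing states.
pass in quick on $ext_if proto tcp from <candidates> to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 30/60, overload <blocked> flush global)

# Stage 1a: everyone else gets generous limits. Crossing them only adds
# the source to <candidates>; nothing is blocked yet, so a false positive
# costs the client nothing more than closer scrutiny on its next connects.
pass in on $ext_if proto tcp to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 100/10, overload <candidates>)
```

Because the first two rules carry `quick`, a source is evaluated by exactly one of the three pass/block rules depending on which table it is in; expire <candidates> as well (`pfctl -t candidates -T expire`) so that a one-off burst does not leave a client under the stricter limits forever.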