Scot L. Harris wrote:
Actually this won't reduce any bandwidth to your server. The probes still hit that address, you are just blocking those packets in iptables from being able to get any further.
Are you saying that the single connect-and-drop that this scheme introduces is going to use the same bandwidth as a brute-force password attack on hundreds of login names?
If you could implement this further up the line then you could reduce traffic to your servers.
Sure, that would be good. <SARCASM> Do you think I can get SBC to implement custom filtering for our DSL? </SARCASM> ;)
Putting a blanket deny on traffic from specific IP ranges is effective if attacks are coming from those ranges. The problem is that hackers will typically want to use an intermediate site to launch an actual attack from. This makes it harder to trace the actual source of the attack. At least good hackers do this. Script kiddies don't know to do this.
If you read the article, you'll see that the author suggests that the traffic is probably coming from zombied personal machines in the far east occurring as a result of a lack of security knowledge and awareness in those new to the net.
I don't expect this to be perfect, just an additional step to protect my servers.
Kirk Bocek
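One way to settle the bandwidth question the two of them are arguing over is to read the packet and byte counters on the DROP rules: bytes counted there were still carried over the link and only stopped at the host. The script below is an added example, not something either poster sent; it parses a constructed sample of `iptables -nvxL INPUT` output (the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24 are placeholders) and totals what was dropped per source range.

```python
import re

# Constructed sample of `iptables -nvxL INPUT` output (not from the thread).
# -x gives exact counters; the two DROP rules are a blanket deny of SSH from
# two placeholder ranges, the ACCEPT rule is everyone else reaching sshd.
SAMPLE_COUNTERS = """\
Chain INPUT (policy ACCEPT 120431 packets, 98322110 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    3127     187620 DROP       tcp  --  *      *       203.0.113.0/24       0.0.0.0/0            tcp dpt:22
     844      50640 DROP       tcp  --  *      *       198.51.100.0/24      0.0.0.0/0            tcp dpt:22
    9810    1224500 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)(.*)$"
)


def parse_counters(text):
    """Return one dict per rule line with its packet and byte counters."""
    rules = []
    for line in text.splitlines():
        # Skip the chain header and the column header line.
        if line.startswith("Chain") or line.lstrip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, proto, src, dst, extra = m.groups()
        rules.append({"pkts": int(pkts), "bytes": int(nbytes), "target": target,
                      "proto": proto, "src": src, "dst": dst, "extra": extra.strip()})
    return rules


def dropped_by_source(rules):
    """Bytes that arrived at the host and were dropped, keyed by source range.

    Every byte here crossed the DSL link before iptables saw it: the rule spares
    sshd the connection, it does not spare the line the traffic."""
    totals = {}
    for r in rules:
        if r["target"] == "DROP":
            totals[r["src"]] = totals.get(r["src"], 0) + r["bytes"]
    return totals


def drop_ratio(rules):
    """Share of bytes on the listed rules that were dropped rather than accepted."""
    dropped = sum(r["bytes"] for r in rules if r["target"] == "DROP")
    total = sum(r["bytes"] for r in rules)
    return dropped / total if total else 0.0
```

Run it against real output with `iptables -nvxL INPUT` piped into `parse_counters` to see how much of the SSH traffic the blanket deny is actually absorbing at the host.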