Tuesday, March 6, 2012

Portscans detection and the blacklist dilemma

Portscans are terribly annoying. But what to do when a host is scanning us? Block it for a set amount of time? Just log it? Do nothing at all?
Blocking hosts opens a nice DoS attack vector. I have always blocked for no more than a minute. You are never really sure whether what you are blocking is a kiddo or some poor bastard whose machine's address has been spoofed. If the poor bastard happens to be a gateway, you are going to regret your nice blacklisting trickery. Ignoring scans completely is out of the question.
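To make the trade-off concrete, here is an added example (not code from the original post) of the approach described above: a small detector that flags a source touching many distinct ports inside a short window, blocks it for at most one minute so that a block expires on its own, and exempts addresses you cannot afford to lose (a gateway) because their source address may be spoofed. The log lines, thresholds, window length and the `NEVER_BLOCK` address are all constructed for the example.

```python
"""Toy portscan detector with a time-limited blocklist.

Added example, not code from the original post. It works on a constructed
connection log of (timestamp, source_ip, dest_port) tuples; threshold,
window and block duration are illustrative choices, not recommended values.
"""
from collections import defaultdict

PORT_THRESHOLD = 10     # this many distinct destination ports from one source...
WINDOW = 5.0            # ...within this many seconds counts as a scan
BLOCK_SECONDS = 60.0    # block for at most one minute, then release the host

# Addresses that must never be blocked even if they appear to scan, because
# an attacker can spoof them and a block would cut us off. Constructed value.
NEVER_BLOCK = {"10.0.0.1"}


class ScanDetector:
    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW,
                 block_seconds=BLOCK_SECONDS, never_block=NEVER_BLOCK):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.never_block = set(never_block)
        self._events = defaultdict(list)   # src -> [(ts, port), ...] within window
        self._blocked = {}                 # src -> expiry timestamp

    def is_blocked(self, src, now):
        """True while a block is active; expired blocks are dropped lazily."""
        expiry = self._blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blocked[src]         # block has expired: host is released
            return False
        return True

    def observe(self, ts, src, port):
        """Record one connection attempt; return True if it triggers a new block."""
        if src in self.never_block:
            return False                   # never block a gateway, only log it
        cutoff = ts - self.window
        events = [(t, p) for (t, p) in self._events[src] if t >= cutoff]
        events.append((ts, port))
        self._events[src] = events
        distinct_ports = {p for _, p in events}
        if len(distinct_ports) >= self.threshold and not self.is_blocked(src, ts):
            self._blocked[src] = ts + self.block_seconds
            return True
        return False


def run(log, detector=None):
    """Feed (ts, src, port) events; return the detector and {src: ts_blocked}."""
    det = detector or ScanDetector()
    blocked_at = {}
    for ts, src, port in log:
        if det.observe(ts, src, port):
            blocked_at[src] = ts
    return det, blocked_at


# Constructed sample log (not real traffic):
#  - 192.0.2.10 sweeps 12 ports in 1.1 s            -> should be blocked
#  - 10.0.0.1 (gateway, possibly spoofed) sweeps 15  -> detected but exempt
#  - 198.51.100.5 only talks to 80 and 443           -> normal, untouched
SAMPLE_LOG = (
    [(0.1 * i, "192.0.2.10", 1 + i) for i in range(12)]
    + [(0.1 * i, "10.0.0.1", 1 + i) for i in range(15)]
    + [(2.0, "198.51.100.5", 80), (2.5, "198.51.100.5", 443)]
)

if __name__ == "__main__":
    det, blocked = run(SAMPLE_LOG)
    for src, ts in blocked.items():
        print(f"{src} blocked at t={ts:.1f}s, released at t={ts + det.block_seconds:.1f}s")
```

The lazy expiry in `is_blocked` is what keeps the "no more than a minute" promise: a spoofed victim is inconvenienced briefly and then released without anyone having to clean up a list by hand, while a real scanner that keeps going simply earns a fresh block once the old one lapses.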
