Re: [ANNOUNCE] Kernel Blocking Firewall

From: jmerkey
Date: Fri Jan 09 2009 - 04:00:30 EST



... snip

> ipset runs in kernel too, you just add/remove entries from userspace
> without having to touch all other ones. It has no problem storing one
> million addresses and doing fast lookups on them.
>
> I'm not dismissing your work, I just think it's a duplicate effort.
>
> Also, since you're speaking about botnets, you should support automatic
> expiration of those addresses, because almost all those addresses are
> dynamic and will match a bot for a small amount of time, then match a
> normal non-infected user. One of the reasons you found 500k addresses
> might very well be because each bot appears one hundred times at different
> addresses.
>
> Willy
>
>

You should go and look at the code, 1) the window of addresses cached in
memory is designed to act as an LRU window for the addresses stored in
the database to use less memory, so no, the in-memory only ip tables is
primitive in comparison 2) the database can just keep growing and growing
3) the code I posted also loads the database if the system reboots, so
your applications remember all those botnet addresses 4) there is the
ability to set a timer to expire and recycle the oldest addresses (while
still remembering all of them).

From my experience with dealing with these systems, and observation of how
RBL databases work, when an infected system gets blacklisted, it stays
that way until the user goes to the websites and requests removal. I have
found these zombie systems tend to stay that way, and no, by default you
NEVER want to unblock them for at least 6 months.

Jeff
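The design Jeff describes above (a bounded in-memory LRU window over a full database of blocked addresses, persistence across reboots, a timer that recycles the oldest in-memory entries without forgetting them, and a minimum block duration before anything is even considered for removal) can be sketched in userspace. The following is an added example written for this page, not the kernel module Jeff posted; the database is a plain dict standing in for on-disk storage, the six-month default and the sample addresses (192.0.2.0/24 documentation range) are constructed, and the class and method names are invented for illustration.

```python
"""Constructed illustration of an LRU window over a persistent blocklist.
Not the module from the thread: the 'database' is an in-process dict and
persistence is a JSON blob, so the whole thing runs offline."""
from collections import OrderedDict
import json

# Default minimum block duration in seconds (assumption: "at least 6 months").
SIX_MONTHS = 6 * 30 * 24 * 3600


class BlocklistCache:
    """Hot set of blocked IPs in memory, full set in the database."""

    def __init__(self, capacity, min_block=SIX_MONTHS):
        self.capacity = capacity          # size of the in-memory LRU window
        self.min_block = min_block        # seconds before an entry may be reviewed
        self.window = OrderedDict()       # ip -> last_seen, oldest first
        self.db = {}                      # ip -> first_seen; stand-in for the database

    def add(self, ip, now):
        """Record a blocked address in the database and pull it into the window."""
        self.db.setdefault(ip, now)       # keep the original first_seen on re-adds
        self._touch(ip, now)

    def _touch(self, ip, now):
        """Mark ip most-recently-used, evicting the LRU entry past capacity.
        Eviction only drops the memory copy; the database still has the address."""
        if ip in self.window:
            self.window.move_to_end(ip)
        self.window[ip] = now
        while len(self.window) > self.capacity:
            self.window.popitem(last=False)

    def is_blocked(self, ip, now):
        """Fast path hits the window; a miss falls back to the database and promotes."""
        if ip in self.window or ip in self.db:
            self._touch(ip, now)
            return True
        return False

    def recycle(self, now, idle):
        """Timer hook: drop window entries not seen for `idle` seconds.
        Returns how many were recycled. The database remembers all of them."""
        stale = [ip for ip, seen in self.window.items() if now - seen > idle]
        for ip in stale:
            del self.window[ip]
        return len(stale)

    def unblock_candidates(self, now):
        """Addresses blocked for at least min_block. Nothing is removed automatically;
        this only lists what an operator could review."""
        return sorted(ip for ip, first in self.db.items() if now - first >= self.min_block)

    def save(self):
        """Serialize the full database so a reboot does not lose the blocklist."""
        return json.dumps(self.db)

    @classmethod
    def load(cls, blob, capacity, min_block=SIX_MONTHS):
        """Rebuild from a saved blob; the window starts empty and refills on lookups."""
        cache = cls(capacity, min_block)
        cache.db = json.loads(blob)
        return cache


if __name__ == "__main__":
    c = BlocklistCache(capacity=2)
    for ip, t in (("192.0.2.1", 100), ("192.0.2.2", 200), ("192.0.2.3", 300)):
        c.add(ip, t)
    print("window:", list(c.window), "db size:", len(c.db))
    print("192.0.2.1 blocked (db fallback):", c.is_blocked("192.0.2.1", 400))
    print("recycled:", c.recycle(now=1000, idle=650), "window:", list(c.window))
```

The point the window/database split makes is that eviction and lookup cost are bounded by `capacity`, while the database keeps growing; `recycle` frees memory on a timer without ever removing an address from the block set, and `unblock_candidates` is deliberately a report rather than an automatic removal.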




--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/