Discuss mailing list

[Julian DeMarchi <julian AT jdcomputers.com.au>]

On 01/11/2013 05:48 AM, Simon wrote:
> On 01/10/13 19:00, Jamyn Shanley wrote:
>> > I actually think there would be some benefit to running an ossec client
>> > on the T2 nodes that reports abusive behavior to a controller, so we
>> > could block abusive traffic preemptively on the other nodes. That way if
>> > they abuse node 1, node 2 already has a dynamic filter in place when
>> > they switch nodes after they're ratelimited.
> There is also a high potential of abuse here. This functionality could
> be used as a type of DoS attack. By spoofing an attack on one Opennic
> node, the atacker could get an IP or block of IPs blocked from all
> Opennic nodes.

The idea is great. Maybe we could use a DNS zone to publish the abusive
IPs in... I know we can run a spammers.X TLD then have participating T2s
as masters for the zone. Any T2 participating can then push out added
IPs as they come and the other master servers will just IXFR the zone.

.free use to be run this way, so I have expereince in such a setup and
know it works.

--julian