[SGVLUG] security tools

Stan Schwarz stan at iron.gps.caltech.edu
Tue Dec 4 11:22:14 PST 2007


> lazy to build my own log parser.  But one thing I liked in the FAQ of 
> psad is this:
> 
> http://www.cipherdyne.org/psad/docs/faq.html#auto_block
> 
> Looks like it has the ability to automatically block an IP address based 
> on a certain threshold of traffic.

I know that this isn't a danger for most people here, but it's
still kind of funny.

The USGS has something like this set up at the perimeter of
the network in Menlo Park. After the Alum Rock earthquake on
October 30, traffic on the web site went up by 200x. Guess
what happened?

Fortunately, the web sites are served by Akamai, so there were
a bunch of different hosts coming in to get content for the
Akamai caching servers. So no one host was requesting a huge
amount of stuff. But part of the site needs to access a database
that runs on a machine here at Caltech. The automatic network
monitor saw lots of traffic between the web servers and the
database server. So it decided that the database server was
attacking us, and it blocked it.

-- 
-----------------------------------------------------------------
Stan Schwarz              |"Sun likely will have to embrace Linux
stan at iron.gps.caltech.edu | and eat their own children, or watch 
                          | IBM and HP do it instead." - crn.com
- http://pasadena.wr.usgs.gov/stans -----------------------------
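The failure mode in the message above, as an added illustration that is not part of the original post or of psad: a naive per-source byte threshold at the perimeter flags the one legitimate high-volume peer (the database server) while each of the many cache hosts stays under the limit, and an allowlist of known infrastructure peers is what keeps the rule from cutting off the database. Host names, addresses and byte counts are constructed placeholders.

```python
from collections import defaultdict

# Constructed flow records seen at a perimeter monitor: (source, destination, bytes)
# within one sampling window. Names and addresses are placeholders, not real hosts.
FLOWS = [
    ("203.0.113.10", "web-1", 5_000),   # cache edge host fetching content
    ("203.0.113.11", "web-1", 5_000),   # another edge host; surge is spread thin
    ("203.0.113.12", "web-2", 5_000),
    ("203.0.113.13", "web-2", 5_000),
    ("db.example", "web-1", 40_000),    # database answering queries for the web tier
    ("db.example", "web-2", 40_000),
    ("db.example", "web-1", 40_000),
]


def bytes_per_source(flows):
    """Sum bytes per remote source within the window (what a threshold rule keys on)."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def auto_block(flows, threshold, allowlist=frozenset()):
    """Naive auto-block rule: every source above the byte threshold is blocked,
    unless it is on the allowlist of known infrastructure peers.

    Per-source counting means the distributed cache traffic never trips the rule,
    but the single legitimate database server does. The allowlist is the hypothetical
    fix: exempt peers the site depends on from automatic blocking."""
    return sorted(
        src for src, total in bytes_per_source(flows).items()
        if total > threshold and src not in allowlist
    )


if __name__ == "__main__":
    # Without an allowlist the database server is "attacking us" and gets blocked.
    print(auto_block(FLOWS, threshold=50_000))
    # With the database server allowlisted, nothing is blocked.
    print(auto_block(FLOWS, threshold=50_000, allowlist={"db.example"}))
```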