On 26 Feb 2020, at 10:12, Wietse Venema wrote:
> micah anderson:
>> Matus UHLAR - fantomas <uh...@fantomas.sk> writes:
>>> Welcome to the internet. Can be misconfigured client, spamware somewhere,
>>> scan, whatever. Firewalling those automatically is the only way to limit
>>> those messages.
>>
>> I'm curious what kind of firewalling rules that people have come up with
>> to limit these. Are you just doing a fail2ban type reaction, or have some
>> particular state you are denying? I'd be happy to see some iptables or
>> even pf examples.
>
> Why bother? Storage is cheap,

Managing storage is not. Unanticipated growth of logs is a common root
cause of having to do storage management tasks that require
highly-compensated labor.

> and repeated logging compresses very well.

True, but log parsing and analysis for extraction of useful information
still has to deal with the uncompressed logs and at least read and
filter every line, whether its content carries interesting data or not.
> So it is only a problem if you keep uncompressed logs forever.
It can be an ongoing nuisance if you try to maximize resource
utilization (a common strategy in the age of easy virtualization) and
guess wrong about how many bots will do pointless broken things in the
lifetime of a system.

There's also a side-issue that I don't believe to be applicable here:
forged packet reflection attacks. I don't suspect that in this case
because there's no amplification, but it certainly would work to make a
flooding attack untraceable.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
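The thread asks for a "fail2ban type reaction" to the repeated noise and notes that any log analysis still has to read and filter every line. The script below is an added illustration of that reaction and is not code from this thread, from Postfix or from fail2ban. It assumes the noise shows up as Postfix smtpd lines under syslog naming a client as `name[addr]` (the "lost connection after CONNECT" and "timeout after CONNECT" messages are used here as the assumed noise), counts such events per client IP inside a sliding time window, and then only emits the iptables or pf commands that would block the repeat offenders rather than running them. The threshold, window, sample log lines, the year used for the syslog timestamps and the pf table name `smtp_noise` are all constructed for the example.

```python
"""Fail2ban-style threshold over Postfix smtpd log noise (added example).

Parses syslog-style Postfix lines, counts assumed "noise" events per client
IP within a sliding window, and emits (does not execute) block commands.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamp, host, smtpd process, then a message that names the
# client as "name[addr]" the way Postfix smtpd does.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<msg>.*? from \S+\[(?P<ip>[0-9a-fA-F.:]+)\].*)$"
)

# Assumed set of message prefixes that count as pointless bot noise;
# adjust to whatever is actually flooding the log.
NOISE_EVENTS = ("lost connection after", "timeout after")

# Constructed sample log (TEST-NET addresses); not taken from the thread.
SAMPLE_LOG = """\
Feb 26 10:00:01 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Feb 26 10:00:02 mx1 postfix/smtpd[2101]: lost connection after CONNECT from unknown[203.0.113.5]
Feb 26 10:00:31 mx1 postfix/smtpd[2103]: lost connection after CONNECT from unknown[203.0.113.5]
Feb 26 10:01:04 mx1 postfix/smtpd[2105]: lost connection after CONNECT from unknown[203.0.113.5]
Feb 26 10:01:40 mx1 postfix/smtpd[2107]: lost connection after CONNECT from unknown[203.0.113.5]
Feb 26 10:02:15 mx1 postfix/smtpd[2109]: timeout after CONNECT from unknown[203.0.113.5]
Feb 26 10:02:50 mx1 postfix/smtpd[2111]: lost connection after CONNECT from unknown[203.0.113.5]
Feb 26 10:03:11 mx1 postfix/smtpd[2113]: connect from mail.example.net[198.51.100.7]
Feb 26 10:03:12 mx1 postfix/smtpd[2113]: lost connection after DATA from mail.example.net[198.51.100.7]
Feb 26 10:05:00 mx1 postfix/smtpd[2115]: lost connection after CONNECT from unknown[198.51.100.7]
Feb 26 10:40:00 mx1 postfix/smtpd[2120]: lost connection after CONNECT from unknown[203.0.113.9]
Feb 26 11:30:00 mx1 postfix/smtpd[2125]: lost connection after CONNECT from unknown[203.0.113.9]
Feb 26 10:06:00 mx1 postfix/anvil[2001]: statistics: max connection rate 1/60s for (smtp:203.0.113.5) at Feb 26 10:00:02
"""


def parse_line(line, year=2020):
    """Return (timestamp, client_ip, message) or None for lines we ignore.

    Syslog timestamps carry no year, so one is supplied (assumed 2020 here).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["msg"]


def _max_in_window(stamps, window):
    """Largest number of events from one client inside any `window` span."""
    best, start = 0, 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Map client IP -> peak noise-event count for IPs at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an smtpd client line; still read and skipped
        ts, ip, msg = parsed
        if msg.startswith(NOISE_EVENTS):
            events[ip].append(ts)
    offenders = {}
    for ip, stamps in events.items():
        peak = _max_in_window(sorted(stamps), window)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def block_commands(offenders, backend="iptables"):
    """Render block rules for review; nothing here executes them."""
    cmds = []
    for ip in sorted(offenders):
        if backend == "pf":
            # Assumed pf table name "smtp_noise" referenced by a block rule.
            cmds.append(f"pfctl -t smtp_noise -T add {ip}")
        else:
            cmds.append(f"iptables -I INPUT -p tcp --dport 25 -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for cmd in block_commands(hits):
        print(cmd)
```

In the constructed sample only 203.0.113.5 crosses the threshold (six events in under three minutes); the legitimate sender that drops one DATA session and the client whose two failures are fifty minutes apart are left alone, which is the point of a window rather than a lifetime counter. A real deployment would also need an expiry for the blocks, since the thread's own concern is bots that come and go over the lifetime of a system.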