<p>My experience is that as long as the hackers are getting any kind of response from your server, they'll keep their attack on, in the hope that they'll get into your system sooner or later. After all, it is just some computers doing the work for them; no human is physically getting tired here. This is why when you block them in your iptables, and they stop getting a response from your end, i.e. no ping reply, no SIP response, nothing basically, then they eventually take their attack somewhere else, probably because they (or their hack attempt software) either assume that the IP they were attacking is no longer valid for the attack or the user has taken enough security measures that attacking him is not worth the effort.</p>
<p>On the contrary, in my experience, if you don't block them, eventually attacks increase. Probably they let their other hacker friends know too that your server is a good candidate for a hack attempt.</p>
<p>Obviously it's only the ISPs who can truly stop such attacks by blocking them at their routers. If the hackers decide to keep bugging you, unfortunately there is nothing you can do to prevent the waste of your bandwidth.</p>
<p>But I wonder if one's router doesn't respond back, e.g. it is physically off, and someone is doing such an attack, do the ISPs still consider it bandwidth usage?<br></p>
<p>Zeeshan A Zakaria</p>
<p><blockquote type="cite">On 2010-04-11 7:41 AM, "Gordon Henderson" &lt;<a href="mailto:gordon%2Basterisk@drogon.net">gordon+asterisk@drogon.net</a>&gt; wrote:<br><br><p><font color="#500050">On Sun, 11 Apr 2010, --[ UxBoD ]-- wrote:<br>
<br>&gt; In the end I set up OSSEC (<a href="http://www.ossec.net">http://www.ossec.net</a>) and wr...</font></p>Cheers - but it's not blocking that's the real issue, that's trivial in my<br>
router or on the PBX, it's that my monthly ADSL data cap is being used up<br>
and my ISP is not responding (actually, they might if I phone them, but<br>
it's not desperate right now as I'm unlimited at the weekend), and neither<br>
is Amazon.<br>
<br>
My current monthly peak-time cap is 45GB - 8am to 8pm and they seem to<br>
be eating up some 7-10GB a day... So I might actually be OK and can just<br>
"weather it out", but it's still annoying.<br>
<br>
I'm tempted to just block all of Amazon's EC2 and say to hell with them.<br>
Shouldn't be too hard to track them down - eg. from whois on that IP:<br>
<br>
NetRange: 72.44.32.0 - 72.44.63.255<br>
CIDR: <a href="http://72.44.32.0/19" target="_blank">72.44.32.0/19</a><br>
NetName: AMAZON-EC2-2<br>
<br>
NetRange: 75.101.128.0 - 75.101.255.255<br>
CIDR: <a href="http://75.101.128.0/17" target="_blank">75.101.128.0/17</a><br>
NetName: AMAZON-EC2-4<br>
<br>
NetRange: 67.202.0.0 - 67.202.63.255<br>
CIDR: <a href="http://67.202.0.0/18" target="_blank">67.202.0.0/18</a><br>
NetName: AMAZON-EC2-3<br>
<br>
NetRange: 174.129.0.0 - 174.129.255.255<br>
CIDR: <a href="http://174.129.0.0/16" target="_blank">174.129.0.0/16</a><br>
NetName: AMAZON-EC2-5<br>
<br>
NetRange: 204.236.128.0 - 204.236.255.255<br>
CIDR: <a href="http://204.236.128.0/17" target="_blank">204.236.128.0/17</a><br>
NetName: AMAZON-EC2-6<br>
<br>
NetRange: 184.72.0.0 - 184.73.255.255<br>
CIDR: <a href="http://184.72.0.0/15" target="_blank">184.72.0.0/15</a><br>
NetName: AMAZON-EC2-7<br>
<br>
(so much for running out of IPv4 address space when Amazon has millions)<br>
<br>
And there are well-known published lists from all Chinese hosts, etc.<br>
too. Easy enough to cook up iptables to allow data from sites I connect<br>
out to, but block all incoming new connections.<br>
<font color="#888888"><br>
Gordon<br>
</font><p><font color="#500050"><br>-- <br>_____________________________________________________________________<br>-- Bandwidth and Colocati...</font></p></blockquote></p>
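<p>The two approaches discussed in this thread (dropping the listed EC2 ranges, and allowing replies to outbound connections while blocking new inbound ones), as an added example that is not part of either message. The chain name <code>SIP-GUARD</code>, the trusted peer address and the restriction to SIP signalling on UDP 5060 are assumptions; the CIDRs are the ones quoted from whois above.</p>

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it does not apply them.
# Ranges are the six quoted from whois in the message above.
EC2_CIDRS="72.44.32.0/19 75.101.128.0/17 67.202.0.0/18 174.129.0.0/16 204.236.128.0/17 184.72.0.0/15"
TRUSTED_PEERS="192.0.2.10"   # constructed placeholder (documentation address)
CHAIN="SIP-GUARD"            # hypothetical chain name

# Reject malformed entries so a typo in a list never becomes a rule.
valid_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no "/" present
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Mode "blocklist": drop only the listed ranges, leave the rest to existing rules.
# Mode "default-deny": also accept SIP from trusted peers, then drop all other new inbound traffic.
emit_rules() {
    mode=${1:-blocklist}
    echo "iptables -N $CHAIN"
    echo "iptables -A $CHAIN -i lo -j ACCEPT"
    # Replies to connections this host opened keep flowing.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for cidr in $EC2_CIDRS; do
        if valid_cidr "$cidr"; then
            # DROP sends nothing back: the "no response" behaviour described in the first message.
            echo "iptables -A $CHAIN -s $cidr -j DROP"
        else
            echo "skipped invalid entry: $cidr" >&2
        fi
    done
    if [ "$mode" = "default-deny" ]; then
        for peer in $TRUSTED_PEERS; do
            echo "iptables -A $CHAIN -s $peer -p udp --dport 5060 -j ACCEPT"
        done
        echo "iptables -A $CHAIN -m conntrack --ctstate NEW -j DROP"
    fi
    echo "iptables -I INPUT -j $CHAIN"
}

emit_rules "${1:-blocklist}"
```

<p>Dropping at the host or router stops the replies, but the inbound packets have already crossed the ADSL link, which is the data-cap problem Gordon describes.</p>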