That being said....
I still block Afrinic and will continue to do so. Too many past issues
with Nigeria. It may be whackamole, but it's effective enough that I
no longer have to deal with brute force attacks nearly as often.
I consider it low hanging fruit to knock off some of the subnets that
are known to be nasty. Takes 10 minutes and then RONCO - "Set it and
Forget it!"
_____________________
Derrick Peavy
[email protected]
404-786-5036
“Innovation distinguishes between a leader and a follower.” -Steve Jobs
_____________________
On Nov 23, 2009, at 11:01 AM, shawn gorrell wrote:
I was just getting ready to say that...
When I first started administering servers I used to get really
freaked out by all of the attack traffic and spent a bunch of time
blocking IP's at the router. Over time I realized that it was just
playing whack-a-mole and was mainly a waste of my time. If you knock
them down on one subnet, another will pop up, and your overall attack
traffic will be undiminished. All you've done is waste your own time
and mental energy. A better approach is to make sure your network,
server and applications are as tight as they can be (and validate
that regularly), and quit worrying about botnets and script kiddies.
From: Dean H. Saxe <[email protected]>
To: [email protected]
Sent: Mon, November 23, 2009 10:55:25 AM
Subject: Re: [ACFUG Discuss] SQL Injection
You miss the point. Attackers don't just originate from their home
countries, they bounce through proxies around the world, including
where your intended audience sits.
-dhs
--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children." -- John
James Audubon
On Nov 23, 2009, at 7:49 AM, Troy Jones wrote:
I think that would depend on the intended scope and audience of
your site or server's sites. For example, does someone in Beijing
need to browse for a product that isn't available over the web or
sold in any store outside the contiguous U.S.? Or would someone in
Ulan Bator need to set up a pick-up laundry service in St. Louis?
Of course there would be exceptions but I think it would be worth
the small number of legitimate denials to do this.
___________________________________________________________________________________________
Troy Jones | Developer/Support Technician | Dynapp Inc |
1-800-830-5192 ext. 603 | dynapp.com | facebook.com/dynapp
From: [email protected] [mailto:[email protected]] On Behalf Of Dean H.
Saxe
Sent: Friday, November 20, 2009 10:08 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] SQL Injection
Yeah sure, you CAN, but it's not the solution to the problem. On a
recent incident response we had attacks originating from Asia,
South America and Europe. Do you plan on blocking them all?
-dhs
--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children." -- John
James Audubon
On Nov 20, 2009, at 9:16 AM, Wes Byrd wrote:
You can block subnets. On a couple of domestic sites, I have even
blocked all requests from ALL OF ASIA (or close). While I know
this is a drastic measure… all SQL Injection attack (and other
hack attacks) attempts reduced by 98% with that done.
Here is a link that describes how to do this and why:
http://www.parkansky.com/china.htm
From: [email protected] [mailto:[email protected]] On Behalf Of Dean H.
Saxe
Sent: Friday, November 20, 2009 11:59 AM
To: [email protected]
Subject: Re: [ACFUG Discuss] SQL Injection
Blocking IPs is useless, attackers will just use another proxy to
change the apparent location of the originating attack. You
can't stop the attempts, you must instead prevent the exploitation
of vulnerable code. This means writing secure code using data
validation on all input, data sanitization on output (in this case,
parameterized queries using cfqueryparam) and following the
principle of least privilege on the database access.
-dhs
--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children." -- John
James Audubon
On Nov 20, 2009, at 3:47 AM, Rudi Shumpert wrote:
Hey folks,
I saw John's tweet earlier this week about a new wave of SQL
Injection (and link to a great article on it:
http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
and sure enough I'm seeing a huge upswing in attempts. Over 100
failed attempts last night alone.
We have taken the steps to prevent damage / harm, but I was
wondering what folks are doing after they stop the attempt. What
kind of message if any do you provide? Are people checking the
logs, and blocking IP's of the worst offenders? Or something else?
-Rudi
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org/?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
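
The defences named in the Nov 20 reply above (input validation, a parameterized query with cfqueryparam, least privilege on the database account), plus logging of the rejected request, as an added CFML example that is not from any message in this thread. The datasource `shopDSN`, the table `products`, the log file name `sqli_rejects` and the parameter `url.id` are assumptions made for illustration.

```cfml
<!--- Added example. shopDSN, products, sqli_rejects and url.id are assumed names. --->

<!--- BEFORE (kept commented out): the URL value becomes part of the SQL text,
      so anything appended after the number is parsed by the database as SQL.
<cfquery name="qProductUnsafe" datasource="shopDSN">
    SELECT id, name FROM products WHERE id = #url.id#
</cfquery>
--->

<cfparam name="url.id" default="">

<!--- 1. Input validation: accept only a positive integer, reject everything else --->
<cfif NOT (isValid("integer", url.id) AND url.id GT 0)>
    <!--- Strip control characters and cap the length so the rejected value
          cannot forge extra log lines or flood the log --->
    <cfset rejected = reReplace(left(url.id, 200), "[[:cntrl:]]", "", "all")>
    <cflog file="sqli_rejects" type="warning"
           text="Rejected id from #cgi.remote_addr#: #rejected#">
    <!--- Generic response: no SQL, no stack trace, no hint about the filter --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid request.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Parameterized query: the value travels as a typed bind parameter,
      never as SQL text. Least privilege (assumed setup): the account behind
      shopDSN holds SELECT on products only, with no DDL or write rights. --->
<cfquery name="qProduct" datasource="shopDSN">
    SELECT id, name
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Encode on output so stored data cannot inject markup into the page --->
<cfoutput query="qProduct">
    <p>#encodeForHTML(qProduct.name)#</p>
</cfoutput>
```

The `sqli_rejects` log gives a record of source addresses and payloads to review, whether or not any of them are later blocked at the network edge.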