NetBSD-Users archive
Re: Blocking offending IPs : How many are too many to handle for npf?
Mayuresh <mayuresh%acm.org@localhost> writes:
> Just tinkering with blacklistd settings.
>
> Trying to arrive at a good duration for blocking.
>
> I find that with 6-hour blocking, the blocked IPs settle at around 90 to 100.
>
> Most of them just recur after block duration is over, typically they might
> be bots.
>
> Increasing the block duration would increase the count of blocked IPs.
> Would that start affecting any aspects of performance of my system or
> is there any limit beyond which npf won't accept them?
>
> i.e. what are absolute limits and what are advisable counts of
> simultaneously blocked IPs?
>
> Further, are there any ways to figure out ranges of IPs to block? I need
> ssh access from only handful of devices, but not all have static IPs. I
> think Geography may provide a clue, but not sure what's the best way to
> utilize such clue.
>
> Mayuresh
My comments are not specific to blacklistd, as I am running a home-grown
system that is similar.
I keep stats on when an IP is first blocked and, in many cases, when it
was last seen. Currently I have about 78,000 distinct IP addresses in a
ippool(5) pool driving ipf and some of these IP addresses that were seen
recently were first seen in 2006. I suspect it depends on how brutal
you want to be to the offending IP. I tend to keep the addresses around
for a few years before purging them from the ban database.
--
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
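The reply above describes a ban database keyed on first-seen/last-seen
times that is purged after a few years, and the original question asks
how to turn individual offenders into ranges. The following Python is an
added example written for this archive page; it is not Brad's home-grown
system, not part of blacklistd or npf, and does not say anything about
npf's table limits. The sample events are constructed, the three-year
retention window and the "3 distinct hosts in a /24" threshold are
arbitrary choices, and the output format (one address or CIDR per line)
is assumed to match what an npf table loaded from a file, or an ippool(5)
list, accepts; check npf.conf(5) on your release before using it.

```python
# Added example, not from the thread: a minimal first-seen/last-seen ban
# database with age-based purging, plus aggregation of repeat offenders
# into /24 prefixes. Real input would come from e.g. "blacklistctl dump -a"
# or sshd auth logs; here the events are constructed test data.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: (address, ISO-8601 timestamp of the sighting).
SAMPLE_EVENTS = [
    ("203.0.113.10", "2006-03-01T00:00:00Z"),   # old offender, still active
    ("203.0.113.10", "2024-01-05T12:00:00Z"),
    ("203.0.113.11", "2024-01-06T12:00:00Z"),
    ("203.0.113.12", "2024-01-07T12:00:00Z"),
    ("198.51.100.7", "2015-05-01T00:00:00Z"),   # not seen for years
    ("198.51.100.7", "2016-05-01T00:00:00Z"),
    ("192.0.2.44", "2024-01-08T00:00:00Z"),
    ("2001:db8::1", "2024-01-09T00:00:00Z"),
]

# Fixed "now" so the example is reproducible (assumption, not a real clock).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)


def build_bandb(events):
    """Return {ip_address: (first_seen, last_seen, hits)} from sighting events."""
    db = {}
    for ip, ts in events:
        addr = ipaddress.ip_address(ip)
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if addr in db:
            first, last, hits = db[addr]
            db[addr] = (min(first, t), max(last, t), hits + 1)
        else:
            db[addr] = (t, t, 1)
    return db


def purge(db, now, max_age):
    """Keep only entries whose last sighting is within max_age of now."""
    return {ip: rec for ip, rec in db.items() if now - rec[1] <= max_age}


def aggregate_prefixes(db, prefixlen=24, min_hosts=3):
    """Collapse IPv4 offenders into a /prefixlen network when at least
    min_hosts distinct hosts from that network are in the database.
    Everything else (including IPv6) is emitted as a single-host network."""
    groups = defaultdict(set)
    singles = []
    for ip in db:
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[net].add(ip)
        else:
            singles.append(ipaddress.ip_network(str(ip)))
    out = list(singles)
    for net, hosts in groups.items():
        if len(hosts) >= min_hosts:
            out.append(net)
        else:
            out.extend(ipaddress.ip_network(str(h)) for h in hosts)
    # Sort by (version, address, prefixlen) so v4 and v6 never get compared.
    return sorted(set(out),
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_table_file(nets):
    """One entry per line; hosts as bare addresses, prefixes in CIDR form.
    Assumed to suit an npf 'type ipset' table loaded from a file (verify
    against npf.conf(5) for your release)."""
    lines = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            lines.append(str(n.network_address))
        else:
            lines.append(str(n))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    db = purge(build_bandb(SAMPLE_EVENTS), NOW, timedelta(days=3 * 365))
    print(render_table_file(aggregate_prefixes(db)), end="")
```

With the constructed events, the three-year purge drops 198.51.100.7
(last seen in 2016) but keeps 203.0.113.10, which was first seen in 2006
and is still active; the three 203.0.113.x hosts then collapse into
203.0.113.0/24, while 192.0.2.44 and 2001:db8::1 remain single entries.
Aggregation by prefix is one mechanical substitute for the geographic
clue mentioned in the question; it blocks a whole network once several
of its hosts have misbehaved, without needing an external geolocation
source.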