Fly swatter
Sometimes you have a good idea, implement it, and only afterwards realize that the idea has a denial-of-service attack built into it. And you ask yourself: hmm, was it really a good idea?

I then moved away from the old solution and thought about what I could keep and what needed a redesign. The detection side remained intact: requests matching known questionable patterns still trigger the reaction component. The reaction component itself, however, is now built quite differently.

For the first iteration I kept the reaction component very simple¹:

- The source IP is blocked in the firewall for 120 seconds. The rule rejects with a TCP reset rather than dropping the packets.
- I remove the connection from connection tracking via conntrack.
- I terminate the connection via ss.

The first step prevents new connections for 120 seconds, while the other two steps actively sever the existing connection. A false positive no longer leads to blocking access for an entire day. The scanner should know that I don’t want it…
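The three reaction steps above as an added shell example; this is not the post's own script. It assumes nftables as the firewall (the post only says "firewall"), conntrack-tools and iproute2's ss, and the table, chain and set names are made up here. The 120-second block is expressed as a per-element timeout on an nftables set, so nothing has to lift it later.

```sh
#!/bin/sh
# Added example, not the post's own script: the three reaction steps for one
# source address on an nftables host with conntrack-tools and iproute2.
# Table, chain and set names are assumptions; the post does not name them.
BLOCK_SECONDS=120
NFT_FAMILY_TABLE="inet filter"
NFT_SET="swatter"

# One-time setup (assumed, run once as root, not by this script):
#   nft add table inet filter
#   nft add chain inet filter input '{ type filter hook input priority 0; }'
#   nft add set inet filter swatter '{ type ipv4_addr; flags timeout; }'
#   nft insert rule inet filter input ip saddr @swatter meta l4proto tcp reject with tcp reset
# The set's element timeout lifts the block after 120 s without a second job.

# Strict IPv4 check: the address becomes a command argument, so anything that
# is not exactly four octets of 0..255 is refused before any tool is called.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Run a command, or print it when SWATTER_DRY_RUN=1 (used by the checks below).
run() {
  if [ "${SWATTER_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The reaction: refuse new connections for 120 s (reject with TCP reset, not
# drop), forget the flow in conntrack, then kill the established sockets.
swat() {
  valid_ipv4 "$1" || { echo "swat: refusing malformed address: $1" >&2; return 2; }
  run nft add element $NFT_FAMILY_TABLE "$NFT_SET" "{ $1 timeout ${BLOCK_SECONDS}s }"
  run conntrack -D -s "$1"
  # ss -K needs a kernel built with CONFIG_INET_DIAG_DESTROY.
  run ss -K -t dst "$1"
}

[ $# -eq 0 ] || swat "$1"
```

Run as root with the offending address as the only argument; set SWATTER_DRY_RUN=1 to see the commands without executing them.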