Agreed, time to live in the ACL is critical as well .. this is primary to be used to stop sweeps and penetration testing .. We have SNORT deployed now but the process is still manual on the back end and of course does not respond in the time required.
From: Brian R. Watters
Sent: Tuesday, January 18, 2011 1:14 PM
To: Dorn Hetzel
Cc: nanog@nanog.org
Subject: Re: Auto ACL blockerAgreed, time to live in the ACL is critical as well .. this is primary
to be used to stop sweeps and penetration testing .. We have SNORT
deployed now but the process is still manual on the back end and of
course does not respond in the time required.
I suppose you could use tcp wrappers to be creative and launch netcat to "bend" the connection right back to the originator so they spend all their time hacking themselves.