
Jan. 3, 2022
11:12 a.m.
On Mon, 3 Jan 2022 at 15:44, Mike Hammett <voiceops at ics-il.net> wrote:
*nods* being UDP, it could be easy to spoof someone else to get them blocked. When I automated honeypot -> ACL, I shut myself out of Google's authoritative DNS servers, assuming because of spoofing. There could have been more that I didn't even realize.
What's the gain of spoofing/poisoning if you are going to do "allow lists" for all your important IPs and only block on your important ports (SIP etc) with Fail2ban? I suppose, "just because I can".
Gotta protect against that kind of stuff.
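
A sketch of the approach discussed in this message (allow-list the important IPs, block only on the important ports), added here as an example and not part of the original post. The allow-list ranges, the port set and the `build_acl` function are assumptions; all addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumed allow-list: addresses that must never be auto-blocked (upstream DNS,
# SIP trunks, management hosts). Constructed documentation ranges.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:53::/48")]

# Assumed set of service ports that automated blocks are scoped to (SIP here).
PROTECTED_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}


def build_acl(hits):
    """Turn honeypot hits (src_ip, proto, dst_port) into port-scoped block rules.

    Returns (rules, skipped). A source is never blocked when it is allow-listed,
    so a spoofed UDP packet cannot cut off an important peer, and a rule is only
    emitted for a protected port, so a block never affects unrelated traffic.
    """
    rules, skipped = set(), []
    for src, proto, port in hits:
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            skipped.append((src, "unparseable"))
            continue
        if any(ip in net for net in ALLOWLIST):
            skipped.append((src, "allowlisted"))
            continue
        if (proto, port) not in PROTECTED_PORTS:
            skipped.append((src, "unprotected port"))
            continue
        rules.add((str(ip), proto, port))
    return sorted(rules), skipped


# Constructed honeypot hits; the first claims an allow-listed source address.
SAMPLE_HITS = [
    ("192.0.2.53", "udp", 5060),    # allow-listed resolver, possibly spoofed
    ("198.51.100.7", "udp", 5060),  # unknown source probing SIP
    ("198.51.100.7", "udp", 53),    # same source, port outside the protected set
    ("203.0.113.9", "tcp", 5061),   # unknown source probing SIP over TLS
    ("not-an-ip", "udp", 5060),     # malformed log field
]

if __name__ == "__main__":
    rules, skipped = build_acl(SAMPLE_HITS)
    for ip, proto, port in rules:
        print(f"deny {proto} from {ip} to any port {port}")
    for src, reason in skipped:
        print(f"skip {src}: {reason}")
```

Logging the skipped allow-listed hits is worthwhile: a burst of them is a sign that someone is sending spoofed traffic.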