What really confuses me about the net neutrality issue is when telco execs say things like this.

"Now what they would like to do is use my pipes free, but I ain't going to let them do that because we have spent this capital and we have to have a return on it. So there's going to have to be some mechanism for these people who use these pipes to pay for the portion they're using. Why should they be allowed to use my pipes?

The Internet can't be free in that sense, because we and the cable companies have made an investment and for a Google or Yahoo! (YHOO) or Vonage or anybody to expect to use these pipes [for] free is nuts!"

AT&T is a tier-1 network (specifically, AS7018), which means that it connects freely (peers) with other tier-1 networks. Tier 2 networks peer with some networks, but also purchase transit with tier 1 networks, offering money in exchange for the larger network relaying packets to other destinations. Consumers (both individual and business) often purchase bandwidth from tier 3 networks, which are connected to other networks only with transit agreements. Hence, when a company like Yahoo or Google purchases an OC-192 or what-have-you from a second or third tier network (an ISP), part of the money they pay to that ISP is used to purchase transit with larger networks like AT&T.

When Google's packets are routed over AT&T's pipes, those packets are either paid for by the transit agreements tier 2 and tier 3 networks have with AT&T, or come from another tier 1 network. If it comes from a tier 1, the companies have already agreed to peer with one another because to do so significantly extends the capabilities (and therefore the value) of their networks.

In light of this, it seems ridiculous to me that ISPs complain about companies and individuals for using their pipes "for free". It's not free! That's what transit agreements are for. Saying otherwise is asking the end user to pay twice for the same service, and I think that's unfair to networks and consumers alike.

I wrote a quick script to analyze the logs generated by SBLD. You can pull them out of syslog, or (as I'm doing), have your log checker aggregate SBLD events for you. I'm making the statistics for my site available here, as a resource for others.

If you run a server with SSHD exposed to the internet, chances are that server is being scanned for common username and password combinations. These often appear in the authorization log (/var/log/auth.log) as entries like:

Jun 12 13:33:57 localhost sshd[18900]: Illegal user admin from 219.254.25.100
Jun 12 13:37:17 localhost sshd[18904]: Illegal user admin from 219.254.25.100
Jun 12 13:37:20 localhost sshd[18906]: Illegal user test from 219.254.25.100
Jun 12 13:37:22 localhost sshd[18908]: Illegal user guest from 219.254.25.100

Extend that for several hundred lines, and you'll have an idea of what one scan looks like.

Being somewhat opposed to the idea of people clogging my logs with useless information, I wrote a small Perl script to detect these entries in the log file and block the offending source address using iptables. It detects scans within a matter of seconds, and blocks the IP quickly to stop the attack. Blocks are only enabled for a short time--as little as 30 seconds is enough to discourage most automated scanners. SBLD limits the number of simultaneous bans to reduce iptables load and its own resource usage, and gradually decreases the alert level for hosts when no attack is taking place.

With SBLD, the scan is quickly detected and ended.

Jun 17 13:31:58 localhost sshd[3314]: Illegal user test from 209.76.72.12
Jun 17 13:31:59 localhost sshd[3316]: Illegal user test from 209.76.72.12
Jun 17 13:32:00 localhost sshd[3322]: Illegal user tester from 209.76.72.12
Jun 17 13:32:00 localhost sbld[3326]: Blocked 209.76.72.12
Jun 17 13:32:30 localhost sbld[3326]: Unblocked 209.76.72.12

The detection method itself is a simple regex applied to the log file, so it should be fairly easy to extend the daemon to block other kinds of attacks.
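To make the mechanism concrete, here is an added example (my own Python, not SBLD's Perl source) of the same design: a regex over auth.log lines, a per-host alert level that climbs with each "Illegal user" entry and decays by one point per quiet interval, a ban once the level reaches a threshold, a cap on simultaneous bans, and automatic unblocking after the ban window. It also covers the log-analysis script mentioned earlier by summarising SBLD's own Blocked/Unblocked entries. The threshold, decay interval and ban cap are assumed values, not SBLD's; the sample log is constructed around the entries shown above, and the iptables calls are only built as command lines rather than executed so the example runs offline.

```python
"""SBLD-style detector: ban a source after repeated sshd "Illegal user" entries,
lift the ban after a short window, cap simultaneous bans, decay idle alert levels."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
ILLEGAL_RE = re.compile(r"^Illegal user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
BAN_RE = re.compile(r"^(?P<action>Blocked|Unblocked) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_line(line, year=2015):
    """Split a syslog line into (timestamp, program, message); None if it doesn't match.
    Syslog timestamps carry no year, so one is assumed (the constructed sample is dated 2015)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["msg"]


def iptables_rule(ip, add=True):
    """Command line the daemon would run: insert (-I) or delete (-D) a DROP rule for ip."""
    return ["iptables", "-I" if add else "-D", "INPUT", "-s", ip, "-j", "DROP"]


class Detector:
    # threshold/ban_seconds/max_bans/decay_seconds are assumed tunables, not SBLD's defaults.
    def __init__(self, threshold=3, ban_seconds=30, max_bans=16, decay_seconds=300,
                 block=None, unblock=None):
        self.threshold, self.max_bans, self.decay = threshold, max_bans, decay_seconds
        self.ban_for = timedelta(seconds=ban_seconds)
        self.block = block or (lambda ip: None)      # hook: run iptables_rule(ip) here
        self.unblock = unblock or (lambda ip: None)  # hook: run iptables_rule(ip, add=False)
        self.score = {}      # ip -> current alert level
        self.last_seen = {}  # ip -> time of last illegal-user entry
        self.bans = {}       # ip -> expiry time
        self.events = []     # ("block"|"unblock", ip, time), in order

    def tick(self, now):
        """Lift bans whose window has passed (a daemon would also call this on a timer)."""
        for ip, expiry in list(self.bans.items()):
            if expiry <= now:
                del self.bans[ip]
                self.unblock(ip)
                self.events.append(("unblock", ip, now))

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return
        now, prog, msg = parsed
        self.tick(now)
        m = ILLEGAL_RE.match(msg) if prog == "sshd" else None
        if not m:
            return
        ip = m["ip"]
        if ip in self.bans:
            return  # packets are already being dropped; nothing more to learn
        # Alert level decays by one point per `decay` seconds of silence from this host.
        quiet = (now - self.last_seen[ip]).total_seconds() if ip in self.last_seen else 0
        level = max(0, self.score.get(ip, 0) - int(quiet // self.decay)) + 1
        self.score[ip], self.last_seen[ip] = level, now
        if level >= self.threshold and len(self.bans) < self.max_bans:
            self.bans[ip] = now + self.ban_for
            self.score[ip] = 0  # start fresh once the ban is lifted
            self.block(ip)
            self.events.append(("block", ip, now))


def run(lines, **kw):
    """Feed every line of an auth.log excerpt through a Detector and return its events."""
    d = Detector(**kw)
    for line in lines.splitlines():
        d.feed(line)
    return d.events


def ban_stats(lines, year=2015):
    """Summarise SBLD's own Blocked/Unblocked entries: bans per IP and seconds spent blocked."""
    stats, open_bans = {}, {}
    for line in lines.splitlines():
        parsed = parse_line(line, year)
        if parsed is None or parsed[1] != "sbld":
            continue
        ts, _, msg = parsed
        m = BAN_RE.match(msg)
        if not m:
            continue
        entry = stats.setdefault(m["ip"], {"blocks": 0, "seconds_blocked": 0})
        if m["action"] == "Blocked":
            entry["blocks"] += 1
            open_bans[m["ip"]] = ts
        elif m["ip"] in open_bans:
            entry["seconds_blocked"] += int((ts - open_bans.pop(m["ip"])).total_seconds())
    return stats


# Constructed sample: the scan entries from the post plus a normal login and a second source.
SCAN_LOG = """\
Jun 12 13:33:57 localhost sshd[18900]: Illegal user admin from 219.254.25.100
Jun 12 13:37:17 localhost sshd[18904]: Illegal user admin from 219.254.25.100
Jun 12 13:37:20 localhost sshd[18906]: Illegal user test from 219.254.25.100
Jun 12 13:37:22 localhost sshd[18908]: Illegal user guest from 219.254.25.100
Jun 12 13:38:05 localhost sshd[18912]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jun 12 13:40:01 localhost sshd[18915]: Illegal user oracle from 198.51.100.7
"""

# SBLD's own log lines as shown in the post.
SBLD_LOG = """\
Jun 17 13:32:00 localhost sbld[3326]: Blocked 209.76.72.12
Jun 17 13:32:30 localhost sbld[3326]: Unblocked 209.76.72.12
"""

if __name__ == "__main__":
    for action, ip, when in run(SCAN_LOG):
        print(when.strftime("%H:%M:%S"), action, ip, "->",
              " ".join(iptables_rule(ip, add=(action == "block"))))
    print(ban_stats(SBLD_LOG))
```

With the assumed threshold of 3, the scanner is blocked at the third "Illegal user" line (13:37:20), its fourth attempt is ignored because its packets are already dropped, and the ban is lifted the next time the detector sees a line after the 30-second window. Setting `max_bans=0` shows the cap in action: no ban is ever issued, which is the trade-off SBLD makes to keep the iptables rule set small.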

SBLD is still under development, but I'd like to encourage people to try it out and/or offer improvements. I make no guarantees as to the performance, safety, or security of this software. Contact me with feedback.

Files

Copyright © 2015 Kyle Kingsbury.
Non-commercial re-use with attribution encouraged; all other rights reserved.
Comments are the property of respective posters.