On Tue, Sep 15, 2015 at 22:36:27 +0200, butary@gmx.de wrote:
> So I decided to go a controversial way - I installed an IDS/IPS + strong firewall rules. The log file contains a huge amount of rejected traffic. Most of the time, Botnet traffic and shortly rising WordPress attacks.
> I'm not happy with my decision but it smoothed my ISP because they received fewer abuse reports.
You log traffic and block addresses with a firewall based on what the IDS/IPS considers bad? Please stop and consider running a middle relay or bridge instead of logging and breaking connections for clients.
> If someone has a more elegant solution, please advise me.
Try to educate or change ISP. Unfortunately, exits cannot be operated from all networks.
Exit operators could try to maintain an (incomplete) list of addresses that often cause complaints about traffic from exits. They could choose to block them using torrc. Might help a little with the ISP if the complaints do not come repeatedly from the same source. But traffic would move to fewer exits and they would get more complaints. This is probably a bad idea and not a solution. Worse than not running an exit to some destinations from that network? I do not know.
Regards, Johan
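The two configurations the reply weighs against each other, a per-destination reject list in torrc versus simply not exiting, shown as an added torrc example; this is not from either message in the thread, and the rejected address ranges are documentation placeholders standing in for whatever an operator's own complaint list contains.

```conf
## Option A: exit relay with a destination reject list (the approach
## Johan calls "probably a bad idea"). ExitPolicy lines are matched
## first-match, top to bottom, so the rejects must come before accepts.
Nickname      exampleExit          # placeholder
ContactInfo   operator@example.net # placeholder
ORPort        9001
ExitRelay     1
# Placeholder ranges (RFC 5737 documentation space), one per line,
# standing in for destinations that repeatedly generate abuse reports.
ExitPolicy reject 192.0.2.0/24:*
ExitPolicy reject 198.51.100.0/24:*
ExitPolicy reject 203.0.113.10:*
# Then the usual reduced set of services this exit is willing to carry.
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*

## Option B: middle relay only (what the reply recommends for a network
## that cannot tolerate exit traffic). No exit traffic leaves this host,
## so there is nothing to log or firewall on the client side.
# Nickname      exampleMiddle        # placeholder
# ContactInfo   operator@example.net # placeholder
# ORPort        9001
# ExitRelay     0
# ExitPolicy    reject *:*
```

Check the effective policy with `tor --verify-config -f <torrc>` before restarting; a reject list that grows past a handful of lines is a sign the network is not suited to exiting at all, which is the thread's conclusion.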