Blocklist Management
Systems on the UHH network that are the source of massive scanning attacks are automatically blocked. The block takes effect within 15 to 30 minutes after the massive attack from that system begins. The exact duration depends on several parameters over which we have no control. Nor can the start of the attack be determined more precisely, even in retrospect. These systems are placed on the blocklist with the following justification:
Automatic blocking due to massive scanning activity. Severity: xxxx xxx
Here, the first number of the “Severity” indicates the intensity of the attack. Under normal operating conditions, end-user computers have an intensity of less than 50, and heavily used servers have an intensity of less than 1000. A value of 2000 or higher definitely indicates abuse; a value of 4000 or higher indicates massive abuse that is causing disruptions somewhere.
The second number is an indicator of the scan’s quality and must be considered in relation to the intensity. If the quality exceeds 90% of the intensity, it is likely not a scan but another type of abuse. If it lies between 60 and 90%, a very successful scan can be assumed. Scans below 60% are those that simply try every possible option.
Unfortunately, we cannot automatically determine exactly what is happening or what is causing it.
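The two Severity numbers described above can be read mechanically by an administrator whose system appears on the blocklist. The following Python sketch is an added example, not a UHH tool. It assumes both numbers are whitespace-separated integers, and the function names and sample values are constructed for illustration.

```python
import re

# Justification text as shown on the page; integer values are an assumption.
SEVERITY_RE = re.compile(r"Severity:\s*(\d+)\s+(\d+)")


def intensity_band(intensity):
    """Classify the first Severity number using the page's thresholds."""
    if intensity >= 4000:
        return "massive abuse"
    if intensity >= 2000:
        return "abuse"
    if intensity < 50:
        return "normal for an end-user computer"
    if intensity < 1000:
        return "normal for a heavily used server"
    return "no band stated on the page"  # 1000-1999 is not classified there


def quality_band(intensity, quality):
    """Classify the second number relative to the first (integer math, no rounding)."""
    if intensity == 0:
        return "undefined"  # ratio cannot be formed
    if quality * 10 > intensity * 9:  # quality above 90% of intensity
        return "likely another type of abuse, not a scan"
    if quality * 10 >= intensity * 6:  # 60% to 90%
        return "very successful scan"
    return "scan trying every possible option"  # below 60%


def interpret(justification):
    """Parse a blocklist justification and return both readings."""
    match = SEVERITY_RE.search(justification)
    if match is None:
        raise ValueError("no 'Severity: <intensity> <quality>' field found")
    intensity, quality = int(match.group(1)), int(match.group(2))
    return {
        "intensity": intensity,
        "quality": quality,
        "intensity_band": intensity_band(intensity),
        "quality_band": quality_band(intensity, quality),
    }


if __name__ == "__main__":
    prefix = "Automatic blocking due to massive scanning activity. Severity: "
    # Constructed sample values, not taken from real blocklist entries.
    for values in ("4200 1300", "2500 2000", "2100 2050", "1500 400"):
        result = interpret(prefix + values)
        print(values, "->", result["intensity_band"], "/", result["quality_band"])
```

The page gives no interpretation for an intensity between 1000 and 1999, so the sketch reports that range as unclassified instead of guessing.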
Note: Since, in case of doubt, the entire network “behind” a NAT (Network Address Translation) system is blocked, the operation of such NAT systems within the UHH network is discouraged.
Information on unblocking.