Security Basics mailing list archives
DROP vs REJECT Re: Iptables Clues and Advices.
From: "Chris Travers" <chris () travelamericas com>
Date: Thu, 10 Apr 2003 12:32:21 -0700
Hi;

Relevant portions of the email are:

"It seems to me that DROP would be used for creating the appearance that your IP isn't in use. If you are providing no services to the internet, then every port should DROP. However, if you have any service, even just a ssh server, someone portscanning you will know that you're there, and a REJECT would be the correct thing to do."

That is all well and good if you assume that the attacker has unlimited computing resources and is always using the correct address. Of course ICMP-with-host-unreachable is a small packet and unlikely to be useful in a DDOS attack using spoofed source addresses (but the possibility exists, and would be *really* hard to guard against as one does not really want to drop all these upstream). So I think that reject creates an opportunity for DDOS.

Scenario is this: Using some sort of distributed network (trojans, etc.), the attacker generates probes against firewalls which reject packets. These use forged source addresses of the target machine. A large quantity of bandwidth becomes used up upstream by these error messages. Victim has to decide whether to start dropping ICMP packets, which could severely interfere with legitimate traffic, or allow the attack to continue.

The other issue is one of attacker resources. DROP does a better job of increasing the cost to the attacker.

Best Wishes,
Chris Travers
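The two costs Chris weighs (reflected ICMP traffic landing on a spoofed source, and scanner time spent waiting on silence) can be put into numbers with a small model. The following is an added example, not part of the original message or the list archive: it counts the bytes a firewall hands back per probe under DROP, under REJECT, and under REJECT placed behind a rate limit, the latter approximating the iptables pattern of `-m limit --limit 10/s --limit-burst 5 -j REJECT` followed by `-j DROP` for the overflow. The 56-byte reply size is the RFC 792 minimum (IPv4 header, ICMP header, quoted IP header, 8 bytes of the offending datagram); Linux may quote more of the original packet, so treat it as a lower bound. The token bucket is an approximation of the limit match, not the kernel's code, and the probe stream and the address 192.0.2.10 are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed reply size: IPv4 header (20) + ICMP header (8) + quoted IP header (20)
# + first 8 bytes of the offending datagram, the RFC 792 minimum.
ICMP_UNREACH_BYTES = 20 + 8 + 20 + 8  # 56


@dataclass
class Probe:
    t_ms: int    # arrival time, milliseconds (probes are fed in time order)
    src: str     # source address as claimed in the packet; may be forged
    dport: int   # destination port probed


@dataclass
class RejectLimiter:
    """Token bucket approximating `-m limit --limit N/s --limit-burst B`.

    Integer millitokens avoid floating-point drift in the refill math.
    Each allowed reply costs 1000 millitokens; the bucket refills at
    rate_per_s millitokens per millisecond (== rate_per_s tokens/s).
    """
    rate_per_s: int
    burst: int
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst * 1000  # bucket starts full, like -m limit

    def allow(self, t_ms: int) -> bool:
        refill = (t_ms - self.last_ms) * self.rate_per_s
        self.tokens = min(self.burst * 1000, self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def reflected_bytes(policy: str, probes: List[Probe],
                    limiter: Optional[RejectLimiter] = None) -> Dict[str, int]:
    """Bytes the firewall sends back, keyed by the *claimed* source address.

    With forged sources those bytes land on the victim, not the attacker.
    DROP answers nothing. REJECT answers every probe with one ICMP
    host-unreachable. REJECT behind a limiter answers until the bucket is
    empty; the overflow is treated as dropped (the `-m limit -j REJECT`
    followed by `-j DROP` arrangement).
    """
    if policy not in ("DROP", "REJECT"):
        raise ValueError(f"unknown policy {policy!r}")
    sent: Counter = Counter()
    if policy == "DROP":
        return dict(sent)
    for p in probes:
        if limiter is None or limiter.allow(p.t_ms):
            sent[p.src] += ICMP_UNREACH_BYTES
    return dict(sent)


def scanner_wall_time_ms(policy: str, n_probes: int, rtt_ms: int,
                         timeout_ms: int, parallel: int) -> int:
    """Rough time a scanner needs: REJECT answers within one RTT, DROP makes
    each batch of `parallel` probes wait for the scanner's own timeout."""
    batches = -(-n_probes // parallel)  # ceiling division
    per_batch = rtt_ms if policy == "REJECT" else timeout_ms
    return batches * per_batch


def spoofed_flood(n: int, victim: str) -> List[Probe]:
    """Constructed sample: n probes, one per millisecond, all forging `victim`
    (192.0.2.0/24 is the documentation range, so it names no real host)."""
    return [Probe(t_ms=i, src=victim, dport=1024 + i) for i in range(n)]


if __name__ == "__main__":
    victim = "192.0.2.10"
    flood = spoofed_flood(1000, victim)
    print("DROP   ->", reflected_bytes("DROP", flood))
    print("REJECT ->", reflected_bytes("REJECT", flood))
    limited = reflected_bytes("REJECT", flood, RejectLimiter(rate_per_s=10, burst=5))
    print("REJECT + limit 10/s burst 5 ->", limited)
    for pol in ("REJECT", "DROP"):
        print(pol, "scan of 1000 ports ~",
              scanner_wall_time_ms(pol, 1000, 50, 3000, 100), "ms")
```

Run as a script it shows the shape of the trade-off: a thousand forged probes in one second reflect 56000 bytes at the spoofed source under plain REJECT, nothing under DROP, and only 14 replies (784 bytes) once the rate limit is in front of REJECT, while a scanner that gets rejections finishes a thousand ports in a few RTTs instead of waiting out its timeout on every batch. The limited REJECT is the middle ground a defender can take when a service must remain reachable but the firewall should not be turned into a reflector.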