Security Incidents mailing list archives

Re: Port 113 requests?


From: Valdis.Kletnieks () vt edu
Date: Thu, 06 Dec 2001 16:31:34 -0500

On Thu, 06 Dec 2001 13:51:33 MST, "Slighter, Tim" <tslighter () itc nrcs usda gov>  said:
> you really should try and specify that the rule "drops" instead of reject so
> that the potential intruder is not provided with any information about their
> attempted connection.

On the other hand, you have to contrast "potential intruder" with "normal
operations".  The intruders are (by and large) few and far between compared
to the "normal operations" for some things.  I don't even want to *think*
about how many inbound packets our Listserv gets per day on port 113 from
Sendmails that are configured to AUTH-query their inbound connections.

If you *reject*, you send an ICMP Port Unreachable, and the other end
gives up immediately.  If you drop silently, they get to retransmit
their SYN packet again a few times first.

If it's a packet that a *lot* of things do (like AUTH - there's a large
number of Sendmail/Tcp-Wrapper/etc out there that have been set up to
do a port 113 lookup back by default), you may want to reject just so they
know they can give up and continue on whatever regularly scheduled service
was in progress.

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
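
Added example, not part of the original message: a small Python check a firewall operator could run over a SYN log to see how much of the inbound port 113 traffic is retransmission caused by a silent drop rather than distinct lookups. The log format, addresses and the function name ident_retransmit_report are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the post):
#   epoch-seconds  src:sport  dst:dport  flags
SAMPLE_LOG = """\
1007674000 192.0.2.10:40001 198.51.100.5:113 SYN
1007674003 192.0.2.10:40001 198.51.100.5:113 SYN
1007674009 192.0.2.10:40001 198.51.100.5:113 SYN
1007674002 192.0.2.77:51515 198.51.100.5:113 SYN
1007674005 192.0.2.77:51515 198.51.100.5:113 SYN
1007674050 192.0.2.10:40002 198.51.100.5:113 SYN
1007674100 203.0.113.9:33000 198.51.100.5:25 SYN
"""

def ident_retransmit_report(log_text, port=113):
    """Summarise SYNs to `port`, separating new attempts from retransmits.

    A repeated SYN with the same source address, source port and destination
    is treated as a retransmission of one connection attempt, which is what a
    client does when its first SYN is dropped without any reply.
    Simplification: source-port reuse over long periods is not handled.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "SYN":
            continue  # skip blank or malformed lines and non-SYN packets
        ts, src, dst, _flags = fields
        if dst.rsplit(":", 1)[1] != str(port):
            continue  # only the port under review
        flows[(src, dst)].append(int(ts))

    packets = sum(len(times) for times in flows.values())
    attempts = len(flows)
    # Longest time any single attempt kept retrying before its last logged SYN.
    longest = max((max(t) - min(t) for t in flows.values()), default=0)
    return {
        "packets": packets,
        "attempts": attempts,
        "retransmits": packets - attempts,
        "longest_retry_span_s": longest,
    }

if __name__ == "__main__":
    print(ident_retransmit_report(SAMPLE_LOG))
```

A high ratio of retransmits to attempts on port 113 is the cost of dropping that the message describes; with a reject rule each attempt would appear once.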
