Security Basics mailing list archives

DROP vs REJECT Re: Iptables Clues and Advices.


From: "Chris Travers" <chris () travelamericas com>
Date: Thu, 10 Apr 2003 12:32:21 -0700

Hi;

Relevant portions of the email are:
"It seems to me that DROP would be used for creating the appearance that
your IP isn't in use. If you are providing no services to the internet,
then every port should DROP.

However, if you have any service, even just a ssh server, someone
portscanning you will know that you're there, and a REJECT would be
the correct thing to do."

That is all well and good if you assume that the attacker has unlimited
computing resources and is always using the correct address.  Of course
ICMP-with-host-unreachable is a small packet and unlikely to be useful in a
DDOS attack using spoofed source addresses (but the possibility exists, and
would be *really* hard to guard against as one does not really want to drop
all these upstream).  So I think that reject creates an opportunity for
DDOS.

Scenario is this:  Using some sort of distributed network (trojans, etc.),
the attacker generates probes against firewalls which reject packets.  These
use forged source addresses of the target machine.  A large quantity of
bandwidth becomes used up upstream by these error messages.  Victim has to
decide whether to start dropping ICMP packets, which could severely interfere
with legitimate traffic, or allow the attack to continue.

The other issue is one of attacker resources.  DROP does a better job of
increasing the cost to the attacker.

Best Wishes,
Chris Travers

