PaulDotCom mailing list archives

Drop or rst?


From: bcg at struxural.com (Ben Greenfield)
Date: Wed, 7 Oct 2009 15:53:06 -0400

I agree with Brett and Ron: to an attacker / pen tester, a silently dropped
packet doesn't offer much.  A reset packet is a lot more indicative that
some processing occurred.

On Wed, Oct 7, 2009 at 2:52 PM, Brett Hoff <bhoff at itworldclass.com> wrote:

 I also like to drop silently.

I have built and monitor over 100 firewalls and almost always choose this
option.


Brett Hoff
RHCT, Linux +, Security+
Senior Security and Linux instructor
Senior IT Security Engineer
*GCFA* "Certified Forensics Analyst"
Antler Computer Consulting
Antler, Inc.
We do IT World Class!
850-857-7707
itworldclass.com


------------------------------
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Norman Rach
Sent: Wednesday, October 07, 2009 11:39 AM
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] Drop or rst?

Hi Everyone,

I'm currently in a discussion about our current ruleset for iptables:
whether to be RFC compliant and issue a RST to those scanning/connecting to
undesired ports, or to drop the packet completely.  By sending a RST back to
the host, aren't we letting the srcIP know that the traffic
successfully arrived at the host without being intercepted by a network
appliance (i.e. IDS/IPS, firewall, etc.)?

As far as I can tell this seems to be more of a discussion on one's own
security posture preference.  Any feedback is appreciated.

Cheers!
NR
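
An added example, not part of the thread or any poster's ruleset: a small Python audit that reads `iptables-save` output and reports, for each refusing rule, what the remote sender observes (silence, a TCP RST, or an ICMP error). The sample ruleset and the function names `response` and `audit` are constructed for illustration.

```python
import shlex

# Constructed iptables-save sample; not taken from the thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT
COMMIT
"""

def response(tokens):
    """Map a rule's target to what the remote sender observes."""
    target = tokens[tokens.index("-j") + 1]
    if target == "DROP":
        return "silent"
    if target == "REJECT":
        # iptables defaults to icmp-port-unreachable when --reject-with is absent
        if "--reject-with" in tokens:
            how = tokens[tokens.index("--reject-with") + 1]
        else:
            how = "icmp-port-unreachable"
        return "rst" if how == "tcp-reset" else how
    return None  # ACCEPT, LOG, user chains: not a refusal

def audit(ruleset, chain="INPUT"):
    """Return (refusing rules with their visible response, chain policy)."""
    policy, findings = None, []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if line.startswith(f":{chain} "):
            policy = tokens[1]
        elif tokens[:2] == ["-A", chain] and "-j" in tokens:
            seen = response(tokens)
            if seen:
                findings.append((line, seen))
    return findings, policy

if __name__ == "__main__":
    findings, policy = audit(SAMPLE)
    for rule, seen in findings:
        print(f"{seen:22} {rule}")
    print(f"{'silent' if policy == 'DROP' else policy:22} (chain policy)")
```

Traffic that matches no rule falls through to the chain policy, so a `DROP` policy is the silent behaviour the replies prefer, while an explicit `REJECT --reject-with tcp-reset` rule is the RST behaviour the original question asks about.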
