PaulDotCom mailing list archives

Drop or rst?


From: nils at hemmann.de (Nils)
Date: Thu, 08 Oct 2009 14:23:31 +0200

I totally agree when you don't need to do connectivity troubleshooting
on a frequent basis.
But in our test plant environment RSTs come in handy when we
troubleshoot remote connections going through several firewalls.

Nils

Butturini, Russell wrote:

+1 for the opinions expressed so far.  Most commercial firewalls even
have a "stealth mode" type feature that turns this sort of
functionality on for you.

------------------------------------------------------------------------

*From:* pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Ben
Greenfield
*Sent:* Wednesday, October 07, 2009 2:53 PM
*To:* PaulDotCom Security Weekly Mailing List
*Subject:* Re: [Pauldotcom] Drop or rst?

I agree with Brett and Ron, to an attacker / pen tester a silently
dropped packet doesn't offer much.  A reset packet is a lot more
indicative that some processing occurred. 

On Wed, Oct 7, 2009 at 2:52 PM, Brett Hoff <bhoff at itworldclass.com> wrote:

I also like to drop silently.

I have built and monitor over 100 firewalls and almost always choose
this option.

Brett Hoff

RHCT, Linux +, Security+

Senior Security and Linux instructor

Senior IT Security Engineer

*GCFA* "Certified Forensics Analyst"

Antler Computer Consulting

Antler, Inc.

We do IT World Class! 

850-857-7707

itworldclass.com <http://itworldclass.com>

------------------------------------------------------------------------

*From:* pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Norman
Rach
*Sent:* Wednesday, October 07, 2009 11:39 AM
*To:* pauldotcom at mail.pauldotcom.com
*Subject:* [Pauldotcom] Drop or rst?

Hi Everyone,

I'm currently in a discussion about our current ruleset for iptables.
Whether to be RFC compliant and issue a RST to those
scanning/connecting to undesired ports or to drop the packet
completely.  By sending a RST back to the host aren't we letting the
srcIP know that the traffic successfully arrived at the host without
being intercepted by a network appliance (i.e. IDS/IPS, firewall, etc)?

As far as I can tell this seems to be more of a discussion on one's
own security posture preference.  Any feedback is appreciated.

Cheers!
NR

------------------------------------------------------------------------


__________ Information from ESET NOD32 Antivirus, version of virus
signature database 4487 (20091007) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

------------------------------------------------------------------------

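The choice Norman asks about, and the troubleshooting need Nils raises, come down to a few lines of iptables. The script below is an added example for this archive page, not a ruleset posted by anyone in the thread. It builds the two policies under discussion (silent DROP versus REJECT with a TCP reset) and a hybrid that answers RSTs only to a trusted troubleshooting range. The published services (22/tcp and 443/tcp), the `10.20.0.0/16` trusted range and the `fw-policy.sh` file name are assumptions made for illustration; the iptables targets and match options themselves are standard.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): the two iptables
# policies under discussion, DROP versus REJECT with a TCP reset, plus a
# hybrid that sends RSTs only to a trusted troubleshooting range.
# Assumptions: the allowed services (22/tcp, 443/tcp) and the trusted
# range 10.20.0.0/16 are made up for illustration. Nothing is applied
# unless APPLY=1; by default each rule is only echoed for review.

IPT="${IPT:-iptables}"
TRUSTED_NET="${TRUSTED_NET:-10.20.0.0/16}"

# run: echo the iptables command, or execute it when APPLY=1 (as root)
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Rules every variant shares: flush INPUT, allow loopback, allow replies
# to flows we opened, and accept the two published services.
common_rules() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp --dport 22 -j ACCEPT
    run -A INPUT -p tcp --dport 443 -j ACCEPT
}

# Variant 1: silent drop. A SYN to any other port gets no answer at all,
# so a SYN scan times out and reports the port as "filtered"; the
# scanner cannot tell a firewall from a host that is not there.
drop_policy() {
    run -P INPUT DROP
    common_rules
    run -A INPUT -j DROP
}

# Variant 2: RFC-style reject. The kernel answers TCP probes with a RST
# and everything else with ICMP port-unreachable, so a SYN scan shows
# the port as "closed": the scanner now knows a live stack processed
# its packet. The DROP policy stays as a safety net in case a rule fails.
reject_policy() {
    run -P INPUT DROP
    common_rules
    run -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    run -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Variant 3: hybrid. Only the trusted troubleshooting range gets RSTs,
# so connection tests from there fail fast instead of hanging until a
# timeout; every other source is dropped silently.
hybrid_policy() {
    run -P INPUT DROP
    common_rules
    run -A INPUT -s "$TRUSTED_NET" -p tcp -j REJECT --reject-with tcp-reset
    run -A INPUT -j DROP
}

# Print all three rulesets for review, or one of them by name:
#   sh fw-policy.sh hybrid            (review only)
#   APPLY=1 sh fw-policy.sh hybrid    (install, as root)
case "${1:-}" in
    drop)   drop_policy ;;
    reject) reject_policy ;;
    hybrid) hybrid_policy ;;
    *)      for p in drop reject hybrid; do
                echo "## $p"
                "${p}_policy"
            done ;;
esac
```

To see the difference the thread is arguing about, SYN-scan the host from outside the trusted range (for example `nmap -sS -Pn -p 22,443,8080 <host>`): under the drop policy 8080 comes back "filtered", under the reject policy it comes back "closed", and under the hybrid it is "closed" only when the scan originates from `TRUSTED_NET` and "filtered" from anywhere else. Note that REJECT still costs the host a reply packet per probe, so on an exposed interface the drop variants also avoid turning the firewall into a reflector.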