Re: Port 113 requests?
From: Valdis.Kletnieks@vt.edu Date: 12/06/01
- Previous message: Mario van Velzen: "Thread "Port 113 requests?""
- In reply to: Slighter, Tim: "RE: Port 113 requests?"
- Next in thread: Chris Keladis: "RE: Port 113 requests?"
To: "Slighter, Tim" <tslighter@itc.nrcs.usda.gov>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 06 Dec 2001 16:31:34 -0500
On Thu, 06 Dec 2001 13:51:33 MST, "Slighter, Tim" <tslighter@itc.nrcs.usda.gov> said:
> you really should try and specify that the rule "drops" instead of reject so
> that the potential intruder is not provided with any information about their
> attempted connection.
On the other hand, you have to contrast "potential intruder" with "normal
operations". The intruders are (by and large) few and far between compared
to the "normal operations" for some things. I don't even want to *think*
about how many inbound packets our Listserv gets per day on port 113 from
Sendmails that are configured to AUTH-query their inbound connections.
If you *reject*, you send an ICMP Port Unreachable, and the other end
gives up immediately. If you drop silently, they get to retransmit
their SYN packet again a few times first.
If it's a packet that a *lot* of things do (like AUTH - there's a large
number of Sendmail/Tcp-Wrapper/etc out there that have been set up to
do a port 113 lookup back by default), you may want to reject just so they
know they can give up and continue on whatever regularly scheduled service
was in progress.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
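The client-side view of the trade-off Valdis describes, as an added example that is not part of the thread: a small RFC 1413 ident (port 113) lookup that distinguishes a peer that rejects (the connect fails at once with ECONNREFUSED, whether by TCP RST or ICMP port unreachable) from one that silently drops (the connect stalls until our own timeout). The two-second timeout, the parser and the constructed local ident daemon used by `demo()` are assumptions for illustration.

```python
import socket
import threading

IDENT_PORT = 113  # ident/AUTH, RFC 1413


def ident_query(host, server_port, client_port, timeout=2.0, ident_port=IDENT_PORT):
    """Ask host's ident daemon who owns the TCP pair <server_port, client_port>.
    Returns (status, detail):
      ("ok", userid)    answered with a USERID line
      ("error", token)  answered with an ERROR line (e.g. NO-USER)
      ("refused", None) immediate refusal: closed port or a firewall REJECT,
                        so the caller can carry on at once
      ("timeout", None) no answer within `timeout` seconds (assumed value):
                        what a silent firewall DROP looks like to the client
    """
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            reply = s.recv(1024).decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    return parse_ident_reply(reply)


def parse_ident_reply(reply):
    """Parse '<ports> : USERID : <opsys> : <userid>' or '<ports> : ERROR : <token>'."""
    fields = [f.strip() for f in reply.split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        return ("ok", ":".join(fields[3:]))  # user ids may themselves contain ':'
    if len(fields) >= 3 and fields[1] == "ERROR":
        return ("error", fields[2])
    return ("error", "MALFORMED")


def _serve_one(listener, reply):
    """Constructed stand-in for an ident daemon: answer a single request with `reply`."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(1024)
        conn.sendall(reply.encode("ascii"))
    listener.close()


def demo():
    """Query a constructed local daemon, then a closed port; returns both outcomes."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_one, args=(listener, "25, 40001 : USERID : UNIX : alice\r\n"), daemon=True).start()
    answered = ident_query("127.0.0.1", 25, 40001, ident_port=port)
    probe = socket.socket()  # grab a free port, then close it so it refuses connections
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    refused = ident_query("127.0.0.1", 25, 40001, ident_port=closed_port)
    return answered, refused


if __name__ == "__main__":
    print(demo())  # (('ok', 'alice'), ('refused', None))
```

A dropping peer cannot be shown offline, but its cost is the `timeout` branch: every lookup against it costs the full timeout instead of a single round trip.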