Re: weird scans from port 80

From: Tim Haynes
Date: Sun, 19 Jan 2003 22:05:58 +0000

Kasper Dupont writes:

> Steve Webster wrote:
>> Kasper Dupont wrote:
>> > From RFC 793 page 36:
>> >
>> > As a general rule, reset (RST) must be sent whenever a segment arrives
>> > which apparently is not intended for the current connection.
>> >
>> I'm not going to let a "general" rule determine how I respond to
>> unauthorised attempts to access my servers.
> What part of the word must is difficult to understand?

I think the part that doesn't look like "MUST" is easily missed.

In your rather illogical and unhelpful rant here, you totally miss a few
important facts: we are talking *firewalling* here, so "general rules" may
very well be said not to apply. Not to mention, the reason for using DROP
instead of REJECT is that you will know exactly what the other box is doing
by checking the intervals between packets, whereas with reject you don't
know whether your rejection foiled them or they were just emitting a single
packet to scan you.

It is a basic matter of common sense that
a) the context-lacking RFC snippet you quote is non-authoritative here;
b) it fails to take individual circumstances and considerations into
c) an attempt to regulate others' firewalling policies stinks;
d) a measure such as this that actively mandates shooting yourself in the
balls as a response to a DDoS attempt is utterly brainless bureaucracy for
the sake of it.

Away with your trollish tripe! Make a useful attempt to answer the OP's
question or hold your peace.


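Added example, not part of the thread: a small defender-side script that applies the point above about DROP. When a SYN is silently dropped, a real TCP stack retransmits it from the same source port with roughly doubling intervals, whereas a single-packet scanner never retransmits, so the gaps between log entries separate the two. The iptables LOG lines and addresses are constructed, and the 1.5x-2.5x backoff window is an assumption, not a value from the thread.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample of iptables LOG output (not from the original thread):
# a scanner emitting one SYN per port, and a host whose TCP stack keeps
# retransmitting its SYN with exponential backoff because the firewall DROPs it.
SAMPLE_LOG = """\
Jan 19 21:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 19 21:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=8080 SYN
Jan 19 21:40:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 SYN
Jan 19 21:40:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 SYN
Jan 19 21:40:14 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 SYN
Jan 19 21:40:26 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Group SYN log lines by (src, spt, dpt): a retransmission reuses the source port."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        flows[(m.group("src"), int(m.group("spt")), int(m.group("dpt")))].append(ts)
    return flows

def classify(timestamps):
    """'single-probe': one packet. 'stack-retransmit': each gap is 1.5x-2.5x the
    previous one (assumed backoff window), as a real TCP stack behaves when its
    SYN gets no answer. Anything else, including only two packets: 'irregular'."""
    if len(timestamps) < 2:
        return "single-probe"
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) >= 2 and all(1.5 * g0 <= g1 <= 2.5 * g0 for g0, g1 in zip(gaps, gaps[1:])):
        return "stack-retransmit"
    return "irregular"

def classify_log(text):
    return {flow: classify(sorted(ts)) for flow, ts in parse_log(text).items()}

if __name__ == "__main__":
    for flow, verdict in classify_log(SAMPLE_LOG).items():
        print(flow, verdict)
```

With REJECT in place of DROP the remote stack receives a RST and stops after the first packet, so this timing signal only exists when the firewall stays silent.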