Re: weird scans from port 80

From: Kasper Dupont (
Date: 01/20/03

From: Kasper Dupont <>
Date: Mon, 20 Jan 2003 09:34:32 +0100

Tim Haynes wrote:
> Kasper Dupont <> writes:
> > Steve Webster wrote:
> >>
> >> Kasper Dupont wrote:
> >> > From RFC 793 page 36:
> >> >
> >> > As a general rule, reset (RST) must be sent whenever a segment arrives
> >> > which apparently is not intended for the current connection.
> >> >
> >>
> >> I'm not going to let a "general" rule determine how I respond to
> >> unauthorised attempts to access my servers.
> >
> > What part of the word must is difficult to understand?
> I think the part that doesn't look like "MUST" is easily missed.
> In your rather illogical and unhelpful rant here, you totally miss few
> important facts: we are talking *firewalling* here, so "general rule"s may
> very well be said not to apply.

The RFCs still apply. I don't understand why some people think calling a
box a firewall gives them the right to violate the rules.

> Not to mention, the reason for using DROP
> instead of REJECT is that you will know exactly what the other box is doing
> by checking the intervals between packets, whereas with reject -you don't
> know whether your rejection foiled them or they were just emitting a single
> packet to scan you.

What do you want to know, and why? Does your curiosity justify violations
of the TCP RFC? If you want to detect a scan you should rather give the
scanner the expected answers, and not watch the packets arriving on a
single host, but rather all packets entering the network through the

> It is a basic matter of common sense that
> a) the context-lacking rfc snippet you quote is non-authoritative here;

RFCs are authoritative. And if you need more context read the RFC.

> b) it fails to take individual circumstances and considerations into
> account;

Are you the kind of person thinking that rules only applies to
everybody else except from yourself?

> c) an attempt to regulate others' firewalling policies stinks;

I'm not attempting to regulate anybodys firewall policy. I just
say they must obey the RFC. Firewalls violating the RFC stinks.

> d) a measure such as this that actively mandates shooting yourself in the
> balls as a respsonse to a ddos attept is utterly brainless beaurocracy for
> the sake of it.

If you care about DoS attacks impose a limit on the rate of

> Away with your trollish tripe! Make a useful attempt to answer the OP's
> question or hold your peace.

I have given a very thoroughly description of what I think the
problem is, and what can be done about it. In this case the
solution to the problem is to obey the RFC.

I have a problem seeing the morality in your suggestions about
violating the RFC just to see what your party is going to do
in that case.

Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use