Re: highly secure live CD distro
From: Michael Zawrotny (zawrotny_at_sb.fsu.edu)
Date: 23 Feb 2005 22:01:30 GMT
Moe Trin <firstname.lastname@example.org> wrote:
> Michael Zawrotny wrote:
> >DROPing saves the outgoing packets, but is not compliant with the
> >various RFCs, and therefore technically results in a host with
> >"broken" networking.
> It also triples the amount of wasted inbound packets. TCP/IP works
> on making an unreliable connection reliable. It does this by
> retrying to send packets that appear to have fallen through the
> cracks in the cloud.
Good point, I hadn't thought of that. On the other hand, how much
unsolicited incoming traffic should a home user expect?
I don't know how the worms or exploit kits work, but I just tried
a single port (without ping) nmap run from my workstation to my
laptop (nmap -P0 -p 22 laptop) and tcpdump only reported two SYN
packets sent. So for nmap at least, it's a toss-up: one incoming and
one outgoing icmp versus two incoming.
> I've heard that some consumer grade firewalls (read windoze personal garbage)
> have suggested sending a 3/1 back as a smoke screen. This neglects the rather
> obvious fact that the source address in the ICMP packet is the original
> destination... but no one would notice that, right? ;-)
Nobody but us I guess.
> >That is why I suggested DROP for the OP. For a different situation, I
> >would have said REJECT.
> Some windoze worms try a ping (ICMP 8) first, to see if the host is up
> before they try to connect via TCP. However, this may just be one of the
> thousands of different windoze worm kits.
Right, but the question then becomes whether or not the worm skips
non-pingable hosts. If it skips them, there is no additional cost
in dropping ping packets. If you don't want to be pinged you can't
send a host-unreachable as we agreed above (unless you are upstream).
--
Michael Zawrotny
Institute of Molecular Biophysics | email: email@example.com
Florida State University | phone: (850) 644-0069
Tallahassee, FL 32306-4380
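As an added illustration of the DROP-versus-REJECT packet accounting discussed in this thread (example code, not from the original post or its authors): a small Python parser over constructed tcpdump-style lines from a single-port probe like the `nmap -P0 -p 22` test above, counting how many SYNs the prober sent and whether the target ever answered. The addresses, timestamps and ICMP text are constructed approximations of tcpdump output, not real capture data.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture) modelling one
# "nmap -P0 -p 22" probe against a host whose firewall DROPs (silent,
# so the prober retransmits) versus one that REJECTs (one reply, no retry).
DROP_CAPTURE = """\
22:01:30.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 5840, length 0
22:01:31.000200 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 5840, length 0
"""
REJECT_CAPTURE = """\
22:01:40.000100 IP 10.0.0.5.40002 > 10.0.0.9.22: Flags [S], seq 7, win 5840, length 0
22:01:40.000150 IP 10.0.0.9 > 10.0.0.5: ICMP host 10.0.0.9 unreachable, length 36
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP .*unreachable")


def classify_probe(capture):
    """Per (prober, target, port): SYNs sent by the prober and replies
    (TCP RST or ICMP unreachable) sent back by the target."""
    flows = defaultdict(lambda: {"syn": 0, "reply": 0})
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if "S" in flags and "." not in flags:      # bare SYN: new or retried probe
                flows[(src, dst, int(dport))]["syn"] += 1
            elif "R" in flags:                          # RST from target (REJECT tcp-reset)
                flows[(dst, src, int(sport))]["reply"] += 1
            continue
        m = ICMP_RE.search(line)
        if m:
            icmp_src, icmp_dst = m.groups()             # target -> prober
            for (psrc, pdst, _), st in flows.items():
                if psrc == icmp_dst and pdst == icmp_src:
                    st["reply"] += 1
    return dict(flows)


def infer_policy(stat):
    """Guess the target's firewall policy from one flow's counts."""
    if stat["reply"] > 0:
        return "REJECT"          # answered: 1 inbound SYN + 1 outbound reply
    if stat["syn"] > 1:
        return "DROP"            # silence: prober retransmitted, all inbound
    return "unknown"
```
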