Re: iptables: DROP or REJECT?

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 10/07/05
Date: Fri, 07 Oct 2005 15:02:34 -0500

In the Usenet newsgroup comp.os.linux.security, in article
<slrndkcsus.nsp.zawrotny@localhost.localdomain>, Michael Zawrotny wrote:

>It's not quite that simple. The tcp stack on the sender's machine may
>wait, then send another syn packet, and possibly repeat several times.
>In that case DROP may actually increase the incoming traffic.

Agreed. There is one advantage of DROP over REJECT. The remote host
can't fingerprint (identify the O/S of) a system that isn't responding.
The other minor advantage of dropping incoming (unrelated) UDP to
ports 1025-1030 or so (windoze messenger spam) is that these packets
are often using forged IP source addresses, and your ICMP Port Unreachable
is wasted bandwidth (goes to the wrong host, or is ignored because the
packets have already been delivered). For those of you in network
admin, port shifting OUTGOING UDP (almost always DNS queries) out of
the range 1025 - 1050 (or something) allows your upstream to block
INCOMING UDP to that range as almost certainly undesired crap.

>In addition to the suggestions from other posters, you can keep
>traffic down and minimize your profile by using REJECT with a "host
>unreachable" type instead of the default "port unreachable". By doing
>that it makes the sender think that either there is no machine there,
>or that it is down completely.

This has to be done on the router in front of the host being "attacked".
Otherwise you wind up with the rather st00pid situation of the "Host
Unreachable" message coming _from_ the unreachable host:

 192.0.2.10 -> 198.18.10.20: Hello SSH daemon
 198.18.10.20 -> 192.0.2.10: Sorry - host 198.18.10.20 does not exist.

Some of the suppliers of the windoze personal firewalls have tried to
adopt this technique, and can't understand why the same remote host keeps
trying to connect. A lot of people seem to forget that the specific code
returned in the ICMP Type 3 message means very little to the worm or trojan
that is attempting to connect, but the obvious inconsistency is easy to
spot.

>That of course is not true if you allow ping through and they use that
>to test first.

If you are going to 'DROP' or 'Host Unreachable' anything, you have to
do exactly the same for all ports, and all 139 protocols that are defined
(and the other 117 undefined) in an IP packet. And that includes 113/tcp
which might have an effect on your users who try to connect to some server
that is configured to require a response (either a REJECT or a "valid"
response) before proceeding. You _can_ configure things such that 113/tcp
"works" for specific hosts, or in specific states if needed.

        Old guy
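One way to put the last paragraph into an actual ruleset, as an added example that is not from the original thread or its authors: unsolicited inbound traffic is dropped uniformly by the INPUT policy, 113/tcp alone gets an immediate TCP RST so servers that insist on an ident answer do not stall your users' connections, and a small lint function flags the inconsistency described above (a "host unreachable" sent by the very host it claims does not exist). The interface name `eth0` is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an iptables-restore
# fragment and checks it for the self-contradicting host-unreachable case.
WAN_IF="${WAN_IF:-eth0}"   # assumption: external interface name

# Emit the rules on stdout; on a real host pipe them into `iptables-restore`.
emit_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ident: answer with a plain RST so a server doing an ident lookup on our
# outbound connection gets "closed port" at once instead of timing out.
# A RST is what a live host with no identd would send anyway, so it leaks
# nothing beyond "host is up", which the server already knows.
-A INPUT -i $WAN_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Everything else falls through to the DROP policy: same treatment for
# every port and protocol, no ICMP aimed at possibly forged sources.
COMMIT
EOF
}

# Return 1 if any INPUT rule would have this host itself send ICMP
# host/net-unreachable (only a router in front of the host can do that
# consistently); return 0 otherwise.  $1 is ruleset text in save format.
lint_input_rules() {
  bad=$(printf '%s\n' "$1" \
        | grep -E '^-A INPUT .*--reject-with icmp-(host|net)-unreachable' \
        || true)
  if [ -n "$bad" ]; then
    printf 'host-unreachable sent by the host itself:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Stand-alone use: print the ruleset only if it passes the lint.
lint_input_rules "$(emit_rules)" && emit_rules
```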
