[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

On Mon, 2005-05-09 at 11:58, James Baldwin wrote:
> On May 9, 2005, at 11:02 AM, Jonathan Rickman wrote:
> 
> 
> > DROP is better for keeping your ruleset hidden, but REJECT is better
> > for ridding yourself of broken clients, dhcp related drag connections,
> > and other bandwidth sucking nonsense. DROP is the proper choice in
> > 99.9% of situations.
> >
> 
> I'd recommend rejecting with TCP RST and ICMP port unreachable when  
> possible. Adhering to RFC 793 does not increase your risk  
> significantly and, as you stated, can properly aid in "ridding  
> yourself of broken clients".
> 
> The risk associated with this is that a port scan can sweep your  
> ports that much quicker as you are actively replying and informing  
> the scanner that the ports are not accepting traffic rather than  
> waiting for it to timeout. Even taking this into account, I recommend  
> reseting the connections properly. An attacker who is specifically  
> targeting your system will locate the services you are offering  
> regardless of DROP. An automated attacker will not care that he's  
> increased your scanning time.
> 
> If I recall correctly, even set on low sneaky settings, nmap will  
> only scan a small number of ports concurrently. Setting DROP causes  
> these scans to take a much longer time, sometimes spanning days if  
> they scan the full range of available ports. If one were to, instead,  
> REJECT this would happen much quicker. This would allow you to  
> quickly alarm or dynamically respond to a scanning host without  
> keeping state on as many concurrent connections. For instance, you  
> could quickly dynamically update your rules and REJECT or DROP all  
> connections from a specific host which incurs too many TCP RST/ICMP  
> unreachables.
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
&gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00138" href="msg00138.html">[ale] nmap and REJECT rules</a></strong>
<ul><li><em>From:</em> jbaldwin at antinode.net (James Baldwin)</li></ul></li>
<li><strong><a name="00139" href="msg00139.html">[ale] nmap and REJECT rules</a></strong>
<ul><li><em>From:</em> kaboom at oobleck.net (Chris Ricker)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00118" href="msg00118.html">[ale] nmap and REJECT rules</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00120" href="msg00120.html">[ale] nmap and REJECT rules</a></strong>
<ul><li><em>From:</em> jrickman at gmail.com (Jonathan Rickman)</li></ul></li>
<li><strong><a name="00130" href="msg00130.html">[ale] nmap and REJECT rules</a></strong>
<ul><li><em>From:</em> jbaldwin at antinode.net (James Baldwin)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00131.html">[ale] Screen Backgrounds</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00133.html">[ale] U.S. National Identity Cards All But Law</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00130.html">[ale] nmap and REJECT rules</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00138.html">[ale] nmap and REJECT rules</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00132"><strong>Date</strong></a></li>
<li><a href="threads.html#00132"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>