On Thu, May 09, 2002 at 06:54:23PM +0200, Tony Earnshaw wrote:
> > OK. As long as you don't let anybody in, it's OK. Now, the diff
> > between DROP and REJECT (either with ICMP or whatever) is that:
> >
> > 1) You'll be exposed for OS finger print.
>
> I'm exposed to it anyway, I can (and do use nmap), next:

So use stateful filtering, and drop TCP "new but not SYN" packets. It
won't make it impossible, but it'll be significantly more difficult.

> > 2) You'll use up your uplink bandwidth.
>
> Not much, no. Next:

If you are getting SYN-flooded, all those RSTs you're throwing back
will eat some bandwidth.

> > 3) In some cases, you don't want to be polite and have the client
> > break out of its waiting...
>
> No. Port unreachable is port unreachable, reset is reset. Next:

He's not talking about the difference between an ICMP-port-unreachable
reply and a TCP-reset reply, smart guy. He's talking about responding
to something that came into a port that you don't wish to talk on, and
deciding whether you want to keep saying "no, I don't want to talk to
you, go away" (REJECT) versus dropping the packets on the floor,
pretending like nothing happened (DROP). And Joe's remark about
ICMP-port-unreachable being non-RFC compliant was correct, even if it
wasn't specifically in answer to your question.

> > 4) I've seen cases in the past that the spoofed syns had caused
> > major traffic on the uplink: syn, reset, icmp(network unreach)
> > are the minimum packet exchange, all on your uplink.
>
> Convincing. But the b*gg*r knows I'm there anyway.

Not if you don't answer. If someone knocks on your door, and you don't
answer it, do they know you're there? No.

> How could he spoof syns? Apart from syn floods from others? What would
> he be doing with syns on UDP ports? What about my syn flood rule?

ICMP network unreachable would be the response to a RST you'd try to
throw back in response to that spoofed SYN - if the spoofed source IP
doesn't really exist anyplace, that's what you'll be getting back, if
you get anything at all. UDP doesn't have any concept of SYN, because
it's a connectionless datagram-oriented protocol. Once you're root (or
the equivalent), spoofing SYN packets is pretty easy (esp. if your
attacker's upstream routers are lax about what they allow through).

> Come off it Ramin, you can do better. I've seen your real venom, "bit
> buckets" and such for people who you don't like.

Sorry, but you need to more clearly phrase your questions. Don't blame
people who are trying to help for your wording - that's your own
problem.

-- 
Derrik Pates        | Sysadmin, Douglas School | #linuxOS on EFnet
[EMAIL PROTECTED]   | District (dsdk12.net)    | #linuxOS on OPN
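As an added illustration (not part of this thread), here is a minimal iptables-restore ruleset that implements the advice above: stateful filtering, a DROP default policy instead of REJECT, and silently dropping TCP packets that claim to be NEW but do not carry a bare SYN. The interface name and the service ports (22 and 80) are assumed for the example.

```iptables
*filter
# Default to DROP: an unanswered packet sends no RST and no ICMP
# unreachable, so nothing goes back out the uplink (points 2 and 4).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback is always fine.
-A INPUT -i lo -j ACCEPT

# Stateful: let replies to connections we opened ourselves back in.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# "New but not SYN": a TCP packet that is not part of a known
# connection and is not a plain SYN has no business starting one.
# Drop it on the floor rather than answering (point 1: less for a
# fingerprinter to work with).
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# The services this host actually offers (assumed ports).
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

# The "polite" alternative the thread argues against. Left here,
# disabled, only to show the contrast: every probe to a closed port
# would get a RST (or an ICMP unreachable) back on your uplink.
# -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# Everything else falls through to the DROP policy above.
COMMIT
```

Load it with `iptables-restore < ruleset` and check the counters with `iptables -L INPUT -v -n`: the DROP rule for non-SYN NEW packets and the chain policy counter show what is being silently discarded.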
