Gentoo Archives: gentoo-security

From: Daniel Privratsky <dsokrates@××××××.cz>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 19:11:37
Message-Id: 3FFDA83C.7060407@seznam.cz
In Reply to: Re: [gentoo-security] firewall suggestions? by Alexander Schreiber
Alexander Schreiber wrote:
> On Thu, Jan 08, 2004 at 06:57:28PM +0100, Daniel Privratsky wrote:
>
>> Wrong.
>>
>> 1) If you don't receive "destination unreachable" packet, you know
>> nothing about the target host yet. This is not perfect-network world.
>> There can be other fw/router anywhere in the way, killing this type of
>> icmp traffic.
>>
>> 2) It slows scans a lot.
>
> Only for people too stupid for doing port scans (a rare defect even
> among script kiddies).
Hmmm, a little schizophrenic situation. Are we talking about a mass scan seeking live systems in some IP space, or a directed attack on your specific system? For the first scenario it is some useful protection. No response still means system down; the attacker will hardly waste time on detailed investigation. For the second scenario it's useful too. Waiting for timeouts will slow him down.
>> You can of course do scanning in parallel, but
>> don't be surprised when you find yourself killed with no mercy by IDS
>> after matching SYN threshold. 1000+ syns/sec from an IP address to a monitored
>> system is a sure ban.
>
> Cool. Your IDS just banned the IPs of your customers' mail-, web- and
> proxy-servers. Spoofing IP addresses just to mess with such automatic
> systems is easy.
Nonsense. Such active-response IDS is primary site protection. It detects incoming SYNs, not outgoing.

Regards
Dan
>
> Regards,
> Alex.
-- gentoo-security@g.o mailing list
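The thread argues over two points: an IDS that bans a source after it crosses a SYN-per-second threshold, and Alex's objection that spoofed SYNs could get legitimate mail, web or proxy peers banned. The following detector is an added example written for this archive page, not code from either poster or from any Gentoo package. It counts only pure SYNs that arrive on an interface and are addressed to a monitored host (Dan's "incoming, not outgoing" point), keeps a sliding one-second window per source, and exempts an allowlist of critical peers so that a spoofing attempt cannot trip the ban against them. The log format, the IP addresses, the threshold of 20 SYNs per second (the thread's figure is 1000+) and the `MONITORED_HOSTS`/`ALLOWLIST` sets are all assumptions for the demonstration; the sample traffic is constructed inline.

```python
import re
from collections import defaultdict, deque

# Tunables (assumed values for this demo; the thread cites 1000+ SYN/s as a real threshold)
SYN_THRESHOLD = 20                    # inbound SYNs from one source inside the window before flagging
WINDOW_SECONDS = 1.0                  # sliding window length
MONITORED_HOSTS = {"192.0.2.10"}      # protected hosts: only SYNs addressed *to* these count
ALLOWLIST = {"198.51.100.25"}         # mail/web/proxy peers that must never be auto-banned

# Assumed log format, loosely modelled on iptables LOG output (not from the thread):
# <epoch> IN=<iface> OUT=<iface> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> FLAGS=<SYN|SYN,ACK|...>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IN=(?P<iif>\S*) OUT=(?P<oif>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["flags"] = set(rec["flags"].split(","))
    return rec


def is_inbound_syn(rec):
    """Pure SYN (no ACK) that arrived on an interface and is addressed to a monitored host."""
    return (rec["iif"] != "" and rec["oif"] == ""
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"]
            and rec["dst"] in MONITORED_HOSTS)


class SynRateDetector:
    def __init__(self, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # src -> timestamps of SYNs still inside the window
        self.flagged = {}                  # src -> timestamp at which it crossed the threshold

    def observe(self, rec):
        """Feed one parsed record; return the source IP if it just crossed the threshold."""
        if not is_inbound_syn(rec) or rec["src"] in ALLOWLIST:
            return None
        src, ts = rec["src"], rec["ts"]
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and src not in self.flagged:
            self.flagged[src] = ts
            return src
        return None


def analyse(log_text, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """Run the detector over a whole log; return the sorted list of flagged sources."""
    det = SynRateDetector(threshold, window)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            det.observe(rec)
    return sorted(det.flagged)


def build_sample_log():
    """Constructed traffic sample (not from the mailing list thread)."""
    lines = []
    base = 1073588497  # arbitrary epoch seconds
    for i in range(30):   # scanner: 30 SYNs within 30 ms, well over the threshold
        lines.append(f"{base}.{i:03d} IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={1000 + i} FLAGS=SYN")
    for i in range(30):   # allowlisted mail peer doing the same burst: must not be flagged
        lines.append(f"{base}.{i:03d} IN=eth0 OUT= SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=SYN")
    for i in range(30):   # burst toward a host we do not monitor: ignored
        lines.append(f"{base}.{i:03d} IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.99 PROTO=TCP DPT={1000 + i} FLAGS=SYN")
    for i in range(5):    # slow source, one SYN per second: stays under the threshold
        lines.append(f"{base + 10 + i}.000 IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN")
    for i in range(30):   # our own SYN-ACK replies: outbound, never counted
        lines.append(f"{base}.{i:03d} IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP DPT={40000 + i} FLAGS=SYN,ACK")
    return "\n".join(lines)


if __name__ == "__main__":
    print("flagged:", analyse(build_sample_log()))   # flagged: ['203.0.113.7']
```

Running the script flags only the scanning source: the allowlisted peer's identical burst, the burst aimed at an unmonitored host, the slow source and the outbound SYN-ACKs all pass. The allowlist is the mitigation for the spoofing concern raised in the thread; a source that can be spoofed into the log must not be one the automatic response is allowed to act on.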