List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Scott Taylor <scott@...>
Subject: Re: firewall suggestions?
Date: Thu, 08 Jan 2004 14:57:46 -0700
Replying in a specific manner which may have been at one point the
proper and polite way for an IP stack to behave often turns into a
method for abuse. Spoof a bunch of SYN packets to a host you know
replies with a RST, and it sends all those extra packets to a victim
machine who never sent the SYN packet in the first place. So that
machine sends back "port unreachables" and further clogs up their
network.

Add to that all the silly Microsoft products that either blatantly
ignore or just never bothered to read the appropriate RFC... For my
network, I opt to spew out as few replies to unwanted traffic as
possible. I've already got too many worms out there wasting my bandwidth
trying to infect me with the SQL Slammer or whatever the worm of the day
is. I'd rather not waste any more of my bandwidth telling them that they
can't connect here. They probably aren't even checking for an ICMP
unreachable message back from me anyway.



On Thu, 2004-01-08 at 14:11, Paul de Vrieze wrote:
> On Thursday 08 January 2004 21:55, Oliver Schad wrote:
> >     --------------[RFC 792 - INTERNET CONTROL MESSAGE PROTOCOL]---------
> >  /
> >
> > | If, in the destination host, the IP module cannot deliver the
> > | datagram  because the indicated protocol module or process port is
> > | not active, the destination host may send a destination
> > | unreachable message to the source host.
> >
> >  \
> >    ---------------------------------------------------------------
> 
> May still means that it is not required, so technically not replying is not an 
> error when looking only at this snippet.
> 
> Paul
--
Scott Taylor - <scott@...> 

"Are you all right?" -Leela 
"Ah, it's nothing a law suit won't cure." -Bender

    
Updated Oct 31, 2011

Summary: Archive of the gentoo-security mailing list.
