iptables drop or reject
nmeyers at javalinux.net
Wed Aug 13 15:07:33 EDT 2003
On Wed, Aug 13, 2003 at 02:58:54PM -0400, Dan Barrett wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday 13 August 2003 14:58, smallm at panix.com wrote:
> > I'm curious whether using drop or reject as an iptables
> > target would deal better with traffic from worms like msblast. I
> > thought perhaps the scans were bogging down my box at home, although
> > it looks like rcn must have had some kind of problem which they
> > recently fixed, which may or may not have been related to the worm.
>
>
> I have read that drop is a better bet in terms of defending against an attack:
> packets sent to the box disappear down a black hole, and the attacker may not
> be able to ascertain the state of the victim.
> In terms of cutting down network traffic with respect to msblast, drop sounds
> like the more appropriate of the two.
If you're reasonably current on iptables, "TARPIT" is a nasty target for
bogging down port scans. It ties them up in a lengthy protocol exchange
without tying up your own system resources.
http://cpc.freeshell.org/linux/kernel-tarpit.html
Nathan Meyers
nmeyers at javalinux.net
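Added example, not part of the thread and not from any project it mentions: the three dispositions discussed above (DROP, REJECT, TARPIT) written out as iptables rules for the same unsolicited inbound TCP traffic, so the trade-offs can be compared side by side. Assumptions not stated in the thread: the port is TCP 135, which msblast used to spread; the Internet-facing interface is `eth0`; and the TARPIT target comes from the xtables-addons package, since it is not a stock iptables target. The functions `rules_for` and `apply_rules` are hypothetical names for this script. By default the script only prints the rules; it executes them only when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): DROP vs REJECT vs TARPIT for
# unsolicited inbound TCP, as iptables rules.
# Assumptions: worm port TCP 135 (msblast's port; not stated in the thread),
# Internet-facing interface eth0, TARPIT provided by xtables-addons.
# Rules are printed by default; set APPLY=1 (as root) to execute them.

IFACE="${IFACE:-eth0}"
WORM_PORT="${WORM_PORT:-135}"

# rules_for MODE: print one iptables command per line for drop|reject|tarpit.
rules_for() {
    match="-i $IFACE -p tcp --dport $WORM_PORT"
    case "$1" in
        drop)
            # Packet vanishes. The scanner sees only a timeout, so it cannot
            # distinguish a filtered port from a host that is not there.
            echo "iptables -A INPUT $match -j DROP" ;;
        reject)
            # Scanner gets a TCP RST at once. Friendlier to real clients, but it
            # confirms the host is up and costs one reply per probe.
            echo "iptables -A INPUT $match -j REJECT --reject-with tcp-reset" ;;
        tarpit)
            # Exempt these packets from connection tracking first: TARPIT keeps
            # no local per-connection state, and a conntrack entry would undo that.
            echo "iptables -t raw -A PREROUTING $match -j NOTRACK"
            # Answer the SYN, shrink the window to zero and then stay silent, so
            # the scanner's socket hangs open while no socket exists on our side.
            echo "iptables -A INPUT $match -j TARPIT" ;;
        *)
            echo "usage: rules_for drop|reject|tarpit" >&2
            return 1 ;;
    esac
}

# apply_rules MODE: print the rules for MODE and execute them when APPLY=1.
apply_rules() {
    rules="$(rules_for "$1")" || return 1
    printf '%s\n' "$rules"
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do
            # Word-split on purpose: each printed line is one complete command.
            $cmd || return 1
        done
    fi
}

# Show all three rule sets (dry run unless APPLY=1).
for mode in drop reject tarpit; do
    echo "# $mode"
    apply_rules "$mode"
done
```

Two caveats for anyone trying the TARPIT variant: load the xt_TARPIT module and confirm `iptables -j TARPIT` is accepted before putting the rule in a startup script, and apply it only to ports no legitimate client will ever connect to, because a real client hitting a tarpit hangs just as a scanner does. The raw-table NOTRACK rule matters in practice: without it, every tarpitted probe still occupies a conntrack slot, which is exactly the local resource the target is meant to avoid spending.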