
BLU Discuss list archive



iptables drop or reject



On Wed, Aug 13, 2003 at 02:58:54PM -0400, Dan Barrett wrote:
> On Wednesday 13 August 2003 14:58, smallm at panix.com wrote:
> > 	I'm curious whether using drop or reject as an iptables
> > target would deal better with traffic from worms like msblast.  I 
> > thought perhaps the scans were bogging down my box at home, although 
> > it looks like rcn must have had some kind of problem which they 
> > recently fixed, which may or may not have been related to the worm.
> 
> I have read that drop is a better bet in terms of defending against an attack: 
> packets sent to the box disappear down a black hole, and the attacker may not 
> be able to ascertain the state of the victim.
> In terms of cutting down network traffic with respect to msblast, drop sounds 
> like the more appropriate of the two.

If you're reasonably current on iptables, "TARPIT" is a nasty target for
bogging down port scans. It ties them up in a lengthy protocol exchange
without tying up your own system resources.

    http://cpc.freeshell.org/linux/kernel-tarpit.html

Nathan Meyers
nmeyers at javalinux.net
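The three targets the thread compares, written out as iptables rules so the trade-offs are visible side by side. This is an added example, not code from the thread or from the linked TARPIT page; it assumes the worm probes TCP/135 (msblast's target), that the external interface is eth0, and, for TARPIT, that the kernel carries the patch from the link above.

```shell
#!/bin/sh
# Added example, not part of the thread: the three targets discussed above as
# iptables rules for unsolicited worm probes. Assumptions: the worm probes
# TCP/135 (msblast's target), the external interface is eth0, and for TARPIT
# the kernel carries the patch from the link above. Set IPT=echo to preview.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
WORM_PORT="${WORM_PORT:-135}"

# REJECT: answer every probe with a TCP RST. The scanner learns at once that
# the port is closed, and each probe costs you one outbound packet.
rule_reject() {
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$WORM_PORT" \
        -j REJECT --reject-with tcp-reset
}

# DROP: no answer at all. The scanner waits for its timeout and cannot tell a
# filtered port from a dead host; nothing leaves your link in reply.
rule_drop() {
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$WORM_PORT" -j DROP
}

# TARPIT: complete the handshake with a zero window so the scanner's socket
# stays stuck, with no socket on your side. It must see every packet of the
# connection, so do not narrow this rule to --state NEW.
rule_tarpit() {
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$WORM_PORT" -j TARPIT
}

# Rate-limited LOG ahead of whichever target is chosen, so probe volume is
# visible in syslog without flooding it. Counters from
# `iptables -L INPUT -v -n` show the per-rule hit rate either way.
rule_log() {
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$WORM_PORT" --syn \
        -m limit --limit 5/min -j LOG --log-prefix "worm-probe: "
}

# Install logging plus exactly one of the three policies.
apply_policy() {
    rule_log
    case "$1" in
        reject) rule_reject ;;
        drop)   rule_drop ;;
        tarpit) rule_tarpit ;;
        *) echo "usage: apply_policy reject|drop|tarpit" >&2; return 1 ;;
    esac
}
```

With IPT=echo the functions print the rules instead of installing them, which is a cheap way to review the ruleset before loading it as root.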




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org