On Wed, Aug 13, 2003 at 11:29:58PM -0400, Derek Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Aug 13, 2003 at 02:58:54PM -0400, Dan Barrett wrote:
> > I have read that drop is a better bet in terms of defending against
> > an attack: packets sent to the box disappear down a black hole, and
> > the attacker may not be able to ascertain the state of the victim.
> ...
> But, that attacker doesn't really care if you're there or not, either.
> They only care whether or not the service you have running on port 53
> is vulnerable. So it doesn't really matter, from that perspective,
> whether you use DROP or REJECT.
>
> > In terms of cutting down network traffic with respect to msblast,
> > drop sounds like the more appropriate of the two.
>
> This is almost certainly false, unless the thing ignores TCP/IP
> errors. If you use REJECT, iptables sends the originator an ICMP
> port unreachable message, which tells the sender there's no point in
> continuing to attempt a connection. If you use DROP, all the
> originator knows is that it hasn't received any sort of
> acknowledgement YET. That doesn't mean it won't... so it will likely
> keep trying, until some sort of timeout is exceeded. IOW, the packets
> keep coming. If you're trying to reduce network traffic, this is
> almost certainly NOT what you want.

I think the situation here is that many hosts with the worm are hitting the box at the same time. I have a limit on my log target so I only see one every 3 minutes, but I'm guessing there are quite a few hitting each second. Maybe I should turn off that limit and see what's really happening.

I actually tried changing from REJECT to DROP after Dan's response and saw a dramatic improvement throughout the evening and today. Mind you, RCN could have started to block 135, or maybe a lot of people have actually managed to install the patch and remove it from their systems.

For that matter, I don't really know if the worm had anything to do with the slowness. Guess I should change back and forth a few times and see how it goes.

-- 
Mike Small
smallm at panix.com
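The question Mike leaves open at the end (how many hosts are really hitting the box, and are they retransmitting) can be answered from the firewall log itself. What follows is an added example, not code from this thread or from BLU: it parses iptables LOG lines, counts SYNs to TCP/135 per source and per second, and flags repeated SYNs from the same source port, which is the "packets keep coming" behaviour Derek describes for DROP. The log lines, the log prefix "DROP135", the host name "gw" and all addresses are constructed for illustration. To use it on a real box, feed it /var/log/messages with the `-m limit` match removed from the LOG rule (or add a second LOG rule without it), since a rate-limited log hides exactly the repeats being counted.

```python
"""Summarize msblast-style hits on TCP/135 from iptables LOG lines.

Added example for the DROP vs REJECT discussion; not code from the thread.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in iptables LOG format (not a real capture). Assumed
# log prefix "DROP135", assumed host name "gw", invented addresses.
# 1.2.3.4 resends the same SYN (same SPT) twice with growing gaps because
# nothing ever answered it; 9.9.9.9 also probes TCP/4444, which the
# summary for port 135 must ignore.
SAMPLE_LOG = """\
Aug 14 10:00:00 gw kernel: DROP135 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1001 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 10:00:00 gw kernel: DROP135 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=5.6.7.8 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=2001 DF PROTO=TCP SPT=1100 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 10:00:02 gw kernel: DROP135 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=9.9.9.9 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3001 DF PROTO=TCP SPT=2200 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 10:00:02 gw kernel: DROP135 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=9.9.9.9 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3002 DF PROTO=TCP SPT=2201 DPT=4444 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 10:00:03 gw kernel: DROP135 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1002 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 10:00:09 gw kernel: DROP135 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1003 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def parse_line(line):
    """Return a dict for one iptables LOG line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year is irrelevant here
    fields, flags = {}, set()
    for tok in m.group(2).split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v
        else:
            flags.add(tok)  # bare words: the log prefix and TCP flags (SYN, ACK, ...)
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": ts,
        "src": fields["SRC"],
        "proto": fields["PROTO"],
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields.get("DPT", 0)),
        "syn": "SYN" in flags,
    }


def summarize(log_text, dport=135):
    """Count SYNs to dport per source, per second, and repeated (src, spt) SYNs.

    A second SYN from the same source address and source port is the sender
    retransmitting a connection attempt that got no answer, i.e. the traffic
    DROP keeps attracting and REJECT would have cut off with an ICMP error.
    """
    per_src, per_second = Counter(), Counter()
    seen, retransmits = set(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or rec["dpt"] != dport or not rec["syn"]:
            continue
        per_src[rec["src"]] += 1
        per_second[rec["ts"]] += 1
        key = (rec["src"], rec["spt"])
        if key in seen:
            retransmits += 1
        seen.add(key)
    return {
        "hits": dict(per_src),
        "distinct_sources": len(per_src),
        "retransmits": retransmits,
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

For a real log, `summarize(open("/var/log/messages").read())` is enough; a high retransmit count relative to distinct sources is the signature of DROP making infected hosts retry, and comparing the figures before and after switching the rule to REJECT is the back-and-forth test the message proposes.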