
BLU Discuss list archive



iptables drop or reject



On Wed, Aug 13, 2003 at 11:29:58PM -0400, Derek Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, Aug 13, 2003 at 02:58:54PM -0400, Dan Barrett wrote:
> > I have read that drop is a better bet in terms of defending against
> > an attack: packets sent to the box disappear down a black hole, and
> > the attacker may not be able to ascertain the state of the victim.
> 
...
> But, that attacker doesn't really care if you're there or not, either.
> They only care whether or not the service you have running on port 53
> is vulnerable.  So it doesn't really matter, from that perspective,
> whether you use DROP or REJECT.
> 
> > In terms of cutting down network traffic with respect to msblast,
> > drop sounds like the more appropriate of the two.
> 
> This is almost certainly false, unless the thing ignores TCP/IP
> errors.  If you use REJECT, the iptables sends the originator an ICMP
> port unreachable message, which tells the sender there's no point in
> continuing to attempt a connection.  If you use DROP, all the
> originator knows is that it hasn't received any sort of
> acknowledgement YET.  That doesn't mean it won't... so it will likely
> keep trying, until some sort of timeout is exceeded.  IOW, the packets
> keep coming.  If you're trying to reduce network traffic, this is
> almost certainly NOT what you want.

I think the situation here is that many hosts with the worm are hitting 
the box at the same time.  I have a limit on my log target so I only see
one every 3 minutes, but I'm guessing there are quite a few hitting each
second.  Maybe I should turn off that limit and see what's really happening.

I actually tried changing from REJECT to DROP after Dan's response and
saw a dramatic improvement throughout the evening and today.  Mind you,
RCN could have started to block 135 or maybe a lot of people have 
actually managed to install the patch and remove it from their systems.
For that matter, I don't really know if the worm had anything to do with
the slowness.  Guess I should change back and forth a few times and see
how it goes.

-- 
Mike Small
smallm at panix.com
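
An added example, not part of the thread and not code posted by Mike or Derek: a small Python script that reads iptables LOG lines of the kind Mike's logging rule produces and counts, per source, how many SYNs to TCP port 135 arrived and how many of those were retransmissions of the same connection attempt. It assumes a rule of the form "iptables -A INPUT -p tcp --dport 135 -j LOG --log-prefix 'msblast: '" with the "-m limit" Mike mentions removed so that every packet is logged; the log lines embedded in it are constructed, not real captures. The check it performs is the one Derek's argument suggests: a TCP client whose SYN goes unanswered retransmits it from the same source port, so a repeated SRC/SPT pair is the extra traffic DROP invites, while after REJECT each worm attempt should appear as a single SYN on a fresh port.

```python
"""Count SYN attempts and SYN retransmissions to TCP/135 in iptables LOG output.

Added example for the DROP-vs-REJECT discussion; not from the original thread.
Assumes the LOG target was given the prefix "msblast: " and is not rate-limited.
"""
import re
from collections import defaultdict

# Constructed sample kernel-log lines in the iptables LOG target's format.
# 10.1.2.3 keeps SPT=1034 and retries (what an unanswered, DROPped SYN looks like);
# 10.4.5.6 sends one SYN per new source port (what you expect once REJECT answers).
SAMPLE_LOG = """\
Aug 13 23:29:58 gw kernel: msblast: IN=eth0 OUT= SRC=10.1.2.3 DST=10.9.9.9 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=100 DF PROTO=TCP SPT=1034 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 23:30:01 gw kernel: msblast: IN=eth0 OUT= SRC=10.1.2.3 DST=10.9.9.9 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=101 DF PROTO=TCP SPT=1034 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 23:30:07 gw kernel: msblast: IN=eth0 OUT= SRC=10.1.2.3 DST=10.9.9.9 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=102 DF PROTO=TCP SPT=1034 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 23:30:02 gw kernel: msblast: IN=eth0 OUT= SRC=10.4.5.6 DST=10.9.9.9 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=7 DF PROTO=TCP SPT=2201 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 23:30:03 gw kernel: msblast: IN=eth0 OUT= SRC=10.4.5.6 DST=10.9.9.9 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=8 DF PROTO=TCP SPT=2202 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 23:30:04 gw kernel: msblast: IN=eth0 OUT= SRC=10.4.5.6 DST=10.9.9.9 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=9 DF PROTO=TCP SPT=2203 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 23:30:05 gw kernel: unrelated message that is not an iptables LOG line
"""

# Fields the LOG target always emits for TCP/UDP, in this order.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s.*?PROTO=(?P<proto>\S+)\s.*?SPT=(?P<spt>\d+)\sDPT=(?P<dpt>\d+)"
)
# TCP flag words follow the DPT/WINDOW/RES fields as bare tokens.
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN)\b")


def parse_log(text):
    """Return one record per iptables LOG line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        flags = set(FLAG_RE.findall(line[m.end():]))
        records.append({
            "src": m.group("src"),
            "proto": m.group("proto"),
            "spt": int(m.group("spt")),
            "dpt": int(m.group("dpt")),
            "flags": flags,
        })
    return records


def retransmission_report(records, dport=135):
    """Per source: bare SYNs to dport, distinct (SRC, SPT) flows, and their
    difference, which is the number of retransmitted SYNs. A client keeps its
    source port while retrying an unanswered SYN, so retransmits > 0 means the
    peer got no reply and kept trying, i.e. the DROP behaviour Derek describes."""
    syns = defaultdict(int)
    flows = defaultdict(set)
    for r in records:
        if r["proto"] != "TCP" or r["dpt"] != dport:
            continue
        if "SYN" not in r["flags"] or "ACK" in r["flags"]:
            continue  # only initial/retransmitted SYNs, not SYN-ACKs
        syns[r["src"]] += 1
        flows[r["src"]].add(r["spt"])
    return {
        src: {"syns": n, "flows": len(flows[src]), "retransmits": n - len(flows[src])}
        for src, n in syns.items()
    }


def total_retransmits(report):
    """Total extra SYNs across all sources; the traffic REJECT would have saved."""
    return sum(v["retransmits"] for v in report.values())


if __name__ == "__main__":
    report = retransmission_report(parse_log(SAMPLE_LOG))
    for src, v in sorted(report.items()):
        print(f"{src}: {v['syns']} SYNs over {v['flows']} flows, "
              f"{v['retransmits']} retransmitted")
    print("retransmitted SYNs in total:", total_retransmits(report))
```

To use it on a real box, feed it the kernel log (for example the contents of /var/log/messages) instead of SAMPLE_LOG. One caveat worth keeping in mind when switching back to REJECT: for TCP, iptables' REJECT sends an ICMP port-unreachable by default, which is the case Derek says a client might ignore; "-j REJECT --reject-with tcp-reset" answers with a TCP RST instead, which the peer's TCP stack itself processes and which also makes the port look genuinely closed rather than firewalled.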




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
