Re: UNWANTED state - Matteo Croce

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Matteo Croce <rootkit85@yahoo.it>
To: netfilter-devel@lists.netfilter.org
Subject: Re: UNWANTED state
Date: Thu, 30 Dec 2004 01:39:48 +0100	[thread overview]
Message-ID: <200412300139.49266.rootkit85@yahoo.it> (raw)
In-Reply-To: <20041229235657.GA11573@linuxace.com>

> On Thu, Dec 30, 2004 at 12:42:17AM +0100, Matteo Croce wrote:
> Perhaps you should consider using:
>
> --dport 113 -j REJECT --reject-with tcp-reset
> instead of hacking the kernel to disable icmp rejects?
>

# iptables -I INPUT 1 -p tcp --dport 4567 -j REJECT --reject-with tcp-reset
# hping3 127.0.0.1 -p 4567 -S
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=0 win=0 rtt=0

--reject-with tcp-reset sends RST/ACK that are dropped by my firewall

> Why do you care if people get an icmp unreachable when
> the service is down?  You aren't making the box more secure IMO by not
> allowing the icmp error outbound.

Tryng to reduce at minimum unneeded traffic is a sort of protection against 
DOS.
Let's say i have a 4096/400 ADSL.
Someone with a ~512kbit upload can send me an large amount of data on a closed 
port with something like 'hping3 <IP> -S -p <PORT> --flood', and my 400kbit 
upload
will be unable to send 512Kbit of RST/ACKs.
If i drop unwanted data, the attacker needs an upload of ~4200Kbit
to dos my box, since he need to fill my download instead of my upload.

And having such a target will avoid open/close ports as needed, since only 
used ports are available.

-- 
  .""`.     Matteo Croce <rootkit85@yahoo.it>
 : :"  :    proud Debian admin and user
 `. `"`
   `-  Debian - when you have better things to do than fix a system

next prev parent reply	other threads:[~2004-12-30  0:39 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-12-29 23:42 UNWANTED state Matteo Croce
2004-12-29 23:56 ` Phil Oester
2004-12-30  0:39   ` Matteo Croce [this message]
2004-12-31  5:56     ` Willy Tarreau
2004-12-31 13:15       ` Matteo Croce
  -- strict thread matches above, loose matches on Subject: below --
2004-12-29 22:58 Matteo Croce

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200412300139.49266.rootkit85@yahoo.it \
    --to=rootkit85@yahoo.it \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.