[Dshield] firewall policy recomendations

Johannes Ullrich jullrich at sans.org
Fri May 31 14:13:31 GMT 2002


> When you REJECT a packet, generally your kernel is sending back an
> ICMP port unreachable, which does cause your firewall system to
> consume some resources for that process, but that process should be
> completed quickly and the necessary resources returned to general
> system availability...

For UDP traffic, a 'port unreachable' will be send. For TCP,
a 'RST' TCP packet will be send.

There are some cases where you should send a RST (or ICMP port
unreachable) instead of just dropping the packet:

- port 113 AUTH requests from your mail server. Some mail servers
  (most?) attempt a futile AUTH request to verify the userid of
  the sending user. Even though hardly any systems respond to this
  these days, it is still the default configuration for many mail
  servers and just 'dropping' these request may increase the time
  it takes to send mail.

- ACK packets... they are frequently backscatter from DDOS attacks
  with spoofed sources (your IP was spoofed). Sending a RST will 
  help the machine under attack to close the connection.

- obfuscation. sending a RST for some low TTLs may confuse some
  recognizance tools. Or just hide the fact that you have a 
  firewall. 

There are lots of tricks one can play. Just 'dropping' is the
safe default thing to do. But on occasion, a RST may be better.
Chris Brenton did talk about this in the last SANS audiocast.
(There should be an archive of it at 
http://www.sans.org/webcasts/may1.php )

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection         
                                     join http://www.dshield.org




More information about the list mailing list