[Dshield] firewall policy recomendations

Russell Washington russ.washington at vaultsentry.com
Fri May 31 15:19:49 GMT 2002


Exactly.  Zero response = zero consumed resources (i.e., a drop).  Sending a
packet back = resource consumption, big or small.  So if your main concern
is resource consumption, make it a big fat zero and your concerns are
resolved on the spot... In addition to having the side benefit of having the
other end sit there and twiddle its thumbs waiting for a timeout, one port
at a time, one IP address at a time.

-----Original Message-----
From: Chad Albert [mailto:chadalbert at mchsi.com] 
Sent: Friday, May 31, 2002 6:12 AM
To: list at dshield.org
Subject: Re: [Dshield] firewall policy recomendations


By dropping the packets, you are actually generating less traffic.  This
will use less resources, especially bandwidth.  What Kevin is talking about
is that it will take a prober more time to scan you because they will have
to wait for a timeout to occur rather than getting a response back from you
that says "I'm not running anything there".


Chad


----- Original Message -----
From: "Graham K. Dodd" <g.dodd at falk-ross.de>
To: <list at dshield.org>
Sent: Friday, May 31, 2002 3:08 AM
Subject: AW: [Dshield] firewall policy recomendations


> What is the effect on the firewall / network when you tie up a prober's 
> attack?
>
> Some of us don't even have a partial T1 and run on a minimum budget so 
> we don't want to waste our resources just to annoy hackers who 
> obviously have lots of time to waste anyway..........
>
> BTW I'm not flaming Kenneth and his policies, I want to know whether I 
> can adopt this sort of policy without affecting my company's "small, 
> but very important" network.
>
>
> thanks,
> Graham
>
>
> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf 
> Of Kenneth Porter
> Sent: Wednesday, 29 May 2002 17:35
> To: DShield List
> Subject: Re: [Dshield] firewall policy recomendations
>
>
> On Wed, 2002-05-29 at 07:01, Chad Albert wrote:
> > I am curious to know what most people on this list think is the best 
> > practice when blocking traffic with a firewall.  I see many firewalls
> > that drop unwanted TCP packets, many that send a rst packet, some drop
> > unwanted UDP, and some send ICMP type 3 (destination unreachable).
>
> Drop anything you don't expect. That'll tie up a prober waiting for 
> his SYN to be ACK'd, slowing down his scans.
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.368 / Virus Database: 204 - Release Date: 5/29/2002
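
Added example, not part of the original thread: a small Python check an administrator can run from outside the firewall to confirm which of the policies discussed above a port actually presents (silent drop, RST, or ICMP unreachable) and how long the far end waits in each case. The function names, verdict labels, and the loopback demo are constructed for illustration.

```python
import errno
import socket
import time

def classify_filter(host, port, timeout=2.0):
    """Return (verdict, seconds_waited) for one TCP connect attempt."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        # An answer came back at once (a RST): the "reject" policy.
        verdict = "rejected"
    except socket.timeout:
        # Nothing came back before the timeout: the "drop" policy.
        verdict = "dropped"
    except OSError as exc:
        # ICMP type 3 host/network unreachable surfaces as these errnos.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"
        else:
            raise
    finally:
        s.close()
    return verdict, time.monotonic() - start

def demo_local():
    """Constructed loopback demo: one listening port, one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))  # bound but never listening: kernel answers RST
    try:
        return {
            "open": classify_filter("127.0.0.1", listener.getsockname()[1]),
            "closed": classify_filter("127.0.0.1", spare.getsockname()[1]),
        }
    finally:
        listener.close()
        spare.close()

if __name__ == "__main__":
    for name, (verdict, waited) in demo_local().items():
        print(f"{name:7s} {verdict:9s} waited {waited:.3f}s")
```

Pointed at a port your own firewall filters, a "dropped" verdict with a wait equal to the full timeout confirms the drop policy is in effect; a near-instant "rejected" means the firewall or host is still answering.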
