AW: [Dshield] firewall policy recomendations

John Hardin johnh at
Fri May 31 15:44:58 GMT 2002

On Fri, 2002-05-31 at 01:08, Graham K. Dodd wrote:
> What is the effect on the firewall / network when you tie up a probers
> attack ?
> Some of us don't even have a partial T1 and run on a minimum budget so we
> don't want to waste our resources just to annoy hackers who obviously has
> lot's of time to waste anyway..........

There's nothing you can do to prevent an attacker from soaking up all
your bandwidth. All he needs to do is flood ping you. If something like
this happens, you need to contact your ISP and have them block the
attacker on their side of your connection.

Not responding to TCP traffic may slow down a scan, if the scanning tool
is going to wait for reponses to all of the SYN packets it sent. Simply
discarding unwanted traffic will not have a negative effect on your
bandwidth, and has less impact than responding with a RST packet to
every scan.

Tarpitting attack traffic has a small effect since there will continue
to be a trickle of traffic after the initial SYN packet. LaBrea can be
tuned to limit how much bandwidth it will use in persistent captures.

John Hardin                                   <johnh at>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
 47 days until Apropos Forum 2002

More information about the list mailing list