[Dshield] firewall policy recommendations
security at admin.fulgan.com
Fri May 31 15:52:58 GMT 2002
RW> Exactly. Zero response = zero consumed resources (i.e., a drop). Sending a
RW> packet back = resource consumption, big or small.
You're forgetting that the TCP stack will automatically retry several
times a timed-out SYN. If it retries 3 times, you'll have two more
packets traveling through the cable than if you send back a negative
answer. Also, if you're using a remote syslog, you'll be having
several more UDP packets generated. Also add the space for the log
entries and the additional CPU to handle each SYN going through the
RW> So if your main concern
RW> is resource consumption, make it a big fat zero and your concerns are
RW> resolved on the spot...
Not if you are being picky. You're probably not saving any resources
by simply dropping the packet.
RW> In addition to having the side benefit of having the
RW> other end sit there and twiddle its thumbs waiting for a timeout, one port
RW> at a time, one IP address at a time.
That, however, is perfectly true. Although today's network scanners
are heavily parallel, reducing the impact on the attacker, it does
force him to use more resources to scan your IP/port range.
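The cost comparison argued in this message can be put into a small model. The following is an added illustration, not code from the list post or from the DShield project; it assumes a Linux-style exponential SYN backoff (initial timeout 1 s, doubling per retry), a REJECT answer reaching the prober within one assumed RTT of 50 ms, one log line of an assumed 120 bytes for every packet that matches the rule, and one UDP datagram to the remote syslog host per log line. With the post's figure of 3 retries, DROP puts four packets on the wire and REJECT two, the "two more packets" difference the message mentions, while DROP also multiplies the log and syslog cost and the time the scanner spends waiting.

```python
"""Model of the on-the-wire and logging cost of DROP versus REJECT for one
unsolicited TCP SYN.  Added illustration, not code from the list post.
Assumptions (not from the post): Linux-style exponential SYN backoff
(1 s, doubling), REJECT answered within RTT_SECONDS, one log line of
log_entry_bytes per matching packet, one syslog UDP datagram per line."""

from dataclasses import dataclass
from typing import List

RTT_SECONDS = 0.05  # assumed round-trip time to the probing host


@dataclass
class ProbeCost:
    inbound_packets: int          # SYNs that reach the firewall
    outbound_packets: int         # RST / ICMP unreachable sent back
    syslog_packets: int           # UDP datagrams to the remote syslog host
    log_bytes: int                # bytes of log written for this probe
    attacker_wait_seconds: float  # how long the prober waits before giving up

    def packets_on_wire(self) -> int:
        """Total packets on the firewall's external link for this probe."""
        return self.inbound_packets + self.outbound_packets


def syn_timeouts(retries: int, initial_rto: float = 1.0) -> List[float]:
    """Per-attempt timeouts for the initial SYN plus `retries` retransmissions,
    doubling each time (assumed Linux-style behaviour)."""
    return [initial_rto * (2 ** i) for i in range(retries + 1)]


def probe_cost(policy: str, retries: int = 3, remote_syslog: bool = True,
               log_entry_bytes: int = 120) -> ProbeCost:
    """Cost of one SYN to a filtered port under policy 'drop' or 'reject'."""
    if policy == "drop":
        # No answer: the remote stack retransmits until its retry budget is spent.
        inbound = retries + 1
        outbound = 0
        wait = sum(syn_timeouts(retries))
    elif policy == "reject":
        # A negative answer (TCP RST or ICMP unreachable) ends the attempt at once.
        inbound = 1
        outbound = 1
        wait = RTT_SECONDS
    else:
        raise ValueError(f"unknown policy {policy!r}")
    logged = inbound  # one log line per packet that matched the rule
    return ProbeCost(
        inbound_packets=inbound,
        outbound_packets=outbound,
        syslog_packets=logged if remote_syslog else 0,
        log_bytes=logged * log_entry_bytes,
        attacker_wait_seconds=wait,
    )


def scan_cost(policy: str, ports: int, parallelism: int = 1, **kw) -> ProbeCost:
    """Scale one probe across `ports` ports; `parallelism` models a scanner that
    keeps several probes in flight, which divides the wall-clock wait."""
    one = probe_cost(policy, **kw)
    return ProbeCost(
        inbound_packets=one.inbound_packets * ports,
        outbound_packets=one.outbound_packets * ports,
        syslog_packets=one.syslog_packets * ports,
        log_bytes=one.log_bytes * ports,
        attacker_wait_seconds=one.attacker_wait_seconds * ports / parallelism,
    )


if __name__ == "__main__":
    # Compare both policies for a 1024-port sweep by a scanner with 64 probes in flight.
    for policy in ("drop", "reject"):
        print(policy, scan_cost(policy, ports=1024, parallelism=64))
```

Running the block prints both policies side by side for a 1024-port sweep; the `parallelism` argument is what the message's last paragraph is about, since a scanner keeping many probes in flight shrinks the wall-clock penalty of DROP without changing the number of packets it must send.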