[Dshield] firewall policy recommendations

Stephane Grobety security at admin.fulgan.com
Fri May 31 15:52:58 GMT 2002

RW> Exactly.  Zero response = zero consumed resources (i.e., a drop).  Sending a
RW> packet back = resource consumption, big or small.

You're forgetting that the TCP stack will automatically retry several
times a timed-out SYN. If it retries 3 times, you'll have two more
packets traveling through the cable than if you send back a negative
answer. Also, if you're using a remote syslog, you'll be having
several more UDP packets generated. Also add the space for the log
entries and the additional CPU to handle each SYN going through the

RW> So if your main concern
RW> is resource consumption, make it a big fat zero and your concerns are
RW> resolved on the spot...

Not if you are being picky. You're probably not saving any resources
by simply dropping the packet.

RW> In addition to having the side benefit of having the
RW> other end sit there and twiddle its thumbs waiting for a timeout, one port
RW> at a time, one IP address at a time.

That, however, is perfectly true. Although today's network scanners
are heavily parallel, reducing the impact on the attacker, it does
force him to use more resources to scan your IP/port range.

Good luck,

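A small cost model of the DROP-versus-REJECT trade-off argued in this thread, added here as an illustration (not code from the list or from DShield). The retry count, initial RTO, round-trip time and scanner parallelism are assumed inputs, not measured values.

```python
"""Per-probe cost of DROP versus REJECT for a single unanswered SYN.

Constructed model, not measurements. Assumptions:
- the prober's TCP stack retransmits an unanswered SYN with exponential
  backoff (initial RTO doubles on each retry);
- REJECT answers the first SYN at once with one negative packet
  (RST or ICMP unreachable), so the prober gives up after one RTT;
- every SYN the firewall sees yields one log entry and, with remote
  syslog, one UDP datagram.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeCost:
    wire_packets: int      # packets on the cable, both directions
    log_entries: int       # lines the firewall writes
    syslog_datagrams: int  # UDP packets if remote syslog is enabled
    prober_wait_s: float   # how long the scanner waits on this port


def syn_retry_delay(syn_retries: int, initial_rto_s: float = 1.0) -> float:
    """Seconds a client waits before abandoning a SYN, with doubling RTO."""
    return sum(initial_rto_s * (2 ** i) for i in range(syn_retries + 1))


def cost_of_drop(syn_retries: int, remote_syslog: bool,
                 initial_rto_s: float = 1.0) -> ProbeCost:
    """DROP: silence, so the prober resends the SYN until it gives up."""
    syns = 1 + syn_retries
    return ProbeCost(wire_packets=syns, log_entries=syns,
                     syslog_datagrams=syns if remote_syslog else 0,
                     prober_wait_s=syn_retry_delay(syn_retries, initial_rto_s))


def cost_of_reject(remote_syslog: bool, rtt_s: float = 0.1) -> ProbeCost:
    """REJECT: one SYN in, one negative answer out, prober stops."""
    return ProbeCost(wire_packets=2, log_entries=1,
                     syslog_datagrams=1 if remote_syslog else 0,
                     prober_wait_s=rtt_s)


def scan_wall_time(n_ports: int, parallelism: int, per_port_wait_s: float) -> float:
    """Wall-clock time to probe n_ports with `parallelism` concurrent sockets."""
    rounds = -(-n_ports // parallelism)  # ceiling division
    return rounds * per_port_wait_s
```

With 3 retries, DROP puts exactly two more packets on the wire than REJECT (4 SYNs versus SYN plus RST) and four log lines instead of one, while the prober waits 15 s per port instead of one RTT; parallel scanning divides that wait but does not remove it.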