[Dshield] firewall policy recommendations

Stephane Grobety security at admin.fulgan.com
Fri May 31 15:52:58 GMT 2002


RW> Exactly.  Zero response = zero consumed resources (i.e., a drop).  Sending a
RW> packet back = resource consumption, big or small.

You're forgetting that the TCP stack will automatically retry a
timed-out SYN several times. If it retries 3 times, you'll have two more
packets traveling through the cable than if you send back a negative
answer. Also, if you're using a remote syslog, you'll have
several more UDP packets generated. Also add the space for the log
entries and the additional CPU to handle each SYN going through the
filter.

RW> So if your main concern
RW> is resource consumption, make it a big fat zero and your concerns are
RW> resolved on the spot...

Not if you are being picky. You're probably not saving any resources
by simply dropping the packet.

RW> In addition to having the side benefit of having the
RW> other end sit there and twiddle its thumbs waiting for a timeout, one port
RW> at a time, one IP address at a time.

That, however, is perfectly true. Although today's network scanners
are heavily parallel, reducing the impact on the attacker, it does
force him to use more resources to scan your IP/port range.

Good luck,
Stephane
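
As an added illustration of the arithmetic in the message above (example code written for this archive page, not from the original thread, from DShield or from either poster), here is a small model of what one SYN probe costs the filtered host and the scanner under DROP versus REJECT. The retry schedule (exponential backoff, 1 s, 2 s, 4 s, ... as on a Linux stack with tcp_syn_retries), the one-RTT cost of a REJECT answer, and the "one log line and one syslog datagram per SYN" accounting are modelling assumptions, not figures from the thread:

```python
# Added example (not from the original thread): a back-of-the-envelope model
# of the DROP-vs-REJECT trade-off. All numbers below are modelling
# assumptions, not measurements.
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class ProbeCost:
    wire_packets: int       # packets crossing the link for one probed port
    log_lines: int          # SYNs the filter has to log
    syslog_datagrams: int   # extra UDP packets if logging goes to remote syslog
    client_wait_s: float    # seconds the probing host waits before giving up


def probe_cost(policy: str, retries: int = 3, remote_syslog: bool = True,
               rtt_s: float = 0.05) -> ProbeCost:
    """Cost of one SYN probe against a port closed by `policy`.

    Assumptions: the client's stack retransmits a timed-out SYN with the
    classic exponential backoff (1 s, 2 s, 4 s, ... like Linux with
    tcp_syn_retries set to `retries`); a REJECT answers the first SYN with
    one RST/ICMP message after one round trip (`rtt_s`), so nothing is
    retransmitted; every SYN the filter sees costs one log line, and one
    UDP datagram on top of that when syslog is remote.
    """
    if policy == "DROP":
        syns = 1 + retries                                   # initial SYN plus retransmits
        wait = float(sum(2 ** i for i in range(syns)))      # 1+2+4+8 = 15 s for 3 retries
        return ProbeCost(syns, syns, syns if remote_syslog else 0, wait)
    if policy == "REJECT":
        # one SYN in, one RST (or ICMP unreachable) back; the client stops at once
        return ProbeCost(2, 1, 1 if remote_syslog else 0, rtt_s)
    raise ValueError(f"unknown policy {policy!r}")


def scan_wall_clock_s(policy: str, ports: int, parallel: int,
                      retries: int = 3, rtt_s: float = 0.05) -> float:
    """Seconds a scanner needs to cover `ports` filtered ports while keeping
    `parallel` probes in flight at a time (the 'thumb twiddling' cost)."""
    per_probe = probe_cost(policy, retries, rtt_s=rtt_s).client_wait_s
    return ceil(ports / parallel) * per_probe


def compare(ports: int, parallel: int, retries: int = 3,
            remote_syslog: bool = True) -> dict:
    """Totals for a full scan under both policies, keyed by policy name."""
    out = {}
    for policy in ("DROP", "REJECT"):
        c = probe_cost(policy, retries, remote_syslog)
        out[policy] = {
            "wire_packets": c.wire_packets * ports,
            "log_lines": c.log_lines * ports,
            "syslog_datagrams": c.syslog_datagrams * ports,
            "scan_seconds": scan_wall_clock_s(policy, ports, parallel, retries),
        }
    return out


if __name__ == "__main__":
    # A serial scanner versus a heavily parallel one, over the low 1024 ports.
    for parallel in (1, 256):
        print(f"-- {parallel} probe(s) in flight --")
        for policy, t in compare(1024, parallel).items():
            print(f"{policy:7s} wire={t['wire_packets']:5d} "
                  f"log={t['log_lines']:5d} syslog={t['syslog_datagrams']:5d} "
                  f"scan={t['scan_seconds']:8.1f}s")
```

With three retries the DROP side sees four SYNs, four log lines and four syslog datagrams per port against two packets and one line for REJECT, which is the accounting behind the "you're probably not saving any resources" point. The parallelism sweep shows the other half of the argument: a serial scanner spends a quarter of an hour on 1024 dropped ports, but with 256 probes in flight the same scan waits only a minute, so the delay imposed on the attacker shrinks with the scanner's parallelism while the filter's own per-SYN cost does not.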



