[Dshield] firewall policy recommendations

Russell Washington russ.washington at vaultsentry.com
Fri May 31 16:19:46 GMT 2002

All good points (removing foot from mouth).

Of course, I did go to get coffee this morning, putting the cream and sugar
in the cup first, and then proceeded to skip the coffee in favor of the hot
water tap.  "Very strange coffee," I thought, before realizing that I wasn't
completely awake yet.

Thanks for the corrections. :)

From: Stephane Grobety [mailto:security at admin.fulgan.com] 
Sent: Friday, May 31, 2002 8:53 AM
To: Russell Washington
Subject: Re[2]: [Dshield] firewall policy recommendations

RW> Exactly.  Zero response = zero consumed resources (i.e., a drop).  
RW> Sending a packet back = resource consumption, big or small.

You're forgetting that the TCP stack will automatically retry a timed-out SYN
several times. If it retries 3 times, you'll have two more packets traveling
through the cable than if you send back a negative answer. Also, if you're
using a remote syslog, you'll be having several more UDP packets generated.
Also add the space for the log entries and the additional CPU to handle each
SYN going through the filter.

RW> So if your main concern
RW> is resource consumption, make it a big fat zero and your concerns 
RW> are resolved on the spot...

Not if you are being picky. You're probably not saving any resources by
simply dropping the packet.

RW> In addition to having the side benefit of having the
RW> other end sit there and twiddle its thumbs waiting for a timeout, 
RW> one port at a time, one IP address at a time.

That, however, is perfectly true. Although today's network scanners are
heavily parallel, reducing the impact on the attacker, it does force him to
use more resources to scan your IP/port range.

Good luck,
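
As an added illustration of the drop-versus-reject trade-off argued in this thread (example code, not part of the original messages), the Python model below counts the packets, log lines and scanner wait time that one SYN to a filtered port produces under each policy. The retransmission schedule (3 s initial timeout, doubling per retry, 3 retries) and the one-UDP-datagram-per-log-line remote syslog cost are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import ceil

# Assumed client behaviour (constructed for illustration): an unanswered SYN
# is retransmitted with a doubling timeout (3 s, 6 s, 12 s ...) and the client
# gives up after SYN_RETRIES retransmissions.  A REJECT answers the first SYN
# with a RST / ICMP unreachable, which ends the attempt immediately.
SYN_RETRIES = 3
INITIAL_RTO = 3.0


@dataclass
class ProbeCost:
    inbound_syns: int       # SYNs that cross the wire towards the filter
    outbound_replies: int   # RST / ICMP packets the filter sends back
    log_entries: int        # one log line per SYN seen by the filter
    syslog_datagrams: int   # UDP packets to a remote syslog host, if any
    client_wait: float      # seconds the probing host spends on this port

    @property
    def total_packets(self) -> int:
        return self.inbound_syns + self.outbound_replies + self.syslog_datagrams


def probe_cost(policy: str, remote_syslog: bool = True,
               syn_retries: int = SYN_RETRIES, rto: float = INITIAL_RTO) -> ProbeCost:
    """Cost of one SYN to a filtered port under 'DROP' or 'REJECT'."""
    if policy == "DROP":
        syns = 1 + syn_retries                      # original SYN plus every retry
        replies = 0
        wait = rto * (2 ** (syn_retries + 1) - 1)   # 3 + 6 + 12 + 24 = 45 s
    elif policy == "REJECT":
        syns, replies, wait = 1, 1, 0.0             # RST stops retries (RTT ignored)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    logs = syns                                     # every SYN hitting the filter is logged
    return ProbeCost(syns, replies, logs, logs if remote_syslog else 0, wait)


def scan_cost(policy: str, ports: int, parallel_probes: int = 1, **kw) -> tuple:
    """(packets on the wire, seconds the scanner waits) for a port range,
    with the scanner keeping `parallel_probes` probes in flight at once."""
    per_port = probe_cost(policy, **kw)
    rounds = ceil(ports / parallel_probes)
    return per_port.total_packets * ports, per_port.client_wait * rounds


if __name__ == "__main__":
    for policy in ("DROP", "REJECT"):
        pkts, secs = scan_cost(policy, ports=1024, parallel_probes=100)
        print(f"{policy:6} per port: {probe_cost(policy)}")
        print(f"       1024 ports: {pkts} packets, scanner waits {secs:.0f} s")
```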

