RE: gracefull rst
> Reply-To: <muaddib@mailandnews.com>
> From: "Pol Muaddib" <muaddib@mailandnews.com>
> To: "Radel" <netfilter@radel.yi.org>, <netfilter@lists.samba.org>
> Subject: RE: gracefull rst.
> Date: Sun, 5 Aug 2001 12:19:12 +0200
>
> You are right, maybe it was a bad analogy. I personally use -j
> REJECT --reject-with tcp-reset .
> In regard to software with redirect, I don't want software and I don't
> need to redirect; a simple program I could make in Perl. In regard to the
> DDoS attacks, if a 13 year old script kiddie wants he could attack my server
> using a UDP packet storm from a few Sub7-server-infected cable modems, and
> that's that. No firewall is gonna stop it. If you think otherwise, just ask
> Steve Gibson http://grc.com/dos/grcdos.htm
> Anyway, I was asking this question for legitimate reasons (I think).
> First, I want to apologize if I misled you.
> My line of thinking was, if there was any module developed for iptables that
> can be programmed to return a short message when opening a port (say 113).
> For example, open port 113 -> "go away" -> close.

1) This is application specific. Not all the application protocols are ASCII
like 21, 25, 80, ... there are some binary applications like 53. You are
not going to tell me that netfilter should know all the protocols to come
up with the right "go away", are you?

2) Actually, sending an RST is exactly "go away -> close" but in a firm way.

3) grc.com's story is more a link saturation story than anything else. Your
way of politely closing the door will contribute to that link saturation.

4) What do you think the rate limiting that you're talking about does? It simply
ignores those packets.

5) I don't see any benefit in doing the firewalling the way you described.
What is the "straightforwardness" and "security" about this gracefulness?

Ramin

> It is true that it could saturate the CPU, but so do other services. It is
> just more straightforward and secure to put it as a feature on the firewall.
> Besides, you could always do connection limiting to stop the saturation.
> iptables IP conntracking and packet fragment reassembly is indeed a needed
> feature, but iptables is vulnerable to CPU saturation because of it, so a
> legit port with a short message is not a real problem :).
>
> * - * - *
> Tzahi Fadida
> Tzahi@mailandnews.com
> Fax (+1 Outside the US) 240-597-3213
> * - * - * - * - * - *
RE: gracefull rst

Read my last email. But here:

> 1) This is application specific. Not all the application protocols are
> ASCII like 21, 25, 80, ... there are some binary applications like 53. You are
> not going to tell me that netfilter should know all the protocols to come
> up with the right "go away", are you?

1) True. It was not for all existing services, just simple ones and your
own.

> 2) Actually, sending an RST is exactly "go away -> close" but in a firm way.

2) RST is for a problem, or denying a connection. I am talking about sending
a message instead of writing a Perl script, so RST can't help you since you
need to open a connection to send a message.

> 3) grc.com's story is more a link saturation story than anything else. Your
> way of politely closing the door will contribute to that link saturation.

3) The grc.com story is a problem of hogging the bandwidth using UDP and ICMP, so
adding a TCP connection will not be the same. Besides, Apache, FTP, etc. do that
better :). Anyway, as I wrote in my next email, the introduction of XP will make
all this discussion irrelevant; all ports will be vulnerable, using SYN attacks
that weren't possible under 95/98, and spoofing that again was not possible
under 95/98. I am betting that many commercial sites will grind to a big halt
a year after the release of XP.

> 4) What do you think the rate limiting that you're talking about does? It
> simply ignores those packets.

4) Yes it does. Since the ident port needs to serve only you, how many
connections do you think should be made :).

> 5) I don't see any benefit in doing the firewalling the way you described.
> What is the "straightforwardness" and "security" about this gracefulness?

5) The security about it is that professionals will code it, instead of
people running processes as root, which they usually do.

But as I said earlier, it was blown out of proportion since it was only a
simple RFC question. But as emails go...

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Ramin Alidousti
Sent: Sunday, August 05, 2001 5:13 PM
To: netfilter@lists.samba.org
Subject: RE: gracefull rst


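The RST-versus-message point argued in item 2 of both mails above (Ramin: an RST already is "go away -> close"; Tzahi: an RST cannot carry a message because a connection has to be opened first) can be observed from the client side with this added example, which is not code from either poster or from the netfilter project. It probes a closed loopback port, where the kernel answers the SYN with a RST, the same behaviour `-j REJECT --reject-with tcp-reset` reproduces for a filtered port, and then a constructed "go away" listener that needs a completed handshake and a user-space accept() for every client; the port choice, the banner text and the function names are assumptions.

```python
import socket
import threading

GO_AWAY = b"go away\r\n"  # constructed banner, standing in for the thread's "go away"

def free_loopback_port():
    """Ask the kernel for an unused TCP port on 127.0.0.1 and release it again."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def polite_close_server(port, accepted, ready):
    """Graceful variant: handshake completes, a process must accept(), send, then FIN."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            accepted.append(1)  # every client costs an accept() and a handler here
            conn.sendall(GO_AWAY)

def probe(port):
    """Client side: connect to the port and report what the peer did."""
    with socket.socket() as c:
        c.settimeout(2.0)
        try:
            c.connect(("127.0.0.1", port))
        except ConnectionRefusedError:
            # Kernel answered the SYN with a RST: no handshake and no process involved.
            return {"outcome": "rst", "data": b""}
        data = b""
        while chunk := c.recv(64):  # read until the server's FIN
            data += chunk
        return {"outcome": "message", "data": data}

def compare():
    """Probe a closed port (RST path) and a 'go away' listener (message path)."""
    port = free_loopback_port()
    rst = probe(port)  # nothing listening yet: SYN -> RST, zero server-side work
    accepted, ready = [], threading.Event()
    t = threading.Thread(target=polite_close_server, args=(port, accepted, ready), daemon=True)
    t.start()
    ready.wait(2.0)
    msg = probe(port)  # full handshake plus a user-space handler per client
    t.join(2.0)
    msg["server_work"] = len(accepted)
    return {"rst": rst, "message": msg}
```

The `server_work` counter is the cost difference the thread argues about: the RST path never reaches a process, while the banner path runs code for every connection and is therefore the one that needs the rate or connection limiting mentioned in item 4.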