Date: Wed, 5 May 2004 12:50:09 +0200 (MET DST)
From: Mipam <mipam@ibb.net>
To: <freebsd-security@freebsd.org>
Subject: worms and fw sending rst's instead of drop
Message-ID: <Pine.LNX.4.33.0405051236550.18504-100000@ux1.ibb.net>
Hi,

I was wondering how some of you think about some issues concerning block policies in firewalls. Basically you can choose a firewall to send resets back as an answer to probes etc. to not-allowed ports, or you can choose a firewall to drop the packets. In general I think just dropping is the better one. Consider the latest worms like Blaster and Sasser. How many hits would some firewalls encounter on blocked ports from such worms on busy networks? If a firewall has to send resets upon each hit, the firewall is very busy sending out resets. On very busy firewalls it may even lead to a serious degree of resource starvation? Simply dropping these probes wouldn't cause these problems because no answer is generated.

Of course, another possibility is to limit the amount of resets you're sending back. Like: if I have to send more than n resets back I won't, meaning resets are not sent back on all packets. But I don't think firewalls support such a feature yet?

Moreover, worms like Blaster and Sasser spread way too fast for manual intervention. An IDS would have to intervene, I guess. How difficult would it be for an IDS to notice that in such a short time so much traffic from and to certain ports (e.g. 445) is being generated and block the stuff, because such an amount has to be an anomaly? I guess it's the only way to remedy such problems. Of course traffic shaping helps as well.

Bye,

Mipam.
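The two ideas raised in the message above, a firewall that caps how many resets it sends per time window and falls back to silent drops, and an IDS-style check that flags an anomalous hit rate on one port, as a constructed Python simulation added here (not code from the original post or from any FreeBSD firewall). The max_resets/window_ms parameters, the threshold and the probe stream are assumptions chosen for illustration.

```python
from collections import deque


class ResetBudget:
    """Rate-limited 'reject' policy: answer a blocked probe with a TCP RST only
    while fewer than max_resets RSTs were sent in the last window_ms milliseconds;
    beyond that, drop silently, exactly as a plain DROP policy would."""

    def __init__(self, max_resets, window_ms):
        self.max_resets = max_resets
        self.window_ms = window_ms
        self.sent = deque()  # send times (ms) of RSTs still inside the window

    def decide(self, now_ms):
        # Expire RSTs that left the sliding window, then spend budget if any is left.
        while self.sent and self.sent[0] <= now_ms - self.window_ms:
            self.sent.popleft()
        if len(self.sent) < self.max_resets:
            self.sent.append(now_ms)
            return "rst"
        return "drop"


def simulate(probe_times_ms, max_resets, window_ms):
    """Feed probe arrival times (ms, ascending) to the policy; return (rsts, drops)."""
    budget = ResetBudget(max_resets, window_ms)
    verdicts = [budget.decide(t) for t in probe_times_ms]
    return verdicts.count("rst"), verdicts.count("drop")


def burst_detected(probe_times_ms, window_ms, threshold):
    """IDS-style check: True if some window_ms span holds >= threshold probes,
    i.e. a hit rate on one blocked port far above any normal baseline."""
    recent = deque()
    for t in probe_times_ms:
        recent.append(t)
        while recent[0] <= t - window_ms:
            recent.popleft()
        if len(recent) >= threshold:
            return True
    return False


def worm_burst(probes_per_sec, seconds):
    """Constructed probe stream: a worm hitting one blocked port at a steady rate."""
    step_ms = 1000 // probes_per_sec
    return list(range(0, seconds * 1000, step_ms))


if __name__ == "__main__":
    hits = worm_burst(1000, 2)              # 2000 probes in two seconds
    print(simulate(hits, 10, 1000))         # (20, 1980): 20 RSTs sent, 1980 dropped
    print(burst_detected(hits, 1000, 500))  # True
```

With the cap in place the firewall answers only 20 of 2000 probes, so the reset cost stays bounded no matter how hard the worm scans, while the 1980 silent drops behave exactly like a drop policy.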