From: Mipam <mipam@ibb.net>
To: freebsd-security@freebsd.org
Date: Wed, 5 May 2004 12:50:09 +0200 (MET DST)
Subject: worms and fw sending rst's instead of drop
List-Id: Security issues [members-only posting]

Hi,

I was wondering how some of you think about some issues regarding block policies in firewalls. Basically you can choose a firewall to send resets back as an answer to probes etc. to disallowed ports, or you can choose a firewall to drop the packets. In general I think just dropping is the better one. Consider the latest worms like Blaster and Sasser. How many hits would some firewalls encounter on blocked ports from such worms on busy networks? If a firewall has to send resets upon each hit, the firewall is very busy sending out resets. On very busy firewalls it may even lead to a serious degree of resource starvation? Simply dropping these probes wouldn't cause these problems because no answer is generated. Of course, another possibility is to limit the amount of resets you're sending back.

Like: if I have to send more than n resets back I won't, meaning that resets are not sent back on all packets. But I don't think firewalls support such a feature yet? Moreover, worms like Blaster and Sasser spread way too fast for manual intervention. An IDS would have to intervene, I guess. How difficult would it be for an IDS to notice that in such a short time so much traffic from and to certain ports (e.g. 445) is being generated, and block the stuff because such an amount has to be an anomaly? I guess it's the only way to remedy such problems. Of course traffic shaping helps as well.

Bye, Mipam.
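The two mechanisms the message asks about, a cap on how many resets the firewall sends back and an anomaly check that flags a host sweeping port 445, can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from the original message, from FreeBSD, or from any firewall product. The log format (`timestamp action proto src:port dst:port`), the sample log lines, the host addresses and the names `RstLimiter`, `respond_to_probes` and `detect_scanners` are all constructed for illustration; the limiter is a plain token bucket and the detector counts distinct destinations per source inside a sliding time window.

```python
import re
from collections import Counter, defaultdict, deque

# Simplified, constructed log format: "<unix_ts> <action> <proto> <src>:<sport> <dst>:<dport>"
LINE_RE = re.compile(r"^(\d+) (\w+) (\w+) (\S+):(\d+) (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": int(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def build_sample_log():
    """Constructed data (not a real capture): host 10.0.0.5 sweeps port 445 across
    40 addresses in 8 seconds, worm-style; host 10.0.0.7 makes two ordinary SMB
    connections and a few web requests."""
    base = 1083754800
    lines = [f"{base + i // 5} Deny TCP 10.0.0.5:{1024 + i} 192.0.2.{10 + i}:445"
             for i in range(40)]
    lines.append(f"{base + 2} Deny TCP 10.0.0.7:3001 192.0.2.50:445")
    lines.append(f"{base + 30} Deny TCP 10.0.0.7:3002 192.0.2.51:445")
    lines += [f"{base + i} Accept TCP 10.0.0.7:{4000 + i} 198.51.100.1:80"
              for i in range(5)]
    return lines


class RstLimiter:
    """Token bucket deciding per blocked probe whether to answer with a reset or
    silently drop: at most `burst` resets at once, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def decide(self, ts):
        if self.last is None:
            self.last = ts
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return "reset"
        return "drop"


def respond_to_probes(limiter, timestamps):
    """Run a sequence of probe arrival times through the limiter; return the
    count of resets sent versus probes dropped."""
    return Counter(limiter.decide(t) for t in timestamps)


def detect_scanners(lines, port=445, window=60, threshold=20):
    """Flag sources that touch at least `threshold` distinct destinations on
    `port` within any `window`-second span. Returns {src: ts_first_flagged}."""
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == "TCP" and e["dport"] == port]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    flagged = {}
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"]))
        while q and q[0][0] < e["ts"] - window:
            q.popleft()
        if e["src"] not in flagged and len({d for _, d in q}) >= threshold:
            flagged[e["src"]] = e["ts"]
    return flagged


if __name__ == "__main__":
    # 100 probes in the same second: only the burst of 20 gets a reset.
    print(respond_to_probes(RstLimiter(rate=10, burst=20), [0.0] * 100))
    # Only the sweeping host is reported; the two-connection host is not.
    print(detect_scanners(build_sample_log()))
```

The limiter answers the first burst of probes normally, so legitimate clients still get a prompt reset, while a flood past the refill rate is dropped instead of amplified into an equal flood of outbound resets. The detector keys on distinct destinations rather than raw packet count, which separates a host sweeping a subnet from one retrying a single server; the threshold and window are tuning knobs, not recommended values.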