
RE: [cobalt-users] PortSentry works !



On Sat, 17 Mar 2001, Rodolfo Paiz wrote:

> > > Creates a route *from your host* and *to that host* which is
> >
> > Is this true? Surely if packets don't return from the
> > destination there'll be no way of knowing that the socket is
> > open and the client will timeout and terminate the connection.
> > > He can also DoS you... again, packets come in but don't go
> 
> Yes. But leaving bandwidth aside, we were talking about locking out
> undesirables; and he could request connections from sendmail until it
> shut down from high load and your "route -reject" would do *nothing* to
> protect you. That's what I meant; sorry if I didn't communicate more
> clearly.

Hmm, there are two different issues here, accepting a connection and
receiving data, and they aren't the same thing. route -reject is not as
ineffective as people seem to think: it causes a request to open a
connection to get a 'host unreachable' reply. This basically says there is
no way to get to that computer from this computer; given that reply, it's
not possible to open TCP connections, so it does in fact provide protection
that is fairly good for service connection abuses. It also, oddly,
provides some protection from DoS attacks, provided the incoming router
isn't too dumb, because the router will also see these and 'notice' there
is no route back. In theory, it should also add source-quench, though no one
pays any attention to it anymore.

The question to be asking here is, what are you going to make ipchains do
that the kernel routing logic doesn't already do?

The only other option is to send no ICMP reply, instead of
host-unreachable, so you save sending back a half dozen bytes... and you
deprive the gateway router of any clues that it shouldn't be sending you
this traffic (assuming it cares, of course).

gsh
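The 'host unreachable' reply discussed in this message, as an added example that is not part of the original post, of PortSentry, or of the cobalt-users list: a Python script that builds a TCP SYN as the kernel receives it, builds the ICMP Destination Unreachable error (type 3, code 1) that a reject route makes the kernel send back for it (RFC 792 layout: 8-byte ICMP header followed by the offending datagram's IP header plus its first 8 bytes, i.e. the TCP ports and sequence number), parses such an error back to the connection attempt it refers to, and maps "reply sent" versus "no reply" to what the connecting side's connect() sees (EHOSTUNREACH immediately, versus ETIMEDOUT after the SYN retransmits run out when the packet is silently dropped). The addresses 203.0.113.7 (the undesirable) and 198.51.100.10 (the host with the reject route) and the ports are constructed sample values; no packets are put on the wire.

```python
import errno
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_HOST_UNREACH = 1   # code: host unreachable, what a reject/unreachable route elicits


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid checksummed blob."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def syn_attempt(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """The connection request as the kernel sees it: IPv4 header + TCP SYN, no options.
    The TCP checksum is left zero; only the first 8 TCP bytes (ports, seq) get quoted back."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, socket.IPPROTO_TCP, len(tcp)) + tcp


def icmp_host_unreachable(offending: bytes, replier: str) -> bytes:
    """The reply a reject route produces: ICMP type 3 / code 1 from `replier` back to the
    offending datagram's source, quoting that datagram's IP header plus its first 8 bytes."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[: ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    offender = socket.inet_ntoa(offending[12:16])
    return ipv4_header(replier, offender, socket.IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_unreachable(packet: bytes):
    """Validate an IPv4/ICMP Destination Unreachable and recover which connection attempt
    it refers to. Returns None for anything that is not a well-formed unreachable error."""
    if len(packet) < 20 or packet[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    # Need the ICMP header (8) + quoted IP header (>= 20) + 8 quoted transport bytes.
    if len(icmp) < 36 or inet_checksum(icmp) != 0 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "code": icmp[1],
        "reply_from": socket.inet_ntoa(packet[12:16]),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "proto": inner[9],
        "sport": sport,
        "dport": dport,
    }


def client_outcome(reply):
    """What the connecting side's connect() reports: an ICMP host-unreachable error fails it
    at once with EHOSTUNREACH; no reply at all (a silent drop) leaves it retransmitting the
    SYN until the timer expires, ETIMEDOUT."""
    info = parse_icmp_unreachable(reply) if reply is not None else None
    if info is not None and info["code"] == ICMP_HOST_UNREACH:
        return errno.errorcode[errno.EHOSTUNREACH]
    return errno.errorcode[errno.ETIMEDOUT]


if __name__ == "__main__":
    syn = syn_attempt("203.0.113.7", "198.51.100.10", 40000, 25, 0x1A2B3C4D)
    reply = icmp_host_unreachable(syn, "198.51.100.10")
    print(len(reply), "bytes on the wire:", parse_icmp_unreachable(reply))
    print("rejected:", client_outcome(reply), " dropped:", client_outcome(None))
```

The parse function is the piece a monitor would keep: it checks the ICMP checksum before trusting the quoted header, so a forged or truncated error is discarded rather than attributed to a real connection attempt, and the quoted source/destination/ports tell you exactly which SYN the reject route answered.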