[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Reject or Deny?
 Date:  Mon, 27 Jun 2005 21:07:48 -0400
On 6/27/05, Norman H. Azadian <norman at azadian dot ch> wrote:
> Here's a quote from the de.comp.security.firewall FAQ:
> Administrators who bother about script kiddies sometimes believe that they can > stop them with
DENY. This is wrong. It's possible to start several thousand 
> scans at once and therefore to wait for all timeouts at once.  A scanner wont 
> slow down because of this. 

umm...  Of course it'll slow it down.  It has to wait for timeouts
rather than immediately knowing the ports are closed.  In a quick and
dirty test over the Internet, it was 18 seconds for reject vs. 51
seconds for deny on a single IP.  If you launch 10,000 simultaneous
port scans (assuming you have the bandwidth to do so), it's still
going to take roughly 18 seconds if you're using reject, 51 seconds
for deny, for all 10,000.

Does it have a profound affect on script kiddies?  Not really, but
that's not why you do it.  Any firewall should be (IMO) completely
stealth by default, invisible from anyone probing the Internet.  You
shouldn't have to lock down your firewall after installing it to be as
secure to incoming hits as possible.  This does violate RFC's, but who
cares...  IIRC only ones written long before the Internet was a
dangerous place.

> On the other side you slow down all legitimate users and services. Specifically 
> the IDENT requests.

Not *all* legit users and services.  Only ones trying to get to ports
that aren't allowed, which isn't going to be legit traffic virtually
always anyway.  If you're doing egress filtering, you should use
reject so your users don't have to sit there and wait for a connection
to time out if it's dropped.

And the only thing I know of that sends out ident requests anymore is IRC.  

> The ident services gives the administrator of a neat system a help for identifying > misbehaving
users. DENY has the consequence that this help isn't recorded at 
> other servers. Do you want to hide spammers and script kiddies please use 

Hah.  By that methodology if you aren't running an ident daemon you're
also contributing to the decline of the Internet...  umm, ok.  When
was this written, a decade ago?  Virtually nobody runs ident anymore,
other than some IRC users.

If you want to be polite, sure, use reject.  But the Internet hasn't
been a polite place for quite some time.  And virtually everyone
you're being polite to is people trying to attack you, or worm
infected hosts.  Is anyone ever going to accidentally try to connect
to your public IP space on services you don't run?  Extremely
doubtful.  I'll leave my firewalls at deny.

On the flip side, does that bit of obfuscation really buy you much? 
Not really.  If you have ports open, they're going to find them either
way, and if you don't, it's not giving them much of anything to know
there's actually a host alive there vs. no host there.