 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] block vs. reject in LAN rules
 Date:  Sun, 3 Jun 2007 23:23:38 -0400
On 6/3/07, krt <kkrrtt at gmail dot com> wrote:
> Worm/Malicious traffic is the leading cause these days - the worms don't
> tend to care about TCP responses/timeouts (but by default they have to
> track some things somehow, so they will run out of resources
> eventually, somewhere along the path).
> Rejects are an additional step (generate response, send response) but
> still perform a drop.  The additional step adds load.  When an outbreak
> of some random worm occurs, it's conceivable that the firewall will be
> generating (or attempting to generate) thousands of rejects per second.

That's a good point as well, though the types of worms that beat
networks to death aren't really common anymore. I've only seen one
actual infection in the last 2-3 years of something of that nature.
The 2-3 years prior to that they were rampant. Now things have moved
more towards what makes money, and pummeling networks to death is a
guaranteed way to get your malware removed and is hence
counterproductive to the bad guys' current goals.

It's something to consider, but in most well-controlled networks I
wouldn't worry about it. If it's a network where you don't control the
machines at all, like most university networks, hot spots, and things
of that nature, then it may make sense.