tech-net archive


Re: translating Linux to NetBSD for blocking traffic



> Do you see any major downsides to these settings?

Certainly.

> the author recommends the following commands to reduce network
> attacks on a Linux host:

Faster and more effective: unplug its network connection.

I'm only half joking.  Assuming the commands do what they appear to,
this cripples its connectivity in significant ways; various things will
break.  I can only infer that the person suggesting them doesn't care
about little things like diagnostics or protocol conformance.

Disabling ICMP ECHO probably won't break much.  Most of my use of ECHO
is trying to diagnose network issues; if the admin in question is
willing to break their ability to diagnose with pings, well, I think
that's false economy/security, but it's on them.

Disabling destination-unreachables I don't entirely understand.  (Oh, I
understand what it does; I don't understand the point of it.)  It will
conceal what UDP ports are being listened to, but in a very obvious
way; I would actually expect it to _increase_ attack traffic - the
attacker won't know what's there and what isn't and is likely to try
all UDP attacks.  With unreachables, the attacker can at least have
some idea which ones aren't listening at all.

Disabling RSTs is more serious.  I suspect the author disables them to
prevent detection of which TCP ports are listening, but it won't do
that; all it will do is mean that ports which aren't listening are
silent instead of rejecting the connection.  Ports which _are_
listening will still answer normally.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
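As an added illustration of the reasoning in the reply above (this is not code from the original thread or from its author), the following simulation models what a port scanner learns from a host that suppresses TCP RSTs and ICMP destination-unreachables. It sends no packets; the HostPolicy fields, the nmap-style state names ("open", "closed", "filtered", "open|filtered") and the sample port sets are assumptions made for this example.

```python
"""Simulation of scanner-visible behaviour when a host suppresses RSTs and
ICMP unreachables.  Protocol behaviour is modelled; no packets are sent.
HostPolicy and the sample port sets are assumptions made for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class HostPolicy:
    tcp_listening: frozenset   # TCP ports with a listener
    udp_listening: frozenset   # UDP ports with a listener
    send_rst: bool = True      # False: outbound RSTs are dropped
    send_unreach: bool = True  # False: outbound ICMP port-unreachables are dropped
    answer_echo: bool = True   # False: ICMP ECHO requests are ignored


def tcp_probe(host: HostPolicy, port: int):
    """What a bare SYN to `port` elicits: 'SYN-ACK', 'RST' or None (silence).
    A listening port completes the handshake whatever the RST setting is."""
    if port in host.tcp_listening:
        return "SYN-ACK"
    return "RST" if host.send_rst else None


def udp_probe(host: HostPolicy, port: int):
    """What an empty UDP datagram to `port` elicits.  Most UDP services stay
    silent on junk input, so a listening port and a silently dropped probe
    look alike; only the port-unreachable identifies a closed port."""
    if port in host.udp_listening:
        return None
    return "ICMP-unreach" if host.send_unreach else None


def classify_tcp(reply):
    """Scanner-side interpretation of a TCP SYN probe result."""
    return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")


def classify_udp(reply):
    """Scanner-side interpretation of a UDP probe result."""
    return "closed" if reply == "ICMP-unreach" else "open|filtered"


def scan_tcp(host, ports):
    return {p: classify_tcp(tcp_probe(host, p)) for p in ports}


def scan_udp(host, ports):
    return {p: classify_udp(udp_probe(host, p)) for p in ports}


def open_tcp_ports(host, ports):
    """Listening TCP ports are found regardless of whether RSTs are sent."""
    return {p for p, s in scan_tcp(host, ports).items() if s == "open"}


def udp_attack_candidates(host, ports):
    """UDP ports an attacker cannot rule out and so would still have to try."""
    return {p for p, s in scan_udp(host, ports).items() if s != "closed"}


def ping(host):
    return host.answer_echo


def demo():
    ports = range(1, 1025)
    talkative = HostPolicy(frozenset({22, 80}), frozenset({53, 123}))
    silent = HostPolicy(frozenset({22, 80}), frozenset({53, 123}),
                        send_rst=False, send_unreach=False, answer_echo=False)
    return {
        "open_tcp_talkative": open_tcp_ports(talkative, ports),
        "open_tcp_silent": open_tcp_ports(silent, ports),
        "udp_candidates_talkative": len(udp_attack_candidates(talkative, ports)),
        "udp_candidates_silent": len(udp_attack_candidates(silent, ports)),
        "ping_silent": ping(silent),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the two effects the reply describes: the set of open TCP ports is identical whether or not the host sends RSTs (only the closed ports change from "closed" to "filtered"), while suppressing port-unreachables turns two UDP candidates into 1024, because the attacker can no longer rule anything out.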

