[lug] IP Tables
karl horlen
horlenkarl at yahoo.com
Sat Sep 22 18:00:53 MDT 2007
> then the attacker can both fill your incoming and outgoing bandwidth up
> at the same time with one packet stream.
>
> With DROP, they can only fill your incoming pipe. Your machine never
> replies.

Another example of how a reply has opened my eyes to a very simple concept
that I probably would have overlooked otherwise. Thanks for the simple
insight.
> Additionally *if* your ISP were to allow a spoofed source address to
> make it to your machine, the REJECTs could be going to a third-party
> machine who'd follow the trail back to you.
>
> With DROP, you can't be used in that way.

Another nugget for me to digest.
> attacker attempting a DDoS on you is going to crush your bandwidth, but
> using you as a DDoS amplifier by messing with where your REJECTs go is
> one reason not to use REJECT, and to just DROP it if you don't want it.

You just expanded my understanding of "how" some more. :-)
> REJECT is from the days when the Internet was still a polite place with
> reasonable people.

And historically speaking, another good nugget.

Thanks, Nate
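As an added example (mine, not Nate's or Karl's, and not a ruleset from the list), here are the two choices from the thread side by side as iptables-restore fragments: one ruleset that REJECTs unwanted Internet-side traffic, and one that DROPs it and keeps REJECT only for the LAN. The interface names (eth0 toward the Internet, eth1 toward the LAN), the LAN prefix 192.168.1.0/24 and the SSH port are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Two iptables-restore rulesets for the
# same host, differing only in what happens to unwanted packets.
# Assumptions (hypothetical, not stated in the thread): eth0 faces the
# Internet, eth1 faces a LAN numbered 192.168.1.0/24, and sshd on tcp/22
# should only be reachable from the LAN.

# Variant 1: "polite" firewall. Every unwanted packet on eth0 is answered
# with a TCP RST or an ICMP error, so a flood on eth0 also fills the
# outgoing pipe, and a forged source address turns the host into a reflector
# that sends those answers to whoever owns the forged address. The DROP
# policy never fires for eth0 because the catch-all REJECT comes first.
polite_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Variant 2: "quiet" firewall. Unwanted packets from the Internet are dropped
# without a reply, so the attacker's stream costs only inbound bandwidth and
# no third party ever hears from this host. REJECT survives only on the LAN
# side, where it gives local clients a fast failure instead of a timeout;
# the anti-spoof rule on eth0 makes sure a forged LAN source arriving from
# the Internet can never reach that REJECT.
quiet_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WAN_IN - [0:0]
:LAN_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j DROP
-A INPUT -i eth0 -j WAN_IN
-A INPUT -i eth1 -s 192.168.1.0/24 -j LAN_IN
-A WAN_IN -j DROP
-A LAN_IN -p tcp --dport 22 -j ACCEPT
-A LAN_IN -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Number of rules that send a reply to a packet arriving on the WAN
# interface, i.e. the rules an Internet-side attacker can trigger.
count_wan_reject_rules() {
  "$1" | grep -c -- '-i eth0 .*-j REJECT' || true
}

# Parse a ruleset with the kernel without committing it (iptables-restore
# --test). Needs root on a Linux host; skipped anywhere else.
check_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1; then
    "$1" | iptables-restore --test
  else
    echo "iptables-restore not available; skipping kernel check" >&2
  fi
}

echo "polite: $(count_wan_reject_rules polite_ruleset) WAN-triggered REJECT rule(s)"
echo "quiet:  $(count_wan_reject_rules quiet_ruleset) WAN-triggered REJECT rule(s)"
```

Run it as a script to see how many reply-generating rules each variant exposes to the Internet side (two for the polite ruleset, none for the quiet one); on a Linux host with root, `check_ruleset quiet_ruleset` parses the ruleset with `iptables-restore --test` without loading it. The anti-spoof rule is what makes keeping REJECT on the LAN chain defensible: a packet arriving on eth0 with a 192.168.1.0/24 source is dropped before it can reach LAN_IN, so the third-party case Nate describes cannot be triggered from outside.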