DROP or REJECT

[bluesky]

I run a iptables stateful firewall box and di a little experimenting with DROP /REJECT. The results were obtained from various popular test sites such as dslreports, pcflank, grc.com, sygate.com.

1. When I used DROP as below, all test sides showed "stealthed ports" :

[rtn]

I tend to use REJECT over DROP. REJECT is more "polite" in that it sends a
message back to the source (which is configurable) saying that port/service
is unavailable. DROP just drops the packets, and the source never gets a
reply, which most applications will show as Filtered instead of Unavailable.

--rtn

[bluesky]

I scanned some mailinglist archives and the issue seemed controversial. I will quoted here a couple of opinions that favored REJECT. My stand on this issued is still undecisive:

[nikai]

[kaladis]

And since we all wouldn't be online without the RFCs, we should tend to behave according to the RFC. Ie, Reject the packets. Everything else has already been said.
_________________
Error 666: Repeated reboots failed to solve problem

Login Lanstation Corp Sysadmin - www.login-lanstation.de

[rtn]

[bluesky]

I found a pretty good paper on this subject "drop vs reject" :

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

So far, it seemed to me that the two sides used different arguments. The REJECT camp tried to explain the "why reject is better than drop". The DROP camp favors its cause around the word "stealth" and around the popularity of the test sides(grc.com, pcflank, sygate, dslreports...).

At this point, being no iptables expert, I am not sure which side is more correct. But either way, it is still acceptable. So, I really am not too worry about it but if there is a better explaination either way, I will be glad to hear it.
_________________
bluesky

"free as the wind"

[bluesky]

I looked at the "definition" of stealth at grc.com(gibson) from the "nano probe" tests:

[kaladis]

*coughs* gibson *coughs* bullshit *coughs*
_________________
Error 666: Repeated reboots failed to solve problem

Login Lanstation Corp Sysadmin - www.login-lanstation.de

[bluesky]

When I posted this same topic at dslreports, all responses were pro DROP( for stealth). Here, so far all responses have been pro REJECT. Unless we discuss the topic with facts we will not go anywhere.
_________________
bluesky

"free as the wind"

[474]

I generally favour the "DROP" approach. If my firewall receives a request to connect to a sevice that I do not offer, then it is (a) by definition, unauthorised or unwanted (b) junk or accidental traffic - there's far too much of this going around the Net due to poor stack implementations and software (Windows NT is quite appalling in this regard). I personally, do not wish to waste my time responding to either.

The spoofed argument does not apply if you have set up a proper ruleset. You should automatically drop any incoming traffic with a source IP matching a private range subnet (regardless of whether it is TCP/UDP/ICMP or where it was destined) - and these rules should be way up high before anything else gets considered. That way, you don't have to check for spoofed packets in any subsequent rules.

I can appreciate the argument that issuing a TCP RST back to an unwanted connection attempt can be seen as a kind of "shut up" response but for me, the obfuscation of not responding and not bothering to waste my bandwith dealing with and clogging the Internet with yet more pointless traffic takes precedence. By responding you make it easier for someone to put a load on your firewall just by hammering you with SYN packets, to the detriment of yourself and your users.

As for the argument that if you have any availabe services then you can't achieve full stealth anyway - true, but it's not the whole point. Not every unwanted access attempt is necessarily a script kiddie scanning every available port and looking for a way in, and such people might just probe commonly open ports. Script kiddies aren't really that clever - and they just want an easy target, IMO. Assuming such a scenario, you can conceivably appear to be invisible just by running your services on non-standard ports.

The only acception is that I send a RST on incoming IDENT/AUTH requests because it makes FTP a lot quicker - which is worth it for me. You can also run a fake identd daemon which will just respond with random IDs - which may be even more efficient.

Of course, there are valid counter-arguments - including the faking of services and open ports to make your machine look like something it is not. But for me, I'm more concerned with making sure the firewall itself is secure, that the services exposed are secure and that the whole thing is efficient.

I use OpenBSD for all of this, which confuses the hell out of nmap anyway (it is hopeless at identifying anything worthwhile about the host itself).

Just my two pence anyway ...

[Xor]

I'd like to join....

[474]

OK - I never thought I'd read something so abrasive in these forums. I'm sorry you so vehemently find everything I said disagreeable, but as I said that is my 2 pence and the general tone of the response ensures that I am sticking by it. As your reply shows mild signs of one-upmanship and remarks which seem to be contrived to contradict almost everything I could possibly have said (seeing as it is littered with quotes from myself interspersed with almost purely the negative or oh-so-slight deragatory), I believe this warrants a reply:

[Xor]

[474]

Hmm, I guess I did over-react a bit.
Obviously I was considerably angry and what seemed to me to be a picky deconstruction of my post and it resulted in my breathing fire and brimstone all over the place, which I realise isn't necessarily the best way to respond.

After a few days, I think it's safe to say I've cooled down about it. I'll try not to do it again ...

[Crg]

[erik_swanson]

Facts)
1. DROP breaks things (IDENT,FINGER...)
2. DROPping everything cannot completely hide the existence of your computer
3. DROP goes against the RFCs

My opinions)
1. Obscurity is not security
2. It's better (and easier!) to not break things in the first place then to set exceptions

I use REJECT.

[Xor]

One small token to think about it

pinging a host that does not exist says:
--($:~)-- ping 212.25.4.27
PING 212.25.4.27 (212.25.4.27) 56(84) bytes of data.
From 212.25.27.98 icmp_seq=4 Destination Host Unreachable
Fro--- 212.25.4.27 ping statistics ---

5 packets transmitted, 0 received, +2 errors, 100% packet loss, time 4000ms
m 212.25.27.98 icmp_seq=5 Destination Host Unreachable

pinging a host that blocks icmp says:
--($:~)-- ping www.ibm.com
PING www.ibm.com (129.42.16.99) 56(84) bytes of data.

--- www.ibm.com ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 17997ms

it's a difference between "nothing" and "acting as nothing"....

anyhow, it doesn't matter... or does NIMDA ping you befor it attacks? The "stealth" reason is a joke, nothing more... its like cutting of your legs, you seriously damaging a working system in the hope that a terrorist wont see you just because you are a meter smaller... forgetting that they shoot at everything that moves anyway.[/quote]

[madchaz]

My personal opinion

both are good. It's a mather of how you use them.

the polite way to use it is reject. This is good because it lets the other party know you are actively refusing connections.

this is proper responce and from legitimate connections will end up saving time, resources and bandwidth.

This, however, leaves you upen to reflected DOS attacts. Basicaly, it's someone requesting a connection to you with the wrong IP adresse. this then floods the adress that was spoofed.

Using drop will stop those and waste resources on the attacker. However, so will using a limiter on the reject.

Personaly, I use drop. I like making the anoying port scaners in my node waste there time. They know port 80 is up but the rest doesn't awnser.

It's a mather of how you look at it. If you want the easy fast way, use drop. Keeps you from being used in a reflected DOS attack and anoys port scaners. Otherwise, use reject, but for goodness' sake, use a limiter to keep from being used in a reflected DOS, or at least lower the impact of yourself.
_________________
Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.

[Xor]

[puddpunk]

You sure know how to make friends around here, dont you

[uzik]

If you want to use DROP to protect against reflected DOS attacks
perhaps the thing to do would be to write the IPTABLES rule such
that it does REJECT for the first request from each source IP and
then switches to DROP thereafter. This is polite, unless you're
abusive and keep sending repeated requests. It's not perfect,
but it's a good attempt.

I don't really feel the it's polite and it's in the RFC is a very
valid argument. There are a lot of minimal hardware boxes
with dedicated functionality. It's unreasonable to expect them
to answer queries to every possible port. That allows you
to build modular hardware that can share precious IP
addresses.

It's also unreasonable to expect existing boxes to
keep upgrading by requiring them to give polite
refusals to protocols that weren't invented yet
when the box was installed.

Thus, DROP is my choice for protocols I don't support.

[nikai]

[uzik]

I thought about the spoofed IP's but didn't think about them spoofing
me. You're pretty devious!

[SpinDizzy]

99.999% of all traffic my firewall drops is unwanted port scans/attacks, I'm more then happy to drop/tarpit this traffic and see it as doing a good deed by doing what I can to slow this traffic.

This has nothing to do with stealth, if I wanted to be stealthy, I'd configure my DNS to return 127.0.0.1 to all queries regarding my domain from those IPs not on my whitelist...