On Wed, 06 Nov 2013 14:00:09 +0200 Lars Noodén <lars.nooden@xxxxxxxxx> allegedly wrote:

> On 11/06/2013 01:26 PM, mick wrote:
> > I disagree. Dropping all traffic other than that which is
> > explicitly required is IMHO a better practice. (And how do you know
> > in advance which ports get attacked?)
>
> Using reject instead of drop simplifies troubleshooting.
>
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
>
> Drop tends to get in the way.

Again, I disagree. But I recognise that this can be a religious decision.

My default policy is to drop rather than reject. I know that strict adherence to standards implies we should "REJECT" with a helpful ICMP error message. But doing that can mean that incoming packets with a spoofed source address can get replies sent back to that (innocent) source address. DDOS bots exploit this behaviour. I'd rather break standards than help a DDOS bot. :-)

Mick

---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
---------------------------------------------------------------------
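The trade-off argued in the message above (a DROP default sends nothing back, a REJECT default turns every closed port into a reflector that answers whatever source address the sender forged), worked as a small model. This is an added example written for this page, not code from the thread, from Mick, or from netfilter/iptables: it models only the filter's decision, not sockets or the kernel. The names Packet, decide() and reflected_to_victim(), the open-port set, the 192.0.2.0/24 "admin" range, the 203.0.113.9 host and the sample flood are all constructed for the illustration, and the reply sizes are the minimal RFC 792 ICMP port-unreachable and bare TCP RST sizes assumed by the model, not measured Linux output. The third policy, "reject-admin-only", is a middle ground the thread does not discuss: friendly rejects only for a trusted management range, silence for everyone else.

```python
"""Model of what a host's packet filter sends back to the (possibly spoofed)
source of an unsolicited packet under DROP, REJECT and a mixed policy.

Constructed illustration for this page; not iptables/netfilter code.
Assumed names: Packet, decide(), reflected_to_victim(), OPEN_PORTS, ADMIN_NET.
Reply sizes are the model's assumption (RFC 792 minimum / bare TCP RST).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source address as seen on the wire (may be forged)
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    size: int     # total bytes on the wire


# Ports this host actually serves (constructed); everything else is unsolicited.
OPEN_PORTS = {("tcp", 22), ("tcp", 9001), ("tcp", 9030)}
# Hypothetical management range that is allowed to receive REJECTs (assumption).
ADMIN_NET = ip_network("192.0.2.0/24")


def decide(policy: str, pkt: Packet) -> Optional[Packet]:
    """Return the packet the filter sends back to pkt.src, or None if silent.

    policy: "drop" (default DROP), "reject" (default REJECT), or
            "reject-admin-only" (REJECT for ADMIN_NET sources, DROP otherwise).
    """
    if (pkt.proto, pkt.dport) in OPEN_PORTS:
        return None  # accepted; the service answers, not the filter
    if policy == "drop":
        return None
    if policy == "reject-admin-only" and ip_address(pkt.src) not in ADMIN_NET:
        return None
    if policy not in ("reject", "reject-admin-only"):
        raise ValueError(f"unknown policy {policy!r}")
    if pkt.proto == "tcp":
        # REJECT --reject-with tcp-reset: bare RST, 20 (IP) + 20 (TCP) bytes
        return Packet(src=pkt.dst, dst=pkt.src, proto="tcp", dport=0, size=40)
    # UDP: ICMP port unreachable = 20 IP + 8 ICMP + quoted IP header (20)
    # + first 8 bytes of the offending datagram (RFC 792 minimum; assumption)
    return Packet(src=pkt.dst, dst=pkt.src, proto="icmp", dport=0, size=56)


def reflected_to_victim(policy: str, flood: List[Packet], victim: str) -> Tuple[int, int]:
    """Count (packets, bytes) the filter sends toward `victim` when a flood
    arrives with `victim` forged as its source address."""
    packets = total_bytes = 0
    for pkt in flood:
        reply = decide(policy, pkt)
        if reply is not None and reply.dst == victim:
            packets += 1
            total_bytes += reply.size
    return packets, total_bytes


# Constructed sample flood: a bot sends 60-byte probes to closed ports on
# 203.0.113.9 with the victim's address forged as the source, alternating
# TCP and UDP; one genuine probe from the admin range is mixed in.
VICTIM = "198.51.100.7"
HOST = "203.0.113.9"
FLOOD = [
    Packet(VICTIM, HOST, "udp" if i % 2 else "tcp", 5000 + i, 60)
    for i in range(1000)
] + [Packet("192.0.2.10", HOST, "tcp", 8443, 60)]

if __name__ == "__main__":
    for policy in ("drop", "reject", "reject-admin-only"):
        print(policy, reflected_to_victim(policy, FLOOD, VICTIM))
```

Under "drop" nothing reaches the forged source; under "reject" every closed-port probe produces a reply addressed to the victim, so the host has become a reflector for traffic it never solicited; under "reject-admin-only" the victim still gets nothing while the admin probe from 192.0.2.10 gets its RST, which preserves the troubleshooting benefit where it is wanted. Whether that compromise is worth the extra rule is the "religious" question the thread leaves open.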
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays