FreeBSD DDoS protection

Ekkehard 'Ekki' Gehm gehm at physik.tu-berlin.de
Wed Feb 13 18:35:25 UTC 2013


Ahoi!

Am 13.02.2013 19:31, schrieb khatfield at socllc.net:
> Yes and let me clarify.
>
> If you read the rest of this discussion, all other emails, you would see that has been said already.
>

So true!

>
>
> On Feb 13, 2013, at 11:52 AM, "xenophon\\+freebsd" <xenophon+freebsd at irtnog.org> wrote:
>
>> khatfield at ... writes:
>>> Please read the rest of the thread before criticizing.
>> Let me clarify.  Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing.  I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source.  For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited.  Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
>>
>> -- 
>> I FIGHT FOR THE USERS
>>
>>
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"



More information about the freebsd-isp mailing list