FreeBSD DDoS protection
xenophon\+freebsd
xenophon+freebsd at irtnog.org
Wed Feb 13 17:51:53 UTC 2013
khatfield at ... writes:
>
> Please read the rest of the thread before criticizing.
Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
--
I FIGHT FOR THE USERS
More information about the freebsd-security
mailing list