On Tue, 03 Feb 2004 at 09:03:31AM -0500, Rolf Kutz wrote:
> You're fooling yourself. What prevents sniffers from
> sending multiple packets at once[0]? And you're
> breaking the TCP-Protocol, which makes debugging
> much harder.

As mentioned before, it is a port-scanner. Anyhow, TCP-Reset can turn an asymmetric DoS attack/flood (one-way) into a symmetric DoS/flood because now your host is generating traffic by replying to these otherwise useless packets. You could set a limit rule on sending a TCP-Reset... I know. I am not one that enjoys people breaking RFCs, but in this case it does make *some* sense.

If someone is randomly port scanning class C's and they hit your IP, get no response from an ICMP (1) echo-request (8) and then try a few ports and get no TCP-Resets, they are likely to think you are a dead IP[1].

[1] Unless they are on your subnet and they can send an ARP request for the IP and your machine responds. The statement above assumes the attacker/researcher is not on your subnet.

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
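
The trade-off argued in the reply above, as an added example (not part of the original message): a small Python model that counts how many TCP resets a host sends back to closed-port probes under silent drop, unconditional reset, and a rate-limited reset. The token-bucket limiter, the function names and the packet rates are assumptions made for illustration.

```python
# Added illustration: reply traffic generated by closed-port probes under
# three filtering policies. All inputs are constructed sample values.

def flood(pps, seconds):
    """Constructed input: evenly spaced probe arrival times (in seconds)."""
    return [i / pps for i in range(pps * seconds)]

def rst_replies(arrivals, policy, rate=0.0, burst=0):
    """Return how many TCP RSTs the host sends for the given probe arrivals.

    policy "drop":   discard silently, never reply
    policy "reject": answer every probe with a RST
    policy "limit":  answer only while a token bucket has credit
                     (rate tokens per second, capacity burst); probes
                     arriving with an empty bucket are dropped silently.
                     The bucket is an assumed model of a "limit rule".
    """
    if policy == "drop":
        return 0
    if policy == "reject":
        return len(arrivals)
    if policy != "limit":
        raise ValueError("unknown policy: %r" % policy)
    tokens = float(burst)          # bucket starts full
    last = arrivals[0] if arrivals else 0.0
    sent = 0
    for t in arrivals:
        # Refill for the time elapsed since the previous probe, up to capacity.
        tokens = min(float(burst), tokens + (t - last) * rate)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            sent += 1
    return sent

if __name__ == "__main__":
    cases = {"flood 1000 pps x 10 s": flood(1000, 10),
             "slow scan 1 pps x 20 s": flood(1, 20)}
    for name, arrivals in cases.items():
        for policy in ("drop", "reject", "limit"):
            n = rst_replies(arrivals, policy, rate=5, burst=10)
            print("%-24s %-7s inbound=%5d outbound RST=%5d"
                  % (name, policy, len(arrivals), n))
```

In this model the limited policy caps reflected traffic during a flood, but a slow scan still receives a reset for every probe, so only the silent drop gives the "dead IP" appearance described in the message.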