DROP TCP output to HTTP attackers?

Using -j QUEUE, I DROP http packets that I don't like,
and I DROP all subsequent packets from the offending
ipAddress.  Using ethereal, I note that when I DROP,
I send tcp FIN packets.  Therefore, I added -j QUEUE
to the OUTPUT filter, and I block all OUTPUT to the
offending ipAddress, including the tcp FIN packets,
as confirmed with ethereal.  I just deployed this in
the last 30 minutes.  My preliminary observation, thanks
to an obliging attacker, is that I get less follow-up
junk with the OUTPUT filter blocked, although there
did appear to be a few anomalies, that I assume are due to
timing issues.

Any opinions on this procedure?

Thanks,
Mike.
--
Michael D. Berger
m.d.berger@xxxxxxxx 
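
The verdict logic described in the message above, modelled offline in Python as an added example that is not part of the original post. The `BAD_PATTERNS` signature, the function names and the sample packets are assumptions constructed for illustration; on a live system the two handlers would receive packets from the userspace queue fed by the `-j QUEUE` rules.

```python
import socket
import struct

NF_DROP, NF_ACCEPT = 0, 1        # netfilter verdict values
BAD_PATTERNS = (b"/cmd.exe",)    # assumption: stand-in for "http packets that I don't like"
blocked = set()                  # offending IP addresses seen so far

def parse_ipv4_tcp(pkt):
    """Return (src, dst, tcp_flags, payload) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    data_off = (pkt[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return src, dst, pkt[ihl + 13], pkt[ihl + data_off:]

def input_verdict(pkt):
    """INPUT queue: drop disliked HTTP requests and everything later from that source."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return NF_ACCEPT
    src, _, _, payload = parsed
    if src in blocked:
        return NF_DROP
    if any(p in payload for p in BAD_PATTERNS):
        blocked.add(src)
        return NF_DROP
    return NF_ACCEPT

def output_verdict(pkt):
    """OUTPUT queue: drop anything addressed to a blocked source, FIN packets included."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is not None and parsed[1] in blocked:
        return NF_DROP
    return NF_ACCEPT

def build_packet(src, dst, flags, payload=b""):
    """Constructed sample packet: fixed ports, zero checksums, no IP or TCP options."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp
```
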



