> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Michael D. Berger
> Sent: Friday, December 23, 2005 3:50 PM
> To: netfilter
> Subject: DROP TCP output to HTTP attackers?
>
> Using -j QUEUE, I DROP http packets that I don't like, and I
> DROP all subsequent packets from the offending ipAddress.
> Using ethereal, I note that when I DROP, I send tcp FIN
> packets. Therefore, I added -j QUEUE to the OUTPUT filter,
> and I block all OUTPUT to the offending ipAddress, including
> the tcp FIN packets, as confirmed with ethereal. I just
> deployed this in the last 30 minutes. My preliminary
> observation, thanks to an obliging attacker, is that I get
> less follow-up junk with the OUTPUT filter blocked, although
> there did appear to be a few anomalies, that I assume are due
> to timing issues.
>
> Any opinions on this procedure?
>
> Thanks,
> Mike.
> --
> Michael D. Berger
> m.d.berger@xxxxxxxx

My only comment would be that for proxy users (AOL, for instance) you may end up dropping legitimate traffic. The risk/reward of that is something you'll have to determine for yourself.

Derick Anderson