> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Michael D. Berger
> Sent: Friday, December 23, 2005 3:50 PM
> To: netfilter
> Subject: DROP TCP output to HTTP attackers?
>
> Using -j QUEUE, I DROP http packets that I don't like, and I
> DROP all subsequent packets from the offending ipAddress.
> Using ethereal, I note that when I DROP, I send tcp FIN
> packets. Therefore, I added -j QUEUE to the OUTPUT filter,
> and I block all OUTPUT to the offending ipAddress, including
> the tcp FIN packets, as confirmed with ethereal. I just
> deployed this in the last 30 minutes. My preliminary
> observation, thanks to an obliging attacker, is that I get
> less follow-up junk with the OUTPUT filter blocked, although
> there did appear to be a few anomalies, that I assume are due
> to timing issues.
>
> Any opinions on this procedure?

Hmmmm. I DROP everything that is suspicious and follow up with a block on that IP afterward and have never noticed any packets going out with the DROP.
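As an added illustration (not code from either poster), here is a POSIX shell helper that emits an iptables-restore fragment for the two-direction block described in the quoted message: per-address DROP rules in INPUT and OUTPUT placed ahead of the -j QUEUE rules, so the kernel discards the attacker's packets without handing them to userspace and no reply segments leave the host. The chain names, port 80, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Generates (does not apply)
# filter-table rules that block an offending address in both directions.
# Assumptions: INPUT/OUTPUT chains of the filter table, HTTP on port 80.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore fragment for the given offending addresses.
# Block rules are emitted first so they match before the QUEUE rules.
block_ruleset() {
    printf '%s\n' '*filter'
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            printf 'skipping invalid address: %s\n' "$ip" >&2
            continue
        fi
        # Inbound: drop everything from the attacker, not only HTTP.
        printf '%s\n' "-A INPUT -s $ip -j DROP"
        # Outbound: drop everything to the attacker, including FIN/RST.
        printf '%s\n' "-A OUTPUT -d $ip -j DROP"
    done
    # Remaining HTTP traffic is still handed to the userspace inspector.
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j QUEUE'
    printf '%s\n' '-A OUTPUT -p tcp --sport 80 -j QUEUE'
    printf '%s\n' 'COMMIT'
}

# Usage (sample addresses are constructed documentation ranges):
#   block_ruleset 192.0.2.10 198.51.100.7 | iptables-restore --noflush
```

Pipe the output into iptables-restore only after reviewing it; the --noflush flag keeps rules that are already loaded.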