strange MS visits

Henry Spencer henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
Thu Dec 2 19:28:53 UTC 2004


On Thu, 2 Dec 2004, Andrew Hammond wrote:
> | big list of IPs used by the bot(s) here. time to make some new iptables
> | rules.
>
> Why DROP or REJECT when you can TARPIT?

For services where you do have a daemon that's going to answer on the
port, you can get somewhat the same effect without any patches:  pass
*only* packets that have the SYN bit set, and discard any that don't.  To
the other end, it looks like his connection succeeded, but he can't seem
to get any response from it.  To your end, the connection hasn't *quite*
succeeded yet, and so your system doesn't bother the daemon about it. 

(TCP connection setup uses a "three-way" handshake:  initiator sends a
request, responder replies with approval, initiator sends confirmation.
Only the first two of those have the SYN bit set.)

                                                          Henry Spencer
                                                       henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
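
Added example, not part of the original message: one way to express the
"pass only packets with the SYN bit set" filter as iptables rules. The function
name syn_only_rules, the INPUT chain, port 80 and the source addresses are
assumptions made for illustration; the script only prints rules for review.

```shell
#!/bin/sh
# Emit iptables rules that let only SYN-flagged TCP segments from the listed
# sources reach a local service port; every other segment from them is dropped.
# Addresses are constructed samples (RFC 5737 documentation ranges).

BOT_ADDRS="192.0.2.10 198.51.100.0/24"   # constructed sample list

# syn_only_rules PORT ADDR...
# Prints one rule per source address; this function applies nothing itself.
syn_only_rules() {
    port=$1
    shift
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2
        return 1
    fi
    for addr in "$@"; do
        # "! --tcp-flags SYN SYN" matches segments whose SYN bit is clear:
        # the handshake-completing ACK, data, FIN. The initial SYN does not
        # match, falls through to the rest of INPUT, and the kernel answers
        # it with SYN-ACK as usual. -I puts the rule ahead of existing
        # ACCEPT rules so it is evaluated first.
        printf 'iptables -I INPUT -s %s -p tcp --dport %s ! --tcp-flags SYN SYN -j DROP\n' \
            "$addr" "$port"
    done
}

# Print the rules for the sample list; review them, then run them as root.
syn_only_rules 80 $BOT_ADDRS
```

On the server each such connection sits in SYN_RECV until the kernel stops
retransmitting its SYN-ACK, so it occupies a listen-backlog slot for that long.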