RE: FreeBSD DDoS protection

Board: FB_security | Posted: 2013/04/27 12:34
khatfield@... writes:
> Please read the rest of the thread before criticizing.

Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.

-- 
I FIGHT FOR THE USERS

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
Article code (AID): #1HUrLC0S (FB_security)
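
Added example, not part of the original message and not a configuration published by the FreeBSD project: a pf.conf ruleset that follows the policy described in the message, rejecting prohibited traffic with TCP RST or ICMP unreachable by default and keeping silent drops for sources flagged during an active denial of service. The interface name, table name, service ports and rate limits are assumptions chosen for illustration.

```conf
# /etc/pf.conf (constructed example; adjust names and numbers to the host)

ext_if = "em0"                    # assumption: external interface name

# Sources to black-hole during an active DoS (assumed table name).
# Can also be filled by hand: pfctl -t ddos_sources -T add 192.0.2.10
table <ddos_sources> persist

# Default action for "block" rules that do not say otherwise:
# TCP gets a RST, UDP gets an ICMP unreachable.
set block-policy return
set skip on lo0

# Black hole: no RST, no ICMP, so flagged sources do not make
# this host generate reply traffic while an attack is in progress.
block drop in quick on $ext_if from <ddos_sources>

# Primary policy: everything not explicitly allowed is rejected with the
# proper destination-unreachable signal, so legitimate clients fail fast
# instead of waiting for a timeout.
block return in log on $ext_if all
pass out on $ext_if keep state

# Do not filter ICMP wholesale: allow echo requests, and let
# unreachable (which carries path-MTU "need fragmentation") and
# time-exceeded messages through.
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach, timex }

# SSH (assumed service), stateful.
pass in on $ext_if proto tcp to port 22 keep state

# Web services (assumed ports). A source exceeding 100 new connections
# in 10 seconds (assumed threshold) is moved into the black-hole table
# and its existing states are flushed.
pass in on $ext_if proto tcp to port { 80, 443 } keep state \
    (max-src-conn-rate 100/10, overload <ddos_sources> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and review the table with `pfctl -t ddos_sources -T show` so that overloaded addresses are expired once the attack is over.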