Lars Noodén:
> On 11/06/2013 01:26 PM, mick wrote:
>> I disagree. Dropping all traffic other than that which is explicitly required is IMHO a better practice. (And how do you know in advance which ports get attacked?)
> Using reject instead of drop simplifies troubleshooting.
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> Drop tends to get in the way.
I agree with the above document, but on really low-end hardware (hi, I'm the resident Raspberry Pi person ;)), and with consumer routers, REJECT can also cause problems during a Tor SYN flood by consuming resources on both the relay and the router.
Since I *do* agree with REJECTing when possible, I do a two-stage approach and only DROP hosts which have proven themselves more aggressive than I can deal with during an overload condition. This saves some resources to keep the relay alive.
Best,
-Gordon M.
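The two-stage policy Gordon describes, as an added iptables example that is not from the thread or from any poster: everything unwanted is REJECTed so troubleshooting stays easy, but a source that opens too many connections to the ORPort inside a short window is flagged and silently DROPped for a while, so a SYN flood stops costing the relay and the router a reset per packet. The ORPort (9001), SSH port, thresholds, ban duration and the chain name AGGRESSIVE are assumptions; the burst of 20 stays within xt_recent's default ip_pkt_list_tot.

```shell
#!/bin/sh
# Added example: two-stage REJECT/DROP ruleset in iptables-restore format.
# build_rules ORPORT BURST BAN_SECONDS prints the ruleset; nothing is applied
# unless the script is run as root with --apply.
build_rules() {
  or_port="${1:-9001}"      # assumed ORPort
  burst="${2:-20}"          # new connections per source per window before flagging
  ban="${3:-600}"           # seconds a flagged source stays on the DROP list
  window=60                 # counting window for the burst, in seconds
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:AGGRESSIVE - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Stage 2: a source already flagged as aggressive is dropped before any REJECT can fire
-A INPUT -p tcp --syn -m recent --name aggressive --rcheck --seconds ${ban} -j DROP
# Count SYNs to the ORPort per source (no target: the rule only records and continues)
-A INPUT -p tcp --syn --dport ${or_port} -m recent --name orsyn --set
# Past the burst within the window, hand the source to the AGGRESSIVE chain
-A INPUT -p tcp --syn --dport ${or_port} -m recent --name orsyn --rcheck --seconds ${window} --hitcount ${burst} -j AGGRESSIVE
-A INPUT -p tcp --dport ${or_port} -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# Stage 1: everything else is REJECTed so misconfigured clients fail fast
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Flagging puts the source on the DROP list and drops the triggering packet
-A AGGRESSIVE -m recent --name aggressive --set -j DROP
COMMIT
EOF
}

if [ "$1" = "--apply" ]; then
  build_rules "${2:-9001}" "${3:-20}" "${4:-600}" | iptables-restore
else
  build_rules "${1:-9001}" "${2:-20}" "${3:-600}"
fi
```

Run without arguments to review the generated ruleset; `--apply` pipes it into iptables-restore, which replaces the current filter table.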