Re: Slow and Fast IP addresses on http ?
In message <20030616210129.GM751@reifa-wave.karrenberg.net>, Daniel Karrenberg writes:
tcp-wrapper.
Check DNS of the client address affected, forward and reverse.
It might also be port 113 -- some sites try to query your tcp port 113, and wait for a timeout if the port is firewalled. A better solution than blocking it is to send an immediate RST.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
smb@research.att.com ("Steven M. Bellovin") writes:
It might also be port 113 -- some sites try to query your tcp port 113, and wait for a timeout if the port is firewalled. A better solution than blocking it is to send an immediate RST.
people who depend on tcp/113 deserve everything stupid that happens to them. dropping SYN packets or returning a fixed string are both better than sending an immediate RST. (false confidence being valued less than low confidence.) i was rather shocked to discover tcp/113 clientness enabled by default in postfix and sendmail. but even widespread ignorance does not call for widespread coddling such as returning immediate RST's.

-- 
Paul Vixie
In the immortal words of Paul Vixie (vixie@vix.com):
It might also be port 113 -- some sites try to query your tcp port 113, and wait for a timeout if the port is firewalled. A better solution than blocking it is to send an immediate RST.
people who depend on tcp/113 deserve everything stupid that happens to them. dropping SYN packets or returning a fixed string are both better than sending an immediate RST. (false confidence being valued less than low confidence.) i was rather shocked to discover tcp/113 clientness enabled by default in postfix and sendmail. but even widespread ignorance does not call for widespread coddling such as returning immediate RST's.
What Paul said. Ident delenda est.

ftp://blank.org/pub/misc/identd.pl <-- suitable for use under inetd and tcpserver, if all else fails.

-n

------------------------------------------------------------<memory@blank.org>
"Must I pray in Hebrew?" No, and wipe that look of terror off your face. Fluency in Hebrew, of course, is vital to the proper understanding of Israeli truck driver insults. (--David Bader, "How to Be an Extremely Reform Jew")
<http://blank.org/memory/>----------------------------------------------------
On Tue, Jun 17, 2003 at 05:14:49PM +0000, Paul Vixie wrote:
smb@research.att.com ("Steven M. Bellovin") writes:
It might also be port 113 -- some sites try to query your tcp port 113, and wait for a timeout if the port is firewalled. A better solution than blocking it is to send an immediate RST.
people who depend on tcp/113 deserve everything stupid that happens to them. dropping SYN packets or returning a fixed string are both better than sending an immediate RST. (false confidence being valued less than low confidence.) i was rather shocked to discover tcp/113 clientness enabled by default in postfix and sendmail. but even widespread ignorance does not call for widespread coddling such as returning immediate RST's.
If you are the only user of your machine, feel free to return whatever you want. However, there are still people out there running these things called servers, where multiple users have accounts, and ident is a perfectly valid and useful protocol for providing some accountability against non-root abuse. You could also run a DNS server which doesn't return any kind of answer for your reverse DNS if you so desired, but you should be prepared to have the rest of the world delay your connections on certain services while they try to figure out why you can't play nice like everyone else. Any time you decide not to return an RST, you are making the decision to violate RFCs and may be punished with timeouts accordingly. Rate limiting RSTs is a perfectly valid method of handling this.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
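The three server-side options argued over in this thread (answer with a fixed string, send an immediate RST, or drop the SYN and let the client's timer expire) can be seen from the client's side with a few sockets. The following is an added example, not code posted by anyone in the thread and not the identd.pl Nathan links to. It implements a minimal RFC 1413 responder that answers every query with `ERROR : HIDDEN-USER` (the "fixed string" option), and an ident client of the kind an MTA runs, reporting which of the three outcomes it got. A loopback ephemeral port stands in for tcp/113; the "silent" listener only approximates a firewalled port from the client's point of view (the SYN is accepted rather than dropped, but the client still waits until its own timeout fires). The 25 / 5432 port pair in the query is constructed sample input.

```python
"""Minimal RFC 1413 (ident, tcp/113) fixed-string responder and client.

Added example, not code from the thread.  A loopback ephemeral port stands in
for tcp/113; the silent listener approximates a firewalled port only from the
client's point of view."""
import socket
import threading

QUERY_LIMIT = 1000  # RFC 1413 lets a server reject requests longer than this


def parse_query(line: bytes):
    """Parse an RFC 1413 request line '<server-port> , <client-port>'.

    Returns (server_port, client_port), or None if the line is malformed."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = text.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        sp, cp = (int(p.strip()) for p in parts)
    except ValueError:
        return None
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def build_reply(line: bytes) -> bytes:
    """Fixed-string policy: a well-formed query gets 'ERROR : HIDDEN-USER',
    a malformed one gets 'ERROR : INVALID-PORT'.  No username ever leaves."""
    parsed = parse_query(line)
    if parsed is None:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = parsed
    return f"{sp} , {cp} : ERROR : HIDDEN-USER\r\n".encode("ascii")


def serve_one(conn: socket.socket) -> None:
    """Read one line from an ident client, answer it, close."""
    with conn:
        conn.settimeout(5)
        buf = b""
        try:
            while b"\n" not in buf and len(buf) < QUERY_LIMIT:
                chunk = conn.recv(256)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(build_reply(buf.split(b"\n", 1)[0]))
        except OSError:
            pass


def start_listener(answer: bool = True) -> int:
    """Listen on a loopback ephemeral port (stand-in for tcp/113), return it.

    answer=True  -> the fixed-string responder above.
    answer=False -> accepts and never replies, so the client's timer decides."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep silent connections referenced so they are not closed

    def loop():
        while True:
            conn, _ = srv.accept()
            if answer:
                threading.Thread(target=serve_one, args=(conn,), daemon=True).start()
            else:
                held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """A loopback port nobody listens on: connecting to it draws an RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def ident_lookup(port: int, server_port: int, client_port: int, timeout: float) -> str:
    """What an ident client (e.g. an MTA) experiences against a given port.

    Returns the reply line, 'refused' (an RST came back at once) or
    'timeout' (nothing came back before the client gave up)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            data = b""
            while b"\n" not in data:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            return data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"


if __name__ == "__main__":
    # Constructed sample query: server port 25 (SMTP), client port 5432.
    print("fixed string:", ident_lookup(start_listener(True), 25, 5432, 2.0))
    print("RST:         ", ident_lookup(closed_port(), 25, 5432, 2.0))
    print("dropped:     ", ident_lookup(start_listener(False), 25, 5432, 0.5))
```

Only the first and second cases return to the caller immediately; the third costs the full client timeout, which is the delay the original poster was seeing on some addresses. A real deployment would bind the responder to port 113 under inetd or tcpserver, as Nathan's note suggests, and should still rate-limit it like any other unauthenticated listener.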