[time] Other traffic to strange ports
Sun Dec 6 16:36:30 UTC 2009
On Dec 6, 2009, at 8:43 AM, Adrian von Bidder wrote:
> replying with ICMP packets on
> unused ports does lend itself to a bit of abuse (send TCP SYN with spoofed
> sender address to known-closed ports and you can send ICMP packets to some 3rd
> party host.) But since fewer and fewer routers will route packets with
> seriously spoofed sender addresses (i.e. not from the local net), the attack
> window is a bit narrow.
So more and more, fewer and fewer packets to closed ports are from spoofed IPs. So more and more of them are accidents. That sounds like an argument for a response.
OTOH, the ones that do have spoofed IPs are coming from places where routers and such are under the control of crackers. But I can't tell whether the return address is spoofed. That sounds like an argument for dropping them.
Since no response to a mistake is an inconvenience and response to an attack can cause harm, no response is the better choice. No?
ghe at slsware.com