TCP packets with RST flag set but **not** ACK flag OK??

Chris Brenton cbrenton at
Tue Apr 12 06:06:59 CEST 2005

On Mon, 2005-04-11 at 22:32, Grant Taylor wrote:
> One reason that some institutions decide to DROP versus REJECT is so that someone can not spoof their source IP while performing some sort of attack

I don't think I quite follow what you are saying. I'm not sure how using
drop or reject would have any effect on someone's ability to use your
address space as the source IP in a spoofed packet.

> the institutions system expecting the REJECT to go to the spoofed source IP thus becoming part of what I think is considered a reflected attack.

If I follow what you are saying here, the concern is the returning ICMP
host unreachables may be used as part of a DoS. Is this correct? 

If so, the concern is pretty minimal. Packet size is small, only 56
bytes in size, so bandwidth utilization is small. Unsolicited ICMP
errors are going to be quickly discarded by the receiving system, so it's
not going to cause much of a CPU hit on the target. Unfortunately there
are far too many other ways of performing a DoS that would be much more
effective and efficient.

> These issues and many more like them are some of the things that I would like to spend some more time reading about and gaining a better understanding

Ya, geek stuff is cool. :D
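As an added illustration of the exchange above (not code from either poster), a Python sketch that builds the 56-byte ICMP unreachable a REJECT rule sends back and shows the receiver-side check that lets a host discard it cheaply when the quoted packet is not one it sent; addresses, ports and the flow table are made up.

```python
import socket
import struct

# Constructed sample, not from the thread: the 56-byte ICMP error a REJECT target
# sends back (20-byte IPv4 header + 8-byte ICMP header + quoted original IPv4
# header + first 8 bytes of the original TCP segment), plus the receiver-side
# check a host applies before acting on it. Addresses are RFC 5737 documentation ranges.

def checksum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_icmp_error(sender, target, quoted_src, quoted_dst, sport, dport, code=1):
    """ICMP type 3 (unreachable); code 1 = host, code 3 = port (iptables' default)."""
    quoted = ipv4_header(quoted_src, quoted_dst, 6, 20) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, target, 1, len(icmp)) + icmp

def quoted_flow(pkt):
    """(src, sport, dst, dport) of the datagram an ICMPv4 error quotes, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] not in (3, 11, 12):   # not ICMP, or not an error type
        return None
    inner = pkt[ihl + 8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), sport, socket.inet_ntoa(inner[16:20]), dport)

def is_solicited(pkt, local_flows):
    """RFC 1122 style check: act on the error only if the quoted flow is one we own."""
    flow = quoted_flow(pkt)
    return flow is not None and flow in local_flows

# Spoofed SYN claimed to come from the victim (203.0.113.7) toward the firewall at
# 192.0.2.10; the firewall's REJECT reply lands on the victim, which never sent it.
REFLECTED = build_icmp_error("192.0.2.10", "203.0.113.7", "203.0.113.7", "192.0.2.10", 40000, 22)

if __name__ == "__main__":
    print(len(REFLECTED), "bytes; solicited:", is_solicited(REFLECTED, set()))
```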
