iptables +block country

Markus Schönhaber ubuntu-users at list-post.mks-mail.de
Mon Aug 16 07:17:56 UTC 2010

16.08.2010 08:13, Harry Strongburg:

> I also agree with this statement. If you are having genuine problems
> with scan-bots, REJECTing them is bad. You should DROP instead.
> Why?
> 1) It makes known to them that you "exist", if they didn't already know.

You can't hide your "existence" by not answering connection requests.
If you truly didn't "exist", the last hop *before* your non-existent
machine would send a host unreachable ICMP message. The lack of this
message shows that something's there.

> 2) Wastes bandwidth sending a rejection to them.

You save the bandwidth a TCP reset / ICMP port unreachable packet would
use. OTOH, the scan-bot might try multiple times because he thinks the
probe got lost somehow. So, depending on the behaviour of the bot,
dropping probes might even use more bandwidth.

> 3) It saves their time (if their scanner program is not threaded), if
> you REJECT them.

That may be (or not).
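An added illustration of the two points argued above (not code from the thread): it models what a probe source sees for each iptables target, and the bytes one probe costs when an unanswered SYN is retransmitted. Packet sizes, the retry count and the policy names are constructed assumptions for the model.

```python
# Constructed, approximate on-wire sizes (Ethernet + IPv4 + payload headers).
SYN_BYTES = 60           # TCP SYN with typical options
RST_BYTES = 54           # bare TCP RST
ICMP_UNREACH_BYTES = 70  # ICMP error quoting the probe's IP header + 8 bytes

# What the probe source receives per policy (assumed mapping of iptables targets).
RESPONSES = {
    "REJECT-rst": "tcp-reset",              # -j REJECT --reject-with tcp-reset
    "REJECT": "icmp-port-unreachable",      # iptables' default for -j REJECT
    "DROP": None,                           # -j DROP: silence, the probe times out
    "NO-HOST": "icmp-host-unreachable",     # nothing at the address: the last router answers
}


def what_observer_learns(response):
    """Silence is itself a signal: a truly absent host would have produced an
    ICMP host unreachable from the last hop, so a timeout means something is there."""
    if response == "icmp-host-unreachable":
        return "no host at this address"
    if response in ("tcp-reset", "icmp-port-unreachable"):
        return "host up, port closed or rejected"
    if response is None:
        return "host up, silently dropping (not unreachable, so something is there)"
    raise ValueError(f"unknown response {response!r}")


def bytes_on_wire(policy, syn_retries=6):
    """Total bytes exchanged for one probe. Assumes the prober behaves like a
    normal TCP stack and retransmits an unanswered SYN `syn_retries` times
    (6 is the Linux default for net.ipv4.tcp_syn_retries); a bot that never
    retries is modelled with syn_retries=0."""
    response = RESPONSES[policy]
    if response is None:
        return SYN_BYTES * (1 + syn_retries)
    if response == "tcp-reset":
        return SYN_BYTES + RST_BYTES
    return SYN_BYTES + ICMP_UNREACH_BYTES


if __name__ == "__main__":
    for policy, response in RESPONSES.items():
        print(f"{policy:11s} {bytes_on_wire(policy):4d} bytes  ->  {what_observer_learns(response)}")
```

With the default retry count DROP costs more bytes per probe than either REJECT variant; only a bot that never retransmits makes DROP the cheaper choice.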
