
Website Technology Issues Forum

    
Invalid Packets and firewalls: to drop or not to drop?
1script




msg:4574218
 11:46 pm on May 14, 2013 (gmt 0)

How do you guys treat invalid IP packets in your firewall settings? I've looked into this after losing all of the traffic from Verizon Wireless this past weekend. I am not sure if this was the issue but after I removed the DROP rule for invalid packets, I can now connect from a smartphone (it goes through IPv6 -> IPv4 tunnel, which might have been what was throwing the firewall off). Oddly though, the packets don't get logged as INVALID (log is turned on for invalid packets) and yet as soon as I removed DROP for INVALID, I could connect.

Anyway, the broader issue here is this: until I set up that log file for invalid packets, I had no idea how common they were! I am seeing completely legit requests from the likes of Microsoft Corp. (Bingbot) that show up as INVALID in iptables and therefore were dropped. I would say about 10-20% of all Bingbot requests register as INVALID by iptables. I don't possess enough networking knowledge to find out exactly why they are marked as INVALID but I think something is not right here - the point is, by dropping all INVALID packets, there may be a tremendous amount of false positives.

So, what does this esteemed community think about dropping or allowing all INVALID IP packets? On one hand they are an attack vector, on another there seem to be some important false positives. Good idea to log them but not drop them?

 

1script




msg:4574222
 12:10 am on May 15, 2013 (gmt 0)

Forgot to mention another important source of invalids: Facebook! All 100% of the packets generated by facebookexternalhit/1.1 are marked as INVALID by iptables.
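As an added example (not part of the original posts), one way to triage a log of INVALID packets like the one described in the thread, so that the log-versus-drop decision rests on what the packets actually are. The `INVALID: ` log prefix, the bucket names and the flag-based heuristic are assumptions of this sketch, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's iptables LOG layout. The "INVALID: "
# prefix is an assumed --log-prefix; addresses are documentation ranges.
SAMPLE_LOG = """\
May 14 23:40:01 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=52 PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
May 14 23:40:07 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=52 TTL=52 PROTO=TCP SPT=51240 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
May 14 23:41:12 web kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=412 TTL=47 PROTO=TCP SPT=40022 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
May 14 23:41:15 web kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=52 TTL=47 PROTO=TCP SPT=40022 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0
May 14 23:41:20 web kernel: ACCEPTED: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40100 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_line(line, prefix="INVALID: "):
    """Return a dict for one logged packet, or None if the prefix is absent."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    fields = dict(FIELD.findall(body))
    flags = {tok for tok in body.split() if tok in TCP_FLAGS}
    return {"src": fields.get("SRC"), "dpt": fields.get("DPT"), "flags": flags}

def classify(pkt):
    """Heuristic bucket: which INVALID packets could be part of a live request?"""
    f = pkt["flags"]
    if "PSH" in f or "SYN" in f:
        return "possible-request"   # data or handshake: dropping may hurt clients
    if f & {"FIN", "RST"}:
        return "teardown"           # close/reset for a flow conntrack no longer holds
    if f == {"ACK"}:
        return "bare-ack"
    return "other"

def summarize(log_text, prefix="INVALID: "):
    """Count logged INVALID packets per (source address, bucket)."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line, prefix)
        if pkt:
            counts[(pkt["src"], classify(pkt))] += 1
    return counts

if __name__ == "__main__":
    for (src, bucket), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {bucket:17} {n}")
```

Sources whose INVALID packets fall only in the `teardown` or `bare-ack` buckets are unlikely to be losing requests to a DROP rule; entries in `possible-request` are the ones worth capturing and inspecting before deciding.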

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved