The REJECT target rejects the packet. If you do not specify which ICMP message to reject with, the server by default will send back ICMP port unreachable (type 3, code 3).

--reject-with modifies this behaviour to send a specific ICMP message back to the source host. You can find information about --reject-with and the available rejection messages in man iptables:

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type

The type given can be:

  • icmp-net-unreachable
  • icmp-host-unreachable
  • icmp-port-unreachable
  • icmp-proto-unreachable
  • icmp-net-prohibited
  • icmp-host-prohibited or
  • icmp-admin-prohibited (*)

which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).

(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
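The following is an added example, not code from the answer above or from the iptables project. It builds `iptables -A ... -j REJECT` command lines in Python and checks them against the constraints the quoted man page states (REJECT is not valid in the nat-only PREROUTING/POSTROUTING chains, `tcp-reset` is only valid on TCP-only rules, and the `--reject-with` name must be one of the listed ICMP types). It only emits the commands rather than running them, since applying them requires root and alters the host firewall; the sample policy and the 192.0.2.0/24 network are constructed for illustration.

```python
"""Emit iptables REJECT rules with a validated --reject-with type (added example)."""
import shlex

# Rejection messages listed in the iptables man page; port-unreachable is the default.
ICMP_REJECT_TYPES = {
    "icmp-net-unreachable", "icmp-host-unreachable", "icmp-port-unreachable",
    "icmp-proto-unreachable", "icmp-net-prohibited", "icmp-host-prohibited",
    "icmp-admin-prohibited",
}
# REJECT is only valid in INPUT, FORWARD, OUTPUT and user-defined chains called from them.
NAT_ONLY_CHAINS = {"PREROUTING", "POSTROUTING"}


def reject_rule(chain, proto=None, dport=None, source=None, reject_with=None):
    """Return an 'iptables -A ...' command line, or raise ValueError for an invalid rule."""
    if chain in NAT_ONLY_CHAINS:
        raise ValueError(f"REJECT is not valid in the {chain} chain")
    if dport is not None and proto not in ("tcp", "udp"):
        raise ValueError("--dport needs -p tcp or -p udp")
    if reject_with == "tcp-reset":
        if proto != "tcp":
            raise ValueError("tcp-reset is only valid on rules matching the TCP protocol")
    elif reject_with is not None and reject_with not in ICMP_REJECT_TYPES:
        raise ValueError(f"unknown --reject-with type: {reject_with}")

    parts = ["iptables", "-A", chain]
    if proto:
        parts += ["-p", proto]
    if dport is not None:
        parts += ["--dport", str(dport)]
    if source:
        parts += ["-s", source]
    parts += ["-j", "REJECT"]
    if reject_with:
        parts += ["--reject-with", reject_with]
    return shlex.join(parts)


def rule_error(**kwargs):
    """Return the validation error message for a candidate rule, or None if it is valid."""
    try:
        reject_rule(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def example_policy():
    """Constructed sample policy (addresses are from the RFC 5737 documentation range)."""
    return [
        # Ident probes from mail hosts get a TCP RST, the use case the man page cites.
        reject_rule("INPUT", proto="tcp", dport=113, reject_with="tcp-reset"),
        # No --reject-with: the kernel answers with ICMP port unreachable (type 3, code 3).
        reject_rule("INPUT", proto="udp", dport=161),
        # Forwarded traffic from one subnet is refused with an explicit admin-prohibited message.
        reject_rule("FORWARD", source="192.0.2.0/24", reject_with="icmp-admin-prohibited"),
    ]


if __name__ == "__main__":
    print("\n".join(example_policy()))
```

Remember the footnote from the man page when choosing `icmp-admin-prohibited`: on a kernel that does not support it the rule silently behaves as DROP, so the sender sees a timeout rather than an immediate error.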


  • How does a JTI prevent a JWT from being replayed?
  • How often should the JTI field be regenerated? On every request? or only when a new token is generated?

I believe the answers to these two questions will depend on the application itself.

For example, if it has been programmed to only receive messages that have a unique JTI, then a replay of the same JTI can be ignored by the application.

The JTI would be regenerated in this case when it is valid for the same message to be repeated.


Great question. I think the RFC text is a little confusing.

If the JWT is intercepted in some API call, this token can of course be used again and again (unless the application creates one-time-use JWTs, but that kind of defeats the purpose of JWTs). This is not the kind of "replay attack" that JTIs protect against.

Cryptographic nonces "can be used just once", so it's only a nonce in the sense that it shouldn't be used in two separate JWT synthesizations. They're more like TLS certificate serial numbers.

I would say that JTIs make it easier for an API developer to do 2 things:

  • Store other information server-side related to a particular JWT: who requested it, from where, how many times has it been used, etc.
  • Create a server-side JWT revocation list. This can certainly make an application more secure if there are mechanisms to recognize active abuse.
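The following is an added example, not code from either answer above, that implements the two uses just listed plus the optional one-time-use policy from the first answer: a server-side registry keyed by `jti` that records who a token was issued to and how many times it has been presented, a revocation list, and a switch that turns repeated presentation of the same `jti` into a rejection. To keep it dependency-free it carries its own minimal HS256 sign/verify (a real service would use a vetted JWT library); the secret, subjects and source addresses are constructed for the demonstration, and the `now` parameter exists only so the expiry logic can be exercised deterministically.

```python
"""Server-side JTI tracking for JWTs: metadata, revocation, optional one-time use (added example)."""
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-demo-secret"  # constructed for the example; load from a secret store in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, key: bytes = SECRET) -> dict:
    """Verify the HMAC in constant time and return the claims; raise ValueError otherwise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class TokenRegistry:
    """Per-JTI server-side state: issuance metadata, use counter and a revocation list."""

    def __init__(self, one_time_use: bool = False):
        self.issued = {}        # jti -> {"sub": ..., "ip": ..., "uses": n}
        self.revoked = set()    # jti values that must no longer be accepted
        self.one_time_use = one_time_use

    def issue(self, subject: str, source_ip: str, ttl: int = 300, now=None) -> str:
        """Mint a token with a fresh jti; the jti is per token, not per request."""
        now = time.time() if now is None else now
        jti = str(uuid.uuid4())
        self.issued[jti] = {"sub": subject, "ip": source_ip, "uses": 0}
        return sign_jwt({"sub": subject, "jti": jti, "iat": int(now), "exp": int(now) + ttl})

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def accept(self, token: str, now=None) -> tuple:
        """Return (accepted, reason). A repeated jti is only refused in one-time-use mode."""
        now = time.time() if now is None else now
        try:
            claims = decode_jwt(token)
        except ValueError as exc:
            return False, str(exc)
        jti = claims.get("jti")
        if jti not in self.issued:
            return False, "unknown jti"
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if jti in self.revoked:
            return False, "revoked"
        meta = self.issued[jti]
        if self.one_time_use and meta["uses"] >= 1:
            return False, "replayed"
        meta["uses"] += 1
        return True, "ok"


if __name__ == "__main__":
    registry = TokenRegistry()
    token = registry.issue("alice", "198.51.100.7")
    print(registry.accept(token))              # (True, 'ok')
    registry.revoke(decode_jwt(token)["jti"])
    print(registry.accept(token))              # (False, 'revoked')
```

The registry answers the two questions in code form: a `jti` is generated once per token in `issue`, and whether presenting the same `jti` twice is a problem is a policy decision (`one_time_use`), not something the identifier enforces on its own. The revocation list only works because the server kept the `jti` at issuance, which is the point the second answer makes.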