Surge has built-in multiple different REJECT policies, with some subtle differences between them:
REJECT: Rejects the request; when the connection type is HTTP, an error page will be returned. (This behavior can be controlled by the show-error-page-for-reject parameter)
REJECT-TINYGIF: Rejects the request; when the connection type is HTTP, it returns a 1px GIF image response. If the connection is of other types, it is disconnected directly. This policy is mainly used for Web ad blocking.
REJECT-DROP: Rejects the request; unlike REJECT, this policy silently discards the request. Some applications have very aggressive retry logic and will immediately retry when the connection fails, causing a request storm that can waste system resources.
If a large number of requests to a particular hostname trigger the REJECT/REJECT-TINYGIF policy within a short period (the threshold for the current version is 10 times within 30 seconds), Surge will automatically upgrade the REJECT policy to the REJECT-DROP policy.
REJECT-NO-DROP: Generally, it is the same as the REJECT policy. The difference is that using this rule will not trigger the automatic upgrade behavior mentioned above.