Oliver Schad wrote:
> Am Donnerstag, 8. Januar 2004 18:57 schrieb mir Daniel Privratsky:
>>1) If you don't receive "destination unreachable" packet, you know
>>nothing about the target host yet. This is not perfect-network world.
>>There can be other fw/router anywhere in the way, killing this type of
>>2) It slows scans a lot. You can of course do scannig in parallel, but
>>don't be surprised, when you find yourself killed with no mercy by IDS,
>>after matching SYN threshold. 1000+ syns/sec form IP adress to
>>monitored system is sure ban.
> What the fuck...
> I don't understand this, we want to break internet standards because some
> script kids could be (under some circumstances) a little bit slower with
> their attacks, which can only be successful, when an administrator is too
> stupid to configure his systems. Is that the argumentation for breaking
> internet standards?
It is not about script kiddies. It's about security philosophy. REJECT
means system alive & port closed or firewall in the way and that IS the
information. DROP covers it with a fog of uncertainty.
Yas, it's bad to standards. Yes, it's good to security. You can choose
what is good to you.
Same applies to NAT, transparent proxies, syn defenders etc. Bad for
pure-internet utopia, but sometimes good for security.
And that's what is discussed here.
btw: I still don't get it with the icmp "destination unrechable" idea.
does it mean, that some ultra tight checkpoint firewall should be
reconfigured, to propagete to the outer space it's interfaces just
because someone tries to reach non working system? you must be joking.
firstname.lastname@example.org mailing list