> > When an exploit is found and everybody uses reject, more computers can
> > be scanned for the exploitable program/service at the same time... I
> > don't see why we should make it easy for the script kids...
>
> As shown, that's no advantage. One could generate many, many parallel
> ICMPs and wait for the one timeout period. Quite the opposite of your
> proposition is true: ident e.g. helps you to identify the "bad guys" in
> your network - supposing you've got a properly configured network. DENY for
> ident renders such information useless, because DENIED packets won't get
> logged anymore. So - one could even say you're going to protect the "bad
> guys".

Then why do people run tarpits? The scanner has limited outgoing
resources; having to wait for a timeout reduces the number of ports they
can scan in a specific timeframe.

Whether or not you run an ident server and allow access to it is another
matter.

And what's to stop you logging dropped packets?


regards

-- 
gentoo-security@g.o mailing list
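The last point in the reply above, that a DROP policy does not stop you from logging, is the one worth making concrete. With iptables the usual pattern is a `-j LOG --log-prefix "IPT-DROP: "` rule placed immediately before the `-j DROP` rule for the same match, so every dropped packet still produces a kernel log line; the "bad guy" identification the quoted poster wants from ident is then available from those lines. The script below is an added example, not code from the thread or from the Gentoo project: it parses lines in the format the iptables LOG target writes to syslog, aggregates dropped packets per source address, and flags sources that touched many distinct destination ports. The log prefix `IPT-DROP` and all sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in iptables LOG-target format. The
# "IPT-DROP: " prefix is a hypothetical --log-prefix value; addresses are
# documentation ranges. One unrelated sshd line is included so the parser
# has something to skip, and one ICMP entry shows a record without ports.
SAMPLE_LOG = """\
Mar  3 12:00:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1004 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:03 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1005 DF PROTO=TCP SPT=40005 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:03 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1006 DF PROTO=TCP SPT=40006 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:04 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1007 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 12:00:05 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 51000 ssh2
Mar  3 12:00:06 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=2001 DF PROTO=TCP SPT=33001 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 12:00:09 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=2002 DF PROTO=TCP SPT=33002 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0
"""

IDENT_PORT = 113

# Only the key=value fields this example needs are captured. The SPT/DPT
# group is optional because ICMP entries carry TYPE/CODE instead of ports.
LOG_RE = re.compile(
    r"(?P<prefix>\S+): IN=(?P<inif>\S*) .*?"
    r"SRC=(?P<src>[0-9.]+) DST=(?P<dst>[0-9.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for one iptables LOG line, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    return rec


def summarize(lines):
    """Per source address: dropped packet count, distinct TCP/UDP destination
    ports, and how many of the drops were aimed at ident (113)."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set(), "ident": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["src"]]
        entry["packets"] += 1
        if rec["dpt"] is not None:
            entry["ports"].add(rec["dpt"])
            if rec["dpt"] == IDENT_PORT:
                entry["ident"] += 1
    return dict(stats)


def find_scanners(stats, min_ports=5):
    """Sources that touched at least min_ports distinct ports. This is the
    information a DROP policy would hide if the drops were not logged."""
    return sorted(src for src, s in stats.items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for src, s in sorted(stats.items()):
        print(f"{src:16} packets={s['packets']:3} ports={len(s['ports']):3} ident={s['ident']}")
    print("port-scan candidates:", find_scanners(stats))
```

Feeding this `/var/log/messages` (or the output of `dmesg`) on a host whose DROP rules are preceded by a matching LOG rule gives the same per-source view whether the policy is DROP or REJECT; the single ident probe from a mail server stands apart from the host that walked six ports, which is the distinction the quoted poster was after.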