| 1 |
> > When an exploit is found and everybody use reject more computers can |
| 2 |
> > be scanned for the exploitable program/service in the same time... I |
| 3 |
> > don't see why we should make it easy for the script kids... |
| 4 |
> |
| 5 |
> As shown that's no advantage. One could generate many, many parallel |
| 6 |
> ICMPs and wait for the one timeout period. Quite the opposite of Your |
| 7 |
> proposition is true: Ident eg. helps You to identify the "bad guys" in |
| 8 |
> Your network - supposed You got a propperly configured network. DENY for |
| 9 |
> ident renders such information useless, because DENIED packets won't get |
| 10 |
> logged anymore. So - one could even say You're going to protect the "bad |
| 11 |
> guys". |
| 12 |
|
| 13 |
Then why do people run tarpits? The scanner has limited outgoing |
| 14 |
resources, having to wait for a timeout reduces the amount of ports they |
| 15 |
can scan in a specific timeframe. |
| 16 |
|
| 17 |
Whether or not you run an ident server and allow access to it is another |
| 18 |
matter. |
| 19 |
|
| 20 |
And what's to stop you logging dropped packets? |
| 21 |
|
| 22 |
|
| 23 |
regards |
| 24 |
|
| 25 |
-- |
| 26 |
gentoo-security@g.o mailing list |
Archives