List Archive: gentoo-security
Alexander Schreiber wrote:
> On Thu, Jan 08, 2004 at 06:57:28PM +0100, Daniel Privratsky wrote:
>>1) If you don't receive a "destination unreachable" packet, you know
>>nothing about the target host yet. This is not a perfect-network world.
>>There can be other fw/router anywhere in the way, killing this type of
>>2) It slows scans a lot.
> Only for people too stupid for doing port scans (a rare defect even
> among script kiddies).
Hmmm, a little schizophrenic situation. Are we talking about a mass scan
seeking live systems in some IP space or a directed attack to your
For the first scenario it is a useful protection. No response still
means the system is down; the attacker will hardly waste time on detailed investigation.
For the second scenario, it's useful too. Timeout waiting will slow him
>>You can of course do scanning in parallel, but
>>don't be surprised, when you find yourself killed with no mercy by IDS,
>>after matching SYN threshold. 1000+ syns/sec from an IP address to a monitored
>>system is a sure ban.
> Cool. Your IDS just banned the IPs of your customers' mail-, web- and
> proxy-servers. Spoofing IP addresses just to mess with such automatic
> systems is easy.
Nonsense. Such an active-response IDS is primarily site protection. It
detects incoming SYNs, not outgoing.
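The SYN-rate threshold argued over above (1000+ SYNs/sec from one source address to a monitored system triggers a ban), together with the objection that the source address of a SYN is spoofable, as an added example that is not from this thread or from any Gentoo tool. The packet records, the function name and the allowlist handling are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_seconds, src_ip, dst_ip, tcp_flags).
# Not captured traffic; the addresses and timings are made up for this example.
SAMPLE = (
    # 1500 SYNs from one source within 0.75 s: well over the 1000/s threshold
    [(i * 0.0005, "203.0.113.9", "192.0.2.10", "S") for i in range(1500)]
    # 40 SYNs in 0.4 s from another source: a busy but legitimate-looking client
    + [(0.1 + i * 0.01, "198.51.100.4", "192.0.2.10", "S") for i in range(40)]
    # an ACK from the noisy source; not a connection attempt, so never counted
    + [(0.2, "203.0.113.9", "192.0.2.10", "A")]
)


def syn_sources_over_threshold(records, threshold=1000, window=1.0,
                               allowlist=frozenset()):
    """Return (flagged, skipped).

    flagged: {src_ip: peak SYN count} for sources that sent more than
             `threshold` SYNs to the monitored network inside any sliding
             `window` seconds.  Only incoming SYN segments ('S') count, which
             is what an active-response IDS at the site border watches.
    skipped: sources that crossed the threshold but are on `allowlist`.
             Because a SYN's source address is trivially spoofable, an
             automatic ban keyed on it can cut off the site's own mail, web
             or proxy servers; those are exempted and reported instead.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of SYNs in the window
    flagged = {}
    skipped = set()
    for ts, src, _dst, flags in sorted(records, key=lambda r: r[0]):
        if flags != "S":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop SYNs older than the window
            q.popleft()
        if len(q) > threshold:
            if src in allowlist:
                skipped.add(src)
            else:
                flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged, skipped


if __name__ == "__main__":
    print(syn_sources_over_threshold(SAMPLE))
    print(syn_sources_over_threshold(SAMPLE, allowlist={"203.0.113.9"}))
```

Banning on `flagged` alone reproduces the thread's trade-off: a source can push any address it likes over the threshold, so the allowlist (or a rate limit instead of a ban) is what keeps the response from being turned against the site's own servers.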