Ben Cressey said:

>> To hide a host is always very stupid, why should you do this? There is
>> no advantage. If you "hide" your computer an attacker knows there is a
>> stupid guy who doesn't know anything about network security.
>
> You're rather free with calling people "stupid" with little to no
> justification. One could as easily turn it around and ask "why should my
> server reply at all to connection attempts to ports I am not running any
> services on?"
>
> If I am just running a web server, nobody has any business connecting to
> any port besides 80/tcp and 443/tcp. ICMP traffic is fine, but what
> legitimate purpose is there in attempting a connection to another tcp
> port? If I was running another service at that IP address, it would be
> advertised through the appropriate channels. Users would (obviously) not
> need to run a port scan to discover it.
>
> Since the person is trying to connect to a port they have no business
> connecting to, I don't see why my server should send out a packet in
> reply. It's not about hiding the server or some fictitious security gain --
> although as someone pointed out replying to potentially spoofed source
> addresses could be leveraged into some form of DoS attack. While the
> chances of this are probably not high, they are precisely *zero* if you
> don't bother to reply in the first place.
>

The post above is probably the most logical post on this subject to this
list so far. No one is slowing down the "net" or causing problems for
other people by using DROP instead of REJECT. Calling people stupid
because they don't follow your interpretation of the RFC does nothing but
lower your credibility on the subject. Instead of throwing insults at
people, how about you just stick to sharing valid information? Like was
said above, people have no reason to connect to a closed port on my
servers. If I choose to DROP that connection attempt instead of REJECT
it, then that is my choice and I don't really care if it causes problems
for that person. I see no reason to waste *my* bandwidth in sending a
reply back to a person that most likely has no valid reason for trying to
connect to that closed port. People might say that it is "polite" to send
a reply back, but why should I be polite to an uninvited and unwanted
connection attempt on a port that isn't even open?

Trevor

--
gentoo-security@g.o mailing list
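As an added illustration of the DROP-versus-REJECT choice argued in this thread (example code written for this page, not posted by Trevor, Ben Cressey or anyone on the list), the POSIX shell function below emits an iptables-restore ruleset for a host that only serves 80/tcp and 443/tcp and allows ICMP, in either a DROP or a REJECT variant. The open ports and the ICMP policy come from the quoted post; the use of Linux iptables with the conntrack match, and the rule layout, are my assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread). Emits an iptables-restore
# ruleset for a host that advertises nothing but HTTP and HTTPS.
# Assumptions: Linux, iptables with the conntrack match available.
#
# Usage: web_server_ruleset DROP   > rules.v4   (discard everything else silently)
#        web_server_ruleset REJECT > rules.v4   (answer with RST / port-unreachable)
# Apply with: iptables-restore < rules.v4

web_server_ruleset() {
    policy="${1:-DROP}"
    case "$policy" in
        DROP|REJECT) ;;
        *) echo "usage: web_server_ruleset DROP|REJECT" >&2; return 2 ;;
    esac

    # iptables-restore ignores lines starting with '#', so the comments
    # below can stay in the generated file.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and flows we already accepted are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (stray ACKs, bogus flag combinations)
# are discarded silently in both variants: answering them is exactly what
# a spoofed-source reflection attempt would count on.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP stays open (path MTU discovery, ping), as the post allows.
-A INPUT -p icmp -j ACCEPT
# The only services this host advertises.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
EOF

    if [ "$policy" = "REJECT" ]; then
        # REJECT variant: closed TCP ports get a RST, everything else an
        # ICMP port-unreachable. Every such reply costs outbound bandwidth
        # and goes to whatever source address the packet claimed.
        cat <<EOF
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
    fi
    # DROP variant: the chain policy ':INPUT DROP' handles everything that
    # did not match above, and no reply packet is generated at all.
    echo "COMMIT"
}

# Count the rules in a ruleset (read from stdin) that make the kernel send
# a reply for unwanted traffic. For the DROP variant this is zero, which
# is the property the post is after.
count_reply_rules() {
    grep -c -- '-j REJECT' || true
}
```

The script only generates the ruleset; loading it needs root and `iptables-restore`. Whichever variant is loaded, the `INVALID` rule stays a plain DROP, because those packets are the ones most likely to carry a forged source address and least likely to belong to any real client.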