-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The message from MA flowed forth with these words:
> When an exploit is found and everybody uses reject, more computers can be
> scanned for the exploitable program/service at the same time... I don't
> see why we should make it easy for the script kids...
> [...]


As shown, that's no advantage. One could generate many, many parallel ICMPs
and wait for the one timeout period. Quite the opposite of Your
proposition is true: Ident, e.g., helps You to identify the "bad guys" in
Your network - supposed You got a properly configured network. DENY for
ident renders such information useless, because DENIED packets won't get
logged anymore. So - one could even say You're going to protect the "bad
guys".

- From a more or less "psychological point of view" it's even worse
concerning the traffic load: the curious "bad guy" would try to go on. So
it's better to explicitly tell him to go away.

- --
mental floss prevents moral decay
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE//XIZwGaWYjpgASMRAs41AKCsOUY0sllFBTmLIrYi9ZxgSH5viACcDyYv
ogd9opzM8Upwwp8BdjaDmJk=
=ogTH
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
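The DENY versus REJECT choice the post argues about, as an added example that is not part of the original post: both policies for the ident service (TCP port 113) written as iptables rules. The `ipt` dry-run wrapper, the `ident-probe:` log prefix and the rate limit are assumptions made for this example; the rule syntax itself is standard iptables.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): the two ident (TCP/113)
# firewall policies the thread argues about, expressed as iptables rules.
# Assumptions: a Linux host with iptables; IDENT_PORT, the log prefix and
# the rate limit are constructed for this example. Set DRY_RUN=1 to print
# the rules instead of applying them, so they can be reviewed without root.
IDENT_PORT=113

# Wrapper: print the rule when DRY_RUN is set, otherwise apply it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Silent DENY: the probe gets no answer, the client sits in its timeout,
# and nothing is recorded about who asked.
ident_deny() {
    ipt -A INPUT -p tcp --dport "$IDENT_PORT" -j DROP
}

# Explicit REJECT: log each new connection attempt (rate-limited so a
# flood cannot fill the log), then answer with a TCP RST so the client
# learns at once that the port is closed and stops retrying.
ident_reject() {
    ipt -A INPUT -p tcp --syn --dport "$IDENT_PORT" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "ident-probe: "
    ipt -A INPUT -p tcp --dport "$IDENT_PORT" -j REJECT --reject-with tcp-reset
}

# Usage: DRY_RUN=1 . ./ident-rules.sh; ident_reject   (review the rules)
#        . ./ident-rules.sh; ident_reject              (apply them as root)
```

The REJECT variant answers with a TCP RST rather than an ICMP port-unreachable because TCP clients treat a RST as a definitive "closed" and give up immediately, which is the "explicitly tell him to go away" behaviour the post prefers; the LOG rule placed in front of it keeps the record of who probed, the information the post says a silent DENY throws away.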