| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
epistula illius MA profluit verbis: |
| 5 |
> When an exploit is found and everybody use reject more computers can be |
| 6 |
> scanned for the exploitable program/service in the same time... I don't |
| 7 |
> see why we should make it easy for the script kids... |
| 8 |
> [...] |
| 9 |
|
| 10 |
|
| 11 |
As shown that's no advantage. One could generate many, many parallel ICMPs |
| 12 |
and wait for the one timeout period. Quite the opposite of Your |
| 13 |
proposition is true: Ident eg. helps You to identify the "bad guys" in |
| 14 |
Your network - supposed You got a propperly configured network. DENY for |
| 15 |
ident renders such information useless, because DENIED packets won't get |
| 16 |
logged anymore. So - one could even say You're going to protect the "bad |
| 17 |
guys". |
| 18 |
|
| 19 |
- From a more or less "psychological point of view" it's even worse |
| 20 |
concerning the traffic load: the curious "bad guy" would try to go on. So |
| 21 |
it's better to explicitly tell him to go away. |
| 22 |
|
| 23 |
- -- |
| 24 |
mental floss prevents moral decay |
| 25 |
-----BEGIN PGP SIGNATURE----- |
| 26 |
Version: GnuPG v1.2.3 (GNU/Linux) |
| 27 |
|
| 28 |
iD8DBQE//XIZwGaWYjpgASMRAs41AKCsOUY0sllFBTmLIrYi9ZxgSH5viACcDyYv |
| 29 |
ogd9opzM8Upwwp8BdjaDmJk= |
| 30 |
=ogTH |
| 31 |
-----END PGP SIGNATURE----- |
| 32 |
|
| 33 |
-- |
| 34 |
gentoo-security@g.o mailing list |
Archives