| 1 |
Ben Cressey said: |
| 2 |
>> To hide a host is always very stupid, why should you do this? There is |
| 3 |
>> no |
| 4 |
>> advantage. If you "hide" your computer an attacker knows there is an |
| 5 |
>> stupid guy who doesn't know anything about network security. |
| 6 |
> |
| 7 |
> You're rather free with calling people "stupid" with little to no |
| 8 |
> justification. One could as easily turn it around and ask "why should my |
| 9 |
> server reply at all to connection attempts to ports I am not running any |
| 10 |
> services on?" |
| 11 |
> |
| 12 |
> If I am just running a web server, nobody has any business connecting to |
| 13 |
> any |
| 14 |
> port besides 80/tcp and 443/tcp. ICMP traffic is fine, but what |
| 15 |
> legitimate |
| 16 |
> purpose is there in attempting a connection to another tcp port? If I was |
| 17 |
> running another service at that IP address, it would be advertised through |
| 18 |
> the appropriate channels. Users would (obviously) not need to run a port |
| 19 |
> scan to discover it. |
| 20 |
> |
| 21 |
> Since the person is trying to connect to a port they have no business |
| 22 |
> connecting to, I don't see why my server should send out a packet in |
| 23 |
> reply. |
| 24 |
> It's not about hiding the server or some fictitious security gain -- |
| 25 |
> although as someone pointed out replying to potentially spoofed source |
| 26 |
> addresses could be leveraged into some form of DoS attack. While the |
| 27 |
> chances of this are probably not high, they are precisely *zero* if you |
| 28 |
> don't bother to reply in the first place. |
| 29 |
> |
| 30 |
|
| 31 |
The post above is probably the most logical post on this subject to this |
| 32 |
list so far. No one is slowing down the "net" or causing problems for |
| 33 |
other people by using DROP instead of REJECT. Calling people stupid |
| 34 |
because they don't follow your interpretation of the RFC does nothing but |
| 35 |
lower your credibility on the subject. Instead of throwing insults at |
| 36 |
people, how about you just stick to sharing valid information? Like was |
| 37 |
said above, people have no reason to connect to a closed port on my |
| 38 |
servers. If I choose to DROP that connection attempt instead of REJECT |
| 39 |
it, then that is my choice and I don't really care if it causes problems |
| 40 |
for that person. I see no reason to waste *my* bandwidth in sending a |
| 41 |
reply back to a person that most likely has no valid reason for trying to |
| 42 |
connect to that closed port. People might say that it is "polite" to send |
| 43 |
a reply back, but why should I be polite to a uninvited and unwanted |
| 44 |
connection attempt on a port that isn't even open? |
| 45 |
|
| 46 |
Trevor |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-security@g.o mailing list |
Archives