On Jan 6, 2011, at 2:03 PM, Matthew Petach wrote:
I think what people are trying to say is that it doesn't matter whether or not your host is easily findable or not, if I can trivially take out your upstream router.
A good reason to see if there's a way to solve that (which there is, I'm sure).
That's part of it - the other part is that the host will be found, irrespective of attempts to 'hide' it.
Sorry, but I see this as not grasping a fundamental security concept. You're not trying for DHS/TSA-style all-threats-always-prevented threat elimination. How many times do we have to learn that this isn't a practical goal? You want to make things more difficult for an attacker while providing usability for authorized users. Making a host harder to find (or more specifically to address from remote) is a worthwhile goal.

Learn from history. Ten years ago, we *knew* DNS was "weak" due to the ultimate reliance on the transaction ID. There weren't enough bits there to protect a DNS server against certain types of attacks, but those were deemed to be impractical at the time; time passes, CPUs got faster, upstream connections got faster, and suddenly some guy "discovers" that he can get a DNS server to do bad things if he floods it. So now our best current practices have us using more bits, in the form of random source ports, to help out there. Even that's not a comprehensive fix - definitely won't be in another 20 years, when bandwidth, CPU, and pps rates have all seen a factor of 10000 increase again - but it's helpful for the time being.

Things like 4941 take that a lot further, and provide enough bits to make both range scanning and scanning via learned addresses less useful techniques. The fact that you might be able to find a host somehow anyways doesn't lessen the value of making it harder for an attacker to find that host to begin with. This is basic security, whether or not you approve of it. You're trying to make it harder for bad guys. There are lots of security techniques that I don't like, too, or may disapprove of for one reason or another. NAT anyone? :-)

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again."
- Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
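To put numbers on the "more bits" argument in the message above (16-bit DNS transaction ID, roughly 16 more bits from source-port randomisation, 64-bit random interface identifiers per RFC 4941), here is an added example that is not part of the thread. It estimates the average guessing effort for each keyspace at a given probe rate and the factor-of-10000 speedup the author anticipates, and builds an RFC 4941-style temporary address (the probe rates and the 2001:db8::/64 prefix are assumed sample values).

```python
import os
import ipaddress

# Keyspace sizes discussed in the thread, in bits an attacker has to guess.
DNS_TXID_BITS = 16       # classic DNS transaction ID
DNS_SRC_PORT_BITS = 16   # randomised source port (approximate; ephemeral range is a bit smaller)
IPV6_IID_BITS = 64       # RFC 4941 random interface identifier within a /64


def expected_guesses(bits: int) -> int:
    """Average number of probes before hitting one valid value: half the keyspace."""
    return 2 ** (bits - 1)


def expected_seconds(bits: int, probes_per_second: float) -> float:
    """Average time to a hit when guessing blindly at the given probe rate."""
    return expected_guesses(bits) / probes_per_second


def effort_table(probes_per_second: float, speedup: float = 10000.0) -> dict:
    """Seconds-to-hit for each keyspace, today and after the anticipated speedup."""
    spaces = {
        "dns txid only": DNS_TXID_BITS,
        "dns txid + random source port": DNS_TXID_BITS + DNS_SRC_PORT_BITS,
        "ipv6 random iid (rfc 4941)": IPV6_IID_BITS,
    }
    return {
        name: (expected_seconds(bits, probes_per_second),
               expected_seconds(bits, probes_per_second * speedup))
        for name, bits in spaces.items()
    }


def random_iid_rfc4941() -> int:
    """64-bit random interface identifier with the universal/local bit cleared.

    RFC 4941 numbers the leftmost bit 0 and clears bit 6 (the u/g bit of the
    first octet); counting from the least significant bit that is bit 57.
    """
    iid = int.from_bytes(os.urandom(8), "big")
    return iid & ~(1 << 57)


def temporary_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an interface identifier into a full address."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen == 64, "RFC 4941 identifiers fill the low 64 bits of a /64"
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    for name, (now, later) in effort_table(1e5).items():   # assumed: 100k probes/s today
        print(f"{name:32s} now: {now / 86400:14.3e} days   x10000: {later / 86400:14.3e} days")
    print(temporary_address("2001:db8::/64", random_iid_rfc4941()))   # constructed prefix
```

The 64-bit row stays in the hundreds of thousands of years even after the speedup, which is the point the author makes about RFC 4941 versus the 16- and 32-bit DNS cases.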