On Jan 6, 2011, at 12:54 PM, Joe Greco wrote:
> Generally speaking, security professionals prefer for there to be more roadblocks rather than fewer.
The soi-disant security 'professionals' who espouse layering unnecessary multiple, inefficient, illogical, and iatrogenic roadblocks in preference to expending the time and effort to learn enough about *actual* security (in contrast to security theater) to Do Things Right The First Time, aren't worthy of the title and ought to be ignored, IMHO.
> If it is, and the address becomes virtually impossible to find, then we've just defeated an attack, and it's hard to see that as anything but positive.
If we had some cheese, we could make a ham-and-cheese sandwich, if we had some ham. ;>

We must face up to the reality that the endpoint *will be found*, irrespective of the relative sparseness or density of the addressing plan. It will be found via DNS, via narrowing the search scope via examining routing advertisements, via narrowing the search scope via perusing whois, via the attackers simply throwing more of their near-infinite scanning resources (i.e., bots) at these dramatically-reduced search scopes.

So, the endpoint will be found, no attack will be prevented, and we end up a) wasting wide swathes of address space for no good reason whilst b) making the routing/switching infrastructure elements far more vulnerable to DoS by turning them into sinkholes. No positive benefits, two negative drawbacks.

------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.

                -- Alan Kay
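The search-space reduction argued above can be made concrete. The following is an added example, not code from either poster or from the thread: it builds the probe list an attacker would try against one /64 once DNS, whois or routing data have revealed a little about the network, using the address patterns catalogued in RFC 7707 (low-byte, IPv4-embedded, service-port and SLAAC/EUI-64 addresses). The prefix 2001:db8::/64, the IPv4 hosts, the port list, the OUI 00:1b:21 and the botnet figures are all constructed inputs; the function names are this example's own.

```python
"""Search-space reduction for an IPv6 /64 (added example, not from the thread).

Rather than 2**64 interface identifiers, an attacker only has to probe the
address patterns operators actually use (RFC 7707). All inputs below are
constructed: prefix 2001:db8::/64, example IPv4 hosts, ports and an OUI.
"""
import ipaddress

TWO_64 = 2 ** 64


def _net(prefix):
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    return net


def _from_iid(net, iid):
    """Join a 64-bit interface identifier onto the /64 prefix."""
    return str(ipaddress.IPv6Address(int(net.network_address) | (iid & (TWO_64 - 1))))


def low_byte_candidates(prefix, count=256):
    """prefix::1, prefix::2, ...: hand-assigned routers, gateways and servers."""
    net = _net(prefix)
    return [_from_iid(net, i) for i in range(1, count + 1)]


def ipv4_embedded_candidates(prefix, v4_hosts):
    """Two common ways an IPv4 address is carried into the IID:
    prefix::c000:20a (the 32-bit value) and prefix::192:0:2:10 (one octet per hextet)."""
    net = _net(prefix)
    head = ":".join(net.network_address.exploded.split(":")[:4])
    out = []
    for host in v4_hosts:
        v4 = ipaddress.IPv4Address(host)
        out.append(_from_iid(net, int(v4)))
        a, b, c, d = str(v4).split(".")
        out.append(str(ipaddress.IPv6Address(f"{head}:{a}:{b}:{c}:{d}")))
    return out


def service_port_candidates(prefix, ports):
    """prefix::80 (port digits read as hex) and prefix::50 (port value in hex)."""
    net = _net(prefix)
    out = []
    for port in ports:
        for iid in (int(str(port), 16), int(port)):
            addr = _from_iid(net, iid)
            if addr not in out:
                out.append(addr)
    return out


def eui64_candidate(prefix, oui, serial):
    """SLAAC address for the NIC with MAC <oui>:<serial>: the U/L bit of the OUI
    is flipped and ff:fe inserted, so once the vendor (OUI) is known from a
    DNS name or a purchase order, only the 24-bit serial remains unknown."""
    net = _net(prefix)
    o = int(oui.replace(":", "").replace("-", ""), 16)
    if not 0 <= serial < 2 ** 24:
        raise ValueError("serial must fit in 24 bits")
    iid = ((o ^ 0x020000) << 40) | (0xFFFE << 24) | serial
    return _from_iid(net, iid)


def eui64_candidates(prefix, oui):
    """Lazily enumerate all 2**24 SLAAC addresses for one OUI."""
    for serial in range(2 ** 24):
        yield eui64_candidate(prefix, oui, serial)


def search_space(prefix, v4_hosts=(), ports=(), ouis=(), low_bytes=256):
    """Size of the probe list versus the 2**64 haystack the sparse-plan argument assumes."""
    n = (low_bytes
         + len(ipv4_embedded_candidates(prefix, v4_hosts))
         + len(service_port_candidates(prefix, ports))
         + len(ouis) * 2 ** 24)
    return {"candidates": n, "fraction_of_2_64": n / TWO_64}


def seconds_to_cover(candidates, bots, probes_per_second_per_bot):
    """Wall-clock time for a botnet to sweep the whole candidate list."""
    return candidates / (bots * probes_per_second_per_bot)


if __name__ == "__main__":
    p = "2001:db8::/64"
    print(low_byte_candidates(p, 3))
    print(ipv4_embedded_candidates(p, ["192.0.2.10"]))
    print(service_port_candidates(p, [22, 25, 53, 80, 443]))
    print(eui64_candidate(p, "00:1b:21", 0x123456))
    s = search_space(p, ["192.0.2.10", "192.0.2.11"], [22, 25, 53, 80, 443], ["00:1b:21"])
    print(s, "sweep with 1000 bots at 1000 pps each:", seconds_to_cover(s["candidates"], 1000, 1000), "s")
```

The EUI-64 term dominates the list, and even that is only about 2**24 probes per vendor prefix: a thousand bots sending a thousand probes a second each sweep it in under twenty seconds, which is the point about "near-infinite scanning resources" made above. Each probe into an unused address in the same /64 also forces the last-hop router to perform neighbor discovery and hold cache state, which is the sinkhole effect the message refers to.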