Matthew Woehlke wrote:
> BjÃrn Persson wrote:
> > That's obscurity, not security.
> Why is it people seem to have a problem with obscurity *on top of*
> security? What's wrong with making it as hard as possible for the "bad
It could be because you're not actually making it any harder for the bad guys,
only for yourself and for me.
> > If there's a hole in Sendmail for example,
> > then attackers trying to exploit that hole won't start by probing port
> > 26384 and then connect to port 25 only if they get an RST packet from
> > port 26384.
> ...and if I happen to not be running sendmail at the time, my machine
> will appear to not exist, rather than going on the 'try other exploits'
> list. (Especially if I happen to be not running /any/ services at the
> time and am therefore truly stealthy.)
Your address will go on the "try other exploits" list anyway, because the bad
guys know that many people think they're more secure if they're "stealthy".
They won't conclude that your machine doesn't exist. They'll only conclude
(correctly) that there's no public SMTP service at that address.
> > You're not truly "stealth" unless you drop *all* packets, at which
> > point you can just as well unplug the network cable (or turn WiFi off
> > with the kill switch).
> Not all packets, just incoming ones that don't belong to established
> connections. (I'll assume we're not talking about a black hat to whose
> server you have explicitly connected.)
You're also assuming that the attacker doesn't already own any of the other
machines in the local network, or cafÃ, or airport, or wherever you are at the
moment. If he does, he'll be able to eavesdrop your established connections,
and probably hijack them too. Even if those connections are encrypted and
authenticated he'll still discover that your machine exists, despite all your
> Besides, you didn't address the original question: if DROP is as
> non-useful as you claim, why does it exist?
I did address that question. DROP exists so I can DROP disallowed broadcast
and multicast packets and REJECT only unicast packets. If I'd REJECT broadcast
packets I'd violate some RFCs and become a traffic multiplier for DDOS attacks.
fedora-devel-list mailing list