On Wed, 16 Mar 2005 16:54:39 +0000, Matthew Byng-Maddick
<exim@???> wrote:
>On Wed, Mar 16, 2005 at 05:51:16PM +0100, Marc Haber wrote:
>> It might be a good idea to be RFC compliant. So, if an ident request
>> comes in, be nice and reject it, or answer it. Dropping it without
>> rejecting will grant you that nice delay, which is _your_ fault.
>
>"but then people can probe our network"

I trust _you_ that _you_ know you're joking.

For the archive, better let's make it explicitly clear: Rejecting a
connection attempt does not reveal any more information than dropping
the connection attempt gives. A "drop" gives an attacker the
information that something is there. And that it is desperately trying
to be invisible.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
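
An added example, not part of the original post or of Exim: a minimal RFC 1413 responder for the "answer it" option discussed above. It replies at once with an ERROR, so the connecting mail server does not sit in a timeout, and it never discloses a user name. The function and class names and the unprivileged test port 1113 are assumptions of this example.

```python
import re
import socketserver

# RFC 1413 query line: "<port-on-server> , <port-on-client>" ended by CRLF.
QUERY_RE = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_QUERY = 1000  # bound the request line so a client cannot feed us forever


def ident_reply(line: bytes) -> bytes:
    """Return the ERROR reply for one query line, or b"" to just close."""
    m = QUERY_RE.match(line.rstrip(b"\r\n"))
    if not m:
        # Choice made in this example: no parseable port pair, so say
        # nothing and close. The peer still gets a prompt end of stream.
        return b""
    server_port, client_port = int(m.group(1)), int(m.group(2))
    valid = 1 <= server_port <= 65535 and 1 <= client_port <= 65535
    # HIDDEN-USER and INVALID-PORT are error tokens defined by RFC 1413.
    err = b"HIDDEN-USER" if valid else b"INVALID-PORT"
    return b"%d , %d : ERROR : %s\r\n" % (server_port, client_port, err)


class IdentHandler(socketserver.StreamRequestHandler):
    timeout = 5  # a silent client must not hold the connection open

    def handle(self):
        try:
            line = self.rfile.readline(MAX_QUERY)
        except OSError:  # covers socket timeouts and resets
            return
        reply = ident_reply(line)
        if reply:
            self.wfile.write(reply)


def serve(host="127.0.0.1", port=1113):
    # Assumption: 1113 for unprivileged testing; the ident service is tcp/113.
    with socketserver.ThreadingTCPServer((host, port), IdentHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```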