Firewall Wizards mailing list archives

Re: NAK dropped SYN-packets to sender?


From: Matt Curtin <cmcurtin () interhack net>
Date: 10 Aug 1999 00:02:05 -0400

On Mon, 9 Aug 1999 09:47:30 +0200, "Frank Heinzius" <frimp () mms de> said:

Hello,

Frank> Both methods have their advantage: silent dropping gives you an
Frank> additional kinda "security by obscurity" level. The
Frank> disadvantage is that TCP stacks from the originator will do a
Frank> couple of retransmits due to the timeouts.

The "security by obscurity" isn't useful.  However, the incredible
amount of time that it would take in order to perform a traditional
network scan is very useful.

Frank> If I sent ICMP unreachable, the attacker knows that there is a
Frank> firewall mechanism which makes port scans very fast (if based on
Frank> SYN-ACK).

This can also be useful.  The fact that traffic has been redirected
doesn't mean that the original target host or service is there; it
could just be a rule that applies to the entire network, even where
hosts won't be found.

Frank> What is the common and/or most recommended way?

Both are common.  Which you choose will depend on how you want to
handle those who poke at your doors.  It sounds like you understand
the issues at hand.  If you define your requirements, you'll likely be 
able to make the decision that is best.  (It isn't like either one
will be an absolute blunder.)

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
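To put numbers on the trade-off discussed above (silent drop forcing the originator's stack through its SYN retransmit schedule versus an immediate ICMP unreachable), here is an added model that is not part of the thread. It assumes a Linux-like client stack: initial retransmission timeout of 1 s doubling on each retry, and 6 SYN retransmits before connect() gives up; the RTT and port count are constructed inputs.

```python
"""Compare the time a connecting client spends per probe when a firewall
silently DROPs a SYN versus when it REJECTs with an ICMP unreachable.

Constructed model (assumptions, not measurements):
- initial RTO 1 s, doubling after each unanswered SYN (RFC 6298 style);
- SYN_RETRIES retransmits before the client stack gives up
  (Linux default net.ipv4.tcp_syn_retries = 6);
- a rejected probe fails after a single round trip.
"""

INITIAL_RTO = 1.0   # seconds
SYN_RETRIES = 6     # retransmits after the first SYN


def retransmit_schedule(initial_rto=INITIAL_RTO, retries=SYN_RETRIES):
    """Times (s after the first SYN) at which the client sends each SYN."""
    times, t, rto = [], 0.0, initial_rto
    for _ in range(retries + 1):
        times.append(t)
        t += rto
        rto *= 2
    return times


def drop_timeout(initial_rto=INITIAL_RTO, retries=SYN_RETRIES):
    """Seconds until connect() fails when every SYN is silently dropped.
    The client waits one more (doubled) RTO after its last retransmit."""
    return sum(initial_rto * 2 ** i for i in range(retries + 1))


def reject_timeout(rtt):
    """Seconds until connect() fails when the firewall answers with
    ICMP unreachable: one round trip, no retransmits."""
    return rtt


def probe_cost(ports, policy, rtt=0.05, parallelism=1):
    """Total wall-clock seconds to probe `ports` ports under a policy,
    assuming `parallelism` probes in flight at once."""
    if policy == "drop":
        per_probe = drop_timeout()
    elif policy == "reject":
        per_probe = reject_timeout(rtt)
    else:
        raise ValueError("policy must be 'drop' or 'reject'")
    return ports * per_probe / parallelism
```

With these defaults a single dropped probe costs the originator 127 s, so the same sweep that finishes in under a minute against a rejecting firewall takes on the order of a day and a half against a silently dropping one.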


