nanog mailing list archives
RE: Update to BCP-38?
From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Tue, 08 Oct 2019 11:53:33 -0600
On Tuesday, 8 October, 2019 11:03, William Herrin <bill () herrin us> wrote:
Limiting the server banner so it doesn't tell an adversary the exact OS- specific binary you're using has a near-zero cost and forces an adversary to expend more effort searching for a vulnerability. It doesn't magically protect you from hacking on its own. As you say, your security must not be breached just because the adversary figures out what version you're running. But viewed as one layer in an overall plan, limiting that information enhances your security at negligible cost. That's security smart.
I think your analysis is incorrect. There are two cases which are relevant: (1) The attack is non-targetted (that is, it is opportunistic) (2) The attack is targetted at you specifically. In the former (1) case, it does not matter whether the "banner" identifies the specific OS binary or not as it is irrelevant. The script either works or it does not. Even if the "banner" says "Beyond this point there be monsters" will make absolutely not one whit of difference. In the latter (2) case, it does not matter whether the "banner" identifies the specific OS binary or not as it is irrelevant. You have been targetted. All possible exploits will be attempted until success is achieved or the vat of exploits to try runs dry. So while the cost of doing the thing may be near-zero, it is not zero. All those near-zero cost things you do that have no actual advantage can add up to quite a huge total and it will be more advantageous to spend that somewhere where it will, in fact, make a difference. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
Current thread:
- RE: Update to BCP-38?, (continued)
- RE: Update to BCP-38? Keith Medcalf (Oct 03)
- Re: Update to BCP-38? Valdis Klētnieks (Oct 03)
- Re: Update to BCP-38? William Herrin (Oct 04)
- RE: Update to BCP-38? Keith Medcalf (Oct 04)
- Re: Update to BCP-38? Mike Meredith via NANOG (Oct 08)
- Re: Update to BCP-38? Rich Kulawiec (Oct 08)
- RE: Update to BCP-38? Mark Collins (Oct 08)
- RE: Update to BCP-38? Keith Medcalf (Oct 08)
- Re: Update to BCP-38? Mike Meredith via NANOG (Oct 09)
- Re: Update to BCP-38? William Herrin (Oct 08)
- RE: Update to BCP-38? Keith Medcalf (Oct 08)
- Re: Update to BCP-38? Valdis Klētnieks (Oct 08)
- Re: Update to BCP-38? Mark Collins (Oct 10)
- RE: Update to BCP-38? Keith Medcalf (Oct 08)
- Re: Update to BCP-38? Rich Kulawiec (Oct 09)
- Re: Update to BCP-38? Fred Baker (Oct 03)
- Re: Update to BCP-38? Stephen Satchell (Oct 03)
- Re: Update to BCP-38? Fred Baker (Oct 03)