Stefan Monnier (12022-07-12):
> Except that if you contact an IP address where there's no machine, you
> may get a "no route to host" error (from the router that finds out
> there's no machine at that address), whereas if that machine DROPs, then
> you'll get no message, thus indicating that there *is* something there :-)

And if the crackers are mediocre, it does not change a thing because your system is already safe from them. But if they are competent, they probably have other means to know you are there, and the absence of response will tell them you probably apply advice blindly.

And if the incoming packets are not hostile, dropping silently breaks the proper diagnostic mechanisms that would have made them stop, causing useless load on your connection.

I can go on and on and on.

Unless somebody produces a study that tries to quantify the risk and cost of each solution, I will consider "DROP not REJECT" cargo cult.

Regards,

-- 
Nicolas George
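Added example, not part of the thread: a constructed nftables ruleset showing the REJECT alternative the reply argues for, so that a well-behaved but unwanted sender receives the diagnostic (a TCP RST, or an ICMP/ICMPv6 port-unreachable for everything else) and stops retrying instead of hammering a silent host. The accepted service (SSH on port 22) and the reject rate limit are assumptions chosen for the example.

```nft
# Constructed example ruleset; load with: nft -f this_file
table inet filter {
    chain input {
        # Safety-net policy: anything the explicit rules below miss is dropped.
        type filter hook input priority 0; policy drop;

        # Usual allowances: loopback and replies to our own connections.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Assumed service for the example: SSH.
        tcp dport 22 accept

        # Answer everything else with a proper error instead of silence.
        # A rate limit keeps the reject replies from becoming a reflection
        # nuisance if someone floods us; excess packets fall through to drop.
        meta l4proto tcp limit rate 20/second reject with tcp reset
        limit rate 20/second reject with icmpx type port-unreachable
    }
}
```

With this in place a misconfigured client or a stale DNS record gets "connection refused" or "port unreachable" on the first attempt, whereas with DROP it retransmits until its own timeout expires.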