[Discuss] port-knocking
Rich Pieri
richard.pieri at gmail.com
Wed Mar 27 21:16:14 EDT 2013
--On Wednesday, March 27, 2013 8:59 PM -0400 Tom Metro
<tmetro+blu at gmail.com> wrote:
> Not merely workarounds...it's trivial to design a port knocking scheme
> that is resistant to DoS attacks.
Perhaps, but it isn't as easy to implement such a system so that its use is
transparent to users. That's not me saying that security is a tradeoff with
usability. That's me saying that you're using the wrong tool.
> Of course any public facing server is subject to DoS attacks if the
> sender can overwhelm your inbound bandwidth.
That's orthogonal to the point: your port knocking "security" wall and my
IP spoofing can subject you to DoS attacks with a handful of packets unless
you implement workarounds for the lockout. If you have to work around a
basic function of the security system just to make it usable then you're
using the wrong tool for the job.
But I repeat myself.
--
Rich P.
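The lockout DoS Rich describes above, as an added example that is not part of the original thread or of any real knock daemon: a toy port-knock state machine with a per-source lockout, modelled in Python. The knock sequence, the addresses, the failure threshold and the lockout duration are all made up for illustration. The attacker never needs a reply from the host, because a knock daemon only watches inbound packets, so the source address in the spoofed packets is whatever the attacker writes into it.

```python
from collections import defaultdict

# Assumed knock sequence for this example (hypothetical, not from the post).
KNOCK_SEQUENCE = (7000, 8000, 9000)


class KnockDaemon:
    """Minimal port-knocking state machine with an optional per-source lockout.

    Hypothetical model for illustration, not knockd or any real daemon.
    Each source IP must hit the ports in KNOCK_SEQUENCE in order. A wrong
    port resets that source's progress and counts as one failure. After
    `max_failures` consecutive failures the source is locked out for
    `lockout_seconds`, during which even a correct sequence is ignored.
    Pass max_failures=None to disable the lockout entirely.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, max_failures=3, lockout_seconds=600):
        self.sequence = sequence
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.progress = defaultdict(int)   # src_ip -> index of next expected port
        self.failures = defaultdict(int)   # src_ip -> consecutive wrong knocks
        self.locked_until = {}             # src_ip -> time the lockout expires
        self.opened = set()                # src_ips the firewall has been opened for

    def is_locked(self, src_ip, now):
        return self.locked_until.get(src_ip, 0) > now

    def knock(self, src_ip, port, now):
        """Process one inbound packet; return True if the firewall opens for src_ip."""
        if self.is_locked(src_ip, now):
            return False
        expected = self.sequence[self.progress[src_ip]]
        if port != expected:
            # Wrong port: reset progress, count a failure, maybe lock out.
            self.progress[src_ip] = 0
            self.failures[src_ip] += 1
            if self.max_failures is not None and self.failures[src_ip] >= self.max_failures:
                self.locked_until[src_ip] = now + self.lockout_seconds
            return False
        self.progress[src_ip] += 1
        if self.progress[src_ip] == len(self.sequence):
            self.progress[src_ip] = 0
            self.failures[src_ip] = 0
            self.opened.add(src_ip)
            return True
        return False


def simulate(max_failures):
    """Attacker forges the legitimate client's source address on a handful of
    wrong-port packets, then the real client sends the correct sequence.
    Returns True if the real client got in, False if the lockout blocked it."""
    daemon = KnockDaemon(max_failures=max_failures)
    victim = "203.0.113.10"   # constructed address for the legitimate client
    t = 0.0
    # Attacker: three packets with the source address spoofed to the victim's
    # IP, aimed at ports that are not the next expected knock.
    for port in (1, 2, 3):
        daemon.knock(victim, port, t)
        t += 0.001
    # Legitimate client now knocks correctly from its real address.
    result = False
    for port in KNOCK_SEQUENCE:
        result = daemon.knock(victim, port, t)
        t += 0.5
    return result


if __name__ == "__main__":
    print("with lockout, client gets in:", simulate(max_failures=3))      # False
    print("without lockout, client gets in:", simulate(max_failures=None))  # True
```

With the lockout enabled, three spoofed packets are enough to shut the real client out for the full lockout window; disabling the lockout restores access but removes the brake on sequence guessing, which is the workaround-versus-usability trade the post is arguing about.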