On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:

> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>
>> Packing everything densely is an obvious problem with IPv4; we learned early
>> on that having a 48-bit (32 address, 16 port) space to scan made
>> port-scanning easy, attractive, productive, and commonplace.
>
> I don't believe that host-/port-scanning is as serious a problem as you seem
> to think it is, nor do I think that trying to somehow prevent hosts from being
> host-/port-scanned has any material benefit in terms of security posture;
> that's our fundamental disagreement.
>

You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.

> If I've done what's necessary to secure my hosts/applications,
> host-/port-scanning isn't going to find anything to exploit
> (overly-aggressive scanning can be a DoS vector, but there are ways to
> ameliorate that, too).
>

And there are ways to mitigate ND attacks as well.

> If I haven't done what's necessary to secure my hosts/applications, one way
> or another, they *will* end up being exploited - and the faux
> security-by-obscurity offered by sparse addressing won't matter a bit.
>

Sparse addressing is a win for much more than just rendering scanning useless, but making scanning useless is still a win.

Owen
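The two points the thread turns on, as an added example that is not part of the original exchange or anyone's code: the size of the space a scanner has to cover in dense IPv4 (the 48-bit address-plus-port figure Joe Greco cites) versus a sparse IPv6 /64, and a defender's detector for the "host scan followed by port sweep" pattern Owen describes. The flow-record format, the sample addresses (RFC 5737 / RFC 3849 documentation ranges) and the detection thresholds are assumptions chosen for the illustration.

```python
"""Scan-space arithmetic and host/port-sweep detection over flow records.

Added example for the sparse-addressing discussion; all input is constructed.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_network

# Assumed minimal flow record: source address, destination address, destination port.
Flow = namedtuple("Flow", "src dst dport")


def scan_cost_seconds(prefix, ports, probes_per_second):
    """Seconds needed to probe every (address, port) pair in `prefix` at a fixed rate.

    This is the economics behind the thread: a dense IPv4 /24 with all 65536
    ports is seconds of work, while a single IPv6 /64 is beyond reach even at
    a million probes per second.
    """
    return ip_network(prefix).num_addresses * ports / probes_per_second


def build_sample_flows():
    """Constructed flows: one source sweeps hosts on tcp/22, then sweeps ports on
    the host that answered; a second source is ordinary HTTPS traffic."""
    flows = []
    for i in range(1, 11):  # horizontal (host) sweep on one port
        flows.append(Flow("203.0.113.7", f"198.51.100.{i}", 22))
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        flows.append(Flow("203.0.113.7", "198.51.100.5", port))  # vertical (port) sweep
    flows.append(Flow("203.0.113.9", "198.51.100.5", 443))  # benign
    flows.append(Flow("203.0.113.9", "198.51.100.6", 443))  # benign
    return flows


def detect_sweeps(flows, host_threshold=8, port_threshold=8):
    """Flag sources that touch many hosts on one port (host sweep) or many ports
    on one host (port sweep). Thresholds are assumed tuning values.

    Returns a list of (kind, src, target, count) tuples.
    """
    hosts_by_src_port = defaultdict(set)
    ports_by_src_dst = defaultdict(set)
    for f in flows:
        hosts_by_src_port[(f.src, f.dport)].add(f.dst)
        ports_by_src_dst[(f.src, f.dst)].add(f.dport)

    findings = []
    for (src, port), hosts in sorted(hosts_by_src_port.items()):
        if len(hosts) >= host_threshold:
            findings.append(("host_sweep", src, f"port {port}", len(hosts)))
    for (src, dst), ports in sorted(ports_by_src_dst.items()):
        if len(ports) >= port_threshold:
            findings.append(("port_sweep", src, dst, len(ports)))
    return findings


if __name__ == "__main__":
    rate = 1_000_000  # assumed probes per second
    v4 = scan_cost_seconds("198.51.100.0/24", 65536, rate)
    v6 = scan_cost_seconds("2001:db8::/64", 1, rate)
    print(f"IPv4 /24 x 65536 ports at {rate}/s: {v4:.1f} s")
    print(f"IPv6 /64, one port, at {rate}/s: {v6 / 31_557_600:.3e} years")
    for finding in detect_sweeps(build_sample_flows()):
        print(finding)
```

The detector keys on distinct destinations per (source, port) and distinct ports per (source, destination), which is the shape Owen's "host scanning followed by port sweeps" takes in flow data; on the sample it reports the sweeping source twice and stays quiet on the benign one. The arithmetic shows why the /64 figure matters even though, as Roland notes, sparse addressing is not itself a control on the hosts that are found.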