I'm SO mad about computers sending ICMP Unreachable messages about closed UDP ports.
DON'T JUST GIVE AWAY WHAT PORTS YOU ARE USING
@jennamagius I'm curious what your reasoning behind this is.
@espen I'll admit to you that I'm running a remote access service after you've proven that you're authorized to access that service. Otherwise, you're an attacker, and you don't need to know shit.
@espen Strong disagree. It is absolutely not security theatre, it is surface area minimization. MS17-010 said "access denied" and EternalBlue said "Boy, there sure is a LOT of surface area on the outside of your access denied" and then pwned the shit out of services that were "denying" "access"
@espen There's going to be an unauthenticated RCE in OpenSSH some day. The only way to reduce the chance that RCE will happen is by reducing the amount of codepaths an attacker can hit without creds. The minimum codepaths possible is "Does this UDP packet contain a specific static value? If not, we have reached the end of our codepaths."
@espen The even more minimal codepath is "You don't even know where to send the knock, so you don't even have the ability to trigger that static check at will. You can run 0.00 instructions of service code"
@jennamagius we ARE talking closed ports, right? Ports where no services are running?
My apologies if I misunderstood something.
@espen I'm talking about running services that appear to be closed ports unless you can authorize yourself enough to get the service to admit that it exists.
@jennamagius Right, a system protected behind 7 port knocks. But fine, I get that we're talking about something slightly different than I thought so I'll let this be. But thanks for taking the time to explain. :)
@jennamagius I get that. I'm not certain there are any "correct" answers here, that is why I am interested in your reasoning.
Like you, I assume "everyone" is an attacker, but I also assume that anyone interested in attacking me would be able to discover what services are available with little effort. Any effort I make to mask this is little more than theater and security through obscurity. So, given that, I prefer to say "access denied, keep moving" than not responding.