[ale] Frequency of high port scans

Michael H. Warfield mhw at wittsend.com
Fri Apr 12 22:04:29 EDT 2002


On Fri, Apr 12, 2002 at 07:22:26PM -0400, Dow Hurst wrote:
> When crackers are scanning for open ports, what is the frequency of high
> port scans of normally unused ports?  Most crackers would not scan every
> port on every machine, correct?  So would having a webserver available
> on port 61235, for example, keep a webserver from being attacked based
> on current attack profiles?  Many webservers are for limited use by
> small workgroups and aren't really meant to be truly public.  I am just
> interested in current hard data on how port scans are usually
> conducted.  I would imagine this might be how security by obscurity
> could actually succeed.  I can use the kind of data that Michael H.
> Warfield posted to warn people to stay on top of patches for all
> webservers.

	Security through obscurity can never succeed.  NEVER.  For many
and varied reasons.  For the most part, security through obscurity
ensures that you will remain vulnerable (through a false sense of security)
until they come and take your carcass away...  Security through obscurity
is insecurity.

	Scanning...

	Over the years, there have been a number of notable trends.
Nobody has ever focused on scanning every possible port on a particular
IP address.  Simple fact.  Not done.  Not in all my years on the internet
have I even seen someone try other than misguided security people who
thought they had to scan everything on every box they had.  There has
simply never been anything productive in the effort.

	In the past, it was productive to scan for "well known services" on
a particular IP and this was common for a very long time.  This is what I
call a "deep scan".  Scan a single point (IP address) and scan it deep
for everything it's got.  It can be useful, particularly if you (as liveware
at a keyboard) know what's sitting in the middle of that bullseye you
just drew around that IP address.  That's just not the rule anymore...

	In the last few years it has become much more popular, orders of
magnitude more popular, to scan across as many IP addresses as possible
(and there is a black art to studying the scanning patterns in those addresses)
for only one or a few services.  This is what I personally refer to as a "wide
scan".  This actually yields a much higher "bang for the buck" especially if
you already know of some exploitable services.  Almost all autonomous worms
operate this way.  Some, such as l1on, Ramen, CodeRed, Nimda, and the sadmind
cross-platform worm, actually scan for multiple services and will exploit
what they find.  Invariably, it's a limited number of services.  But
scanning isn't the only way they propagate (and isn't even the most
productive way they propagate).  Hybrid threats (autonomous threats which
use multimodal propagation techniques) are the big problem right now and
getting bigger...

	That being said...  Hiding by using a non standard port is doomed
to failure.  Why?  Because someone has to know about it somewhere.  So
you have a web server on port 12345 (I've chosen that number for a special
reason).  Do you publish it somewhere?  Will it get sniffed from the
wire somewhere?  Will you send it to a friend in an E-Mail?  If you
don't ever use it and don't ever tell anyone about it, you MIGHT have
a half chance of hiding it, but what good is it?  But scanning is NOT
the only way these things find you.  They do glom web page requests, they
do sniff the wire, they do grouse E-Mail (and, by extension, mailing list
archives).  Sooner or later, your "hidden" port number will be known to
those you are hiding it from.  And you won't know when it happens or how
it happens or who gets it or who they give it to.  But it will happen...
What if someone just HAPPENS to come out with a backdoor on that port (12345
has a well known backdoor - did you know that)?  Did you know about it
when you set it up?  Do you know that they are scanning for it CONSTANTLY?
Another one is 31337 (Hacker code for Elite - ELEET).  Do you have a
current and up to date list of what the commonly abused high order ports
are?  Once you start using it and you get slammed by some lamer that
finds you, then what'cha'gonna'do?

	On top of all of that...  The number one way that systems get
broken into, to this day, remains social engineering.  What a friend of
mine, Rob Thomas, refers to as the "come and get me" approach.  You make
something attractive and just let people screw themselves.  That's how
all those worms got behind all those NAT devices.  Once there, they can
use other tricks to find web pages and web servers and proxies (yes, they
will even find your proxies) and continue their activities.  Once they
have glommed it (acquired it through sniffing or trickery) or groused it
(acquired it by pawing through your files) it's going to spread.  Secret
goes bye-bye...  Now what?  Change the port?  That'll be real damn useful...

	Worrying about hiding a web server from scanning is worrying
about a needle in a haystack with a tornado bearing down on your butt...
You got bigger problems and bigger things to worry about.

> Dow

> -- 
> __________________________________________________________
> Dow Hurst                   Office: 770-499-3428
> Systems Support Specialist  Fax:    770-423-6744
> 1000 Chastain Rd.
> Chemistry Department SC428  Email:dhurst at kennesaw.edu
> Kennesaw State University         Dow.Hurst at mindspring.com
> Kennesaw, GA 30144
> *********************************
> *Computational Chemistry is fun!*
> *********************************

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
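The distinction Mike draws between a "deep scan" (one target, many ports) and a "wide scan" (many targets, one or a few ports), plus his point that some high ports such as 12345 and 31337 are scanned for constantly, can be turned into a simple detection pass over firewall logs. The following is an added example written for this archive page; it is not code from the post or from the ALE list. The iptables-style log format, the sample traffic, and the classification thresholds are all assumptions constructed for illustration.

```python
"""
Classify per-source scan patterns from firewall log lines.

Added example for this page (not from the original post).  Assumptions:
  * log lines are iptables-style "SRC=... DST=... DPT=..." records
  * the sample traffic below is constructed, not captured
  * thresholds are illustrative, tune them for your own network
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?DPT=(\d+)")

# High ports the post calls out as commonly abused.  Both values are the
# default listening ports of well known Windows backdoors of that era:
# 12345 (NetBus) and 31337 (Back Orifice).
ABUSED_HIGH_PORTS = {12345: "NetBus default port", 31337: "Back Orifice default port"}

# Illustrative thresholds (assumption).
DEEP_MAX_HOSTS = 2    # "deep": at most this many targets ...
DEEP_MIN_PORTS = 10   #         ... and at least this many distinct ports
WIDE_MIN_HOSTS = 10   # "wide": at least this many targets ...
WIDE_MAX_PORTS = 3    #         ... and at most this many distinct ports


def make_line(src, dst, dpt):
    """Build one constructed iptables-style log line."""
    return (f"Apr 12 21:00:00 gw kernel: IN=eth0 SRC={src} DST={dst} "
            f"PROTO=TCP DPT={dpt}")


# Constructed sample log: one deep scan, two wide scans, one ordinary hit.
SAMPLE_LOG = (
    [make_line("203.0.113.9", "198.51.100.10", p) for p in range(20, 40)]      # 1 host, 20 ports
    + [make_line("198.18.0.5", f"198.51.100.{i}", 80) for i in range(1, 31)]   # 30 hosts, port 80
    + [make_line("192.0.2.77", f"198.51.100.{i}", 12345) for i in range(1, 11)]  # 10 hosts, backdoor ports
    + [make_line("192.0.2.77", f"198.51.100.{i}", 31337) for i in range(1, 11)]
    + [make_line("198.51.100.200", "198.51.100.10", 443)]                       # a single normal hit
)


def summarize(lines):
    """Aggregate distinct targets, distinct ports and hit count per source."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "hits": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall record we understand, skip it
        src, dst, dpt = m.group(1), m.group(2), int(m.group(3))
        rec = per_src[src]
        rec["hosts"].add(dst)
        rec["ports"].add(dpt)
        rec["hits"] += 1
    return per_src


def classify(rec):
    """Label one source's record as a deep scan, a wide scan, or neither."""
    n_hosts, n_ports = len(rec["hosts"]), len(rec["ports"])
    if n_hosts <= DEEP_MAX_HOSTS and n_ports >= DEEP_MIN_PORTS:
        return "deep"
    if n_hosts >= WIDE_MIN_HOSTS and n_ports <= WIDE_MAX_PORTS:
        return "wide"
    return "none"


def report(lines):
    """Return {src: {kind, hosts, ports, abused_ports}} for every source seen."""
    out = {}
    for src, rec in summarize(lines).items():
        out[src] = {
            "kind": classify(rec),
            "hosts": len(rec["hosts"]),
            "ports": len(rec["ports"]),
            # high ports from the abused list this source touched, sorted
            "abused_ports": sorted(p for p in rec["ports"] if p in ABUSED_HIGH_PORTS),
        }
    return out


if __name__ == "__main__":
    for src, r in report(SAMPLE_LOG).items():
        note = ", ".join(f"{p} ({ABUSED_HIGH_PORTS[p]})" for p in r["abused_ports"])
        print(f"{src:16} {r['kind']:5} hosts={r['hosts']:3} ports={r['ports']:3} {note}")
```

The pass keys on the shape of the traffic rather than on any single port: a source touching one host on twenty ports is treated as a deep scan, a source touching thirty hosts on one port as a wide scan, and the source sweeping the subnet on 12345 and 31337 is both a wide scan and a hit on the abused-port list, which is the case the post says a "hidden" web server on such a port would walk straight into.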