[ale] Frequency of high port scans

Charles Marcus CharlesM at Media-Brokers.com
Sat Apr 13 10:35:39 EDT 2002


Actually, I would argue that it can *help* - and even more importantly, what
can it *hurt*?

So, you lock down the server as much as possible, then, on *top* of that, you
use a very non-standard port - just one more little thing to frustrate the
port scans.

Of *course* anyone who relied solely on this would be a fool - but I see no
good reason *not* to use non-standard ports (for private/corporate DB access,
etc), and *very* good reasons *to* do so.

Charles


> -----Original Message-----
> From: Michael H. Warfield [mailto:mhw at wittsend.com]
> Sent: Friday, April 12, 2002 10:04 PM
> To: Dow Hurst
> Cc: ale at ale.org
> Subject: Re: [ale] Frequency of high port scans
>
>
> On Fri, Apr 12, 2002 at 07:22:26PM -0400, Dow Hurst wrote:
> > When crackers are scanning for open ports, what is the frequency of
> > high port scans of normally unused ports?  Most crackers would not
> > scan every port on every machine, correct?  So would having a
> > webserver available on port 61235, for example, keep a webserver from
> > being attacked based on current attack profiles?  Many webservers are
> > for limited use by small workgroups and aren't really meant to be
> > truly public.  I am just interested in current hard data on how port
> > scans are usually conducted.  I would imagine this might be how
> > security by obscurity could actually succeed.  I can use the kind of
> > data that Michael H. Warfield posted to warn people to stay on top of
> > patches for all webservers.
>
> 	Security through obscurity can never succeed.  NEVER.  For many
> and varied reasons.  For the most part, security through obscurity
> ensures that you will remain vulnerable (through a false sense of
> security) until they come and take your carcass away...  Security
> through obscurity is insecurity.
>
> 	Scanning...
>
> 	Over the years, there have been a number of notable trends.
> Nobody has ever focused on scanning every possible port on a particular
> IP address.  Simple fact.  Not done.  Not in all my years on the
> internet have I even seen someone try other than misguided security
> people who thought they had to scan everything on every box they had.
> There has simply never been anything productive in the effort.
>
> 	In the past, it was productive to scan for "well known services"
> on a particular IP and this was common for a very long time.  This is
> what I call a "deep scan".  Scan a single point (IP address) and scan
> it deep for everything it's got.  It can be useful, particularly if you
> (as liveware at a keyboard) know what's sitting in the middle of that
> bullseye you just drew around that IP address.  That's just not the
> rule anymore...
>
> 	In the last few years it has become much more popular, orders of
> magnitude more popular, to scan across as many IP addresses as possible
> (and there is a black art to studying the scanning patterns in those
> addresses) for only one or a few services.  This is what I personally
> refer to as a "wide scan".  This actually yields a much higher "bang
> for the buck", especially if you already know of some exploitable
> services.  Almost all autonomous worms operate this way.  Some, such as
> l1on, Ramen, CodeRed, Nimda, and the sadmind cross-platform worm,
> actually scan for multiple services and will exploit what they find.
> Invariably, it's a limited number of services.  But scanning isn't the
> only way they propagate (and isn't even the most productive way they
> propagate).  Hybrid threats (autonomous threats which use multimodal
> propagation techniques) are the big problem right now and getting
> bigger...
>
> 	That being said...  Hiding by using a non-standard port is
> doomed to failure.  Why?  Because someone has to know about it
> somewhere.  So you have a web server on port 12345 (I've chosen that
> number for a special reason).  Do you publish it somewhere?  Will it
> get sniffed from the wire somewhere?  Will you send it to a friend in
> an E-Mail?  If you don't ever use it and don't ever tell anyone about
> it, you MIGHT have a half chance of hiding it, but what good is it?
> But scanning is NOT the only way these things find you.  They do glom
> web page requests, they do sniff the wire, they do grouse E-Mail (and,
> by extension, mailing list archives).  Sooner or later, your "hidden"
> port number will be known to those you are hiding it from.  And you
> won't know when it happens or how it happens or who gets it or who
> they give it to.  But it will happen...  What if someone just HAPPENS
> to come out with a backdoor on that port (12345 has a well known
> backdoor - did you know that)?  Did you know about it when you set it
> up?  Do you know that they are scanning for it CONSTANTLY?  Another
> one is 31337 (Hacker code for Elite - ELEET).  Do you have a current
> and up to date list of what the commonly abused high order ports are?
> Once you start using it and you get slammed by some lamer that finds
> you, then what'cha'gonna'do?
>
> 	On top of all of that...  The number one way that systems get
> broken into, to this day, remains social engineering.  What a friend
> of mine, Rob Thomas, refers to as the "come and get me" approach.  You
> make something attractive and just let people screw themselves.  That's
> how all those worms got behind all those NAT devices.  Once there, they
> can use other tricks to find web pages and web servers and proxies
> (yes, they will even find your proxies) and continue their activities.
> Once they have glommed it (acquired it through sniffing or trickery) or
> groused it (acquired it by pawing through your files) it's going to
> spread.  Secret goes bye-bye...  Now what?  Change the port?  That'll
> be real damn useful...
>
> 	Worrying about hiding a web server from scanning is worrying
> about a needle in a haystack with a tornado bearing down on your
> butt...  You got bigger problems and bigger things to worry about.
>
> > Dow
>
> > --
> > __________________________________________________________
> > Dow Hurst                   Office: 770-499-3428
> > Systems Support Specialist  Fax:    770-423-6744
> > 1000 Chastain Rd.
> > Chemistry Department SC428  Email:dhurst at kennesaw.edu
> > Kennesaw State University         Dow.Hurst at mindspring.com
> > Kennesaw, GA 30144
> > *********************************
> > *Computational Chemistry is fun!*
> > *********************************
>
> 	Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
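The quoted post draws a distinction between a "deep scan" (one host, many ports) and a "wide scan" (many hosts, one or two ports), and notes that certain high ports such as 12345 and 31337 are scanned for constantly. Both observations are things a defender can pull straight out of a firewall log. The following Python is an added example; it is not part of the list thread and was not written by any of its participants. It parses constructed netfilter-style LOG lines, classifies each source address by the shape of what it touched, and flags probes to the two ports the post names. The log format, the sample addresses, the thresholds (`wide_hosts`, `deep_ports`) and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Ports the post names as commonly abused high ports (12345: well-known backdoor,
# 31337: "eleet").  Any further entries would be an assumption, so the set stops here.
KNOWN_ABUSED_PORTS = {12345, 31337}

# Constructed netfilter-style LOG lines standing in for a firewall log; not real traffic.
SAMPLE_LOG = """\
Apr 13 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4021 DPT=80 SYN
Apr 13 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=4022 DPT=80 SYN
Apr 13 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=4023 DPT=80 SYN
Apr 13 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=4024 DPT=80 SYN
Apr 13 10:01:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP SPT=4025 DPT=80 SYN
Apr 13 10:01:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.15 PROTO=TCP SPT=4026 DPT=80 SYN
Apr 13 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5001 DPT=21 SYN
Apr 13 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5002 DPT=22 SYN
Apr 13 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5003 DPT=23 SYN
Apr 13 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5004 DPT=25 SYN
Apr 13 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5005 DPT=80 SYN
Apr 13 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5006 DPT=110 SYN
Apr 13 10:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=5007 DPT=443 SYN
Apr 13 10:03:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.12 DST=203.0.113.10 PROTO=TCP SPT=6100 DPT=12345 SYN
Apr 13 10:03:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.12 DST=203.0.113.10 PROTO=TCP SPT=6101 DPT=31337 SYN
Apr 13 10:04:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=50123 DPT=443 SYN
"""

# Field names follow the netfilter LOG target; only SRC, DST and DPT are needed here.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Return (src, dst, dport) triples for every line carrying SRC/DST/DPT fields."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def classify_sources(events, wide_hosts=5, deep_ports=5):
    """Label each source by the shape of what it touched.

    'wide'  : one or two ports across at least `wide_hosts` destinations
              (the worm-style sweep the post says now dominates).
    'deep'  : at least `deep_ports` ports on a single destination
              (the older per-host service scan).
    'other' : anything else, e.g. an ordinary client.
    The thresholds are assumptions chosen for this example, not published figures.
    """
    hosts = defaultdict(set)   # src -> destinations it touched
    ports = defaultdict(set)   # src -> destination ports it touched
    for src, dst, dport in events:
        hosts[src].add(dst)
        ports[src].add(dport)

    result = {}
    for src in hosts:
        n_hosts, n_ports = len(hosts[src]), len(ports[src])
        if n_hosts >= wide_hosts and n_ports <= 2:
            kind = "wide"
        elif n_hosts == 1 and n_ports >= deep_ports:
            kind = "deep"
        else:
            kind = "other"
        result[src] = {
            "kind": kind,
            "hosts": n_hosts,
            "ports": n_ports,
            # Probes to the ports the post singles out as routinely scanned for backdoors.
            "abused_ports": sorted(ports[src] & KNOWN_ABUSED_PORTS),
        }
    return result


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src:15} {info['kind']:5} hosts={info['hosts']} "
              f"ports={info['ports']} abused={info['abused_ports']}")
```

Run directly, it prints one line per source: the sweep across six hosts on port 80 comes out as `wide`, the seven-port probe of a single host as `deep`, and the two-packet visitor to 12345 and 31337 is neither but carries a non-empty `abused_ports` list. That last column is where the post's "do you have a current and up to date list" question bites: the set here holds only the two ports the post names, and keeping it current is the operator's job.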

