[ale] Frequency of high port scans

Adrin haswes at mindspring.com
Sat Apr 13 14:54:36 EDT 2002


Why not use VPNs?  Cost?  Secondly, if it is an intranet,
why even let it be accessed by outside traffic (the internet)?


-----Original Message-----
From: Charles Marcus [mailto:CharlesM at Media-Brokers.com]
To: ale at ale.org
Sent: Saturday, April 13, 2002 10:36 AM
To: Ale (E-mail)
Subject: RE: [ale] Frequency of high port scans

Actually, I would argue that it can *help* - and even more importantly, what
can it *hurt*?

So, you lock down the server as much as possible, then, on *top* of that, you
use a very non-standard port - just one more little thing to frustrate the
port scans.

Of *course* anyone who relied solely on this would be a fool - but I see no
good reason *not* to use non-standard ports (for private/corporate DB access,
etc), and *very* good reasons *to* do so.

Charles


> -----Original Message-----
> From: Michael H. Warfield [mailto:mhw at wittsend.com]
> Sent: Friday, April 12, 2002 10:04 PM
> To: Dow Hurst
> Cc: ale at ale.org
> Subject: Re: [ale] Frequency of high port scans
>
>
> On Fri, Apr 12, 2002 at 07:22:26PM -0400, Dow Hurst wrote:
> > When crackers are scanning for open ports, what is the frequency of high
> > port scans of normally unused ports?  Most crackers would not scan every
> > port on every machine, correct?  So would having a webserver available
> > on port 61235, for example, keep a webserver from being attacked based
> > on current attack profiles?  Many webservers are for limited use by
> > small workgroups and aren't really meant to be truly public.  I am just
> > interested in current hard data on how port scans are usually
> > conducted.  I would imagine this might be how security by obscurity
> > could actually succeed.  I can use the kind of data that Michael H.
> > Warfield posted to warn people to stay on top of patches for all
> > webservers.
>
>       Security through obscurity can never succeed.  NEVER.  For many
> and varied reasons.  For the most part, security through obscurity
> ensures that you will remain vulnerable (through a false sense of security)
> until they come and take your carcass away...  Security through obscurity
> is insecurity.
>
>       Scanning...
>
>       Over the years, there have been a number of notable trends.
> Nobody has ever focused on scanning every possible port on a particular
> IP address.  Simple fact.  Not done.  Not in all my years on the internet
> have I even seen someone try, other than misguided security people who
> thought they had to scan everything on every box they had.  There has
> simply never been anything productive in the effort.
>
>       In the past, it was productive to scan for "well known services" on
> a particular IP and this was common for a very long time.  This is what I
> call a "deep scan".  Scan a single point (IP address) and scan it deep
> for everything it's got.  It can be useful, particularly if you (as liveware
> at a keyboard) know what's sitting in the middle of that bullseye you
> just drew around that IP address.  That's just not the rule anymore...
>
>       In the last few years it has become much more popular, orders of
> magnitude more popular, to scan across as many IP addresses as possible
> (and there is a black art to studying the scanning patterns in those addresses)
> for only one or a few services.  This is what I personally refer to as a "wide
> scan".  This actually yields a much higher "bang for the buck", especially if
> you already know of some exploitable services.  Almost all autonomous worms
> operate this way.  Some, such as l1on, Ramen, CodeRed, Nimda, and the sadmind
> cross-platform worm, actually scan for multiple services and will exploit
> what they find.  Invariably, it's a limited number of services.  But
> scanning isn't the only way they propagate (and isn't even the most
> productive way they propagate).  Hybrid threats (autonomous threats which
> use multimodal propagation techniques) are the big problem right now and
> getting bigger...
>
>       That being said...  Hiding by using a non-standard port is doomed
> to failure.  Why?  Because someone has to know about it somewhere.  So
> you have a web server on port 12345 (I've chosen that number for a special
> reason).  Do you publish it somewhere?  Will it get sniffed from the
> wire somewhere?  Will you send it to a friend in an E-Mail?  If you
> don't ever use it and don't ever tell anyone about it, you MIGHT have
> a half chance of hiding it, but what good is it?  But scanning is NOT
> the only way these things find you.  They do glom web page requests, they
> do sniff the wire, they do grouse E-Mail (and, by extension, mailing list
> archives).  Sooner or later, your "hidden" port number will be known to
> those you are hiding it from.  And you won't know when it happens or how
> it happens or who gets it or who they give it to.  But it will happen...
> What if someone just HAPPENS to come out with a backdoor on that port (12345
> has a well known backdoor - did you know that)?  Did you know about it
> when you set it up?  Do you know that they are scanning for it CONSTANTLY?
> Another one is 31337 (Hacker code for Elite - ELEET).  Do you have a
> current and up to date list of what the commonly abused high order ports
> are?  Once you start using it and you get slammed by some lamer that
> finds you, then what'cha'gonna'do?
>
>       On top of all of that...  The number one way that systems get
> broken into, to this day, remains social engineering.  What a friend of
> mine, Rob Thomas, refers to as the "come and get me" approach.  You make
> something attractive and just let people screw themselves.  That's how
> all those worms got behind all those NAT devices.  Once there, they can
> use other tricks to find web pages and web servers and proxies (yes, they
> will even find your proxies) and continue their activities.  Once they
> have glommed it (acquired it through sniffing or trickery) or groused it
> (acquired it by pawing through your files) it's going to spread.  Secret
> go bye-bye...  Now what?  Change the port?  That'll be real damn useful...
>
>       Worrying about hiding a web server from scanning is worrying
> about a needle in a haystack with a tornado bearing down on your butt...
> You got bigger problems and bigger things to worry about.
>
> > Dow
>
> > --
> > __________________________________________________________
> > Dow Hurst                   Office: 770-499-3428
> > Systems Support Specialist  Fax:    770-423-6744
> > 1000 Chastain Rd.
> > Chemistry Department SC428  Email:dhurst at kennesaw.edu
> > Kennesaw State University         Dow.Hurst at mindspring.com
> > Kennesaw, GA 30144
> > *********************************
> > *Computational Chemistry is fun!*
> > *********************************
>
>       Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
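Michael's distinction between a "deep scan" (one address, many ports) and a "wide scan" (many addresses, one or a few ports) is also the basis of a simple detector for the defender's side of the argument: which pattern a source is following shows up in the firewall log regardless of which port the web server sits on. The Python below is an added example, not code from anyone in this thread. The iptables-style log lines, the addresses (RFC 5737 documentation ranges) and the thresholds `deep_ports` and `wide_hosts` are constructed assumptions and would be tuned to the network being watched.

```python
"""Classify scanning sources in firewall log lines as "deep" or "wide" scans.

Added example, not from the thread.  The log format mimics an iptables LOG
line; the addresses (RFC 5737 documentation ranges) and the thresholds are
constructed assumptions and would be tuned to the network being watched.
"""
import re
from collections import defaultdict

# Pull source, destination and destination port out of an iptables-style line.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a matching line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def classify_sources(lines, deep_ports=20, wide_hosts=20):
    """Map each source address to a verdict.

    deep scan: one source touches many ports on few hosts.
    wide scan: one source touches few ports on many hosts (the worm pattern).
    Thresholds are assumptions, not figures taken from the thread.
    """
    seen = defaultdict(lambda: (set(), set()))  # src -> (dst hosts, dst ports)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a firewall hit line; skip it
        src, dst, dport = parsed
        seen[src][0].add(dst)
        seen[src][1].add(dport)

    verdicts = {}
    for src, (hosts, ports) in seen.items():
        many_ports = len(ports) >= deep_ports
        many_hosts = len(hosts) >= wide_hosts
        if many_ports and many_hosts:
            verdicts[src] = "deep+wide scan"
        elif many_ports:
            verdicts[src] = "deep scan"
        elif many_hosts:
            verdicts[src] = "wide scan"
        else:
            verdicts[src] = "no scan pattern"
    return verdicts


def _hit(src, dst, dport):
    """Build one constructed iptables-style log line."""
    return (f"Apr 12 22:04:01 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT=40000 DPT={dport} SYN")


def build_sample_log():
    """Constructed sample: one deep scanner, one wide scanner, one normal client."""
    lines = []
    # Deep scan: 203.0.113.5 walks 30 ports on a single host.
    lines += [_hit("203.0.113.5", "192.0.2.10", p) for p in range(1, 31)]
    # Wide scan: 198.51.100.7 hits port 80 on 40 different hosts.
    lines += [_hit("198.51.100.7", f"192.0.2.{h}", 80) for h in range(1, 41)]
    # Normal client: a single connection to a web server on a high port.
    lines.append(_hit("203.0.113.99", "192.0.2.10", 61235))
    # A line that is not a firewall hit at all; the parser must ignore it.
    lines.append("Apr 12 22:04:02 gw sshd[123]: unrelated log line")
    return lines


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(build_sample_log()).items()):
        print(f"{src:15} {verdict}")
```

Run on the constructed sample, the per-port source is reported as a deep scan, the per-host source as a wide scan, and the one client talking to port 61235 as nothing in particular. The classifier keys on the shape of the traffic, not on the port numbers themselves, which is the point of the thread: a deep scan that reaches a high port is still a deep scan, and moving the server does not change what the scanner sees, so the detection should not depend on it either.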

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.

