Security Basics mailing list archives
Re: Re: Concepts: Security and Obscurity
From: levinson_k () securityadmin info
Date: 16 Apr 2007 21:47:58 -0000
>> The top ports receiving unsolicited scans are all well known, published server ports:
> This entire assertion is a faulty conclusion based on irrelevant data. It's obvious that SANS is going to show standard ports being probed more often, there's simply more of them to probe.
You're saying there are more standard TCP/IP ports to probe than unassigned ports? How do you figure that?
> This tells us absolutely nothing about whether or not any given port is more likely to be attacked.
I disagree. Services running on Internet hosts on non-standard ports can only be discovered, and attacked, by scanning. (Or by sniffing a network connection near a server, but that is a less common occurrence that is not relevant to this discussion.)
> For SANS data to be relevant to this discussion in any way we would have to know the actual numbers of both standard and nonstandard services existing on the net and the exact numbers of "scans" directed at each.
We know that info already. SANS lists all packets dropped by firewalls they monitor. You can tell from the port number with a high degree of accuracy which ones are registered server ports.
> That's the only way we can know the likelihood that a given service of either "type" is going to be probed.
Can we see some of this rigor of proof applied equally at the other side? The side that argued that obscurity is never ever beneficial to anyone ever? With this burden of proof required, no one would be able to assert anything about security ever. Security isn't about absolute proof, it's about probability and likelihoods, it's about using Occam's Razor to arrive at the most likely scenario. Before you buy a firewall, you wouldn't hire a consultant to do a risk assessment and require them to prove all of their figures. Risk assessments are at least partly based on future predictions, and on this you choose what countermeasures to implement. The bottom line is that I don't have to prove anything to anyone. Everyone chooses their own countermeasures based on their own individual environment and needs, and people who attempt to dictate absolute musts to these people with zero knowledge of their environment are on very shaky ground.
> Simple math... if you have 1000 standard configurations and 10 nonstandard, a level playing field would be some multiple of that ratio... 20 probes of nonstandard and 2000 probes of standard. If the nonstandard configuration were probed 21 times, even though it's a much smaller raw number than 2000, it still means the nonstandard configuration is more likely to be probed.
This is a wrong conclusion. You are saying you'd rather have your server scanned 2000 times than 20 times, and that there's no benefit in reducing the number of times you're scanned from 2000 to 20. The systems listening on nonstandard ports just sidestepped 1,980 scans, and probably a similar ratio of attackers.
> It's also important to note that the SANS numbers are rendered even less relevant in context by virtue of the fact that they're compilations of logged incidents, which are naturally skewed in favor of listening services. They don't generally reflect an accurate number of raw "probes" to begin with.
No, if anything, the reverse is true. Attacks on open ports on listening servers are usually allowed in by the firewall without being dropped, logged and sent to SANS.
> It's a very straightforward process. Dummy services are specifically configured to listen on both standard and nonstandard ports, and then closely observed. Invariably, nonstandard ports are discovered and attacked as aggressively or in some cases more aggressively than the same services listening on standard ports.
How? So you're saying that if I take my one or ten SSH servers on the Internet and run them on port 42386, an attacker running a honeypot is going to discover that and all of a sudden systems across the Internet are going to be scanned on that port? Or are the attackers going to scan all 65,535 ports on my system and keep an enormous database of what ports are open across the Internet, and then start attacking my system based on that? And then furthermore, that my system will then be scanned and attacked MORE OFTEN than SSH servers running on standard ports? Does any of that sound likely to happen?
> I don't see how that's very likely. Putting hundreds of thousands of servers on the same nonstandard port would not be a good implementation of obscurity. Please don't delve into the ridiculous to try and make a point. Nobody is putting hundreds of thousands of anything anywhere.
I'm simply pointing out how absurd it is to assume that if I put 1 or 10 SSH servers on the Internet on a nonstandard port, that those servers will quickly be identified and attacked MORE OFTEN than SSH servers running on standard ports. That assertion makes no sense. If you were www.whitehouse.gov, it would be discovered and attacked, but that's not a good case to use if you're going to try to draw conclusions for the entire world.
> What they *are* doing is comparing real world attacks against standard daemons and nonstandard, and coming to the conclusion that there's no actual difference by way of a hard comparison of relative numbers of attacks launched against actual, listening services (or simulations thereof). That's not theory, extrapolation, or any conclusion drawn from irrelevant numbers. It's plain vanilla reality.
Link please. Show me. So far people have vaguely alluded to studies they think they read, without posting links.
> My own experience supports this. I've been running services and reading logs for over 2 decades now. I've run services on standard ports and nonstandard ports, and the only real effect I've ever seen nonstandard port configurations produce has been a negative one. This tells me in no uncertain terms that port numbers have nothing at all to do with anything.
No uncertain terms, except that it's one person's anecdotal evidence being applied to everyone and every system on the planet. Am I really the only person that sees anything wrong with this kind of broad generalization?
> That's one of the main reasons for running honeypots in the first place... to both quantify and qualify attack patterns so you can better understand them and devise sane, informed defenses. Obscuring services by running them on nonstandard ports is neither.
No, obscuring services by running on nonstandard ports is an acknowledgement that there is always some residual risk that there may be an unpatched, unmitigated zero day vulnerability on your system at some point in the future, and that most environments are most likely to be at risk to that vulnerability if they are listening on a standard port. It can be a part of defense in depth for some users.
Kind regards,
Karl Levinson
http://securityadmin.info