Security Basics mailing list archives

Re: Re: Concepts: Security and Obscurity


From: levinson_k () securityadmin info
Date: 16 Apr 2007 21:47:58 -0000


>> The top ports receiving unsolicited scans are all well known,
>> published server ports:

> This entire assertion is a faulty conclusion based on irrelevant data.
> It's obvious that SANS is going to show standard ports being probed
> more often; there's simply more of them to probe.

You're saying there are more standard TCP/IP ports to probe than unassigned ports?  How do you figure that?

> This tells us
> absolutely nothing about whether or not any given port is more likely
> to be attacked.

I disagree.  Services running on Internet hosts on non-standard ports can only be discovered, and attacked, by 
scanning.  (Or by sniffing a network connection near a server, but that is a less common occurrence that is not 
relevant to this discussion.)

> For SANS data to be relevant to this discussion in any way we would
> have to know the actual numbers of both standard and nonstandard
> services existing on the net and the exact numbers of "scans" directed
> at each.

We know that info already.  SANS lists all packets dropped by firewalls they monitor.  You can tell from the port 
number with a high degree of accuracy which ones are registered server ports.

> That's the only way we can know the likelihood that a given
> service of either "type" is going to be probed.

Can we see some of this rigor of proof applied equally at the other side?  The side that argued that obscurity is never 
ever beneficial to anyone ever?  With this burden of proof required, no one would be able to assert anything about 
security ever.  Security isn't about absolute proof, it's about probability and likelihoods, it's about using Occam's 
Razor to arrive at the most likely scenario.  Before you buy a firewall, you wouldn't hire a consultant to do a risk 
assessment and require them to prove all of their figures.  Risk assessments are at least partly based on future 
predictions, and on this you choose what countermeasures to implement.

The bottom line is that I don't have to prove anything to anyone.  Everyone chooses their own countermeasures based on 
their own individual environment and needs, and people who attempt to dictate absolute musts to these people with zero 
knowledge of their environment are on very shaky ground.

> Simple math... if you have 1000 standard configurations and 10
> nonstandard, a level playing field would be some multiple of that
> ratio... 20 probes of nonstandard and 2000 probes of standard. If the
> nonstandard configuration were probed 21 times, even though it's a much
> smaller raw number than 2000, it still means the nonstandard
> configuration is more likely to be probed.

This is a wrong conclusion.  You are saying you'd rather have your server scanned 2000 times than 20 times, and that 
there's no benefit in reducing the number of times you're scanned from 2000 to 20.  The systems listening on 
nonstandard ports just sidestepped 1,980 scans, and probably a similar ratio of attackers.

> It's also important to note that the SANS numbers are rendered even
> less relevant in context by virtue of the fact that they're
> compilations of logged incidents, which are naturally skewed in favor
> of listening services. They don't generally reflect an accurate number
> of raw "probes" to begin with.

No, if anything, the reverse is true.  Attacks on open ports on listening servers are usually allowed in by the 
firewall without being dropped, logged and sent to SANS.


> It's a very straightforward process. Dummy services are specifically
> configured to listen on both standard and nonstandard ports, and then
> closely observed. Invariably, nonstandard ports are discovered and
> attacked as aggressively or in some cases more aggressively than the
> same services listening on standard ports.

How?  So you're saying that if I take my one or ten SSH servers on the Internet and run them on port 42386, an attacker 
running a honeypot is going to discover that and all of a sudden systems across the Internet are going to be scanned on 
that port?  Or are the attackers going to scan all 65,535 ports on my system and keep an enormous database of what 
ports are open across the Internet, and then start attacking my system based on that?  And then furthermore, that my 
system will then be scanned and attacked MORE OFTEN than SSH servers running on standard ports?  Does any of that sound 
likely to happen?


>> I don't see how that's very likely.  Putting hundreds of thousands
>> of servers on the same nonstandard port would not be a good
>> implementation of obscurity.

> Please don't delve into the ridiculous to try and make a point.
> Nobody is putting hundreds of thousands of anything anywhere.

I'm simply pointing out how absurd it is to assume that if I put 1 or 10 SSH servers on the Internet on a nonstandard 
port, that those servers will quickly be identified and attacked MORE OFTEN than SSH servers running on standard ports. 
That assertion makes no sense.  If you were www.whitehouse.gov, it would be discovered and attacked, but that's not a 
good case to use if you're going to try to draw conclusions for the entire world.

> What they
> *are* doing is comparing real world attacks against standard daemons and
> nonstandard, and coming to the conclusion that there's no actual
> difference by way of a hard comparison of relative numbers of attacks
> launched against actual, listening services (or simulations thereof).
>
> That's not theory, extrapolation, or any conclusion drawn from
> irrelevant numbers. It's plain vanilla reality.

Link please.  Show me.  So far people have vaguely alluded to studies they think they read, without posting links.

> My own experience supports this. I've been running services and reading
> logs for over 2 decades now. I've run services on standard ports and
> nonstandard ports, and the only real effect I've ever seen nonstandard
> port configurations produce has been a negative one.
> This tells me in no uncertain terms that port numbers have nothing at
> all to do with anything.

No uncertain terms, except that it's one person's anecdotal evidence being applied to everyone and every system on the 
planet.  Am I really the only person that sees anything wrong with this kind of broad generalization?


> That's one of the main
> reasons for running honeypots in the first place... to both quantify
> and qualify attack patterns so you can better understand them and
> devise sane, informed defenses. Obscuring services by running them on
> nonstandard ports is neither.

No, obscuring services by running on nonstandard ports is an acknowledgement that there is always some residual risk 
that there may be an unpatched, unmitigated zero day vulnerability on your system at some point in the future, and that 
most environments are most likely to be at risk to that vulnerability if they are listening on a standard port.  It can 
be a part of defense in depth for some users.


kind regards,
Karl Levinson
http://securityadmin.info
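As an added example that is not part of the original message or the list, the following Python script does two things the thread argues over: it sorts firewall drop-log entries by IANA port class (the "registered server port" judgement Karl says can be made from the port number alone), and it computes both readings of the "simple math" figures, probes per host versus probes avoided in absolute terms. The log lines, the probed ports and the fleet sizes are constructed.

```python
"""Added example (not from the original post): classify destination ports
in firewall drop-log lines by IANA range, then compare the two ways of
reading probe counts disputed in the thread. All inputs are constructed."""
import re
from collections import Counter


def port_class(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151,
    dynamic/private 49152-65535."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"invalid port {port}")


# Constructed iptables-style DROP lines; only the DPT= field is used.
SAMPLE_LOG = """\
Apr 16 21:47:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22
Apr 16 21:47:02 fw kernel: DROP IN=eth0 SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=40210 DPT=445
Apr 16 21:47:03 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=22
Apr 16 21:47:04 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=42386
Apr 16 21:47:05 fw kernel: DROP IN=eth0 SRC=198.51.100.3 DST=203.0.113.5 PROTO=TCP SPT=33333 DPT=61000
"""
DPT_RE = re.compile(r"\bDPT=(\d+)\b")


def probes_by_class(log: str) -> Counter:
    """Count dropped packets per IANA port class (lines without DPT= are skipped)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = DPT_RE.search(line)
        if m:
            counts[port_class(int(m.group(1)))] += 1
    return counts


def compare(probes_std: int, hosts_std: int, probes_alt: int, hosts_alt: int) -> dict:
    """Both readings of the thread's figures: probes per host (the 'level
    playing field' ratio) and probes avoided in absolute terms."""
    return {
        "per_host_std": probes_std / hosts_std,
        "per_host_alt": probes_alt / hosts_alt,
        "probes_avoided": probes_std - probes_alt,
    }


if __name__ == "__main__":
    print(dict(probes_by_class(SAMPLE_LOG)))
    print(compare(2000, 1000, 21, 10))  # per-host rate favours standard, absolute count favours nonstandard
```

Run against real `DROP` lines from a netfilter log to see which port classes absorb the probes your own firewall sees.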

