sniffer/promisc detector

Ruben van der Leij ruben-nanog at nutz.nl
Wed Jan 21 21:42:17 UTC 2004


+++ Valdis.Kletnieks at vt.edu [21/01/04 11:40 -0500]:

> > Somebody who isn't smart enough to do 'nmap -p 0-65535 $target' isn't worth
> > diverting.

> I'm sure everybody who got whacked by Lion or CodeRed or Blaster or.... are
> glad to hear those attacks weren't worth diverting.

I'm sure moving www.microsoft.com to port 81 would have helped a lot against
CodeRed. But explaining that to the visitors would have been sheer hell,
don't you think?

Why would one have port 135 reachable from the big bad internet? Do you
really expect to use netbios-over-ip over that same big bad net?

Moving bind to port 54 would have stopped Lion. Along with the rest of the
internet.

Nice scenarios, but I still fail to see the advantage of having 'stealthy'
hidden http and bind servers. DNS is a large part of my bread and butter,
and http that of my customers.

And, returning to the realm of realism, moving sshd to a different port
*could* help, but other services cannot be moved. Those can't be 'obscured',
and those can still present grave security risks.

Like I said: digging yourself in the sand might be useful, but digging in
snow is a waste of time and effort which would have been better spent on
securing that IIS-monster lurking in your POP.

> The point is that if somebody is doing 'nmap -p 0-65535' at you, you are a *specific*
> target, and not one of the "get a probe every 4 minutes" targets that every machine
> on the wire is.

Given sufficient patience an attacker could pose as a random probe. Some
can be very hardheaded. One German D00d has been trying to get me for the
last six years. Every couple of weeks I see a pattern of probes which is
quite distinct, comes from the east, and takes days to complete. If one has
a gazillion hits a day one wouldn't notice such slow but persistent probing.

-- 

Ruben van der Leij
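The last paragraph of the post makes a detection point that is easy to lose in the argument: a per-minute threshold on a firewall log sees the "probe every 4 minutes" background noise and any fast sweep, but a source that touches one port every few hours for days never trips it. The script below is an added example, not code from the post or from NANOG; it constructs a small firewall log in an assumed `<ISO time> DENY <src> -> <dst>:<port>` format (the addresses are from documentation ranges, the lines are made up) and runs two detectors over it. `detect_bursts` is the conventional sliding-window rate check; `detect_slow_scans` instead counts distinct destination ports per source over the whole retention period and reports the time span, which is what surfaces the slow, persistent scanner. The function names and thresholds are assumptions for illustration.

```python
"""Slow port-scan detection over constructed firewall log lines.

Added example: not part of the original post. Log format, function names
and thresholds are assumptions; all log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2004, 1, 19, 0, 0, 0)  # start of the constructed log


def _line(t, src, port):
    # Assumed log format: "<ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>"
    return f"{t.isoformat()} DENY {src} -> 198.51.100.10:{port}"


def build_sample_log():
    """Constructed sample log: background noise, one fast sweep, one slow scan."""
    lines = []
    # Background: a different source hits port 135 about every 4 minutes
    # for three days (the "probe every 4 minutes" noise from the thread).
    for i in range(3 * 24 * 15):
        lines.append(_line(T0 + timedelta(minutes=4 * i), f"203.0.113.{i % 250 + 1}", 135))
    # Fast sweep: one source probes ten ports within half a minute.
    for j, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 8080)):
        lines.append(_line(T0 + timedelta(hours=5, seconds=3 * j), "192.0.2.200", port))
    # Slow, persistent probe: one source, one port every ~6 hours over 2.5 days.
    for k, port in enumerate((22, 25, 53, 80, 110, 135, 143, 443, 993, 3306)):
        lines.append(_line(T0 + timedelta(hours=6 * k, minutes=7), "192.0.2.77", port))
    lines.sort()  # ISO timestamps of equal length sort chronologically as strings
    return lines


LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> \S+:(\d+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def detect_bursts(events, window=timedelta(minutes=1), min_ports=5):
    """Rate-based check: flag a source that touches >= min_ports distinct
    ports inside any sliding window. Cannot see probes spread over days."""
    by_src = defaultdict(list)
    for t, src, port in events:
        by_src[src].append((t, port))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window:
                left += 1
            if len({p for _, p in hits[left:right + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged


def detect_slow_scans(events, min_ports=8, min_span=timedelta(hours=12)):
    """Long-horizon check: per source, count distinct destination ports over
    the whole log regardless of rate, and require the activity to span at
    least min_span so that a single fast sweep is left to detect_bursts."""
    ports = defaultdict(set)
    first, last = {}, {}
    for t, src, port in events:
        ports[src].add(port)
        first[src] = min(first.get(src, t), t)
        last[src] = max(last.get(src, t), t)
    result = {}
    for src, ps in ports.items():
        span = last[src] - first[src]
        if len(ps) >= min_ports and span >= min_span:
            result[src] = {"ports": sorted(ps),
                           "span_hours": round(span.total_seconds() / 3600, 1)}
    return result


if __name__ == "__main__":
    events = [e for e in map(parse_line, build_sample_log()) if e]
    print("burst scanners:", detect_bursts(events))
    print("slow scanners:", detect_slow_scans(events))
```

Against the constructed log the rate check reports only `192.0.2.200`, while the long-horizon check reports only `192.0.2.77` with ten ports over 54 hours; the few hundred background sources that each touch port 135 once or twice are flagged by neither. The price of the second check is keeping per-source state for as long as the retention window, which is why it is usually run as a periodic batch job over stored logs rather than inline.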