sniffer/promisc detector
Alexei Roudnev
alex at relcom.net
Thu Jan 22 10:47:24 UTC 2004
I started such a scan 10 - 20 minutes ago; it has not completed yet, so I do
not have an exact time (it is a DSL -> 100 Mbit link + firewall).
But your results show just what I am saying - 99% of all attacks were caused
by automated tools, and non-standard ports effectively block all such
attacks. I agree to spend some time and set up non-standard ports (and even
explain them to customers), if I decrease the rate of attacks 100 - 1000 times
(which really happens if ports are non-standard). If you are not a bank, do
not host an IRC server, and are not SCO, the attack rate decreases to an absolute 0.
If you run nmap -p1-65000 in an automated tool (with 10 minutes / host, and
usually much more), you will scan the Internet forever.
So, it pays off.
----- Original Message -----
From: "Fyodor" <fyodor at insecure.org>
To: "Alexei Roudnev" <alex at relcom.net>
Cc: "Ruben van der Leij" <ruben-nanog at nutz.nl>; <nanog at merit.edu>
Sent: Thursday, January 22, 2004 1:12 AM
Subject: Re: sniffer/promisc detector
>
> On Wed, Jan 21, 2004 at 09:04:40AM -0800, Alexei Roudnev wrote:
> >
> > Please, do it:
> >
> > time nmap -p 0-65535 $target
> >
> > You will be surprised (and nmap will not report applications; to test a
> > response, multiply time at 5 ). And you will have approx. 40% of packets
> > lost.
> >
> > Practically, nmap is useless for this purpose.
>
> Oh, really? I'll do a quick test of your theory that Nmap will be
> slow with a 65K port scan, miss 40% of the open ports due to packet
> loss, and not be able to report the application/services running on
> the port. I may be biased, but anyone who wants to can reproduce this
> test (at the risk of pissing off SCO, who admittedly are rather
> litigious). To be even more fair, I'll run the scan from a
> 128kbps-upstream aDSL line:
>
> # nmap -sSV -T4 -O -p0-65535 apollo.sco.com
> WARNING: Scanning "port 0" is supported, but unusual.
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-22 00:49 PST
> Interesting ports on apollo.sco.com (216.250.128.35):
> (The 65524 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE VERSION
> 0/tcp filtered unknown
> 21/tcp open ftp WU-FTPD 2.1WU(1)+SCO-2.6.1+-sec
> 22/tcp open ssh SSH 1.2.22 (protocol 1.5)
> 199/tcp open smux?
> 457/tcp open http NCSA httpd 1.3
> 615/tcp open http NCSA httpd 1.5
> 1035/tcp filtered unknown
> 1521/tcp open oracle-tns Oracle DB Listener 2.3.4.0.0 (for SCO System V/386)
> 13722/tcp open inetd inetd (failed to exec /usr/openv/netbackup/bin/bpjava-msvc: No such file or directory)
> 13782/tcp open inetd inetd (failed to exec /usr/openv/netbackup/bin/bpcd: No such file or directory)
> 13783/tcp open inetd inetd (failed to exec /usr/openv/bin/vopied: No such file or directory)
> 64206/tcp open unknown
> Device type: general purpose
> Running: SCO UnixWare
> OS details: SCO UnixWare 7.0.0 or OpenServer 5.0.4-5.0.6
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 501.897 seconds
> #
>
> So the full 65K port scan, plus OS and version detection took a little
> over 8 minutes over a relatively slow connection. I ran it several
> times to ensure ports weren't being missed. A quick test from my
> colocated machine took 3 minutes. And it isn't like I had to watch
> the whole time -- I was surfing a porn site in another window while it
> ran. The services would have still been detected on different ports
> as the same probes are done. I don't think using nonstandard ports
> will help against any but the most marginal attackers and worms. But
> if those are a serious problem, perhaps more time should be spent
> patching rather than moving vulnerable services to unusual ports.
>
> I am not saying you won't get _any_ benefit at all from this
> obfuscation, but I seriously doubt it will be worth the headaches. If
> ports don't have to be reachable from the outside, filter them at
> your firewall/router. If outsiders do need to reach the ports, moving
> them around will just be a pain in the @#$ for those legitimate
> users. You'll find that your own users are the ones port scanning you
> in order to locate the services you've hidden.
>
> Cheers,
> Fyodor
> http://www.insecure.org
>
> PS: Yes, the scan would have been much slower if that host had a
> "default deny" policy, but would not have been outrageous. You are
> permitted to scan "scanme.insecure.org" to test that scenario. The
> time taken is not unreasonable, when I run 65K scans against large
> heavily filtered networks, I usually just let it run overnight.