a record?

Robert Bonomi bonomi at mail.r-bonomi.com
Sun Nov 20 18:25:46 UTC 2005


> From: "Patrick W. Gilmore" <patrick at ianai.net>
> Subject: Re: a record?
> Date: Sun, 20 Nov 2005 10:45:21 -0500
>
> On Nov 20, 2005, at 6:17 AM, Elmar K. Bins wrote:
>
> >> Unfortunately, we now have decades of experience in cybersecurity that
> >> this isn't true.  It appears to work for a while, but on the Internet
> >> bears are always hungry and learn.  There are people actively scanning
> >> for any open ports running any protocol, without a SPECIFIC interest in
> >> your computer.
> >
> > Funnily, I see many many more scanning attempts for the same port (or
> > handful of ports) across entire networks than the other way around.
> >
> > And as stated before: If somebody scans 63023, he has interest in your
> > site and is worth the effort of doing something about it. That's the
> > whole point in changing the port.
> >
> > Changing the port is not making the system more secure, it only filters
> > out passers-by.
>
> I'm going to repeat what Sean said, because you clearly didn't read what
> he said:
>
> "There are people actively scanning for any open ports running any
> protocol, without a SPECIFIC interest in your computer."
>
> Allow me to re-state again in slightly different language so you
> understand this time:
>
> Changing your port may (will?) lower the number of automated scans you
> see hitting your daemon, but it will _NOT_ eliminate them.

You know, you and he are "having an agreement", in large part.  He
*expressly*disclaimed* any increase in security; his approach *only*
eliminated the casual 'passers-by'.

> IOW: Just because someone is probing for an SSH daemon on 65K ports
> against your box does _NOT_ mean he has a specific interest in your box.

A sweep across all ports on each box, for a specific protocol, is
orders of magnitude slower than scanning only the (be it a single one
or a handful) 'well known' ports for that service.

A scan-all-ports search can only check 16 machines in the time a single-port
scan can check _over_a_million_ machines.

The scan-all-ports searcher is clearly more interested in finding an exploit
on "one of a relatively small number of boxes" than he is in 'finding an
exploitable box, "somewhere"'.

He is concentrating his attack efforts on a _comparatively_small_ range
of addresses, rather than on a broad-based 'opportunistic' search.

And he has a 'reason' for doing that.  It may well *NOT* be "because of
who the boxes belong to", nor "what 'interesting' data can be found on
them" -- it may simply be that they're on a 'fat pipe' connection.  Or
'who knows what.'

> If you honestly believe that just 'cause someone tried "ssh -p 63xxx
> $YOUR.BOX" it means he is specifically targeting your box, well, that
> is your prerogative.  You are almost certain to be wrong at least part
> of the time, though.

The guy who does that _is_ "more worrisome" than the 'casual door knocker'
on 'port 22'.

Whether or not he's after me _in_particular_, I don't really care.  He is
mounting a 'more determined' attack against my resources, than the average
clown.  

*AS*SUCH*, the 'wise man' takes faster, and more aggressive, defensive
actions when this type shows his face.   He is considerably more determined,
and quite probably somewhat more skilful, than the 'typical' doorknob
rattler.  This is true, whether or not he's deliberately going after _me_.
<grin>


Lastly, by setting things up such that you don't have to examine all the
port 22 doorknob rattling to see if there's any thing 'more determined'
going on -- that 'noise reduction' makes the serious attempts *much* more
visible.

"Security by obscurity" is _not_ a complete solution, in-and-of itself, no 
question.  However, it _can_ be a big 'first step' to help in weeding out 
the 'casual' stuff from the more determined attempts.
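An added example (not part of this post or the thread) of the 'noise reduction' argument above: it runs over constructed iptables-style log lines, counts the leftover door-knocking on port 22 separately, and flags sources that reach the moved daemon port (63023, the number used in the thread) or sweep several ports on the box. The log format, the field names SRC=/DPT= and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post): sshd was moved from 22 to 63023.
SAMPLE_LOG = """\
Nov 20 10:01:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Nov 20 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22
Nov 20 10:01:04 gw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=22
Nov 20 10:02:00 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=63023
Nov 20 10:02:01 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=63024
Nov 20 10:02:02 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=63025
"""

# Assumed netfilter-style fields: source address and destination port.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
WELL_KNOWN_SSH = 22


def classify(log_text, moved_port, sweep_threshold=3):
    """Split traffic into 'noise' and 'determined' as the post suggests.

    noise: hits per source on the abandoned well-known port (casual rattling).
    determined: sources that either reach the moved port or touch at least
    `sweep_threshold` distinct non-22 ports (a scan-all-ports sweep).
    """
    noise = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line we understand; skip it
        src, dpt = m["src"], int(m["dpt"])
        if dpt == WELL_KNOWN_SSH:
            noise[src] += 1
        else:
            ports_by_src[src].add(dpt)
    determined = sorted(
        src for src, ports in ports_by_src.items()
        if moved_port in ports or len(ports) >= sweep_threshold
    )
    return dict(noise), determined


def hosts_per_budget(ports_per_host, probe_budget):
    """Hosts coverable with a fixed probe budget: the post's 16 vs. a million."""
    return probe_budget // ports_per_host


if __name__ == "__main__":
    quiet, loud = classify(SAMPLE_LOG, moved_port=63023)
    print("port-22 noise:", quiet)
    print("determined sources:", loud)
    print(hosts_per_budget(1, 2**20), "hosts vs", hosts_per_budget(65536, 2**20))
```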
