[ale] Frequency of high port scans
Dow Hurst
dhurst at kennesaw.edu
Mon Apr 15 10:47:07 EDT 2002
Excellent point! There really isn't a need to expose data if the setup
is thought out properly. Thanks for all the replies,
Dow
Adrin wrote:
>
> Why not use VPN's? Cost? Secondly, if it is an intranet why even let it be
> accessed by outside traffic (internet)?
>
> -----Original Message-----
> From: Charles Marcus [mailto:CharlesM at Media-Brokers.com]
> Sent: Saturday, April 13, 2002 10:36 AM
> To: Ale (E-mail)
> Subject: RE: [ale] Frequency of high port scans
>
> Actually, I would argue that it can *help* - and even more importantly, what
> can it *hurt*?
>
> So, you lock down the server as much as possible, then, on *top* of that, you
> use a very non-standard port - just one more little thing to frustrate the
> port scans.
>
> Of *course* anyone who relied solely on this would be a fool - but I see no
> good reason *not* to use non-standard ports (for private/corporate DB access,
> etc), and *very* good reasons *to* do so.
>
> Charles
>
> > -----Original Message-----
> > From: Michael H. Warfield [mailto:mhw at wittsend.com]
> > Sent: Friday, April 12, 2002 10:04 PM
> > To: Dow Hurst
> > Cc: ale at ale.org
> > Subject: Re: [ale] Frequency of high port scans
> >
> >
> > On Fri, Apr 12, 2002 at 07:22:26PM -0400, Dow Hurst wrote:
> > > When crackers are scanning for open ports, what is the frequency of high
> > > port scans of normally unused ports? Most crackers would not scan every
> > > port on every machine, correct? So would having a webserver available
> > > on port 61235, for example, keep a webserver from being attacked based
> > > on current attack profiles? Many webservers are for limited use by
> > > small workgroups and aren't really meant to be truly public. I am just
> > > interested in current hard data on how port scans are usually
> > > conducted. I would imagine this might be how security by obscurity
> > > could actually succeed. I can use the kind of data that Michael H.
> > > Warfield posted to warn people to stay on top of patches for all
> > > webservers.
> >
> > Security through obscurity can never succeed. NEVER. For many
> > and varied reasons. For the most part, security through obscurity
> > insures that you will remain vulnerable (through a false sense of security)
> > until they come and take your carcass away... Security through obscurity
> > is insecurity.
> >
> > Scanning...
> >
> > Over the years, there have been a number of notable trends.
> > Nobody has ever focused on scanning every possible port on a particular
> > IP address. Simple fact. Not done. Not in all my years on the internet
> > have I even seen someone try other than misguided security people who
> > thought they had to scan everything on every box they had. There has
> > simply never been anything productive in the effort.
> >
> > In the past, it was productive to scan for "well known services" on
> > a particular IP and this was common for a very long time. This is what I
> > call a "deep scan". Scan a single point (IP address) and scan it deep
> > for everything it's got. It can be useful, particularly if you (as liveware
> > at a keyboard) know what's sitting in the middle of that bullseye you
> > just drew around that IP address. That's just not the rule anymore...
> >
> > In the last few years it has become much more popular, orders of
> > magnitude more popular, to scan across as many IP addresses as possible
> > (and there is a black art to studying the scanning patterns in those addresses)
> > for only one or a few services. This is what I personally refer to as a "wide
> > scan". This actually yields a much higher "bang for the buck" especially if
> > you already know of some exploitable services. Almost all autonomous worms
> > operate this way. Some, such as l1on, Ramen, CodeRed, Nimda, and the sadmind
> > cross-platform worm, actually scan for multiple services and will exploit
> > what they find. Invariably, it's a limited number of services. But
> > scanning isn't the only way they propagate (and isn't even the most
> > productive way they propagate). Hybrid threats (autonomous threats which
> > use multimodal propagation techniques) are the big problem right now and
> > getting bigger...
> >
> > That being said... Hiding by using a non-standard port is doomed
> > to failure. Why? Because someone has to know about it somewhere. So
> > you have a web server on port 12345 (I've chosen that number for a special
> > reason). Do you publish it somewhere? Will it get sniffed from the
> > wire somewhere? Will you send it to a friend in an E-Mail? If you
> > don't ever use it and don't ever tell anyone about it, you MIGHT have
> > a half chance of hiding it, but what good is it? But scanning is NOT
> > the only way these things find you. They do glom web page requests, they
> > do sniff the wire, they do grouse E-Mail (and, by extension, mailing list
> > archives). Sooner or later, your "hidden" port number will be known to
> > those you are hiding it from. And you won't know when it happens or how
> > it happens or who gets it or who they give it to. But it will happen...
> > What if someone just HAPPENS to come out with a backdoor on that port (12345
> > has a well known backdoor - did you know that)? Did you know about it
> > when you set it up? Do you know that they are scanning for it CONSTANTLY?
> > Another one is 31337 (Hacker code for Elite - ELEET). Do you have a
> > current and up to date list of what the commonly abused high order ports
> > are? Once you start using it and you get slammed by some lamer that
> > finds you, then what'cha'gonna'do?
> >
> > On top of all of that... The number one way that systems get
> > broken into, to this day, remains social engineering. What a friend of
> > mine, Rob Thomas, refers to as the "come and get me" approach. You make
> > something attractive and just let people screw themselves. That's how
> > all those worms got behind all those NAT devices. Once there, they can
> > use other tricks to find web pages and web servers and proxies (yes, they
> > will even find your proxies) and continue their activities. Once they
> > have glommed it (acquired it through sniffing or trickery) or groused it
> > (acquired it by pawing through your files) it's going to spread. Secret
> > go bye-bye... Now what? Change the port? That'll be real damn useful...
> >
> > Worrying about hiding a web server from scanning is worrying
> > about a needle in a haystack with a tornado bearing down on your butt...
> > You got bigger problems and bigger things to worry about.
> >
> > > Dow
> >
> > > --
> > > __________________________________________________________
> > > Dow Hurst                        Office: 770-499-3428
> > > Systems Support Specialist       Fax: 770-423-6744
> > > 1000 Chastain Rd.
> > > Chemistry Department SC428       Email: dhurst at kennesaw.edu
> > > Kennesaw State University               Dow.Hurst at mindspring.com
> > > Kennesaw, GA 30144
> > > *********************************
> > > *Computational Chemistry is fun!*
> > > *********************************
> >
> > Mike
> > --
> > Michael H. Warfield    |  (770) 985-6132  |  mhw at WittsEnd.com
> >   /\/\|=mhw=|\/\/      |  (678) 463-0932  |  http://www.wittsend.com/mhw/
> >   NIC whois:  MHW9     |  An optimist believes we live in the best of all
> >  PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>
--
__________________________________________________________
Dow Hurst                        Office: 770-499-3428
Systems Support Specialist       Fax: 770-423-6744
1000 Chastain Rd.
Chemistry Department SC428       Email: dhurst at kennesaw.edu
Kennesaw State University               Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
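Michael Warfield's distinction in the quoted reply between a "deep scan" (one IP address, many ports) and a "wide scan" (many IP addresses, one or a few ports), together with his point that commonly abused high ports such as 12345 and 31337 are scanned for constantly, maps directly onto what a defender can pull out of firewall deny logs. The following Python is an added example and not code from the ALE list or any of its posters: it groups denied connection attempts by source address, labels each source with the scan pattern it fits, and notes any probes to the two high ports named in the thread. The log format (`<epoch> DENY <src> <dst> <dport>`), the thresholds, the constructed sample records (RFC 5737 documentation addresses) and all function names are assumptions made for this example.

```python
"""Classify port-scan patterns in simplified firewall deny logs.

Added example for the ALE thread on high port scans; not code from the list
or its posters.  Separates a "deep scan" (one destination, many ports) from a
"wide scan" (many destinations, one or a few ports) and flags probes to the
high ports the thread calls out.  Log format and thresholds are assumptions.
"""
from collections import defaultdict

# Assumed record format, one per line:  <epoch> DENY <src> <dst> <dport>
# Ports the thread names as commonly abused high-order ports.
WATCHED_HIGH_PORTS = {12345, 31337}


def parse_line(line):
    """Return (src, dst, dport) for a DENY record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "DENY":
        return None
    try:
        return parts[2], parts[3], int(parts[4])
    except ValueError:
        return None


def classify_sources(lines, deep_ports=20, wide_hosts=10):
    """Summarise each source's denied attempts and label its scan pattern.

    deep_ports: distinct ports hit on one destination that count as a deep scan
    wide_hosts: distinct destinations hit on one port that count as a wide scan
    Both thresholds are assumed values, not figures from the thread.
    """
    ports_per_dst = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    dsts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dsts}
    watched_hits = defaultdict(set)                        # src -> {watched ports}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines and non-DENY records
        src, dst, dport = rec
        ports_per_dst[src][dst].add(dport)
        dsts_per_port[src][dport].add(dst)
        if dport in WATCHED_HIGH_PORTS:
            watched_hits[src].add(dport)

    report = {}
    for src in ports_per_dst:
        deep_targets = [d for d, p in ports_per_dst[src].items() if len(p) >= deep_ports]
        wide_ports = [p for p, d in dsts_per_port[src].items() if len(d) >= wide_hosts]
        if deep_targets and wide_ports:
            kind = "deep+wide"
        elif deep_targets:
            kind = "deep"
        elif wide_ports:
            kind = "wide"
        else:
            kind = "none"
        report[src] = {
            "kind": kind,
            "deep_targets": sorted(deep_targets),
            "wide_ports": sorted(wide_ports),
            "watched_ports": sorted(watched_hits.get(src, ())),
        }
    return report


def build_sample_log():
    """Constructed sample DENY records using RFC 5737 documentation addresses."""
    lines = []
    t = 1018600000
    # Deep scan: one source probes 40 ports on a single host.
    for port in range(1, 41):
        lines.append(f"{t} DENY 198.51.100.7 192.0.2.10 {port}")
        t += 1
    # Wide scan: one source probes port 80 across 15 hosts.
    for host in range(1, 16):
        lines.append(f"{t} DENY 203.0.113.9 192.0.2.{host} 80")
        t += 1
    # Low-volume probe of a watched high port on three hosts: below the wide
    # threshold, but still worth surfacing because of the port.
    for host in (20, 21, 22):
        lines.append(f"{t} DENY 203.0.113.44 192.0.2.{host} 12345")
        t += 1
    # Noise the parser must skip: a malformed line and an ACCEPT record.
    lines.append("garbage line")
    lines.append(f"{t} ACCEPT 192.0.2.5 192.0.2.10 443")
    return lines


if __name__ == "__main__":
    for src, info in sorted(classify_sources(build_sample_log()).items()):
        print(src, info)
```

Run against the constructed records, the deep scanner is labelled "deep" with a single target, the port-80 scanner "wide", and the 12345 prober "none" but with the watched port listed, which is the signal a defender would act on even at low volume. Thresholds are deliberately parameters: what counts as "many" ports or hosts depends on the size of the address space being watched.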