Security Basics mailing list archives
Re: Concepts: Security and Obscurity
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Mon, 16 Apr 2007 13:21:36 -0400
levinson_k () securityadmin info wrote:
> > Actually, I believe the honeynet project compiles statistics on how well obfuscation of ports works, and last I read they have decided it makes no difference at all. Services running on nonstandard ports are attacked just as much as services on standard ports over time.
>
> It is easy to demonstrate this is false. http://www.incidents.org/top10.html The top ports receiving unsolicited scans are all well known, published server ports:
This entire assertion is a faulty conclusion based on irrelevant data. It's obvious that SANS is going to show standard ports being probed more often, there's simply more of them to probe. This tells us absolutely nothing about whether or not any given port is more likely to be attacked. For SANS data to be relevant to this discussion in any way we would have to know the actual numbers of both standard and nonstandard services existing on the net and the exact numbers of "scans" directed at each. That's the only way we can know the likelihood that a given service of either "type" is going to be probed. Simple math... if you have 1000 standard configurations and 10 nonstandard, a level playing field would be some multiple of that ratio... 20 probes of nonstandard and 2000 probes of standard. If the nonstandard configuration were probed 21 times, even though it's a much smaller raw number than 2000, it still means the nonstandard configuration is more likely to be probed. It's also important to note that the SANS numbers are rendered even less relevant in context by virtue of the fact that they're compilations of logged incidents, which are naturally skewed in favor of listening services. They don't generally reflect an accurate number of raw "probes" to begin with.
> Besides, given that so much hacking nowadays is financially motivated and aims at compromising the most systems starting with low hanging fruit, I don't see how anyone could prove that non-standard ports are attacked just as often as standard ports.
It's a very straightforward process. Dummy services are specifically configured to listen on both standard and nonstandard ports, and then closely observed. Invariably, nonstandard ports are discovered and attacked as aggressively or in some cases more aggressively than the same services listening on standard ports. That's one of the main reasons for running honeypots in the first place... to both quantify and qualify attack patterns so you can better understand them and devise sane, informed defenses. Obscuring services by running them on nonstandard ports is neither. [...]
> > conclusion that it can't be any other way. Obscurity carries with it precisely as much potential for disaster as it does its ability to "hide something". That direct relationship exists by the very definition of obscurity.
>
> Most of the supposed dangers, risks and costs of obscurity are actually risks of incompetent administration and failures of other recommended security countermeasures such as the system procedures and configuration being documented. If your sysadmin assumes a system is in the default configuration and takes a damaging action based on that assumption, that's arguably not the fault of obscurity, and that damage would arguably be just as likely to happen without obscurity, when you have an incompetent sysadmin plus inadequate documentation.
You can't shift the blame for nonstandard methods of "securing" a system causing breakage elsewhere in that system onto the shoulders of the administrators. It's just a simple fact of life that nobody can account for every possibility. This is why standards exist in the first place. Obscuring services in this manner is contrary to those standards, and as a result more likely not to benefit from well established and time-tested methods.
> > There may be brief respites and fluctuations, but they're invariably discovered and quite often attacked even harder than services on standard ports, for obvious reasons.
>
> I don't see how that's very likely. Putting hundreds of thousands of servers on the same nonstandard port would not be a good implementation of obscurity. Attacking a poor implementation of anything is not really relevant to whether or not a good implementation of it has merit.
Please don't delve into the ridiculous to try and make a point. Nobody is putting hundreds of thousands of anything anywhere. What they *are* doing is comparing real world attacks against standard daemons and nonstandard, and coming to the conclusion that there's no actual difference by way of a hard comparison of relative numbers of attacks launched against actual, listening services (or simulations thereof). That's not theory, extrapolation, or any conclusion drawn from irrelevant numbers. It's plain vanilla reality. My own experience supports this. I've been running services and reading logs for over 2 decades now. I've run services on standard ports and nonstandard ports, and the only real effect I've ever seen nonstandard port configurations produce has been a negative one. I've seen standard configurations that seem to go unnoticed, nonstandard configurations that were attacked aggressively, and every imaginable variation thereof. This tells me in no uncertain terms that port numbers have nothing at all to do with anything.
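The normalisation Bloss argues for above (raw probe counts versus probes per listening service) and the honeypot comparison he describes can be checked from connection logs. This is an added example, not code from the thread or its participants; the ports, listener counts and log lines are constructed to mirror the 1000:10 scenario in the message.

```python
"""Per-service probe rates from honeypot-style connection logs.

Compares the raw "top ports" view with probes per exposed listener.
All deployment figures and log lines below are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed deployment: number of dummy listeners exposed per port.
# Port 22 plays the "standard" role here, port 2222 the "nonstandard" one.
LISTENERS_PER_PORT = {22: 1000, 2222: 10}

# Constructed log lines, one per probe: "<epoch> <source> -> <dst_port>".
# 2000 probes hit port 22 and 21 hit port 2222, as in the message's example.
SAMPLE_LOG = [f"1176700000 198.51.100.{i % 250} -> 22" for i in range(2000)]
SAMPLE_LOG += [f"1176700100 203.0.113.{i % 250} -> 2222" for i in range(21)]


def count_probes(lines: Iterable[str]) -> Counter:
    """Raw probes per destination port: the top-N ranking view."""
    counts: Counter = Counter()
    for line in lines:
        try:
            port = int(line.rsplit("->", 1)[1])
        except (IndexError, ValueError):
            continue  # skip malformed lines rather than abort the whole run
        counts[port] += 1
    return counts


def probes_per_listener(counts: Counter, listeners: Dict[int, int]) -> Dict[int, float]:
    """Normalise raw counts by the number of services exposed on each port."""
    return {p: counts.get(p, 0) / n for p, n in listeners.items() if n > 0}


def more_exposed_port(lines: Iterable[str], listeners: Dict[int, int]) -> Tuple[int, int]:
    """Return (port with most raw probes, port with highest per-listener rate).

    The two answers differ whenever the raw ranking is driven by how many
    services exist on a port rather than by how attractive each one is.
    """
    counts = count_probes(lines)
    rates = probes_per_listener(counts, listeners)
    return max(counts, key=counts.get), max(rates, key=rates.get)
```

With the constructed data the raw view ranks port 22 first, while per listener port 2222 is probed slightly more often (2.1 versus 2.0), which is exactly the distinction the message draws.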