Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Mon, 16 Apr 2007 13:21:36 -0400

levinson_k () securityadmin info wrote:

Actually, I believe the honeynet project compiles statistics on how well
obfuscation of ports works, and last I read they have decided it makes
no difference at all. Services running on nonstandard ports are
attacked just as much as services on standard ports over time. 

It is easy to demonstrate this is false.

http://www.incidents.org/top10.html

The top ports receiving unsolicited scans are all well known, published server ports:

This entire assertion is a faulty conclusion based on irrelevant data.
It's obvious that SANS is going to show standard ports being probed
more often, there's simply more of them to probe. This tells us
absolutely nothing about whether or not any given port is more likely
to be attacked.

For SANS data to be relevant to this discussion in any way we would
have to know the actual numbers of both standard and nonstandard
services existing on the net and the exact numbers of "scans" directed
at each. That's the only way we can know the likelihood that a given
service of either "type" is going to be probed. 

Simple math... if you have 1000 standard configurations and 10
nonstandard, a level playing field would be some multiple of that
ratio... 20 probes of nonstandard and 2000 probes of standard. If the
nonstandard configuration were probed 21 times, even though it's a much
smaller raw number than 2000, it still means the nonstandard
configuration is more likely to be probed.

It's also important to note that the SANS numbers are rendered even
less relevant in context by virtue of the fact that they're
compilations of logged incidents, which are naturally skewed in favor
of listening services. They don't generally reflect an accurate number
of raw "probes" to begin with.

Besides, given that so much hacking nowadays is financially motivated and aims at compromising the most systems 
starting with low hanging fruit, I don't see how anyone could prove that non-standard ports are attacked just 
as often as standard ports.

It's a very straightforward process. Dummy services are specifically
configured to listen on both standard and nonstandard ports, and then
closely observed. Invariably, nonstandard ports are discovered and
attacked as aggressively or in some cases more aggressively than the
same services listening on standard ports. That's one of the main
reasons for running honeypots in the first place... to both quantify
and qualify attack patterns so you can better understand them and
devise sane, informed defenses. Obscuring services by running them on
nonstandard ports is neither. 

[...]

conclusion that it can't be any other way. Obscurity carries with it
precisely as much potential for disaster as it does its ability to "hide
something". That direct relationship exists by the very definition of
obscurity.

Most of the supposed dangers, risks and costs of obscurity are actually risks of incompetent administration and 
failures of other recommended security countermeasures such as the system procedures and configuration being 
documented.  If your sysadmin assumes a system is in the default configuration and takes a damaging action based on 
that assumption, that's arguably not the fault of obscurity, and that damage would arguably be just as likely to 
happen without obscurity, when you have an incompetent sysadmin plus inadequate documentation.

You can't shift the blame for nonstandard methods of "securing" a
system causing breakage elsewhere in that system onto the shoulders of
the administrators. It's just a simple fact of life that nobody can
account for every possibility. This is why standards exist in the
first place. Obscuring services in this manner is contrary to those
standards, and as a result more likely not to benefit from well
established and time-tested methods.

There may be brief respites and fluctuations, but they're invariably
discovered and quite often attacked even harder than services on
standard ports, for obvious reasons.

I don't see how that's very likely.  Putting hundreds of thousands of servers on the same nonstandard port would not 
be a good implementation of obscurity.  Attacking a poor implementation of anything is not really relevant to whether 
or not a good implementation of it has merit.

Please don't delve into the ridiculous to try and make a point.
Nobody is putting hundreds of thousands of anything anywhere. What they
*are* doing is comparing real world attacks against standard daemons and
nonstandard, and coming to the conclusion that there's no actual
difference by way of a hard comparison of relative numbers of attacks
launched against actual, listening services (or simulations thereof).

That's not theory, extrapolation, or any conclusion drawn from
irrelevant numbers. It's plain vanilla reality.

My own experience supports this. I've been running services and reading
logs for over 2 decades now. I've run services on standard ports and
nonstandard ports, and the only real effect I've ever seen nonstandard
port configurations produce has been a negative one. I've seen standard
configurations that seem to go unnoticed, nonstandard configurations
that were attacked aggressively, and every imaginable variation thereof.
This tells me in no uncertain terms that port numbers have nothing at
all to do with anything.
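The normalization argument made above (probe rate per listening service, not raw probe counts) and the honeypot method of standing up dummy listeners on both standard and nonstandard ports, worked through as an added example that is not part of the original message. The log lines, log format, port classes and listener counts are all constructed here for illustration.

```python
import re
from collections import Counter

# Constructed honeypot log (not from the thread): one unsolicited TCP
# connection attempt per line, "<timestamp> <src_ip> -> :<dst_port>".
# One malformed line is included to show it is skipped, not counted.
SAMPLE_LOG = """\
2007-04-16T12:00:01 198.51.100.7 -> :22
2007-04-16T12:00:05 198.51.100.9 -> :22
2007-04-16T12:01:10 203.0.113.4 -> :2222
2007-04-16T12:02:30 198.51.100.7 -> :80
this line is garbage and must be ignored
2007-04-16T12:03:00 203.0.113.8 -> :22
2007-04-16T12:03:45 203.0.113.4 -> :2222
2007-04-16T12:04:12 198.51.100.2 -> :8080
2007-04-16T12:05:00 198.51.100.7 -> :22
"""

# Assumed deployment: how many dummy listeners were stood up on each port.
# Standard ports have far more listeners, so they must collect more raw
# probes even on a level playing field; probes per listener is what matters.
DEPLOYMENTS = {
    "standard": {22: 100, 80: 100},
    "nonstandard": {2222: 10, 8080: 10},
}

LINE_RE = re.compile(r"^\S+ \S+ -> :(\d+)$")

def count_probes(log_text):
    """Count probes per destination port, ignoring lines that don't parse."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[int(m.group(1))] += 1
    return counts

def probes_per_listener(log_text, deployments):
    """Per port class: raw probes, listeners deployed, and probes per listener."""
    counts = count_probes(log_text)
    result = {}
    for cls, ports in deployments.items():
        raw = sum(counts[p] for p in ports)
        listeners = sum(ports.values())
        result[cls] = {"raw": raw, "listeners": listeners,
                       "rate": raw / listeners if listeners else 0.0}
    return result

def relative_exposure(log_text, deployments):
    """Ratio of nonstandard to standard per-listener probe rate (>1 means
    nonstandard listeners are probed more often per service)."""
    r = probes_per_listener(log_text, deployments)
    return r["nonstandard"]["rate"] / r["standard"]["rate"]
```

With the constructed data the standard class collects more raw probes (5 vs 3) yet the nonstandard class is probed six times as often per listener, which is exactly why raw "top ports" tallies say nothing about the likelihood of any one service being probed.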
