North American Network Operators Group


Re: sniffer/promisc detector

  • From: Alexei Roudnev
  • Date: Wed Jan 21 04:26:28 2004

> >
> > (I did not rate firewalls etc).
>
> Actually, an automated script or manual scan can find it trivially.
> All you have to do is a quick port scan, looking for this:
We can make an experiment:
- I put such a system (with ssh) on a /26 network;
- you scan it, find it, and report to me the time and bandwidth used for this scan.

Do not forget - 1 host has 65,000 ports, and if I want to mislead you, I'll
create 1,000 false sshd and 1 real sshd...

65000 ports means - approx 100,000 packets to scan... (in most cases, a good
firewall does not send a negative response).
Even if you send 1,000 packets / second (which is impossible on the Internet),
you will spend 1 - 2 minutes just to scan all ports (in our tests, it took 2 -
10 minutes on the LAN, depending on the tool, and alarmed all existing IDS
systems), 2 minutes x 200 hosts == 6 hours. 2 - 6 hours to scan a /24 network
(just to scan all ports, without getting a response).

In real life, you can use some tricks, but the truth is that no _full
range_ port scans were detected on the Internet during 1 year (I had no more
statistics). No worm or virus was able to detect any non-standard port.
No hacked host (with hacker tools installed) which I investigated had
any script doing such a scan.

So, it is a very good first line of defense. It just decreases the intensity of
possible attacks 10 - 1000 times, and (again) at 0 cost. This does not eliminate
possible attacks, of course. And I do not recommend it as _the only_
defense. But it is an _effective_ precaution - do not use standard ports if
you can use nonstandard ones.


>
> 12:31 biohazard~>telnet [somewhere] [port]
> Trying [ip_address]...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.4p1c
>
>
> Plus, if you put it on a non-standard port, you tend to use the same
> one across the enterprise, so it is only really obscure once.  Moving
> port numbers only protects you against idle vandalism; it is useless
> against people who truly wish you harm.

Those people use a simpler trick - pretend to be a janitor -:). They will
not scan your network. Just again - this defense is against automated
tools. 99.99% of the harm in the last attacks was done by automated tools.

PS. We used a simple scheme to correlate _IP_ and _port_ (it was 6 years ago).
So, it was not the same port. Then, if you have sshd open, it will be 1 -
2 sshd for the whole enterprise - no problem with port numbers.

The list of services is wide - qpopper, sshd, cvs server - all were hacked by
automated tools during the last few years. I know of real cases for sshd and
qpopper. In all cases, a non-standard port could have prevented the intrusion.
>
> You really need a firewall, particularly one that can detect a port
> scan and shut off the scanner, for changing ports to have any real
> security.  It is kind of like a 4-digit PIN being useless for a bank
> card without the 3-try limit.
Yes, but firewall + non-standard port allows you to see a scan well in
advance; firewall + standard port allows an undetected scan (use a slow scan, no
problem to scan all :22 ports for a /16 network... much faster than to scan
all ports for a /24 network...).

Firewall + sshd on port 22 is worse than no firewall and sshd on port 7765
(if no other ports are open). A firewall can not do much with the ssl and
ssh protocols, except if it terminates these protocols itself (which is the
safest case).

PS. Some automated responses make a DOS attack easy, using this automated
response. Just imitate an attack from address A - and the firewall will block A
instead of you... what a surprise... So, such tools are very sharp - for
both bad guys and good guys.

>
> -Dave
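An added example, not code from this thread: a small Python detector over constructed iptables-style drop lines that separates the two scan shapes discussed above (many ports on one host, which a service on a non-standard port forces, versus one port across many hosts, which is enough against sshd on :22), plus the auto-block decision the PS warns about, with a never_block allowlist so a forged source address cannot make the firewall cut off, say, the upstream router. The addresses, log format and thresholds are assumptions; there is no time window, so the slow-sweep case from the post is only caught if the logs are aggregated over the whole sweep.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def make_line(src, dst, dpt):
    # Constructed iptables LOG-target style line (sample data, not a real capture)
    return f"Jan 21 04:26:01 gw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={dpt}"

SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", "198.51.100.10", p) for p in range(1, 41)]        # vertical scan of one host
    + [make_line("203.0.113.9", f"198.51.100.{h}", 22) for h in range(1, 21)]  # horizontal sweep of :22
    + [make_line("192.0.2.1", "198.51.100.10", p) for p in range(7000, 7040)]  # forged SRC = our upstream router
)

def parse(log):
    """Yield (src, dst, dport) for every dropped TCP packet in the log."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def vertical_scanners(log, min_ports=10):
    """Sources that touched >= min_ports distinct ports on a single host."""
    ports = defaultdict(set)
    for src, dst, dport in parse(log):
        ports[(src, dst)].add(dport)
    return sorted({src for (src, _), p in ports.items() if len(p) >= min_ports})

def horizontal_sweepers(log, min_hosts=10):
    """Sources that probed one port on >= min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for src, dst, dport in parse(log):
        hosts[(src, dport)].add(dst)
    return sorted({src for (src, _), h in hosts.items() if len(h) >= min_hosts})

def auto_block_decision(src, log, never_block=frozenset({"192.0.2.1"})):
    """'block' a detected scanner, unless it is an address we must never cut off
    (spoofed packets could otherwise make the firewall block our own router)."""
    if src not in set(vertical_scanners(log)) | set(horizontal_sweepers(log)):
        return "ignore"
    return "alert-only" if src in never_block else "block"

if __name__ == "__main__":
    print("vertical scanners:", vertical_scanners(SAMPLE_LOG))
    print("horizontal sweepers:", horizontal_sweepers(SAMPLE_LOG))
    for s in ("203.0.113.7", "203.0.113.9", "192.0.2.1", "203.0.113.50"):
        print(s, "->", auto_block_decision(s, SAMPLE_LOG))
```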