North American Network Operators Group


Re: sniffer/promisc detector

  • From: Dave Israel
  • Date: Wed Jan 21 15:59:31 2004

Clipped for brevity...

On 1/21/2004 at 10:52:00 +0000, [email protected] said:
> 
> >> > Uhm, that would be wrong.  This is simply "security through obscurity".
> >> Yes, it is wrong for the _smart books_. But it works in real life. 
> 
> >Actually, an automated script or manual scan can find it trivially.
> 
> If security through obscurity was useless then the USAF
> would never have developed the stealth bomber. [...]

Yes.  But making a bomber "stealth" means designing it to be difficult
to detect by an opponent.  It doesn't mean painting "I am Not a
Bomber, I Am The Ice Cream Man" on the side and hoping nobody takes a
second glance at it.  

Somebody else pointed out that nmap in its basic mode isn't terribly
fast.  That's true.  But redesigning for speed wouldn't be that hard.
Scan lots of ports in parallel, checking just for an ACK back from a
SYN, then go through those that responded in order of likelihood (22,
then unassigned ports, then assigned ones), and have it stop when it
finds ssh, and you reduce the time required by several orders of
magnitude.  And that's assuming you don't have the help of tons of
zombies.  If everybody tries to get obscure with their ports, then
this will become common, and it will be the people who are
legitimately trying to connect who get annoyed by the obscurity.  And
if you're only trying to provide services for members of your
organization, a VPNish solution makes a lot more sense than
complicated custom port juggling.

So, okay, sure, like many other things, if a small number of clueful
people are doing this, then they will reap benefits for it.  If it
becomes widespread practice, there will be more harm than good from
it, and people will start ignoring it, working around it, and/or
taking direct action against it that will render it pointless or
harmful to the user.  Lots of things have hit this death and been
forgotten or relegated back to the fringe.  I'll risk the wrath of
many and mention multicast.  Somewhere out there, Randy Bush is
probably thinking of his vision of the future of deaggregated /24s.

-Dave