[e2e] What if there were no well known numbers?
spencer at mcsr-labs.org
Thu Aug 3 05:15:24 PDT 2006
I was confused when I read this the first time, so kept reading. I think I
understand where you're coming from now. Please let me try to restate...
> Not responding necessarily to Christian, but more to the fallacy
> that blocking ports (paraphrased) "...doesn't achieve anything."
> That's a ridiculous assumption.
> When threat intelligence is gleaned in (near) real-time, and
> aged appropriately (bad stuff is taken off-line), blocking it
> (or perhaps, access to it, as the case may be) achives a great
> deal. Depending on what you want to achive.
You're coming from previous experience where people closed down specific
ports, based on attacks that were exploiting the availability of specific
If this is what you are saying, I agree. Detecting 135/TCP scans was the
documented detection method for Blaster, for example.
I think the "...doesn't achieve anything" is looking a bit further down the
road, and a bit further from side to side going down the road:
- attacks are forced onto the same (usually open) ports as well-known
applications, as network administrators move to "white lists" for ports, and
- as more and more application protocols are port-agile, you have less and
less clue about what the traffic actually is, if you care about more than
"is this an attack?".
with "everything over port 80" being the terminal condition (there is only
one port that you can count on, so all application protocols and all attacks
use port 80).
Does this make sense?
More information about the end2end-interest