[e2e] What if there were no well known numbers?

Spencer Dawkins spencer at mcsr-labs.org
Thu Aug 3 05:15:24 PDT 2006


Hi, Fergie,

I was confused when I read this the first time, so I kept reading. I think I 
understand where you're coming from now. Please let me try to restate...


> Not responding necessarily to Christian, but more to the fallacy
> that blocking ports (paraphrased) "...doesn't achieve anything."
>
> That's a ridiculous assumption.
>
> When threat intelligence is gleaned in (near) real-time, and
> aged appropriately (bad stuff is taken off-line), blocking it
> (or perhaps, access to it, as the case may be) achieves a great
> deal. Depending on what you want to achieve.

You're coming from previous experience where people closed down specific 
ports, based on attacks that were exploiting the availability of specific 
ports.

If this is what you are saying, I agree. Detecting 135/TCP scans was the 
documented detection method for Blaster, for example.

I think the "...doesn't achieve anything" is looking a bit further down the 
road, and a bit further from side to side going down the road:

- attacks are forced onto the same (usually open) ports as well-known 
applications, as network administrators move to "white lists" for ports, and

- as more and more application protocols are port-agile, you have less and 
less clue about what the traffic actually is, if you care about more than 
"is this an attack?".

with "everything over port 80" being the terminal condition (there is only 
one port that you can count on, so all application protocols and all attacks 
use port 80).

Does this make sense?

Thank you,

Spencer 
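The two detection regimes the mail contrasts, as an added example that is not part of the original thread or either correspondent's text: a port-specific "135/TCP sweep" detector of the kind used against Blaster, beside a port-agnostic fan-out measure that still works once every application and every attack sits on port 80. It goes beyond the mail in making the measure port-independent. The flow-record layout, the thresholds and window, and the sample flows are all assumptions constructed for the example, not real traffic or a real tool's format.

```python
"""Fan-out scan detection over constructed flow records (added example).

Port-specific mode reproduces the Blaster-era check: one source touching
many distinct hosts on 135/TCP in a short window. Port-agnostic mode drops
the destination-port test, so the same behaviour is still visible when
everything runs over port 80 and a per-port block or classifier is blind.
"""
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src_ip, dst_ip, dst_port). Not real traffic.
SAMPLE_FLOWS = (
    # Blaster-style sweep: one source touching 12 distinct hosts on 135/TCP in 12 s
    [(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 135) for i in range(12)]
    # Same fan-out pattern, but "everything over port 80"
    + [(2000 + i, "10.0.0.6", f"10.0.3.{i + 1}", 80) for i in range(12)]
    # Benign: a workstation reaching its domain controller on 135 repeatedly
    + [(1000 + 5 * i, "10.0.0.9", "10.0.2.10", 135) for i in range(8)]
    # Benign: a browser fetching one page from three hosts on 80
    + [(3000, "10.0.0.7", "10.0.4.1", 80), (3000, "10.0.0.7", "10.0.4.2", 80),
       (3001, "10.0.0.7", "10.0.4.3", 80)]
)


def fan_out_per_source(flows, port=None, window=60):
    """Map each source to the largest number of distinct destinations it
    contacted within any `window`-second span. With port=None the
    destination port is ignored (the port-agnostic measure)."""
    events = defaultdict(list)
    for ts, src, dst, dport in flows:
        if port is None or dport == port:
            events[src].append((ts, dst))
    result = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        result[src] = best
    return result


def find_scanners(flows, port=None, window=60, threshold=10):
    """Sources whose fan-out reaches the threshold: {src: distinct_dst_count}.
    The threshold (assumed) separates a sweep from a client talking to a
    handful of servers."""
    return {src: n for src, n in fan_out_per_source(flows, port, window).items()
            if n >= threshold}


def port_filter_catches(flows, blocked_port):
    """Sources a plain 'block port N' rule would ever see at all, i.e. those
    that sent at least one flow to blocked_port."""
    return {src for _, src, _, dport in flows if dport == blocked_port}


if __name__ == "__main__":
    print("135-specific sweep detector:", find_scanners(SAMPLE_FLOWS, port=135))
    print("port-agnostic fan-out detector:", find_scanners(SAMPLE_FLOWS))
    print("port-80 sweep visible to a 135 block?",
          "10.0.0.6" in port_filter_catches(SAMPLE_FLOWS, 135))
```

The port-specific run flags only 10.0.0.5; the port-agnostic run flags 10.0.0.5 and 10.0.0.6, while the 135 block never sees 10.0.0.6 at all. The trade-off is the one the mail hints at: once the port stops discriminating, a behavioural measure like fan-out is what remains, and it needs a baseline, since a busy browser also reaches many hosts on port 80 and sits just under the threshold here.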



