Sorry for top-posting, but it's simply easier to contain all of the dialogue.

What I really meant was more in line with the original topic of the thread: What if there were no well-known port numbers? In other words, what if Microsoft loc-srv/epmap did not use tcp/135? What if it just used any various port at any time? What if http did not use tcp/80? What if it just used various random port numbers?

The point that I was trying to make (and probably not so well) was that if behavioral analysis of threats is done in (near) real-time, it really doesn't make much of a difference.

Cheers,

- ferg

-- "Spencer Dawkins" wrote:

Hi, Fergie,

I was confused when I read this the first time, so kept reading. I think I understand where you're coming from now. Please let me try to restate...

> Not responding necessarily to Christian, but more to the fallacy
> that blocking ports (paraphrased) "...doesn't achieve anything."
>
> That's a ridiculous assumption.
>
> When threat intelligence is gleaned in (near) real-time, and
> aged appropriately (bad stuff is taken off-line), blocking it
> (or perhaps, access to it, as the case may be) achieves a great
> deal. Depending on what you want to achieve.

You're coming from previous experience where people closed down specific ports, based on attacks that were exploiting the availability of specific ports. If this is what you are saying, I agree. Detecting 135/TCP scans was the documented detection method for Blaster, for example.

I think the "...doesn't achieve anything" is looking a bit further down the road, and a bit further from side to side going down the road:

- attacks are forced onto the same (usually open) ports as well-known applications, as network administrators move to "white lists" for ports, and

- as more and more application protocols are port-agile, you have less and less clue about what the traffic actually is, if you care about more than "is this an attack?".

with "everything over port 80" being the terminal condition (there is only one port that you can count on, so all application protocols and all attacks use port 80).

Does this make sense?

Thank you,

Spencer

-- 
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
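An added illustration of the point argued above, not part of the thread, using constructed flow records: a port-based block list only sees the Blaster-style 135/TCP sweep, while a fan-out rule that ignores the port number flags the same scanning behaviour when it moves to an arbitrary port. The addresses, the port 41337 and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, proto). Not real traffic.
FLOWS = [
    # Blaster-style sweep: one source probing 40 hosts on tcp/135
    *[("10.0.0.5", f"10.0.1.{i}", 135, "tcp") for i in range(1, 41)],
    # The same fan-out behaviour on an arbitrary, non-well-known port
    *[("10.0.0.9", f"10.0.2.{i}", 41337, "tcp") for i in range(1, 41)],
    # Ordinary client browsing: a handful of destinations on tcp/80
    ("10.0.0.7", "203.0.113.10", 80, "tcp"),
    ("10.0.0.7", "198.51.100.22", 80, "tcp"),
    ("10.0.0.7", "10.0.1.3", 80, "tcp"),
]

BLOCKED_PORTS = {135}  # the "close the port Blaster used" rule


def port_rule(flows, blocked=BLOCKED_PORTS):
    """Port-based blocking: flag any source that touches a blocked port.
    Blind to the same activity on a port that is not in the list."""
    return sorted({src for src, _, port, _ in flows if port in blocked})


def fanout_rule(flows, threshold=20):
    """Behavioural rule: flag a source that reaches at least `threshold`
    distinct destinations on one destination port, whatever that port is.
    In practice this runs over a sliding time window (near real-time)."""
    seen = defaultdict(set)  # (src, dst_port) -> set of destinations
    for src, dst, port, _ in flows:
        seen[(src, port)].add(dst)
    return sorted({src for (src, _), dsts in seen.items()
                   if len(dsts) >= threshold})


if __name__ == "__main__":
    print("port rule flags:   ", port_rule(FLOWS))    # only the 135/TCP sweep
    print("fan-out rule flags:", fanout_rule(FLOWS))  # both sweeps, not the browser
```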