Obscurity isn't useless in all situations, but in this case it's important to re...

Joakal · on May 19, 2011

How about using "password" as a password if security is so good? Or do you suggest people keep track of 255 UTF-8 characters for a password?

An attacker would still need to go through all 65k ports. I would assume by even false scanning 5 ports, the attacker gets immediately null-routed and still get no response. I would also hope such programs have a paranoid sense of security that they would deny user/password if either are false by not even providing a response as if the program didn't exist.

Due to lack of feedback, users will get inconvenience and confusion why ssh doesn't work. Much like passwords example, there's a trade off between usability vs security with varying obscurity levels.

sorbus · on May 20, 2011

> I would assume by even false scanning 5 ports, the attacker gets immediately null-routed and still get no response.

So run the scan using a botnet. Each machine makes one attempt (there are some really big botnets out there). There's no way for the machine to prevent the attacker from finding the port being used, unless the machine notices that lots of requests are coming in from unknown machines and starts refusing all requests - of course, refusing requests from unknown machines is a good thing to do if you're being paranoid. Use a whitelist of allowed machines, not a blacklist of disallowed machines.

Joakal · on May 20, 2011

Is there really no way for the machine to prevent private ports from being be known without a specific call? It seems to me that machines are designed to follow the standard to be nice and respond back [0]. Even with a whitelist, I have concerns that the machine is opening itself for a DDoS SYN attack by simply replying back rejections.

[0] https://secure.wikimedia.org/wikipedia/en/wiki/Port_scan#TCP...

bostonvaulter2 · on May 20, 2011

You should look into tar pits:

http://en.wikipedia.org/wiki/Tarpit_%28networking%29