[j-nsp] SSH_Brute_Force events

Pavel Lunin plunin at senetsy.ru
Sun Apr 8 11:46:06 EDT 2012


On 4/6/2012 at 3:08, Tim Hogard wrote:

> i.e. going from port 22 to 10022 means the attacker needs to scan first
> and that makes that job 10^4 times harder.
>

It's just as if an MX router doing lookups in a 400-entry table had 1000
times more performance than the same router looking up against the full
table. The problem with this logic is that scanning X ports is not
necessarily N times harder than scanning N*X ports.

This logic has its reasons, though: some brute-forcers are too lazy to
perform port scans (there are enough other hosts to try), so changing the
port will keep you from being exposed to them. This divides the 'probability
space of attackers' into two parts: lazy and diligent. But in order to
calculate how much more secure you will be after changing the port number,
you must understand what share of attackers overall are lazy and, of course,
be sure that the ones trying to hack you are uniformly distributed over all
attackers :)

