Re: Help - what is port 666 (DOOM) and why?
From: David (davidwnh_at_adelphia.net)
Date: 10/01/03
- In reply to: Daniel Crichton: "Re: Help - what is port 666 (DOOM) and why?"
Date: Wed, 01 Oct 2003 17:32:43 GMT
They are not irrelevant. The vast majority of servers, particularly those on
the internet which are set up for public access, use the standard assigned
port numbers. Services are assigned standard ports for good reason. Client
applications use the standard assigned ports by default for the services
they are designed to access unless you specifically tell them to do
otherwise.
>
> Filenames are irrelevant. Port names are irrelevant. Any program can be
> named anything and use any port.
>
I haven't taken a narrow view at all. The same person wouldn't have a clue
if only the port number was given either. But some people do understand what
is going on. You're the one with the narrow view since you don't seem to
want to consider those for whom this type of information is useful. Would
you rather have people less confused and possibly more prone to accepting
random traffic when the alerts occur? Putting the commonly used service
name with the associated port is no more confusing than having just a port
number for those who don't have a clue about port assignments in the first
place. And it is extremely helpful to those who understand how to digest
such information.
Netstat does the same thing. When it prints out socket status it simply
reads the service names from the same type of list. As do most port
scanners, etc. etc. It is a feature that helps ease the analyzation of
certain things.
> Granted, this makes sense, as does your IRC example. But you've taken a very
> narrow view of this. "OMG, iexplore.exe is trying to connect to port 1080
> (socks), Internet Explorer has nothing to do with socks, therefore it must
> be very bad!!!" - one example from a user I had to deal with recently who
> calmed down once I explained port 1080 is commonly used for proxy servers,
> and they asked me why it said socks and not proxy, took a bit of explaining
> and I'm still not convinced they took it onboard.
No, it is generally the administrators who set up the proxies or other
services that change the configuration from the defaults.
> There is no longer a
> single, standardised list of ports and common names - the firewall
> developers just seem to pick one and use that.
Daytime is on 13, Ident on 113. So either you are wrong, forgot your eyewear,
or the person who made that particular list made a typo.
> I've seen port lists showing
> 13 as Daytime, yet I've always known this as Ident. When was the last time
> you saw a daytime service, or needed to access it? Yet Ident is very common,
> and average joe user connecting up to IRC will commonly come across hits to
> their firewall for port 13. A search on Google for Ident is going to be much
> more useful to them than a search for Daytime.
>
>
DOOM IS one of two programs/protocols legitimately given that port
assignment. MDQS could have also been included since it is
legitimately assigned but maybe the developers chose to only include a
single name or they excluded MDQS since it is a Unix protocol and will
probably never surface for your average person using a windows specific
personal firewall. The rest of the "commonly" seen uses of this port are
from malware. So someone playing DOOM online and seeing this kind of alert
that included the port number, port assignment, and specific doom executable
that accesses the net would know what was going on. And someone who doesn't
know what DOOM is because they have never played it should be wary or
confused because the traffic is more than likely malicious or unwanted. What
you need to grasp is that these personal firewalls cannot by themselves
discern the difference between legitimate and illegitimate for most traffic.
That is why they pop up alerts "asking the user" whether to accept or deny
something. Providing the name of a legitimate program or service commonly
used with the ports indicated simply provides another piece of information
that will
often help guide some users towards making the correct choice. The
information it provides is not guaranteed to be perfect, but it will often
allow for a decision that has a lesser degree of doubt.
> I never said I was confused. I was merely pointing out that a firewall
> popping up a name to go with port for something that hasn't been seen for
> years may be confusing to average/less than average joe user. Why did the
> OP's firewall software use the name Doom for port 666 when it could also
> have used mdqs, or satansbackdoor, or a whole list of other names that in
> the past have been associated with this port.
> For very common port numbers I
> agree that names are useful, but for those rarely seen the arbitrary
> selection of 1 name only serves to confuse or panic people, especially when
> the name used implies something "nasty".
>
>
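
Added example, not part of the original post: the port-to-name lookup that netstat and firewall alerts perform against a services-style list, written so that a port with more than one assigned name (666: mdqs and doom) reports all of them instead of one arbitrary pick. The list excerpt is constructed for illustration, and `parse_services` and `label` are hypothetical names.

```python
from collections import defaultdict

# Constructed excerpt in /etc/services layout:
#   name  port/proto  [aliases...]  # comment
SERVICES = """\
daytime   13/tcp
daytime   13/udp
auth      113/tcp   ident tap
mdqs      666/tcp
doom      666/tcp              # Id Software
doom      666/udp
socks     1080/tcp
"""

def parse_services(text):
    """Map (port, proto) -> every name and alias listed, in file order."""
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                           # skip malformed entries
        port_s, proto = fields[1].split("/", 1)
        if not port_s.isdigit():
            continue
        key = (int(port_s), proto.lower())
        for name in [fields[0]] + fields[2:]:
            if name not in table[key]:
                table[key].append(name)
    return dict(table)

def label(table, port, proto="tcp"):
    """Annotate a port for an alert line. The names are only a hint from the
    list: they say what is assigned there, not what is actually listening."""
    names = table.get((port, proto))
    if not names:
        return f"{port}/{proto} (no assigned name)"
    return f"{port}/{proto} ({', '.join(names)})"

TABLE = parse_services(SERVICES)

if __name__ == "__main__":
    for port in (13, 113, 666, 1080, 31337):
        print(label(TABLE, port))
```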