arleybls
Premium
join:2004-05-25

reply to justin

Re: Place your bets - Closed vs Stealthed

said by justin:

...Which modern PC stack is (was) vulnerable to a land attack from a simple SYN packet and died or got rooted because it responds with a RST?
** 8 years after the attack was first made public **

March, 2005 (Original disclosure post):
»www.securityfocus.com/archive/1/···-03-08/0
--
(arleybls) CCSP, CQS-VPN, CQS-Firewall, CQS-IPS, CCNA, MCSE/MCSA Security, MCP+I, Security+, iNet+, OCP, CIWA


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to justin

said by justin:

. . . So I still don't see what the big (or even tiny) deal is for home users in this topic.
It's just a matter of myth debunking, Justin -- the concept that in some vaguely defined sense, being 'stealthed' (on all ports) is somehow better than simply being 'closed' (on all ports).

Generally, the argument seems to ignore the fact that most IP probing (certainly today) is done by automated 'bots that are preprogrammed to take certain actions depending on what, if any, response is received from 'probing' a limited set of often exposed (e.g., open 'listening') ports. Any malware (or blackhat) that would then institute a comprehensive port scan of a system indicating that the initially target port(s) is(are) only 'closed' would be considered totally clueless today.
--
Regards, Joseph V. Morris


justin
Australian
join:1999-05-28
New York, NY

reply to arleybls
That's a DoS, not an exploit.
a) Aren't we talking about whether or not one is "more secure" (not more reliable), and whether or not having visible closed ports is somehow inviting exploits?
b) Is this the exception that proves the general rule that nobody needs to fear security, or even DoS attacks, from RST packet processing?
c) For the average home user, on their average NAT router (does anyone really put a naked Windows machine with a public IP online anymore?), the whole issue is moot.

The issue of DDoS mitigation is a different one in my book. I can DoS you (or any website) in dozens of ways. Stealth ports as DoS prevention are no solution: well, it happens to be a solution only for that particular OS in that particular situation faced with a particular attacker!



gkweb

join:2003-06-09
76800

reply to Link Logger
Something a little OT.
English is not my native language, and if I look at the cambridge dictionaries online, close/closed is correct :
»dictionary.cambridge.org/define.···ict=CALD

However, I find "stealth", but not "stealthed" :
»dictionary.cambridge.org/define.···ict=CALD

Does the word "stealthed" really exist?
Sorry for the slightly OT

Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com

*member of ASAP : Alliance of Security Analysis Professionals*



NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro

said by gkweb:

Does the word "stealthed" really exist?
Sorry for the slightly OT
Only as a marketing term, PR people invent new words all the time.

Try "blocked" or "filtered" which is what a "stealth" port really should be called.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


Jim Gurd
Premium
join:2000-07-08
Plymouth, MI

reply to justin

said by justin:

(does anyone really put a naked windows machine with a public IP online anymore?)
Umm... yes, they do. That's a big part of the problem.

Joe Schmoe goes out and buys a computer and hooks it up to the net. Thankfully since SP2 the Windows firewall is on by default which helps to limit the damage.
--
To be rich in friends is to be poor in nothing.


EGeezer
Summertime
Premium
join:2002-08-04
Midwest

reply to arleybls

said by arleybls:

** 8 years after the attack was first made public **

March, 2005 (Original disclosure post):
»www.securityfocus.com/archive/1/···-03-08/0

Seems the same thing might happen with a bad connection, marginal hardware or a flaky cable.
--
6EQUJ5


MxxCon

join:1999-11-19
Brooklyn, NY

reply to justin

said by justin:

So I still don't see what the big (or even tiny) deal is for home users in this topic.
mainly to "defang" this type of FUD: »/r0/download/1···tim1.JPG
What matters is not having un-needed ports open, rather than how they are closed.
--
[Sig removed by Administrator: Signature can not exceed 20GB]


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB

reply to MxxCon

[three attached chart images]
said by MxxCon:

»/r0/download/1···0IPs.JPG
it's interesting that the number of unique IPs during the 'open' period increased.
I can see 2 causes for this:
statistical error and/or coincidence
OR
some of those scanners are cross-communicating/using some central database?
I doubt any worm is that smart. The increase you are seeing is likely because the worms smell blood and are really going after the 'open' ports, in that they are scanning longer (including trying multiple exploits per port), so they tend to show up in a 'more unique IPs/hour' sort of thing. There was a small increase in the number of unique systems that day, but looking at the other IP from the netblock we see that the number of systems was pretty consistent throughout the test.

So looking at the IP traffic from some of the infected systems over the duration of the test we see that closed and stealth resulted in short scans, but once we had open ports it was game on, complete with ports they hadn't scanned during closed or stealthed (likely the remote command shell port they thought their exploit would open as well as other exploitable ports).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB

reply to MxxCon
A closed port, when scanned, returns that it's closed, whereas a stealthed port returns nothing. Given how TCP works, a closed port should deter the worm from tossing any more traffic at that port (assuming that worm authors are actually good coders (not), but we see that they didn't tend to try the remote shell port, so they knew their attack was defeated in both the closed and stealthed tests), whereas with a stealthed port there could be some retries.

Now does this slow down the worm? Not really, given how they are multi-threaded; they hammer tons of IP addresses at once (I'll post some samples from some other tests later this week when I put up some honeypots where the idea is to let them get infected). If we really wanted to slow down worms, perhaps we should ask the ISPs to go back to slow dialup lines.

Fact is, smart bot masters don't set all their infected systems to scan, as I found during my last round of honeypot testing, since they only need a couple of systems to have more than ample coverage (at some point in time they expect to lose the scanner, but I've seen scanners go for months at a time on our ISP, sad).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB

reply to Link Logger
Now let's get evil, toss on the old black hat (I'll just pretend that my white hat is a little dirty) and look at this a little differently. Automated worms are just that, automated, and will scan any address, existing or not, but what would happen if a real, breathing, hands-on-the-keyboard hacker was to get in on this test? What do closed and stealthed mean to them? (Note it is unlikely that residential users will ever have a live hacker go after them, unless they are a means to a bigger end.)

So I see closed ports; what does that tell me, or what could it tell me? Well, first I would suspect that it's not a firewall but a computer which is connected (and the owner is too lazy or cheap to install a firewall). Now the fact that the ports are closed means I can't attack them, but I know that one level of protection is missing, and if the owner makes a single mistake (e.g. turns on file sharing), then ownership is mine, whereas if they were behind a firewall, they are still untouchable. Also I could do some forms of OS fingerprinting which might allow me to investigate some other vulnerabilities/ports which might be open but I didn't scan before, whereas stealthed tends to indicate usage of a firewall, and given I'd already scanned the expected ports, there isn't likely anything else to scan. Also the firewall might be logged so they would see my scans, but given most admins don't watch their logs, that typically wouldn't deter me from scanning all the TCP ports, for example (you wouldn't believe how loudly I've tromped through some sites and no one noticed).

Now given a good hacker already knows your IP addresses and such before scanning you, stealthed is typically only telling them you're behind a firewall and have that layer of protection.

Purely technical attacks are far less common than they used to be (gone are the days when all I needed was for you to be simply connected to the internet). Patched OSes are pretty secure, so if I was going after your company, I'd be really interested in any enterprise-developed code, like your web site or web services, client/server apps, etc., as it would be far easier to find an exploit in that code than, say, Microsoft's anymore. It's very likely your corporate coders are not so good at secure coding practices, testing, etc., so for example I'd be after the 19 deadly coding sins in their code. Other options would be social engineering (of course), or to look at what products and such your company uses and look for exploits in them or in their configuration, or attack your wireless networks or devices, or remote systems (which tend to have less admin attention), or mobile users. In short, the OS isn't as big an attack vector as it once was, so hackers simply turn elsewhere, and as far as security is concerned we haven't even been around the block once, so there are lots of yet unexplored attack vectors.

Now concerning reflection DDoS attacks: yes, closed ports can be a willing participant, and stealthed ports by their very nature will not, but with so many huge bot armies around, a reflection attack is almost just too much work for too little result when I can get a bigger effect from spoofing TCP packets (nice big juicy packets at that) from my million bots at the desired target. The bot army is typically very distributed, so upstream filtering and such is just as difficult as with reflection attacks. Also, considering the vast increase in firewall usage (e.g. the SP2 firewall on by default), I'd almost have to DoS myself in order to reflect off enough systems to DoS you, or scan my brains out to find enough 'closed' port systems to make the attack worthwhile. Gone are the days when you could spray a whack of systems and most of them would reflect at your target.

So what would I recommend? Use a firewall, as it is likely the easiest and cheapest layer of defense you can get and is as close to fire-and-forget as security gets (stealthed is just one of the benefits of using a firewall). Now I can still fingerprint some firewalls, but firewalls are far less likely to have vulnerabilities than OSes (it's those stupid user vulns that tend to trip up OSes, and a firewall will isolate those from the evilness trying to get in). Certainly to a real hacker closed ports can cough up more information than stealthed ports, but to some dumb old automated worm it really makes very little difference. A solid brick wall or an internally locked steel door doesn't make any difference; it's not getting in.

A firewall isn't the single silver bullet which can protect you from every form of evil, so you will need other bullets in your security gun, but a firewall should pretty much be a given anymore.

Hopefully this exercise and the usual excellent discussion between members at DSLReports has helped clear up some of the issues surrounding the stealth/closed debate. Now certainly I haven't covered all the points from the black hat's viewpoint, but hopefully I've covered enough to allow people to think about what closed and stealthed mean to them.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



SpannerITWks
Premium
join:2005-04-22

reply to Link Logger
Link Logger

It's very interesting to hear you say -

" closed ports are can be a willing participant, stealthed ports by their very nature will not " and " stealthed is just one of the benefits of using a firewall "

I've always felt that Stealth is preferable, even though lots of people kept saying it had no benefits!

Thanx for the continued tests.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



gkweb

join:2003-06-09
76800

reply to Link Logger
Excellent write-up Blake, it sums it up very well

Regards,
gkweb.


Bane75

join:2002-09-20
Poway, CA

reply to Link Logger
"So I see closed ports, what does that tell me, or could tell me. Well first I would suspect that its not a firewall, but a computer which is connected (and the owner is too lazy or cheap to install a firewall), now the fact the ports are closed means I can't attack them, but I know that one level of protection is missing,..."

I just wanted to add that closed ports do not always indicate that a firewall is missing. A service that is filtered but not allowing traffic from your particular IP address can also show up as closed depending on the firewall product in use. Cisco FireWall Services Module (a PIX blade that works in 6500 series switches) is one example of a device that acts this way.

Jamy



no__1__here
Premium
join:2003-10-13
Tomball, TX

Excellent work as always, Link Logger.

said by Link Logger:
So I see closed ports, what does that tell me, or could tell me. Well first I would suspect that its not a firewall, but a computer which is connected (and the owner is too lazy or cheap to install a firewall), now the fact the ports are closed means I can't attack them, but I know that one level of protection is missing,...
I can easily set my El Cheapo firewall (WRT54GS using iptables) to do a reset or port unreachable instead of a drop, so a closed response doesn't always mean a firewall is not present.


sivran
Back to Opera again
Premium
join:2003-09-15
Arlington, TX

reply to Bane75
Maybe he meant that with closed you can make a reasonably educated guess whether or not you're banging your head against a firewall? Assuming you feel like bothering with a second look, that is.
--
Think outside the fox...Seamonkey



EGeezer
Summertime
Premium
join:2002-08-04
Midwest

reply to Link Logger
Blake, from my bit of real world activity, your analysis is dead on.

The mass target scanners are looking for low hanging fruit. Closed or stealth, they move on since there are many other targets available. The more labor-intensive hacks would be reserved for those people or organisations the hackers would consider worth the effort. For the typical home user, "closed vs stealthed" is more of a matter of personal preference or comfort than necessity, legal due diligence or significant benefit.

The targeted attacks against those entities the attacker is working will, as you say, use multiple methods, including port scanning, fingerprinting, passive observation, PBX or IP telephony hacking and even physical visits, dumpster diving, surveillance or burglary of badges, uniforms or documents. They'd use these to gain internal access to voice mail, messaging, identity information etc. to social engineer their way to internal systems, email addresses, passwords etc. that they can use to access more systems, escalate privileges and install back doors or malcode.

If they can get to a user's or admin's desktop, they can access SNMP devices like network printers; with OS and DB fingerprinting they can further discover servers, network appliances, system, software and firmware patch levels, and launch exploits based on the specific profile of the target, a much quieter and more effective method of hacking than the brute-force whacking or broad-based Nmap and Nessus scans of the past.

This kind of project is becoming more refined among commercial, ideological, terrorist and political entities engaging in criminal enterprise, information warfare and infrastructure attacks on SCADA/HMI systems, but not against Joe Sixpack with his home PC.
--
6EQUJ5


Alphalutra1

join:2005-10-06
127.0.0.1

reply to no__1__here
no_1_here, how do you change your wrt54g to do this? I have HyperWRT-thibor BTW, but I would rather show up closed than stealth.

Cheers,

Alphalutra1



no__1__here
Premium
join:2003-10-13
Tomball, TX

Change the -j DROP to -j REJECT; for example:

# -A appends to the end of INPUT, so these only take effect if no earlier
# rule (or jump to a drop chain) already matches the packet; put them where
# the DROP rule was, or insert them above it with -I.

UDP (should return ICMP port unreachable):
iptables -A INPUT -p udp -j REJECT

TCP (sends a TCP reset):
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset   # without --reject-with, REJECT answers TCP with ICMP port unreachable, not a RST
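
The difference between DROP, plain REJECT and REJECT with tcp-reset is exactly what a port scanner reports back, so it is worth seeing the three replies side by side. The following is an added example, not code from this thread or from any router firmware: it builds constructed reply packets for each netfilter action, classifies them the way nmap's SYN and UDP scans do (open / closed / filtered, where "filtered" is what this thread calls stealthed), and shows why the TCP line above needs --reject-with tcp-reset: plain -j REJECT answers a TCP SYN with ICMP port unreachable, and a SYN scan reports that as filtered, not closed. The packet builders, the 192.0.2.x/198.51.100.x addresses and the 40000 scanner source port are assumptions for the sample; checksums are left at zero because nothing is put on the wire.

```python
"""
Classify what a SYN/UDP scanner sees for a port from the reply packet
(or silence), and simulate the reply each netfilter action produces.

Added example for the closed-vs-stealthed thread, not code from it.
Packets are constructed samples built with struct; IP/TCP/ICMP checksums
are zero because they never leave this process.
"""
import socket
import struct
from typing import Optional

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP type 3 codes a SYN scan reads as "filtered": net/host/protocol/port
# unreachable (0-3) and the administratively prohibited codes (9, 10, 13).
UNREACHABLE_FILTERED = {0, 1, 2, 3, 9, 10, 13}


def ipv4(proto: int, payload: bytes, src: str = "192.0.2.1", dst: str = "198.51.100.7") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum zero) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    """Bare TCP header: data offset 5 words, zero seq/ack/window/checksum/urgent."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)


def icmp_unreachable(code: int) -> bytes:
    """ICMP type 3 header (checksum zero); the quoted original datagram is omitted."""
    return struct.pack("!BBHI", 3, code, 0, 0)


def classify(reply: Optional[bytes], probe_port: int, probe_proto: str = "tcp") -> str:
    """nmap-style state of `probe_port` given the raw IPv4 reply to one probe."""
    if reply is None:
        return "filtered"                       # silence: DROP (or a lost packet)
    ihl = (reply[0] & 0x0F) * 4
    proto, body = reply[9], reply[ihl:]
    if proto == PROTO_TCP:
        sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", body[:14])
        flags = off_flags & 0x01FF
        if sport != probe_port:
            return "unrelated"
        if flags & TCP_RST:
            return "closed"                     # RST: no listener, or REJECT --reject-with tcp-reset
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"
        return "unrelated"
    if proto == PROTO_ICMP:
        icmp_type, icmp_code = body[0], body[1]
        if icmp_type == 3:
            if probe_proto == "udp" and icmp_code == 3:
                return "closed"                 # UDP probe: port unreachable means closed
            if icmp_code in UNREACHABLE_FILTERED:
                return "filtered"               # TCP SYN probe: any unreachable means filtered
    return "unrelated"


def netfilter_reply(action: str, probe_proto: str, port: int) -> Optional[bytes]:
    """Reply a Linux firewall generates for a NEW probe that hits a rule with `action`."""
    if action == "DROP":
        return None
    if action == "REJECT":                      # default reject type: icmp-port-unreachable
        return ipv4(PROTO_ICMP, icmp_unreachable(3))
    if action == "REJECT --reject-with tcp-reset":
        return ipv4(PROTO_TCP, tcp(port, 40000, TCP_RST | TCP_ACK))
    raise ValueError(action)


def scan_matrix(port: int = 445) -> dict:
    """State a scanner reports for each action, for a TCP SYN probe and a UDP probe."""
    out = {}
    for action in ("DROP", "REJECT", "REJECT --reject-with tcp-reset"):
        for proto in ("tcp", "udp"):
            if proto == "udp" and "tcp-reset" in action:
                continue                        # --reject-with tcp-reset is only valid for -p tcp
            out[(action, proto)] = classify(netfilter_reply(action, proto, port), port, proto)
    return out


if __name__ == "__main__":
    for (action, proto), state in scan_matrix().items():
        print(f"{action:32} {proto:4} -> {state}")
```

Run it and the table shows DROP as filtered for both protocols, plain REJECT as closed for UDP but filtered for TCP, and only the tcp-reset form as closed for TCP; that RST is also the packet a closed port reflects toward a spoofed source, which a DROP'ed port never sends.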


Alphalutra1

join:2005-10-06
127.0.0.1

Thanks for the help, but where do I issue these commands? I ssh'd into the router and issued them, but I was still stealth. I then tried to add them to the firewall script, but I was still stealth.

Thanks for the assistance, too bad I am too daft to understand how to use it though lol

Alphalutra1
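
Appending with -A puts a rule at the end of INPUT, after whatever -j DROP (or jump to a logging/drop chain) the firmware's firewall script already installed, so a packet is dropped before the new REJECT rule is ever consulted. The following added example (not code from this thread or from any router firmware) simulates netfilter's top-to-bottom walk of the INPUT chain over two constructed iptables-save dumps in the style of a home router (WAN on vlan1, LAN bridge br0, a "logdrop" user chain; all assumed), one with the REJECT rule appended and one with it inserted above the drop with -I INPUT 3, and reports the verdict a WAN SYN probe gets. Option matching is deliberately simplified: only -p, -i, --dport and -m state --state are modelled, every option is assumed to take one value, and "!" negation and valueless options such as --syn are not handled.

```python
"""
Simulate how netfilter walks a chain so you can see which rule answers a
probe, and therefore whether a port looks stealthed (DROP), closed
(REJECT) or reachable (ACCEPT) from outside.

Added example for the closed-vs-stealthed thread, not code from it or
from any router firmware. The rulesets are constructed iptables-save
dumps; the matcher models only -p, -i, --dport and -m state --state.
"""
import shlex
from typing import Dict, List, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed dump in the style of a home router's filter table (assumed names).
BASE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j logdrop
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP "
-A logdrop -j DROP
COMMIT
"""
REJECT_RULE = "-A INPUT -p tcp -j REJECT --reject-with tcp-reset"
# What `iptables -A INPUT ...` leaves behind: the rule lands after the drop jump.
APPENDED = BASE.replace("-A INPUT -j logdrop\n", "-A INPUT -j logdrop\n" + REJECT_RULE + "\n")
# What `iptables -I INPUT 3 ...` leaves behind: the rule sits above the drop jump.
INSERTED = BASE.replace("-A INPUT -j logdrop\n", REJECT_RULE + "\n-A INPUT -j logdrop\n")

WAN_SYN = {"proto": "tcp", "iface": "vlan1", "dport": 445, "state": "NEW"}
LAN_SYN = {"proto": "tcp", "iface": "br0", "dport": 445, "state": "NEW"}


def parse_save(dump: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Return ({chain: [rule argv, ...]}, {chain: policy}) from an iptables-save dump."""
    chains: Dict[str, List[List[str]]] = {}
    policies: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ':INPUT DROP [0:0]' declares chain + policy
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = policy              # user chains carry '-'
        elif line.startswith("-A "):
            argv = shlex.split(line)
            chains.setdefault(argv[1], []).append(argv[2:])
    return chains, policies


def rule_matches(argv: List[str], probe: dict) -> bool:
    """True if every modelled match option agrees with the probe (options end at -j)."""
    i = 0
    while i < len(argv) and argv[i] != "-j":
        opt, val = argv[i], argv[i + 1]          # every option assumed to take one value
        if opt == "-p" and val != probe["proto"]:
            return False
        if opt == "-i" and val != probe["iface"]:
            return False
        if opt == "--dport" and int(val) != probe["dport"]:
            return False
        if opt == "--state" and probe["state"] not in val.split(","):
            return False
        i += 2
    return True


def verdict(chains: Dict[str, List[List[str]]], policies: Dict[str, str], chain: str, probe: dict) -> str:
    """First terminating target hit walking `chain` top to bottom, else the chain policy."""
    for argv in chains.get(chain, []):
        if "-j" not in argv or not rule_matches(argv, probe):
            continue
        j = argv.index("-j")
        target, extra = argv[j + 1], argv[j + 2:]
        if target in TERMINAL:
            return " ".join([target] + extra)    # e.g. 'REJECT --reject-with tcp-reset'
        if target == "RETURN":
            break
        if target in chains:                     # user chain: descend, fall through on return
            inner = verdict(chains, policies, target, probe)
            if inner.split()[0] in TERMINAL:
                return inner
        # LOG and other non-terminating targets continue to the next rule
    return policies.get(chain, "-")


def probe_result(dump: str, probe: dict) -> str:
    chains, policies = parse_save(dump)
    return verdict(chains, policies, "INPUT", probe)


def as_seen_by_scanner(v: str) -> str:
    """Translate the netfilter verdict into what a port scanner reports."""
    target = v.split()[0]
    if target in ("DROP", "-"):
        return "stealthed (no reply)"
    if target == "REJECT":
        return "closed (RST)" if "tcp-reset" in v else "filtered (ICMP unreachable, not RST)"
    return "open or closed, decided by whether a service listens"


if __name__ == "__main__":
    for label, dump in (("appended with -A", APPENDED), ("inserted with -I INPUT 3", INSERTED)):
        v = probe_result(dump, WAN_SYN)
        print(f"{label:26} -> {v:32} {as_seen_by_scanner(v)}")
```

On the real router, list the chain with `iptables -L INPUT -n -v --line-numbers` to find the position of the existing DROP (or the jump to the chain that drops), and insert the REJECT rule above it with `iptables -I INPUT <n> ...`; if the firmware's firewall script rebuilds the chain at boot, the same ordering has to be preserved there.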


© 1999-2012 dslreports.com.