Re: Place your bets - Closed vs Stealthed in Security

Re: Place your bets - Closed vs Stealthed in Security http://www.dslreports.com/forum/r17079234 en Wed, 02 Dec 2009 09:48:54 EDT Wed, 02 Dec 2009 09:48:54 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17121042 no__1__here : I don't know of a doc off-hand, but I'm sure a Google search for iptables reject drop will give you more than you want to sift through. :) I'm not trying to be difficult -- if I knew of a good doc I'd happily post it.]]> http://www.dslreports.com/forum/remark,17121042 Thu, 19 Oct 2006 23:52:02 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17117055 Bane75 : You add those lines to the iptables.conf file. It is normally found in the /etc/sysconfig. ]]> http://www.dslreports.com/forum/remark,17117055 Thu, 19 Oct 2006 12:21:58 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17116635 Bane75 : How to change really depends on what firewall you are using. Some commercial products do not allow the change at all. Most open source firewalls such as BSD PF do. Prepackaged open source firewalls such as Monowall, generally do not with out a ton of work. ]]> http://www.dslreports.com/forum/remark,17116635 Thu, 19 Oct 2006 11:04:15 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17115864 Zydaco : Is there a post somwhere that explains the correct way to change from closed to stealth and vice versa?]]> http://www.dslreports.com/forum/remark,17115864 Thu, 19 Oct 2006 08:02:04 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17112539 no__1__here : I'm guessing you used the example as-is with the -A, in which case the rule got appended to the end (not really what you want). Sorry for my very poor examples.

Sent ya a PM Alphalutra1

;)]]> http://www.dslreports.com/forum/remark,17112539 Wed, 18 Oct 2006 17:43:29 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17112486 Alphalutra1 : Thanks for the help, put where do I issue these commands? I ssh into the router and issued them, but I still was stealth. I then tried to add them to the firewall script, but still I was stealth.

Thanks for the assistance, too bad I am too daft to understand how to use it though lol

Alphalutra1]]> http://www.dslreports.com/forum/remark,17112486 Wed, 18 Oct 2006 17:33:13 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17112097 no__1__here : Change the -j DROP to -j REJECT; for example:

UDP (should return ICMP port unreachable):
iptables -A INPUT -p udp -j REJECT

TCP (sends a TCP reset):
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

:)]]> http://www.dslreports.com/forum/remark,17112097 Wed, 18 Oct 2006 16:28:12 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17111611 Alphalutra1 : no_1_here, how do you change your wrt54g to do this? I have HyperWRT-thibor BTW, but I would rather show up closed than stealth.

Cheers,

Alphalutra1]]> http://www.dslreports.com/forum/remark,17111611 Wed, 18 Oct 2006 15:08:03 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17110952 EGeezer : Blake, from my bit of real world activity, your analysis is dead on.

The mass target scanners are looking for low hanging fruit. Closed or stealth, they move on since there are many other targets available. The more labor-intensive hacks would be reserved for those people or organisations the hackers would consider worth the effort. For the typical home user, "closed vs stealthed" is more of a matter of personal preference or comfort than necessity, legal due diligence or significant benefit.

The targeted attacks against those entities the attacker is working will, as you say, use multiple methods, including port scanning, fingerprinting, passive observations, PBX or IP telephony hacking and even physical visits, dumpster diving, surveillance or burglary of badges, uniforms or documents. They'd use these to gain internal access to phone mail, messaging, identity information etc to social engineer their way to internal systems, email addresses, passwords etc. that they can use to access more systems escalate privileges and install back doors or malcode.

If they can get to a user's or admin's desktop, they can access SNMP devices like network printers, OS and DB fingerprinting they can further discover servers, network appliances, system, software and firmware patch levels and launch exploits based on the specific profile of the target - a much quieter and more effective method of hacking than the brute force whacking or broad based NMAP and Nessus scans of the past.

This kind of project is becoming more refined in commercial, idealogical, terrorist and political entities engaging in criminal enterprise, information warfare and infrastructure attacks on SCADA/HMI systems, but not against joe sixpack with his home PC.
--
6EQUJ5]]> http://www.dslreports.com/forum/remark,17110952 Wed, 18 Oct 2006 13:02:59 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17110801 sivran : Maybe he meant that with closed you can make a reasonably educated guess whether or not you're banging your head against a firewall? Assuming you feel like bothering with a second look, that is. :)
--
Think outside the fox...Seamonkey]]> http://www.dslreports.com/forum/remark,17110801 Wed, 18 Oct 2006 12:32:54 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17110725 no__1__here : Excellent work as always Link Logger

said by Link Logger :
So I see closed ports, what does that tell me, or could tell me. Well first I would suspect that its not a firewall, but a computer which is connected (and the owner is too lazy or cheap to install a firewall), now the fact the ports are closed means I can't attack them, but I know that one level of protection is missing,...

I can easily set my El Cheapo firewall (WRT54GS using IPTables) to do a reset or port unreachable instead of a drop, so a closed response doesn't always mean a firewall is not present. :)]]> http://www.dslreports.com/forum/remark,17110725 Wed, 18 Oct 2006 12:18:47 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17110135 Bane75 : "So I see closed ports, what does that tell me, or could tell me. Well first I would suspect that its not a firewall, but a computer which is connected (and the owner is too lazy or cheap to install a firewall), now the fact the ports are closed means I can't attack them, but I know that one level of protection is missing,..."

I just wanted to add that closed ports do not always indicate that a firewall is missing. A service that is filtered but not allowing traffic from your particular IP address can also show up as closed depending on the firewall product in use. Cisco FireWall Services Module (a PIX blade that works in 6500 series switches) is one example of a device that acts this way.

Jamy]]> http://www.dslreports.com/forum/remark,17110135 Wed, 18 Oct 2006 10:24:05 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17109167 gkweb : Excellent write-up Blake, it sums it up very well :)

Regards,
gkweb.]]> http://www.dslreports.com/forum/remark,17109167 Wed, 18 Oct 2006 05:08:48 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17109135 SpannerITWks : Link Logger

It's very interesting to hear you say -

" closed ports are can be a willing participant, stealthed ports by their very nature will not " and " stealthed is just one of the benefits of using a firewall "

I've always felt that Sleath is preferable, even though Lots of people kept saying it had no benefits !

Thanx for the continued tests.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,17109135 Wed, 18 Oct 2006 05:05:15 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17108695 Link Logger : Now lets get evil, toss on the old black hat (I'll just pretend that my white hat is a little dirty) and look at this a little differently. Automated worms are just that automated and will scan any address existing or not, but what would happen if a real breathing hands on the keyboard hacker was to get in on this test. What does closed and stealthed mean to them (note it is unlikely that residential users will ever have a live hacker go after them, unless they are a ways to a bigger means).

So I see closed ports, what does that tell me, or could tell me. Well first I would suspect that its not a firewall, but a computer which is connected (and the owner is too lazy or cheap to install a firewall), now the fact the ports are closed means I can't attack them, but I know that one level of protection is missing, and if the owner makes a single mistake (eg turns on file sharing), then ownership is mine, whereas if they were behind a firewall, they are still untouchable. Also I could do some forms of OS fingerprinting which might allow me to investigate some other vulnerabilities/ports which might be open, but I didn't scan before, whereas stealthed tends to indicate usage of firewall and given I'd already scanned the expected ports, there isn't likely anything else to scan, also the firewall might be logged so they would see my scans, but given most admins don't watch their logs that typically wouldn't deter me from scanning all the TCP ports for example (you wouldn't believe how loud I've tromped through some sites and no one noticed).

Now given a good hacker already knows your IP addresses and such before scanning you, stealthed is typically only telling them your behind a firewall and have that layer of protection.

Purely technical attacks are far less common then they used to be (gone are the days when all I needed was for you to be simply connected to the internet). Patched OS's are pretty secure so if I was going after your company, I'd be really interested in any enterprise developed code, like your web site or web services, client server apps, etc as it would be far easier to find an exploit in that code then say Microsoft's anymore. Its very likely your corporate coders are not so good at secure coding practices, testing etc so for example I'd be after the 19 deadly coding sins in their code. Other options would be social engineering (of course) or to look at what products and such your company uses and look for exploits in them or in their configuration, or attack your wireless networks or devices, or remote systems(tend to have less admin attention) or mobile users. In short the OS isn't as big as attack vector as it once was, so hackers simply turn elsewhere and as far as security is concerned we haven't even been around the block once so there are lots of yet unexplored attack vectors.

Now concerning reflection DDOS attacks, yes closed ports are can be a willing participant, stealthed ports by their very nature will not, but with so many huge bot armies around, a reflection attack is almost just too much work for too little result, when I can get a bigger effect from spoofing TCP packets (nice big juicy packets at that) from my million bots at the desired target. The bot army is typically very distributed so upstream filtering and such is just as difficult as reflection attacks. Also considering vast increase in firewall usage (eg SP2 firewall on by default), I'd almost have to DOS myself in order to reflect off enough system to DOS you, or scan my brains out to find enough 'closed' port systems to make the attack worth while. Gone are the days when you could spray a whack of systems and most of them would reflect at your target.

So what would I recommend? Use a firewall as its is likely the easiest and cheapest layer of defense you can get and is as close to fire and forget as security gets (stealthed is just one of the benefits of using a firewall). Now I can still fingerprint some firewalls, but firewalls are far less likely to have vulnerabilities then OS's (its those stupid user vuls that tend to trip up OS's and a firewall will isolate those from the evilness trying to get in). Certainly to a real hacker closed ports can cough up more information then stealthed ports, but to some dumb old automated worm, it really makes very little difference. A solid brick wall or an internally locked steel door doesn't make any difference, its not getting in.

A firewall isn't the single silver bullet which can protect you from every form of evil, so you will need other bullets in your security gun, but a firewall should be pretty be a given anymore.

Hopefully this exercise and usual excellent discussion between members at DSLReports has helped clear up some of issues surrounding the stealth / close debate. Now certainly I haven't covered all the points from the black hats viewpoint but hopefully I've covered enough to convey to allow people to think about what closed and stealthed mean to them.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17108695 Wed, 18 Oct 2006 00:59:15 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17108182 Link Logger : A closed port when scan returns that its closed, whereas a stealthed report returns nothing. Given how TCP works a closed port should deter the worm from tossing anymore traffic at that port (assuming that worm authors are actually good coders (not), but we see that they didn't tend to try the remote shell port so they knew their attack was defeated in both the closed and stealthed tests), whereas with a stealthed port there could be some retries. Now does this slow down the worm, not really given how they are multi-threaded, they hammer tons of IP addresses at once (I'll post some samples from some other tests later this week when I'll put up some honeypots where the idea is to let them get infected). If we really wanted to slow down worms, perhaps we should ask the ISP to go back to slow dialup lines. Fact is smart bot masters don't set all their infected systems to scan as I found during my last round of honey pot testing as they only need a couple of systems to have more then ample coverage (at some point in time they expect to lose the scanner, but I've seen scanners go for months at a time on our ISP, sad).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17108182 Tue, 17 Oct 2006 23:23:18 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17108064 Link Logger :

said by MxxCon

:

»/r0/download/1···0IPs.JPG
it's interesting that number of unique IPs during 'open' period increased.
i can see 2 causes for this:
statistical error and/or coincidence
OR
some of those scanners are cross-communicating/using some central database?

I doubt any worm is that smart. The increase you are seeing is likely because the worms smell blood and are really going after the 'open' ports, in that they are scanning longer (including trying multiple exploits per port), so they tend to show up 'in more unique IPs/Hour' sort of thing. There was a small increase in the number of unique systems that day, but looking at the other IP from the netblock we see that number of systems was pretty consistent throughout the test.

So looking at the IP traffic from some of the infected systems over the duration of the test we see that closed and stealth resulted in short scans, but once we had open ports it was game on, complete with ports they hadn't scanned during closed or stealthed (likely the remote command shell port they thought their exploit would open as well as other exploitable ports).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

]]> http://www.dslreports.com/forum/remark,17108064 Tue, 17 Oct 2006 23:04:58 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17106530 MxxCon :

said by justin

:

So I still don't see what the big (or even tiny) deal is for home users in this topic.

mainly to "defang" this type of FUD »/r0/download/1···tim1.JPG
that it's more important not to have un-needed ports open rather than how they are closed.
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17106530 Tue, 17 Oct 2006 19:19:10 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17105002 EGeezer :

said by arleybls

:

** 8 years after the attack was first made public **

March, 2005 (Original disclosure post):
»www.securityfocus.com/archive/1/···-03-08/0

Seems the same thing might happen with a bad connection, marginal hardware or flakey cable.
--
6EQUJ5]]> http://www.dslreports.com/forum/remark,17105002 Tue, 17 Oct 2006 15:30:02 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17104574 Jim Gurd :

said by justin

:

(does anyone really put a naked windows machine with a public IP online anymore?)

Umm... yes, they do. That's a big part of the problem.

Joe Schmoe goes out and buys a computer and hooks it up to the net. Thankfully since SP2 the Windows firewall is on by default which helps to limit the damage.
--
To be rich in friends is to be poor in nothing.]]> http://www.dslreports.com/forum/remark,17104574 Tue, 17 Oct 2006 14:20:16 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17104418 NetFixer :

said by gkweb

:

Does the word "stealthed" really exists ?
Sorry for the slightly OT :)

Only as a marketing term, PR people invent new words all the time.

Try "blocked" or "filtered" which is what a "stealth" port really should be called.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.]]> http://www.dslreports.com/forum/remark,17104418 Tue, 17 Oct 2006 13:55:58 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17104215 gkweb : Something a little OT.
English is not my native language, and if I look at the cambridge dictionaries online, close/closed is correct :
»dictionary.cambridge.org/define.···ict=CALD

However, I find "stealth", but not "stealthed" :
»dictionary.cambridge.org/define.···ict=CALD

Does the word "stealthed" really exists ?
Sorry for the slightly OT :)

Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com

*member of ASAP : Alliance of Security Analysis Professionals*]]> http://www.dslreports.com/forum/remark,17104215 Tue, 17 Oct 2006 13:30:08 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17104068 justin : thats a DOS, not an exploit.
a) Aren't we talking about whether you or not one is "more secure"? (not more reliable) and whether or not having visible closed ports is somehow inviting exploits?
b) Is this the exception that proves the general rule that nobody needs to fear security, or even DOS attacks, from RST packet processing?
c) for the average home user, on their average nat router (does anyone really put a naked windows machine with a public IP online anymore?) the whole issue is moot.

Issue of DDOS mitigation is a different one in my book. I can DOS you (or any website) in dozens of ways. Stealth ports as DOS prevention is no solution: well, it happens to be only a solution for that particular OS in that particular situation faced with a particular attacker!]]> http://www.dslreports.com/forum/remark,17104068 Tue, 17 Oct 2006 13:09:29 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17104027 jvmorris :

said by justin

:

. . . So I still don't see what the big (or even tiny) deal is for home users in this topic.

It's just a matter of myth debunking, Justin -- the concept that in some vaguely defined sense, being 'stealthed' (on all ports) is somehow better than simply being 'closed' (on all ports).

Generally, the argument seems to ignore the fact that most IP probing (certainly today) is done by automated 'bots that are preprogrammed to take certain actions depending on what, if any, response is received from 'probing' a limited set of often exposed (e.g., open 'listening') ports. Any malware (or blackhat) that would then institute a comprehensive port scan of a system indicating that the initially target port(s) is(are) only 'closed' would be considered totally clueless today.
--
Regards, Joseph V. Morris]]> http://www.dslreports.com/forum/remark,17104027 Tue, 17 Oct 2006 13:02:41 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17104012 arleybls :

said by justin

:

...Which modern PC stack is (was) vulnerable to a land attack from a simple SYN packet and died or got rooted because it responds with a RST?

** 8 years after the attack was first made public **

March, 2005 (Original disclosure post):
»www.securityfocus.com/archive/1/···-03-08/0
--
(arleybls) CCSP, CQS-VPN, CQS-Firewall, CQS-IPS, CCNA, MCSE/MCSA Security, MCP+I, Security+, iNet+, OCP, CIWA]]> http://www.dslreports.com/forum/remark,17104012 Tue, 17 Oct 2006 13:01:23 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103972 jaykaykay : Most interesting thread since I have just had to reformat and wasn't sure how much I wanted to load back on this system. I test out with everything closed except port 80 stealth. Yes. I have a router. I remember this kind of question going on from years back and at that time felt that it was horribly important to be stealth all the way. Not so any more.

It's kind of like looking for a house. If you know it's there but can't find it, you're going to keep looking, but if you find it and the front door is closed, you go next door to look for any juicy pickings.
--
JKK:-) Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! »www.pbase.com/jaykaykay ]]> http://www.dslreports.com/forum/remark,17103972 Tue, 17 Oct 2006 12:55:47 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103895 justin : A massive inbound flow is going to kill your line no matter which way you look at it. A flood is a flood is a flood. Some routers even choke when faced with a regular nmap, whether they respond or not.

Ok first, some framing of my argument: we're not talking company or data center firewalls here, we're talking linksys type routers (home networking) or perhaps naked PCs.

Which home network gear ever had a documented exploit from processing a packet to a closed port rather than refusing to reply with a simple RST? or from replying to ICMP ping rather than ignoring it? Which modern PC stack is (was) vulnerable to a land attack from a simple SYN packet and died or got rooted because it responds with a RST?

The most common understanding of "you are stealthed" is to make yourself "unpingable" which is even more dubious an "advantage". (I'm just pointing that out as when most people see "stealthed" they think of the suggestion to disable ICMP).

Anyway.. most (all?) home routers default to NOT sending back RSTs anyway. eg: I telnet to my router address (default config) and SYN packets go unresponded. Ping packets are returned, however. In that sense 'closed' vs 'stealthed' is moot for most people .. for the average user behind their nat router, tcp/udp ports do not respond - They do respond to ping, however, and there is nothing wrong with that.

So I still don't see what the big (or even tiny) deal is for home users in this topic.]]> http://www.dslreports.com/forum/remark,17103895 Tue, 17 Oct 2006 12:40:56 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103741 arleybls :

said by justin

said by arleybls

said by justin

:

So it doesn't actually IMPROVE your security one jot, then why expend a single braincell on worrying about the option even if it is free and there?

It does improve security.

I don't believe it. Provide a real-life (imagined) example of how it improves security for the person enabling the option.

Read all the way up to the post which I talked about the LAND Attack.

Droping will efectively mitigate DRDOS not only as a reflection host but also as a target.

As a target you wouldn't even bother to process unexpected packets "further" as you're dropping them. But CLOSED ports DO process packets, they need to reply with a appropriate answer and thus a massive inbound flow of malformed packets could bring the target to resource starvation state.

This all may sounds rare, may even sounds outter-space, but it is a fact and is kindy easy to implement if you know your way trough programming.

--
(arleybls) CCSP, CQS-VPN, CQS-Firewall, CQS-IPS, CCNA, MCSE/MCSA Security, MCP+I, Security+, iNet+, OCP, CIWA]]> http://www.dslreports.com/forum/remark,17103741 Tue, 17 Oct 2006 12:13:03 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103703 penguins4evr : I voted "not significantly" because, to be honest, I don't really know one way or the other. It just seems like either "closed" or "stealthed" would be much better than "open."

Interesting poll and interesting thread to read. Thanks for mentioning it on the front page and for the invitation to vote :)
--
Q: What's black, white, orange, and waddles? A: A penguin with a jack-o-lantern.
Team Discovery]]> http://www.dslreports.com/forum/remark,17103703 Tue, 17 Oct 2006 12:04:15 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103631 justin :

said by arleybls

said by justin

:

So it doesn't actually IMPROVE your security one jot, then why expend a single braincell on worrying about the option even if it is free and there?

It does improve security.

I don't believe it. Provide a real-life (imagined) example of how it improves security for the person enabling the option.]]> http://www.dslreports.com/forum/remark,17103631 Tue, 17 Oct 2006 11:52:03 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103342 MxxCon :

said by justin

:

not true. "attackers" (they are actually not attackers, they are dumb scan scripts looking for typically vulnerable services on known addresses) do scans in parallel, they don't care about non-responding IPs. Whether an IP is turned off or stealth does not slow down the number of exploitable machines they can find per hour.

well, a system can have only so many open connections before scan traffic begin to interfere with return of results.
I'd guess majority of scans are being done by infected machines looking to spread. with XP-SP2, default system can have only 10 half-open connections... if 5 consecutive IPs are filtered, that scan is already going twice as slow.
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17103342 Tue, 17 Oct 2006 10:53:17 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103187 arleybls :

said by justin

:

So it doesn't actually IMPROVE your security one jot, then why expend a single braincell on worrying about the option even if it is free and there?

It does improve security.

But the question is, does this improvement worth for you and you assets or you feel that you can just take this risk?

--
(arleybls) CCSP, CQS-VPN, CQS-Firewall, CQS-IPS, CCNA, MCSE/MCSA Security, MCP+I, Security+, iNet+, OCP, CIWA]]> http://www.dslreports.com/forum/remark,17103187 Tue, 17 Oct 2006 10:22:14 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103168 justin :

said by MxxCon

:

that's why all non-mail servers should have spamd tar pits installed :D

tar pits are detectable: scanners can tell they are being led on, or they can simply do more work in parallel. They also tie up some of YOUR resources too, and are another potential source of bugs.]]> http://www.dslreports.com/forum/remark,17103168 Tue, 17 Oct 2006 10:18:57 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103145 justin : not true. "attackers" (they are actually not attackers, they are dumb scan scripts looking for typically vulnerable services on known addresses) do scans in parallel, they don't care about non-responding IPs. Whether an IP is turned off or stealth does not slow down the number of exploitable machines they can find per hour.

So it doesn't actually IMPROVE your security one jot, then why expend a single braincell on worrying about the option even if it is free and there?]]> http://www.dslreports.com/forum/remark,17103145 Tue, 17 Oct 2006 10:12:37 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103123 MxxCon : that's why all non-mail servers should have spamd tar pits installed :D
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17103123 Tue, 17 Oct 2006 10:08:35 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17103016 Jim Gurd : The bottom line is there is no disadvantage to being stealth. None whatsoever. It's as if you don't exist.

Being stealth also slows down attackers since they must wait for a specific amount of time to receive a response. Only after timing out do they move on to someone else. This means for each stealthed user it forces the attacker to waste more time scanning their secured IP address thus reducing their efficiency in finding vulnerable machines.
--
Correlation does not imply causation.]]> http://www.dslreports.com/forum/remark,17103016 Tue, 17 Oct 2006 09:50:45 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102857 justin : I think the last time someone personally scanned a randomly chosen IP address or address block then decided based on the results what to do next was when companies answered their main phone number with a human receptionist. What, about 1993?

Therefore, the whole filtered/closed thing is a complete waste of bandwidth and test time and has been for years. I doubt turning "WAN response off" on any home router or naked zone alarm has saved a single infection since linksys or whatever added the option due to so many people using 'shields up' then harassing their help desk staff.

99% of machines that are invaded from outside are done so with one or perhaps a few specific exploits in mind (from default passwords on VNC, onwards) and all searches are done with mass scanning looking for a port that isn't just open, but is active, engaged, interested, and falls immediately.

That is it, end of story.

PCs are not starships: nobody cares that you are hanging there, romulan cloaking technology is a waste of time and brain cells.]]> http://www.dslreports.com/forum/remark,17102857 Tue, 17 Oct 2006 09:18:57 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102756 arleybls : Less traffic does not means less attention! Probably means "Oh ok, I got a RST, so I can reach the port, now let's move to the next one", while a stealthed port could mean "Oh, no answer? let's try again...still no answer..I give up". It depends only of what/how is the script/worm digging or the hacker looking.

Most o today's enterprise grade firewalls, by default, comes with inbound blocking configured and implement some sort of session control and inspection. Asking a security administrator to allow RSTs or any other answer (even directly from a perimeter equipment) from un-used ports is a unforgivable sin.

The question is, do I need be as secure as a enterprise and fine tune my personal firewall to do the same? I would say 'NO' if that action requires lots of time and expertise, but on most of today's products that may be as easy as running a wizard and clicking next, so I would definitely say 'YES'.]]> http://www.dslreports.com/forum/remark,17102756 Tue, 17 Oct 2006 08:53:09 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102592 MxxCon : »digg.com/security/Are_you_more_s···ed_ports
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17102592 Tue, 17 Oct 2006 08:13:47 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102543 MxxCon : »/r0/download/1···0IPs.JPG
it's interesting that number of unique IPs during 'open' period increased.
i can see 2 causes for this:
statistical error and/or coincidence
OR
some of those scanners are cross-communicating/using some central database?

maybe if you have that capacity, run the same test on 3 ips on the same subnet at once? that should eliminate time variable(some scan only on Mondays).
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17102543 Tue, 17 Oct 2006 08:00:21 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102394 norwegian : So how would you interpret all this then ?

A closed port isn't hiding anything, whereas a stealthed port may be hiding something worth looking at ?

So for example, does it boil down to whether you are concerned for your company's secrets as in a Bank, or whether you are used in a DOS flood to maybe harm your company's reputation as in a security firm ?

2 maybe different things with different end results, or purposes ?

Thanks for the insight though Blake, and for your time to pass on the information. :)
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke]]> http://www.dslreports.com/forum/remark,17102394 Tue, 17 Oct 2006 06:37:26 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102355 arleybls : One big point is being missed here, a packet to a stealthed port is dropped, this means that is NOT "further" processed by the stack, a CLOSED port DOES get the packet "further" processed by the stack which then responds with appropriate answer (FIN/RST/ACK...)

That means that CLOSED ports are OPENED to much more flaws and exploits (eg. plain old LAND Attack) on the tcp/ip stack than stealthed ports.

Here's a very nice thread back from the days of the old Land attack:
»insecure.org/sploits/land.ip.DOS.html

One of the users findings states: "..It doesn't appear to matter if the port is opened or closed!"

And why was that? Simply, 'cause CLOSED ports will answer (eg: send and RST/ACK to a SYN request) and thus (at that time) causing the pc to hang due to the malformed src/dst/port packet.]]> http://www.dslreports.com/forum/remark,17102355 Tue, 17 Oct 2006 06:18:45 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102243 gkweb : Thanks for the test Blake.

quote:
The overall summary is there is no significant difference in 'interest' between closed and stealthed, if anything closed has a slightly lower 'interest' level

I have foreseen these results, when I said that scans towards closed ports would move away, whereas those towards filtered ports would try again because no answers was received (hence more scans on stealthed machines).
However, the fact that "there is no significant difference" prevent your results to be interpreted against close or stealth.

Still, I stand by the fact that both close and stealth have advantages, and that stealth prevents reflective attacks. But at least your test shows that stealth does not reduce inbound scans.

Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com

*member of ASAP : Alliance of Security Analysis Professionals*]]> http://www.dslreports.com/forum/remark,17102243 Tue, 17 Oct 2006 04:57:50 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17102080 no__1__here : Great work Link Logger

. :D]]> http://www.dslreports.com/forum/remark,17102080 Tue, 17 Oct 2006 03:10:19 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101996 Link Logger : Now I thought it would be interesting to plot a chart of number of scans per IP per hour just to see if that would show a difference in 'interest' and appears to show that Closed has a slightly lower interest level then Stealthed, and both have a lower 'interest' then Open which again was expected.

Also attached is inbound traffic to a stealthed system in the same netblock, again the inbound spike was from me testing/cleaning up a friends infected system.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

]]> http://www.dslreports.com/forum/remark,17101996 Tue, 17 Oct 2006 02:28:32 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101981 Link Logger : Inbound traffic broken down by port. Also graph showing number of unique IP's per hour scanning. Note the 'open' port test becomes a bit of a gong show, so Open ports will definitately cause an increase in 'interest' even by automated worms, but that was expected and so test is consistent with our expectations there.

NOTE 1026, 1027 traffic (ie Messenger Spam) could care less about what its sending to.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

]]> http://www.dslreports.com/forum/remark,17101981 Tue, 17 Oct 2006 02:21:34 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101965 Link Logger : Inbound system traffic over the duration of the test, with break outs of TCP, UDP and ICMP traffic (the spike of ICMP traffic was me testing to ensure that ICMP were being dropped). UDP and ICMP traffic were relatively consistent over the test, but TCP traffic did spike noticeably with Open ports as typically to 135, 445, 139 increased and port 5000 came into play as when some worms find an open ports they try to fingerprint the OS via a scan to TCP port 5000 (UPNP) (see this in the next group of charts).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

]]> http://www.dslreports.com/forum/remark,17101965 Tue, 17 Oct 2006 02:14:46 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101947 Link Logger : I'm going to put a number of charts up which will show the differences in traffic for closed, stealthed and open. The overall summary is there is no significant difference in 'interest' between closed and stealthed, if anything closed has a slightly lower 'interest' level as shown in the average scans per IP address chart.

Note there is typically a spike of traffic after each state change which is typically me using grc.com to scan the system as I did upload screen shots of the scan results.

I have will also upload a inbound traffic chart from another system which was in the same netblock as the test system, showing it's inbound traffic over the duration of the test, which shows the inbound scans were relatively consistent over the duration of the test. There is one large spike in that graph but that was me plugging a friends system into that network not knowing they had P2P software running on their system (and they wonder why they were infected :mad:).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17101947 Tue, 17 Oct 2006 02:07:30 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101926 anon : Who cares? You ain't getting through either wsy]]> http://www.dslreports.com/forum/remark,17101926 Tue, 17 Oct 2006 01:59:59 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101913 spuddiver : I tend to think if your ports are closed your 100% protected.
If your ports are stealth, your not 100% protected. Its only a matter of time before your firewall line of defence will let someone in.]]> http://www.dslreports.com/forum/remark,17101913 Tue, 17 Oct 2006 01:56:15 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17101861 Link Logger : OK so I have shut off the test and at this time the voting is:

Yes - 75
Not Significantly - 75
No - 68

Perhaps I should have added a 'Reduces Traffic' option in the list just so I'd have all the bases covered.

I'll start posting the graphs and such now.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17101861 Tue, 17 Oct 2006 01:40:24 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17098426 MxxCon : i'm betting 1/16th of 1 cent that with closed ports scans from any given ip will be quicker and with filtered/stealthed you'll get less hits.
i accept only wire transfers.
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17098426 Mon, 16 Oct 2006 16:10:03 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17096452 Link Logger : When I get home tonight I'll post the results, so make sure you get your bets in. I'm not sure anyone is expecting the results as they have played out, but certainly it depends on your situation.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17096452 Mon, 16 Oct 2006 10:36:02 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17094747 kruser :

said by garys_2k

:

I think you're in the BEST position, then, to test the premise of this thread.

I have no doubt that OPEN ports attract attention, that's no surprise. But if you went with your three now-stealthed IPs an unstealthed one of them, just set all ports closed, see if you have an uptick in aggressive scanning on those.

Bots do the initial scans and then other programs are run to further scan the IPs with open ports. But my 2¢ is on that an IP with all ports responding "closed" would never make it to a tier two scan.

The type of really aggressive manual scans that people (like Gibson) seem to think closed ports invite just won't happen, unless the attacker either knows you have something really, really, REALLY worth going after or they have personal reasons for hitting you. No point wasting hours of time on one box when hundreds of wide open ones are waiting to get owned.

One thing I failed to mention in my last post was when I do see the second more aggressive scan, it usually is done only once. It is rare that I'll see the same IP again come back for a third or fourth attempt except maybe to pound on the open ports found.
Possible they return days later but I do not watch it that close as I have nothing that anyone would gain from in the first place other than perhaps turning the machines into spam relays which I do watch for daily :D
Also not aware of anyone having any reason to try and gain access to my systems unless it is a pre-planned test.
I may do as you say and un-stealth an IP and see what happens. If I do then I'll make sure and report the findings back to this thread.]]> http://www.dslreports.com/forum/remark,17094747 Sun, 15 Oct 2006 23:11:20 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17094490 garys_2k :

said by kruser

said by garys_2k

said by kruser

:

I prefer being invisible.
If I'm scanned and the scanner finds nothing then it moves on.
If however I just have ports blocked then the scanner would see that and raise a flag or log showing a possible IP with open ports.

Really? Do you have any idea how many IPs are scanned by botnets? Do you really think that they'd bother going back to visit the thousands of closed port PCs when hundreds have wide open ports?

No idea how many IP's are scanned but I do know it is most likely a ton.
I also know that I have 5 IP's with two running smtp or http as well as other services. I can follow the scanner across all 5 IP's regardless if the ports show or not.
What I then see more often then I'd like is when they do hit my two IP's with visible ports, the same source IP will come back a few minutes later and often do a much more aggressive port scan on only the two IP's that had visible ports. Not just a scan on the open ports found earlier but rather a whole port range scan. It is hard to say if these are bots or manual scans. I also see many return and just hack at the open ports. None have been successful in gaining any access.
I would tend to guess if I had ports that responded regardless of a service listening on them that I would also see returning aggressive scans on those IP's as well.

I do log and often report these obvious scans when the originating IP is from within the country.
Especially the ones that keep targeting a certain port for an extended length of time.

edit: spelling

I think you're in the BEST position, then, to test the premise of this thread.

I have no doubt that OPEN ports attract attention, that's no surprise. But if you went with your three now-stealthed IPs an unstealthed one of them, just set all ports closed, see if you have an uptick in aggressive scanning on those.

Bots do the initial scans and then other programs are run to further scan the IPs with open ports. But my 2¢ is on that an IP with all ports responding "closed" would never make it to a tier two scan.

The type of really aggressive manual scans that people (like Gibson) seem to think closed ports invite just won't happen, unless the attacker either knows you have something really, really, REALLY worth going after or they have personal reasons for hitting you. No point wasting hours of time on one box when hundreds of wide open ones are waiting to get owned.]]> http://www.dslreports.com/forum/remark,17094490 Sun, 15 Oct 2006 22:24:23 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17094430 kruser :

said by garys_2k

said by kruser

Really? Do you have any idea how many IPs are scanned by botnets? Do you really think that they'd bother going back to visit the thousands of closed port PCs when hundreds have wide open ports?

said by garys_2k

:

Really? Do you have any idea how many IPs are scanned by botnets? Do you really think that they'd bother going back to visit the thousands of closed port PCs when hundreds have wide open ports?

Perhaps that is the main question of interest of this thread! :D]]> http://www.dslreports.com/forum/remark,17094255 Sun, 15 Oct 2006 21:42:16 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17094220 garys_2k :

said by kruser

Really? Do you have any idea how many IPs are scanned by botnets? Do you really think that they'd bother going back to visit the thousands of closed port PCs when hundreds have wide open ports?]]> http://www.dslreports.com/forum/remark,17094220 Sun, 15 Oct 2006 21:35:55 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17093927 Link Logger :

said by BurntCricket

:

Maybe you can set a system to have open ports AND have something that will answer the call and post how long it takes in "real life" for that system to be taken over, which being who you are, should be easy.

I've done a number of these tests in the past (how you can find the bot command and control system), and on our ISP systems are compromised within a couple of minutes, rarely lasting even 5 minutes. I will be doing another round of this test likely later this week, so I'll post my results for those then.

The system I'm using in this test is a fully patched XP SP2 system and even with the firewall removed it will likely survive every attack thrown at it (I recommend using a firewall). When I do compromise testing I used totally fresh and unpatched installs of XP and Win2k as then I can plow through a bunch of tests quickly (ie the idea is to get owned and then look at how and what happened after ownership).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17093927 Sun, 15 Oct 2006 20:46:28 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17093522 EGeezer : As usual, I think the answer is "it depends". Since the overwhelming majority of scans are automated bots looking for open ports only, closed or stealth makes no difference.

However, if an attacker is targeting a particular system for a particular purpose, it may provide some bits of information that, combined with other observations, might be used to build a profile of the system or network being observed.

It would be beyond reason to expect the typical anonymous home user to be the target of such operations, unless they were a known "high value" target worth the effort to do a multi-stage probe/fingerprint/social engineer/custom attack requiring much time and effort.

That being said, I'd advise my typical home/SOHO customers to not worry if their ports are closed vs. stealthed, but if it makes 'em feel better, click the little config button on their firewall product and stealth the ports.
--
6EQUJ5]]> http://www.dslreports.com/forum/remark,17093522 Sun, 15 Oct 2006 19:31:50 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17093435 BurntCricket : I believe from reading(no personal experience)about OPEN ports will get you a flood of hits on that port looking for something that will "answer the phone".

Maybe you can set a system to have open ports AND have something that will answer the call and post how long it takes in "real life" for that system to be taken over, which being who you are, should be easy.
--
There is nothing more valuable than a man whos loyalty can be purchased with cold hard cash.]]> http://www.dslreports.com/forum/remark,17093435 Sun, 15 Oct 2006 19:13:30 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17093286 Link Logger : The next phase will be to flip the setup over to exposing some open ports using an XP SP2 Patch system without the firewall, just so we can see how much difference having open ports makes.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17093286 Sun, 15 Oct 2006 18:43:06 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17087918 jbob : Just my .02 cents worth but if you're gonna test using Stealth then in my opinion all the ports should be "Filtered". Even one "Closed" port that is SEEN could alter the results of the test. A scanner seeing that one "Closed" port could cause whoever is using the scanner to spend more time looking.

You can easily "Filter" that port by Forwarding TCP/UDP Port 113 to an unused IP.]]> http://www.dslreports.com/forum/remark,17087918 Sat, 14 Oct 2006 17:17:26 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17087367 Link Logger : I have switched over to fully stealthed, except I'm using a Linksys WRV54G (firmware 2.38.6 v2) which doesn't stealth TCP port 113 (ident), but I can say that given the only traffic that I have received to that port during this test has been the scans from grc, so I think it would be fair to say that a port not scanned is better then either closed or stealthed so it shouldn't affect this test.

I should mention that ICMP replies have also been 'sleathed'.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

]]> http://www.dslreports.com/forum/remark,17087367 Sat, 14 Oct 2006 15:17:29 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17087288 Link Logger : Switching over to fully sleathed.

Blake]]> http://www.dslreports.com/forum/remark,17087288 Sat, 14 Oct 2006 14:58:20 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17085585 cork1958 : If nothing else, the poll results are VERY close. I say no, they won't attract any more than usual traffic.
--
Do the walk
Zenwalk Linux 3.0]]> http://www.dslreports.com/forum/remark,17085585 Sat, 14 Oct 2006 06:11:29 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17085328 kruser : I prefer being invisible.
If I'm scanned and the scanner finds nothing then it moves on.
If however I just have ports blocked then the scanner would see that and raise a flag or log showing a possible IP with open ports.
Then the scammer or pirate targets the IP showing positive results and does a further scan hoping for open ports.

Now if I run a fully filtered firewall then the same spammers would never get a response and most likely, never come back.

Blocked is fine but why advertise it?]]> http://www.dslreports.com/forum/remark,17085328 Sat, 14 Oct 2006 02:25:19 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17084994 garys_2k : I doubt any method gets "attention," as most scans are done by either malware randomly autoscanning IPs or by those looking to increase their botnet size, also to random IPs.

Maybe IF someone wanted to target your IP in particular might a concept like "attention" be warranted, but with it highly unlikely that your particular box is worth bothering with (either because you are a big company and get a lot of attention, or maybe it'd be a challenge, or maybe someone has a grudge) you just will get hit with random scans. Those will fail with either closed or stealthed ports on your end.

Open ports, though, could get logged by the autoscans and visited again later to see if something's worth going after. But with the typical botnet owner scanning thousands of IPs every day, they wouldn't bother with boxes that are either closed or stealthed. There are too many wide open ones that are open for exploiting.]]> http://www.dslreports.com/forum/remark,17084994 Sat, 14 Oct 2006 00:34:32 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17084948 norwegian : You mention you were drafted in »How did you become a security experts? . I was just wondering, your tests sound like fun, where do you join up.

Note: Even if it is laborious work, it still sounds like fun. :)

Look forward to the results.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke]]> http://www.dslreports.com/forum/remark,17084948 Sat, 14 Oct 2006 00:26:19 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17084917 Link Logger : So how long would shall I leave it on 'closed' port mode, shall I switch it over to stealth now? I will add a third state to the test where I'll put it up with default ports open (ie 135, 139, 445) and we should be able to see just how much 'attention' an 'open' system gets.

I'll post a number of charts, reports and such showing the traffic for each state, so we can see how much of a difference closed/sleathed/opened makes.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17084917 Sat, 14 Oct 2006 00:21:18 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17084533 BurntCricket : I am not an "expert" by any stretch but I have read a lot about stealth or closed and neither security wise is more secure.
Simple comparison for the cheap seats:
Call as much as you want and unless they have a phone connected to that line, no one will ever answer.

If you ARE infected AND allow unlimited connections you ARE a victim in the making.
--
There is nothing more valuable than a man whos loyalty can be purchased with cold hard cash.]]> http://www.dslreports.com/forum/remark,17084533 Fri, 13 Oct 2006 23:12:46 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17083945 ranschultz :

said by no__1__here

said by ranschultz

:

Host unreachable is sent by routers when they don't have a path to get to the given host. If they know where to send a packet they just send it and have no idea of whether it arrived or not.

Protocol/port unreachable is sent by an end-point when it receives a packet for which it doesn't have a protocol or port associated. With a truly stealthed system the end-point would never send this out.

I believe you're confusing host unreachable with network unreachable. Perhaps you need to bone up on the "internet basics"?

Host unreachable is the response delivered by the last hop prior to the host, when no response is received...

»www.freesoft.org/CIE/RFC/1812/105.htm

Host Unreachable
Generated by a router if a forwarding path (route) to the destination host on a directly connected network is not available (does not respond to ARP);

We are both right, but you are probably "more" right :-) As I said, a router sends the host unreachable message when it doesn't know how to get there. What I didn't say, and forgot about, was that using things such as ARP and recent traffic caching tables the router can, and probably will, find a route to a given end-point if there has been any recent activity.

What no response generally means is that a machine was at the destination address recently and that the router still has the machine's address cached. I'm not sure how long "recently" is but I've seen my home router keep the address for some pretty long periods after I've disconnected.

said by no__1__here

:

Also, with a stealthed port the far end continues to try and try and try. A closed response tells them to go away. Will they try again? Maybe. But for say something like a P2P app that is sending you crap because you just got someone else's DHCP address, a closed response will stop it much much sooner.

As I indicated, it doesn't make a difference for targeted attacks. Worms and such generally aren't targeted and choose semi-random addresses and try to move as quickly as possible from one random address to another looking for some sort of positive feedback.]]> http://www.dslreports.com/forum/remark,17083945 Fri, 13 Oct 2006 21:35:31 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17082717 Bane75 : In this case you most likely wouldn't attempt to penetrate the host itself, but to penetrate hosts behind the stealth forwarding device. Take a look at the Firewalk white paper for some more insight into this method.

»www.packetfactory.net/projects/firewalk/]]> http://www.dslreports.com/forum/remark,17082717 Fri, 13 Oct 2006 17:49:35 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17082684 SpannerITWks : Bane75

Re - 12 * * * Request timed out.

But as they see no IP, how could they attempt to penetrate it etc ?

Thanx

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,17082684 Fri, 13 Oct 2006 17:43:26 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17082568 no__1__here :

said by ranschultz

:

First, it sounds like some Internet basics are required.

If a machine is "stealthed" there is no way to know whether it is there or not.

I respectfully disagree. No response means something is there, just that it is silently dropping the packets.

said by ranschultz

»www.freesoft.org/CIE/RFC/1812/105.htm

Host Unreachable
Generated by a router if a forwarding path (route) to the destination host on a directly connected network is not available (does not respond to ARP);

said by ranschultz

:

Now to the original topic, I believe that stealthed is more secure. How much so can easily be debated and is. It doesn't really make a difference if you have an aggressive attacker. Attackers that want to cover the most address space looking for vulnerabilities as quickly as possible, like worms, will first look for commonly open ports just to confirm that they've got a target. After that they are likely to dig deeper, but even then they'll want to be quick so that they can move on to the next target so if they don't get responses on other ports they're more likely to move on, or at least, waste more time on your machine and not move on and propagate nearly as quickly.

Stealth provides less (no) information back. It doesn't hide that you're there. I drop my packets, but I don't pretend this is more secure. I get a lot of unsolicited traffic even though I am "stealthed". Matters not one bit to the far end...

Also, with a stealthed port the far end continues to try and try and try. A closed response tells them to go away. Will they try again? Maybe. But for say something like a P2P app that is sending you crap because you just got someone else's DHCP address, a closed response will stop it much much sooner.]]> http://www.dslreports.com/forum/remark,17082568 Fri, 13 Oct 2006 17:22:01 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17082512 Bane75 : "First, it sounds like some Internet basics are required.

If a machine is "stealthed" there is no way to know whether it is there or not."

This is not entirely true. There are methods to detect stealthed machines. For example by pinging through a stealthed device, I can determine that a stealth device exists. In the below example,

ping host1.host.com

8 7 ms 4 ms 3 ms core4.fe0-1-bbnet2.ocy.pnap.net [216.52.96.70]
9 21 ms 16 ms 15 ms 216-112-203-101.dia.xo.com [216.112.203.101]
10 4 ms 4 ms 6 ms p4-3-0.MAR1.SantaAna-CA.us.xo.net [207.88.81.9]
11 42 ms 101 ms 11 ms p5-1-0-0.RAR1.LA-CA.us.xo.net [65.106.5.13]
12 * * * Request timed out.
13 14 ms 17 ms 25 ms p1-0.IR1.PaloAlto-CA.us.xo.net [65.106.5.178]

(Note: This is not a complete ping to a host, I pieced this together to illustrate the point)

Hop 12 shows a time out for all three attempts, yet the immediate next hop is pingable. This indicates that there is potentially a stealthed device such as a firewall at hop 12. This information can further be verified by using a tool such as Firewalk. ]]> http://www.dslreports.com/forum/remark,17082512 Fri, 13 Oct 2006 17:12:37 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17082444 Fluker : A closed port might solicit more pestering from a scanner whereas not responding may make it give up and look elsewhere..

who knows. I think the closed ports will cause a SLIGHT increase in hammering.]]> http://www.dslreports.com/forum/remark,17082444 Fri, 13 Oct 2006 17:01:50 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17082383 ranschultz : First, it sounds like some Internet basics are required.

If a machine is "stealthed" there is no way to know whether it is there or not.

Host unreachable is sent by routers when they don't have a path to get to the given host. If they know where to send a packet they just send it and have no idea of whether it arrived or not.

Protocol/port unreachable is sent by an end-point when it receives a packet for which it doesn't have a protocol or port associated. With a truly stealthed system the end-point would never send this out.

Now to the original topic, I believe that stealthed is more secure. How much so can easily be debated and is. It doesn't really make a difference if you have an aggressive attacker. Attackers that want to cover the most address space looking for vulnerabilities as quickly as possible, like worms, will first look for commonly open ports just to confirm that they've got a target. After that they are likely to dig deeper, but even then they'll want to be quick so that they can move on to the next target so if they don't get responses on other ports they're more likely to move on, or at least, waste more time on your machine and not move on and propagate nearly as quickly.]]> http://www.dslreports.com/forum/remark,17082383 Fri, 13 Oct 2006 16:52:36 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17081089 no__1__here :

said by nemo1966

:

A stealthed port attracts NO attention because the attacker never knows its there.

Untrue. I get TONS of packets to "stealth" ports. They are blindly sent.

said by nemo1966

:

Its very simple. Get a decent firewall and don't open it inwardly for servers unlerss you really have to.

Theres not a lot else to know.... add a virus and spyware scanner and you'll never get a virus or get hacked.

It's not rocket science.

Not quite true either... AV/spyware are not 100%. Never is a long time. ;)]]> http://www.dslreports.com/forum/remark,17081089 Fri, 13 Oct 2006 12:55:56 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17081071 no__1__here : Closed will get about the same. The only benefit to stealth is that there is no returned packets so no chance of fingerprinting or whatever. I do not feel stealth is any more secure, or closed any more attractive to attackers.

SG is again silly... I love this:

And of course then the next stage of this is a so-called �stealth port,� where incoming traffic hits the machine. If the port is not open and would normally respond in some affirmative fashion, saying no traffic is being accepted on that port, instead the machine is completely mute. It just says nothing. So, and that�s, of course, exactly the response that you generally get for a dead connection, where there�s just nothing on the IP at all.

That's just wrong. No response means something IS there, otherwise the last router would respond with an ICMP host unreachable.]]> http://www.dslreports.com/forum/remark,17081071 Fri, 13 Oct 2006 12:52:11 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17081039 nemo1966 :

said by Traxless

:

This type of "research" is immensely valuable for those of us who lack the technical skill to problem-solve security matters like this. And I am very grateful to Blake (Link Logger). Thanks you very much for your continued contributions and assistance on these kind of issues.

Ed

Its very simple. Get a decent firewall and don't open it inwardly for servers unlerss you really have to.

Theres not a lot else to know.... add a virus and spyware scanner and you'll never get a virus or get hacked.

It's not rocket science.
--
"Show me just what Muhammad brought that was new and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Emperor Manuel II Paleologos]]> http://www.dslreports.com/forum/remark,17081039 Fri, 13 Oct 2006 12:45:46 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17081024 nemo1966 : My question would be, why?

The process has been tried many times and the question answered.

A stealthed port attracts NO attention because the attacker never knows its there.

A closed port should atttract no more attention, however sometimes does because the attacker knows a PC resides on that IP and may focus his attentions on others ports or perhaps target it for a DDOS attack etc.
--
"Show me just what Muhammad brought that was new and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Emperor Manuel II Paleologos]]> http://www.dslreports.com/forum/remark,17081024 Fri, 13 Oct 2006 12:43:28 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080925 Traxless : This type of "research" is immensely valuable for those of us who lack the technical skill to problem-solve security matters like this. And I am very grateful to Blake (Link Logger). Thanks you very much for your continued contributions and assistance on these kind of issues.

Ed]]> http://www.dslreports.com/forum/remark,17080925 Fri, 13 Oct 2006 12:24:52 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080846 gkweb : That you send TCP/UDP or ICMP packets makes no difference, if you don't exist, the last router should send back an "host unreachable" ICMP message.

That's why indeed "FILTERED" is probably more right than "stealth", because that's what you do, filtering (drop).
The absence of any message clearly shows you are there, dropping packets. "Stealth" is misleading in the way it could mean invisible.

The advantages of stealth are not to make you invisible, but rather to allow you to mitigate reflective attacks and in few cases to save upstream bandwidth. Also, security scanners such as nmap need at least one open port and one closed port to guess your OS. If you are running a server (some IM software or P2P are acting like servers) and you are not sending back responses from closed ports, it may help to prevent giving away too much information about your OS.

Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com

*member of ASAP : Alliance of Security Analysis Professionals*]]> http://www.dslreports.com/forum/remark,17080846 Fri, 13 Oct 2006 12:10:57 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080748 mysec :

said by Link Logger

:

I would be highly amazed if I lost this system to some evil hacker, closed is closed and is in effect the same as banging your head against a brick wall (stealthed) as banging your head against a locked steel door (closed, ...

Of course! And you may remember we discussed this a bit last year, and I ran for four days on a Win2K system with all ports closed except 135. I left the firewall enabled but all inbound traffic permitted, so that I could log everything.

I was arguing that the average home system doesn't even need a firewall if everything is configured properly - which, of course, I do not advocate unless the user is completely sure that the system is tight.

Closed Port Test

-rich]]> http://www.dslreports.com/forum/remark,17080748 Fri, 13 Oct 2006 11:50:34 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080618 MxxCon :

said by jbob

:

Not true. A response from a non-existant IP should be "Destination unreacheable" whereas there is NO response from a "Filtered" IP port.

that is incorrect because "Destination Unreachable" is an ICMP error message, where as port scans are either TCP or UDP.
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17080618 Fri, 13 Oct 2006 11:24:29 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080534 antiserious :
... I voted 'not significantly' ... unless someone is specifically hunting your IP I just don't think they'll waste a lot of time on either type target when there's so much 'low-hanging fruit' available elsewhere ...

... I know this discussion rages from time to time, I just don't know if it ever changes anyone's mind, or if I should care ...

--
... " how can we miss you if you won't GO AWAY ! " ...]]> http://www.dslreports.com/forum/remark,17080534 Fri, 13 Oct 2006 11:12:54 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080513 aefstoggaflm : * With sarcasm *

Where can I place my bet? Also how much has everyone else bet? Hey wait a minute, I thought betting illegal.

* Back to serious *

For more info please see Security Now! with Steve Gibson, Episode 43 for June 8, 2006: Ports.

And also see, To stealth or not to stealth (aka:The Myth of Stealth)
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.]]> http://www.dslreports.com/forum/remark,17080513 Fri, 13 Oct 2006 11:09:32 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080451 TheWiseGuy : If you had DSL with an IP that changed, I would have said on average you would see more traffic with dropping packets since you would likely get hit with the previous residents P2P at some point.

NMap in the default mode will skip your IP if there is no reply, but if you set it to ignore host discovery it would still scan. Some worms also check to see if an IP responds.

My guess is that the difference in Downstream traffic will be negligible compared to your connection Bandwidth but Upstream traffic will be a lot less with dropped packets but probably still negligible compared to your bandwidth.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.]]> http://www.dslreports.com/forum/remark,17080451 Fri, 13 Oct 2006 10:56:34 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080385 jbob :

said by MxxCon

said by rotty97

:

Apprarently the response a hacker gets from a "Stealthed" port is different then a response you get from an IP that doesn't exist.

Not true. A response from a non-existant IP should be "Destination unreacheable" whereas there is NO response from a "Filtered" IP port. Or something like that! :D If one is paying attention that of course means something is there, it's just not answering. In that sense "Filtered" makes more sense than "Stealthed!"]]> http://www.dslreports.com/forum/remark,17080385 Fri, 13 Oct 2006 10:47:14 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080334 Link Logger :

said by TheWiseGuy

:

Do you have DSL or Cable?

At least 5mb cable, and the ISP does NOT filter ports.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17080334 Fri, 13 Oct 2006 10:38:36 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080278 MxxCon : actually i think if anything, having a closed port will make portscan go much faster(don't wait for timeout) so they'll be faster done with your ip and move on..

on the other hand, filtered ports is a 'zero effort' measure to slowdown their portscans.

and yet, if somebody is scanning large range of (fast)ips it's only sensible for them to configure a timeout value to a pretty aggressive value so not to waste time...at least that's what i would do.
wasting 30sec on an ip with filtered ports vs scanning 100 other ips.
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17080278 Fri, 13 Oct 2006 10:30:02 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080246 MxxCon :

said by rotty97

:

Apprarently the response a hacker gets from a "Stealthed" port is different then a response you get from an IP that doesn't exist.

if all of your ports are FILTERED(i hate 'stealthed' term), it will appear exactly the same as non-existing ip, so 'a hacker' will not get a different response because he will not get a response at all.
--
[Sig removed by Administrator: Signature can not exceed 20GB]]]> http://www.dslreports.com/forum/remark,17080246 Fri, 13 Oct 2006 10:23:14 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080240 hpguru :

said by DocLarge

:

Now, a persistent hacker will take this as a challenge because now he knows the port is there; the goal would then would be to get in "even though" the port is closed.

I would think that would require a persistently stupid "hacker". :uhh:
--
Where's Jesus?
Dear Jesus!]]> http://www.dslreports.com/forum/remark,17080240 Fri, 13 Oct 2006 10:21:38 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17080151 TheWiseGuy : Do you have DSL or Cable?]]> http://www.dslreports.com/forum/remark,17080151 Fri, 13 Oct 2006 10:00:46 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079881 DocLarge : A "closed" port will attract more interest than "stealthed" in my opinion...

Simply put, if the port is stealthed (provided some jackhole isn't using some "George Jetson," Mystery Science Theater 3000 type device) then the port shouldn't even register to a scan/probe.

If the port is just simply closed, thise means it will respond (to an extent) to the probe, but still won't let you in. Now, a persistent hacker will take this as a challenge because now he knows the port is there; the goal would then would be to get in "even though" the port is closed. Think about, there are a lot of stealthed ports on a router by default if configured out of the box properly. If I were a hacker, why would I spend my time looking for ports that are stealthed when I can try and find a closed one to hack and then work my way through the infrastructure that way?

Jay]]> http://www.dslreports.com/forum/remark,17079881 Fri, 13 Oct 2006 09:04:22 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079604 rotty97 : Apprarently the response a hacker gets from a "Stealthed" port is different then a response you get from an IP that doesn't exist. So stealthing a port is just as good as having it closed. The hacker knows your their but can't do much with you unless you have unsecure apps listening on the internet.

cheers, rotty]]> http://www.dslreports.com/forum/remark,17079604 Fri, 13 Oct 2006 07:31:26 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079400 gkweb : Hello,

As I said in the other topic, I think that close will attract less attention than stealth (because stealth means you do not have an answer, so you retry again instead of moving away).

Anyway, I think that at the end you will just prove one advantage of "close", the same way that "stealth" has it's own advantages too. I'm not sure how could this test trash one or the other, no matter the result.

Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com

*member of ASAP : Alliance of Security Analysis Professionals*]]> http://www.dslreports.com/forum/remark,17079400 Fri, 13 Oct 2006 05:24:44 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079266 Link Logger :

said by SnowyOne

:

Is there any more danger to running closed vs stealth?
That would depend on what's running & who's running it. ;)

I would be highly amazed if I lost this system to some evil hacker, closed is closed and is in effect the same as banging your head against a brick wall (stealthed) as banging your head against a locked steel door (closed, you know its a door, but its not going to open so the effect is just the same as banging your head against the brick wall).

Blake
Edit -> added the 'locked' to the steel door]]> http://www.dslreports.com/forum/remark,17079266 Fri, 13 Oct 2006 03:05:44 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079252 Link Logger :

said by SpannerITWks

:

From your screenie you have Ports 135/139/445 open, so naturally i expect those to be probed and/or entered, with whatever consequences if nasties do get in !

You are right and as an example a lot of worms when they see TCP port 135 open try to fingerprint the OS via a scan to TCP port 5000 (UPNP), so just having 135 open would create more traffic just via these extra scans. So I configured the XP system to close the open ports, so this ought to be a fair fight now.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,17079252 Fri, 13 Oct 2006 02:58:02 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079237 SnowyOne :

said by Link Logger

:

Will 'closed' ports attract more 'attention' then 'stealthed' ports?

Well a closed port can't attract any less attention than a stealthed port, so given a wide enough test range, closed ports will by virtue of 'closer looks' draw extra attention.
Is there any more danger to running closed vs stealth?
That would depend on what's running & who's running it. ;)]]> http://www.dslreports.com/forum/remark,17079237 Fri, 13 Oct 2006 02:49:42 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079234 SpannerITWks : From your screenie you have Ports 135/139/445 open, so naturally i expect those to be probed and/or entered, with whatever consequences if nasties do get in !

I think that closed versus stealthed ports automatically create more attention by default, as they can be seen, whereas stealthed ports cannot. Whether this leads to any or continued scanning etc is another matter though.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,17079234 Fri, 13 Oct 2006 02:49:11 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079229 Link Logger : OK to make this even more fair you might have noticed that TCP ports 135, 139, and 445 were open, and of course that 'could' lead to more 'interest', so I whacked those services and now only closed ports exist so this should be a totally fair and unbiased fight. So hopefully we will find out who is talking turkey and eating crow and who isn't, remember to place your bets folks...

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

]]> http://www.dslreports.com/forum/remark,17079229 Fri, 13 Oct 2006 02:46:54 EDT Re: Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079184 koolman2 : Hmm... I say no, because a closed port is no good to a potential hacker.
--
huh?]]> http://www.dslreports.com/forum/remark,17079184 Fri, 13 Oct 2006 02:26:26 EDT Place your bets - Closed vs Stealthed http://www.dslreports.com/forum/remark,17079148 Link Logger : [poll]Will 'closed' ports attract more 'attention' then 'stealthed' ports?,Yes,No,Not Significantly[/poll]

OK so I've tossed a fully patched XP SP2 system to the wolves, having removed XP's firewall so I would have a pile of 'closed' ports so I can see just how much more if any extra attention the system gets then when I run a fully stealthed configuration later.

So what do you think the results will be and why?

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

Scan from GRC

]]> http://www.dslreports.com/forum/remark,17079148 Fri, 13 Oct 2006 02:10:29 EDT