
jalles
Premium
join:2006-10-22
State College, PA

GRC Shields Up! reports TCP port 0&1 closed, others stealth

I run Untangle for my router/firewall. It is a Unified Threat Manager that leverages open source Linux tools to provide various services and filtering. They just updated to v10.0, which takes the Debian kernel to 2.6.32.

2 NICs in an old Dell box running UT 10.0 lite, router mode (it holds the WAN IP address, and does NAT) behind a Motorola SBV5220 SURFboard cable modem on Comcast residential Xfinity Internet.

The first two ports (0,1) show up closed, while all the rest are reported as stealth.

At first I was ignoring it because Gibson talks about:

Personal firewalls are beginning to exhibit "adaptive behavior". The grid shown to the left starts off showing ports mostly closed with a few open (mostly blue with a few red cells). Then at some point it suddenly switches into "stealth mode". This can occur when a firewall "adapts" to the scanning IP and raises its defenses against just the attacker. This complicates the job of accurately checking a system's security.

But these two ports show up consistently on multiple successive scans, and Untangle does not do adaptive behaviour. Then a couple of other people reported this behaviour on the Untangle forums, as a result of the upgrade to the new version.

Of course TCP port '0' is really ambiguous.

What we get is:

0 Closed Your computer has responded that this port exists but is currently closed to connections.

So not really a problem, just not completely stealthy, according to GRC.

On the other hand, Nmap reports:


Nmap scan report for c-...comcast.net (My.IP.Address.x)
Host is up (0.079s latency).
PORT  STATE    SERVICE     VERSION
0/tcp filtered unknown
1/tcp filtered tcpmux
2/tcp filtered compressnet

Too many fingerprints match this host to give specific OS details

TCP ports 0,1 are marked as filtered, as are the rest of the first 1000.

This is with ICMP (ping) enabled on UT, and Nmap run from a machine using a different ISP.

Has anyone else seen this [(0,1) closed] kind of behaviour from Comcast? I do understand that this is nothing to lose sleep over, and I have posted on the GRC newsgroup. But it has me curious - I am going to swap ISPs later today for a test.


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

GRC is fluff, move on with your life. Stealth is nothing more than smoke and mirrors hiding a pile of steaming bullcrap. Before crap like ZoneAlarm came out, dropping packets was not standard; a closed response was. But with companies trying to scare people into buying software like ZoneAlarm, "stealth" became a thing out of fear from consumers who thought they needed to have it. Move on with your life.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.


jalles
Premium
join:2006-10-22
State College, PA

1 edit

yah, I know & agree - except that stealth is really nothing more than packets hitting the bit-bucket, and not intended behavior (according to the RFCs).

It just has me amused, at this time, so I am sniffing around.



Cartel

join:2006-09-13
Chilliwack, BC
kudos:2

1 recommendation

reply to jalles

»www.pcflank.com/index.htm

try those tests


jalles
Premium
join:2006-10-22
State College, PA

nice! now I can worry about what is leaking OUT...


HELLFIRE
Premium
join:2009-11-25
kudos:8
reply to jalles

said by jalles:

The first two ports (0,1) show up closed, while all the rest are reported as stealth.

As said before, stealth / closed is a moot point... I'd be more worried if any traffic WERE trying to talk
on either port, especially TCP/0. From what I can find in the RFCs, TCP/0 is supposed to be reserved, but
I've had a few networks with traffic running around on it that I couldn't quite pinpoint.

Regards

avze

join:2013-08-19

Which is better to do testing? PCflank or GRC?
Or is there any other online security testing?



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

There's gotta be a dozen sites like that, but I end up using GRC because it's easier to remember. I don't think there's anything inherently wrong with the tests, just all the hyperbole and FUD surrounding them.
--
Oh, Opera, what have you done?



Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth
reply to BlitzenZeus

I thought the fella had retired, Gibson, I mean.


avze

join:2013-08-19

I like to listen to his podcasts on security, but I think the poor guy has a speech impediment problem. But a very smart fellow.



jimkyle
Btrieve Guy
Premium
join:2002-10-20
Oklahoma City, OK
kudos:2
Reviews:
·AT&T Southwest
reply to jalles

said by jalles:

stealth is really nothing more than packets hitting the bit-bucket

Actually there's one rather significant difference between "stealthed" ports and closed ports, when someone tries to scan your system: If a port is stealthed, the scanner will time out on the attempt, which may take quite a while depending on the configuration at the scanning end, and may then repeat the attempt a number of times before giving up and moving on to the next port. If the port is closed, the scanner will move on immediately. This can make a quite significant impact on your traffic load, if your system is a target for many scanners.

Try running Wireshark for a while during a test scan with GRC or other site of your choice to see just how much difference it can make.
--
Jim Kyle
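
Added example, not part of any post in this thread: a small Python pass over a capture taken on the firewall's WAN side during a test scan, showing the closed-versus-stealth difference described in the last post (one SYN answered by a reset versus repeated SYNs with no answer). The capture lines, the addresses 198.51.100.7 (scanner) and 203.0.113.5 (firewall) and the function name classify are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines, not data from the thread.
# 198.51.100.7 = hypothetical scanner, 203.0.113.5 = hypothetical WAN address.
CAPTURE = """\
10:00:00.000 IP 198.51.100.7.40001 > 203.0.113.5.0: Flags [S], length 0
10:00:00.080 IP 203.0.113.5.0 > 198.51.100.7.40001: Flags [R.], length 0
10:00:00.100 IP 198.51.100.7.40002 > 203.0.113.5.1: Flags [S], length 0
10:00:00.180 IP 203.0.113.5.1 > 198.51.100.7.40002: Flags [R.], length 0
10:00:00.200 IP 198.51.100.7.40003 > 203.0.113.5.2: Flags [S], length 0
10:00:01.200 IP 198.51.100.7.40003 > 203.0.113.5.2: Flags [S], length 0
10:00:03.200 IP 198.51.100.7.40003 > 203.0.113.5.2: Flags [S], length 0
"""

LINE = re.compile(
    r"^(\d+):(\d+):([\d.]+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

def classify(capture, local_ip):
    """Return {port: (state, syn_count, seconds)} for probes aimed at local_ip."""
    syns = defaultdict(list)  # port -> timestamps of inbound SYNs
    reply = {}                # port -> (flags, timestamp) of our first answer
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, src, sport, dst, dport, flags = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        if dst == local_ip and flags == "S":
            syns[int(dport)].append(ts)
        elif src == local_ip:
            reply.setdefault(int(sport), (flags, ts))
    result = {}
    for port, times in sorted(syns.items()):
        if port not in reply:
            # Dropped silently: the scanner keeps retransmitting. The time
            # shown is a lower bound (first SYN to last SYN in the capture).
            state, end = "stealth", times[-1]
        else:
            flags, end = reply[port]
            state = "closed" if "R" in flags else "open"
        result[port] = (state, len(times), round(end - times[0], 3))
    return result

if __name__ == "__main__":
    for port, info in classify(CAPTURE, "203.0.113.5").items():
        print(port, *info)
```

On the constructed capture, ports 0 and 1 are each settled by a single SYN and a reset, while port 2 draws three SYNs over three seconds with no reply.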