
Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 edit

1 recommendation

reply to Woody79_00

Re: ports not stealth

ICMP ..... on my device, does NOT make any difference.
On some level, I agree with your point of view, and SPI takes care of the bad ICMP ........
The ICMP protocol facilitates the use of important administrator utilities such as ping and traceroute, but it can also be manipulated by hackers to get a snapshot of your network. Learn what ICMP traffic to filter and what to allow.


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state
reply to Jasu
Seems wise Jasu

I want to add also that ICMP in itself is not a security risk like many claim. In fact, I would wager most but NOT ALL who block ICMP don't really understand or know why they are blocking other than "Someone said it's good security".

For example, there are 4-5 really useful ICMP types that shouldn't be blocked... in fact, blocking them just lowers the efficiency of your network and just makes your routers work harder for little to no benefit.

Internet Control Message Protocol

ICMP Echo Request
ICMP Echo Reply
ICMP Destination Host Unreachable
ICMP Time Exceeded
ICMP Source Quench (Optional nowadays, but still applicable in some cases)

ICMP Destination Host Unreachable is essential in PMTUD - Path MTU Discovery to work properly and efficiently.

I'm not saying just carte blanche allow ICMP through, but ping and some other parts of ICMP are useful to respond to, as they help your network flow better and don't compromise your security. As long as you use NMAP and your ports are filtered and closed, I think you would be just fine.

I have found I get much less internet noise on my WANs when showing closed ports and the ICMP I listed above... scanners scan me one time and go away instead of just scanning over, and over, and over until they realize I'm stealth and leave... I prefer 1 scan and move on over 5-6 scans... just my 2 cents!
--
Tech Tips
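As an added illustration of the allow-list Woody describes (my own example code, not from the post or from any product named in the thread), here is a small Python ICMP header parser with a policy that accepts exactly the five message types he lists and drops everything else, including malformed messages. The type and code numbers are the RFC 792 values; the Destination Unreachable message that PMTUD depends on is specifically code 4, "fragmentation needed and DF set" (RFC 1191), so the example also extracts the next-hop MTU from it. All sample messages are constructed inline.

```python
import struct
from typing import NamedTuple, Optional, Set, Tuple

# ICMP type numbers (RFC 792) for the five messages named in the post.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
# Destination Unreachable code 4 ("fragmentation needed and DF set") is the
# message Path MTU Discovery (RFC 1191) relies on.
CODE_FRAG_NEEDED = 4

# Allow-list entries are (type, code); a code of None matches every code of that type.
DEFAULT_ALLOW: Set[Tuple[int, Optional[int]]] = {
    (ICMP_ECHO_REQUEST, None),
    (ICMP_ECHO_REPLY, None),
    (ICMP_DEST_UNREACHABLE, None),
    (ICMP_TIME_EXCEEDED, None),
    (ICMP_SOURCE_QUENCH, None),
}


class IcmpHeader(NamedTuple):
    type: int
    code: int
    checksum: int
    rest: bytes  # bytes 4..7: identifier/sequence, or next-hop MTU for code-4 unreachable


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct a well-formed ICMP message (used only to build sample input here)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg: bytes) -> IcmpHeader:
    """Parse the fixed 8-byte header; reject short or corrupted messages."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    # A valid message checksums to zero when the checksum field itself is included.
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    return IcmpHeader(icmp_type, code, csum, msg[4:8])


def icmp_verdict(msg: bytes, allow: Set[Tuple[int, Optional[int]]] = DEFAULT_ALLOW) -> str:
    """Return 'accept', 'drop' (type/code not on the list) or 'drop-malformed'."""
    try:
        hdr = parse_icmp(msg)
    except ValueError:
        return "drop-malformed"
    if (hdr.type, None) in allow or (hdr.type, hdr.code) in allow:
        return "accept"
    return "drop"


def next_hop_mtu(msg: bytes) -> Optional[int]:
    """For a fragmentation-needed message, the MTU the router advertises (RFC 1191)."""
    hdr = parse_icmp(msg)
    if hdr.type == ICMP_DEST_UNREACHABLE and hdr.code == CODE_FRAG_NEEDED:
        return struct.unpack("!HH", hdr.rest)[1]
    return None


if __name__ == "__main__":
    # Constructed sample traffic: a ping, a PMTUD hint, a redirect, and a corrupted ping.
    ping = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
    frag = build_icmp(ICMP_DEST_UNREACHABLE, CODE_FRAG_NEEDED, struct.pack("!HH", 0, 1400))
    redirect = build_icmp(5, 1)  # type 5 (Redirect) is not on the list
    corrupted = ping[:9] + bytes([ping[9] ^ 0xFF]) + ping[10:]
    for name, m in [("ping", ping), ("frag-needed", frag), ("redirect", redirect), ("corrupted", corrupted)]:
        print(f"{name:12s} -> {icmp_verdict(m)}")
    print("advertised MTU:", next_hop_mtu(frag))
```

The verdict function deliberately treats a checksum failure as its own outcome rather than folding it into "drop": on a real filter you would want to count malformed ICMP separately from policy drops, since the former usually points at a bug or a deliberately crafted packet rather than a policy question.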

Jasu

join:2010-01-09
Finland

1 recommendation

reply to mackey
I would start scanning ports like 22,80,139,443 which are quite often open. Automated attacks try to find specific exploits which means usually a well known port number (running http in port 81 is possible but difficult to use). An attacker wanting to attack specific network or company can run the port scans in parallel thus avoiding the long waiting because of timeouts.

A complete lack of response does not mean that there is no host. The last router on the route should return ICMP host unreachable, but yes, many ISPs are filtering these or not sending these ICMP messages at all.

The only real benefit of stealth that I can think of is that saying no to a packet flood takes more resources than ignoring the packets. However, stealthing makes any troubleshooting really painful. What I'm doing is to respond, but if a DoS attack is discovered, just drop the packets from the flooders.

Frodo

join:2006-05-05
kudos:1

1 edit

1 recommendation

reply to ariez
I also forwarded TCP 111 & 369 to the PC. Showing stealth at PCflank and GRC.
Stopped the windows firewall, and both scanners showed "closed".
Put 2 netcat listeners on 111 & 369 and both port scanners showed "open".
Restarted Windows firewall - both port scanners back to stealth. Unable to find a discrepancy between PCflank and GRC.

--edit
When shutting down the netcat listeners, I did find a discrepancy. The listeners logged a connection from PCflank but not GRC.

So try again. PCflank has two types of scans, "TCP connect scanning (standard)" and "TCP SYN scanning". I had initially tried the connect scanning, and that is when the connection was logged. The Syn scanning doesn't cause netcat to log a connection. So, to compare apples with apples, it would be necessary to use the TCP Syn scanning at PCflank to compare with GRC.

Still, after using the TCP syn scanner, didn't find a discrepancy between GRC and PCflank.


TopShelf

join:2010-06-25

1 recommendation

reply to TheWiseGuy
said by TheWiseGuy:

OK, so you know the packets are not reaching you. Last step try another scanner to check if your ISP is intercepting the packets.

PCflank's advanced scanner will allow you to specify the ports

»www.pcflank.com/scanner1.htm

I tested several Ports at PCFlank and confirmed by forwarding the port and using wireshark I was receiving the packets. Hopefully this will allow you to see if you get the same results for Ports 111 and 369. If they show up as stealth you know that your ISP is not blocking those ports and GRC's scanner is not working correctly.

Thanks for the link! I repeated the tests I originally performed @ Shields Up. PC Flank reports stealth on all four computers for those two ports. Shields Up STILL! reports closed.

I'm off to download Wireshark and to see what's going on with those two ports. I'll let you know what I find.....or don't find.

--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.

Frodo

join:2006-05-05
kudos:1

1 recommendation

reply to TopShelf
said by TopShelf:

Ports 111 & 369 should have shown as stealth on those two computers because I have a software firewall (NIS) in addition to the router.

Unless the modem is in "bridged" mode, the modem itself could have responded to the probe. In my case, since I can't bridge my modem/router, the probe tests the modem, not the PC. The test indicated "stealth" for 111 and 369.

I trust the probe (since I agree with the results).


planet

join:2001-11-05
Oz
kudos:1
reply to TopShelf
I just did a common ports scan at grc.com and all ports stealthed. To OP, my hunch is your ISP is shortstopping those ports so the packets aren't reaching you to show stealthed. Drop your ISP an email and inquire.

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3

1 recommendation

reply to TopShelf
OK, so you know the packets are not reaching you. Last step try another scanner to check if your ISP is intercepting the packets.

PCflank's advanced scanner will allow you to specify the ports

»www.pcflank.com/scanner1.htm

I tested several Ports at PCFlank and confirmed by forwarding the port and using wireshark I was receiving the packets. Hopefully this will allow you to see if you get the same results for Ports 111 and 369. If they show up as stealth you know that your ISP is not blocking those ports and GRC's scanner is not working correctly.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


TopShelf

join:2010-06-25
reply to ariez
I've come to the conclusion that Shields Up is broken or Steve's trying to sell something.

I took two computers (in separate, individual tests) completely off the router. Ports 111 & 369 should have shown as stealth on those two computers because I have a software firewall (NIS) in addition to the router. Those two ports weren't stealth, they were closed. Two other computers that never see the internet were connected directly to the internet and the only firewall was the one provided by Windows. I'll be damned if those two ports showed as closed instead of stealth.

Like I said before, I've really no opinion one way or the other if a port is stealth or closed. Either state is good.

I no longer trust Shields Up.
--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to Parad0X787
said by Parad0X787:

{{{SMILE }}} ..... just geo-location my ISP !!!

Your provider offers CGN, yes? How do you like their "Intranet"?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 edit
reply to NormanS
{{{SMILE }}} ..... just geo-location my ISP !!!


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to Parad0X787
said by Parad0X787:

My own opinion: for all devices' protection, it's best to go with STEALTH mode. Here are my result settings:

And your router logs show no port probes?

YOUR INTERNET CONNECTION has NO reverse DNS
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account — and therefore you — and may disclose other information, such as your geographic location.

Just having an IP address, by the very nature of TCP/IP connections, is a unique identifier. And if your IP address is dynamically assigned, the odds are favorable that a previous assignee gave some geo-location service a clue.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to mackey
And so what if they scan it again? And why do you assume they wouldn't bother scanning the remainder as well, despite there being no response? The performance impact of "stealth" to a scan is negligible to non-existent. What's he gonna do? He can scan and ping to his heart's content but he's not going to hack that host.

Please, again, remember that port scan results may not paint an accurate picture of a target's network. Upstream devices can and do either drop silently or send reset responses on behalf of the hosts behind them. Thus, until you find an open port and interact with it, you still aren't certain of anything. (Hell, even when you find a service to poke at, you can't be absolutely certain you're interacting directly with the host running that service)
--
Oh, Opera, what have you done?


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 edit

5 recommendations

reply to mackey
said by mackey:

Oh? Please explain how letting an attacker know there's an active host at an address helps security.


1) "Enamour with stealth is inversely related to knowledge of TCP/IP" - me
2) "Misunderstanding security threats makes you less safe" - me

edit to add:

3) "Worry about the things not in your logs, not the things that are" - me


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

reply to ariez
The STEALTH term was first used by the USAF, and now many military carriers are built with this anti-radar tech.
My own opinion: for all devices' protection, it's best to go with STEALTH mode. Here are my result settings:
YOUR INTERNET CONNECTION has NO reverse DNS
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account — and therefore you — and may disclose other information, such as your geographic location.
When present, reverse DNS is supported by Internet service providers. But no such lookups are possible with your current Internet connection address (XX.XXX.XXX.XXX). That's generally a good thing......... BTW, I could still establish a 3-way handshake connection; also remember to turn OFF your “PLUG & PRAY” !!!


mackey
Premium
join:2007-08-20
kudos:14

1 recommendation

reply to Woody79_00
said by Woody79_00:

Since when is a port that responds "Closed" a port that's actively accepting connections?

When did I ever say it was? Did you not read the last part I wrote: For the 2nd pass the attacker can then focus a much larger port scan on the handful of IPs that responded with a RST (since he knows there's something there) instead of needing to scan the entire /24 again. Seriously. My point is that having a machine respond with a RST tells an attacker there is an active machine there (whereas "stealth" cannot be distinguished from no machine at that address) allowing them to focus more effort there.

And why do people keep mentioning Steve Gibson? I haven't heard anything about him in years.

/M


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

2 recommendations

reply to mackey
said by mackey:

said by sivran:

There being an "active host" at a particular address is a foregone conclusion.

What? It is most definitely NOT a foregone conclusion!

If the company decided a RST is just as good as "stealth" and thus the hole in the firewall allows everything to that IP through, the attacker then gets a RST for that port he scanned and thus knows there is an active computer there and it's not one of the 111 unused addresses.

/M

I just want to focus on this one part:

1. Since when is a port that responds "Closed" a port that's actively accepting connections? When in fact a port that responds Closed is the exact opposite of that... it's saying the port is not accepting connections, period.

2. Since when is a port responding "Closed" a hole in the firewall letting things through? Ports that respond closed are not accepting connections on those ports, so they are not letting anything through.

Perhaps I am not following or understanding your line of reasoning, but in the last 20 years I have learned to take what Steve Gibson says with a grain of salt... Stealth is more of a marketing term than anything else.

Stealth has pros and cons just like Closed; the fact is both Closed and Stealth are "Filtered Ports". Neither is accepting connections; the only difference is one drops silently, the other says "We're not accepting connections, go away".

Some choose to run Closed instead of Stealth because it suits a particular scenario....Stealth isn't the right setup for all situations.

For example Google responds to pings, Microsoft doesn't...does that make Google any less secure? Nope.

As I said, perhaps I misunderstand what you're trying to say, and if I do, my apologies. Look forward to your response, hope you're having a great day!
--
Tech Tips


mackey
Premium
join:2007-08-20
kudos:14
reply to sivran
said by sivran:

There being an "active host" at a particular address is a foregone conclusion.

What? It is most definitely NOT a foregone conclusion!

Let's say a company has a /24 but they only currently have, say, 143 computers active (workstations+servers). An attacker then scans a single port on every host in that /24. The company has a firewall that blackholes (stealth) all IPs except for the servers they make available to employees in the field or who are working from home. If the attacker does not get a reply to the scan (it's stealth) how do they know if that particular IP is an active computer that's firewalled but may be listening on a different port or one of the 111 unused addresses? If the company decided a RST is just as good as "stealth" and thus the hole in the firewall allows everything to that IP through, the attacker then gets a RST for that port he scanned and thus knows there is an active computer there and it's not one of the 111 unused addresses. For the 2nd pass the attacker can then focus a much larger port scan on the handful of IPs that responded with a RST (since he knows there's something there) instead of needing to scan the entire /24 again.

/M
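To make the /24 argument concrete, here is an added Python model of what a single-port sweep observes under the two firewall policies the thread compares. It is my own illustration, not code from any poster: the network 192.0.2.0/24 is a documentation range (RFC 5737), the set of live addresses and the one published service are constructed, "reject" answers a probe to a non-listening port with a TCP RST (the thread's "closed"), and "drop" discards it (the thread's "stealth"). What it shows is the information each policy hands to whoever is scanning: under reject, every address that answers is a live machine; under drop, a live-but-filtered host looks the same as an unused address. Whether that difference matters for a given network is the personal-preference question the rest of the thread argues about.

```python
import ipaddress
from typing import Dict, Set, Tuple

# Constructed test network (RFC 5737 documentation range): 32 live machines,
# one of which publishes a service on 443; the rest of the /24 is unused.
NETWORK = "192.0.2.0/24"
LIVE_HOSTS: Set[str] = {f"192.0.2.{i}" for i in range(10, 41)} | {"192.0.2.80"}
LISTENERS: Dict[str, Set[int]] = {"192.0.2.80": {443}}


def firewall_response(live: bool, listening: bool, policy: str) -> str:
    """What a single SYN probe to one address/port gets back.

    policy 'drop'   : non-listening ports are silently discarded (the thread's "stealth")
    policy 'reject' : non-listening ports answer with a TCP RST (the thread's "closed")
    An address with no machine behind it never answers, whatever the policy.
    """
    if policy not in ("drop", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    if not live:
        return "none"
    if listening:
        return "syn-ack"
    return "none" if policy == "drop" else "rst"


def classify_response(response: str) -> str:
    """The state a scanner reports for that response (nmap's vocabulary)."""
    return {"syn-ack": "open", "rst": "closed", "none": "filtered"}[response]


def sweep(port: int, policy: str, network: str = NETWORK,
          live: Set[str] = LIVE_HOSTS, listeners: Dict[str, Set[int]] = LISTENERS) -> Dict[str, str]:
    """One-port sweep of the whole network, tabulated the way the scanner sees it."""
    results = {}
    for addr in ipaddress.ip_network(network).hosts():
        a = str(addr)
        resp = firewall_response(a in live, port in listeners.get(a, set()), policy)
        results[a] = classify_response(resp)
    return results


def hosts_revealed(results: Dict[str, str]) -> Set[str]:
    """Addresses that answered at all: the only ones a second, deeper pass needs to cover."""
    return {a for a, state in results.items() if state != "filtered"}


def compare_policies(port: int) -> Tuple[Set[str], Set[str]]:
    """Revealed-host sets under 'reject' and under 'drop' for one probed port."""
    return hosts_revealed(sweep(port, "reject")), hosts_revealed(sweep(port, "drop"))


if __name__ == "__main__":
    for port in (22, 443):
        rej, drop = compare_policies(port)
        print(f"port {port} probe: reject policy reveals {len(rej)} of {len(LIVE_HOSTS)} live hosts, "
              f"drop policy reveals {len(drop)} ({sorted(drop)})")
```

The same distinction is what Jasu describes from the client side further up the thread: a RST comes back immediately as "connection refused", while a dropped SYN is retransmitted until the client gives up with "connection timed out". The model only covers the firewall itself; as sivran notes, an upstream device can send the RST on a host's behalf, so a "closed" result from outside is evidence of something answering, not proof of which box it was.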


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to mackey
There being an "active host" at a particular address is a foregone conclusion. So can you explain how "stealth" helps? Bearing in mind that a reset can come from any device upstream, sent on behalf of the destination, it does not necessarily mean anything. And where does profiling a reset get you? Nowhere -- since a closed port is just as exploitable as a filtered one.

I think TheWiseGuy is right in that it's a matter of personal preference. Myself I think it's preferable to be uniform, with every port the same, but I'm not going to worry--and it's not worth worrying--over a few ports that show closed when I was going for filtered, or vice versa. Those ports are still safe from network intrusion.
--
Oh, Opera, what have you done?

Jasu

join:2010-01-09
Finland

2 recommendations

reply to NormanS
TCP RST should be a response from the host. Routers on a route should use ICMP if they are blocking the packets. When you are using Telnet, TCP RST causes a "connection refused" error while stealth (no responses) causes a long wait and a "connection timed out" error.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to mackey
said by mackey:

Oh? Please explain how letting an attacker know there's an active host at an address helps security.

How does a TCP RST response indicate the host is, "active". An "Open" result would indicate an "active" host. Using Telnet to attempt to connect will show if there is an "active" host. If there is no service "listening", the host isn't "active".
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
reply to Woody79_00
There are even longer threads that occurred even before that thread. Yes it has been discussed here many many times and in great depth.

My viewpoint is that there is a reasonable argument for both positions: that there are advantages/disadvantages to not giving out any information (stealth) by dropping packets, and there are advantages/disadvantages to following standard TCP/IP practices and sending RSTs, but which is better really must be an individual preference since, as I stated, which is better is debatable.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

1 recommendation

reply to TheWiseGuy
This argument has been raised before... I refer to this thread.

»Place your bets - Closed vs Stealthed

I think the difference between closed and stealth is negligible. As long as the ports are filtered and services are not listening on those ports, then I think it's fine. Of course, Stealth or Closed, still gotta keep firmware updated on the firewall itself.

I always say, "The lack of a response is a response in itself." Sometimes it's best to hide in plain sight... respond to their probes with a closed message and they go away... After all, it is possible to discover a stealthed machine as outlined in that thread.

Again though, I don't think it's something to bicker over; both are secure enough for most purposes. It just really comes down to personal preference and what you're more comfortable with... I have run closed systems for years without issue, same with stealth... it just depends on which I'm most comfortable with for which scenario.
--
Tech Tips

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3

1 recommendation

reply to sivran
said by sivran:

said by mackey:

getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

You've been reading too much Steve Gibson.

Interesting, since Hacking Exposed which was considered a classic 10 years ago well before Gibson, said one of the first things you need to do when trying to access a network was map the network and the IPs by scanning. That included using signatures from any responses to determine the device responding. IIRC and I have not used it in years NMAP was designed to attempt to try and determine the Operating System by the responses so you would know what attacks might work.

Even the responses from different ICMP packets have been studied to see the patterns from different types of systems.

So while many people in this forum like to spout off that closed is as good as stealth IMO it is a debatable claim. I guess I do not understand TCP/IP.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


mackey
Premium
join:2007-08-20
kudos:14

1 recommendation

reply to sivran
Oh? Please explain how letting an attacker know there's an active host at an address helps security.

/M


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to mackey
said by mackey:

getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

You've been reading too much Steve Gibson.
--
Oh, Opera, what have you done?


mackey
Premium
join:2007-08-20
kudos:14

1 recommendation

reply to NormanS
said by NormanS:

Some say a "Closed" response invites closer scrutiny from hostile scanners. In my personal experience, this is not true.

Really this depends on the value of the target being scanned or why the scan is being performed. For a home user they're most likely being scanned by a script kiddie looking for another drone for their botnet and thus if the 1 vulnerability they're looking for isn't there they'll move on to the next IP. However if it's a high-value target (say a large corporation or gov't agency) who's being specifically targeted (they're not just a random computer on the internet), getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

/M

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3

2 recommendations

reply to TopShelf
The Linksys appears to have a Log facility under the administration tab. You could enable the incoming log portion and check to see what packets are logged. As mentioned it may be that those ports are being intercepted by the ISP but that would be much more common for the original poster's NetBIOS ports. Once you set up logging you can run the test or just test those ports and see which packets the router receives from grc. If you do not see incoming from grc for those ports and you want to go further you could forward port 111 to your computer and run wireshark to see if the packets reach your computer.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
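The check TheWiseGuy describes, enabling the router's incoming log and seeing which probe packets actually arrive, comes down to comparing the ports the scanner claims to have tested against the ports the log shows. Here is an added Python example of that comparison (my own code, not from the thread or from Linksys). The log layout is an assumption: it uses iptables LOG-style key=value fields, so the regex will need adjusting to whatever the firmware actually writes. The log lines and addresses (RFC 5737 documentation ranges) are constructed; in the sample, probes to 111 and 369 are missing from the log even though the scanner probed them, which is the situation the thread is trying to diagnose.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional

# Constructed sample of an inbound-drop log. Layout is an assumption for the
# example (iptables LOG-style fields); adapt LINE_RE to what your router emits.
SAMPLE_LOG = """\
Jan 10 21:14:02 gw kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=42001 DPT=21 SYN
Jan 10 21:14:02 gw kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=42002 DPT=22 SYN
Jan 10 21:14:03 gw kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=42003 DPT=80 SYN
Jan 10 21:14:03 gw kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=42004 DPT=139 SYN
Jan 10 21:14:04 gw kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=42005 DPT=443 SYN
Jan 10 21:14:05 gw kernel: DROP IN=eth1 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=5353
Jan 10 21:14:06 gw kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""

# Ports the scanner says it tested (constructed; the two the thread asks about are included).
SCANNED_PORTS = [21, 22, 80, 111, 139, 369, 443]
SCANNER_SRC = "198.51.100.7"  # constructed placeholder for the scanning host's address

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line: str) -> Optional[dict]:
    """Pull source, destination, protocol and destination port out of one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def probes_seen(lines: Iterable[str], scanner_src: str, proto: str = "TCP") -> Counter:
    """Count logged probes per destination port from the scanning host."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == scanner_src and rec["proto"] == proto and rec["dpt"] is not None:
            counts[rec["dpt"]] += 1
    return counts


def missing_probes(seen: Counter, expected_ports: Iterable[int]) -> List[int]:
    """Ports the scanner claims to have probed that the router never logged.

    If the scanner reports one of these as anything other than stealth, whatever
    answered did so upstream of the router (the ISP case discussed in the thread).
    """
    return sorted(p for p in expected_ports if seen[p] == 0)


if __name__ == "__main__":
    seen = probes_seen(SAMPLE_LOG.splitlines(), SCANNER_SRC)
    print("logged TCP probes per port:", dict(sorted(seen.items())))
    print("scanned but never logged:", missing_probes(seen, SCANNED_PORTS))
```

Run against a real log, the interesting output is the "never logged" list: if it is empty, every probe reached the router and any closed/stealth difference is the router's own doing; if it names exactly the ports the scanner reported as closed, the RST came from somewhere in front of the router, which is when forwarding the port and capturing with Wireshark on the PC is the next step.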


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to TopShelf
The scan may have been intercepted at a point upstream from you.
--
Oh, Opera, what have you done?


TopShelf

join:2010-06-25
reply to TheWiseGuy
said by TheWiseGuy:

Technically a closed port does respond to a port scan, it does it with a RST, ie there is no program listening. A stealthed port does not respond at all.

I've no opinion regarding stealth or closed. Either state is acceptable to me. However, the "All Service Ports" @ GRC.com shows stealth for all except for two ports showing as closed. How does one go about finding out why Port 111 (sunrpc) and Port 369 (rpc2portmap) are showing as closed as opposed to stealth? I have the wireless portion of my Linksys E900 turned off. I'm just curious why these two ports report as being closed. Any ideas or insights are appreciated.
--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.