dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1689
share rss forum feed

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 recommendation

reply to TopShelf

Re: ports not stealth

OK, so you know the packets are not reaching you. Last step try another scanner to check if your ISP is intercepting the packets.

PCflank's advanced scanner will allow you to specify the ports

»www.pcflank.com/scanner1.htm

I tested several Ports at PCFlank and confirmed by forwarding the port and using wireshark I was receiving the packets. Hopefully this will allow you to see if you get the same results for Ports 111 and 369. If they show up as stealth you know that your ISP is not blocking those ports and GRC's scanner is not working correctly.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.



planet

join:2001-11-05
Oz
kudos:1
reply to TopShelf

I just did a common ports scan at grc.com and all ports stealthed. To OP, my hunch is your ISP is shortstopping those ports so the packets aren't reaching you to show stealthed. Drop your ISP an email and inquire.


Frodo

join:2006-05-05

1 recommendation

reply to TopShelf

said by TopShelf:

Ports 111 & 369 should have shown as stealth on those two computers because I have a software firewall (NIS) in addition to the router.

Unless the modem is in "bridged" mode, the modem itself could have responded to the probe. In my case, since I can't bridge my modem/router, the probe tests the modem, not the PC. The test indicated "stealth" for 111 and 369.

I trust the probe (since I agree with the results).


TopShelf

join:2010-06-25

1 recommendation

reply to TheWiseGuy

said by TheWiseGuy:

OK, so you know the packets are not reaching you. Last step try another scanner to check if your ISP is intercepting the packets.

PCflank's advanced scanner will allow you to specify the ports

»www.pcflank.com/scanner1.htm

I tested several Ports at PCFlank and confirmed by forwarding the port and using wireshark I was receiving the packets. Hopefully this will allow you to see if you get the same results for Ports 111 and 369. If they show up as stealth you know that your ISP is not blocking those ports and GRC's scanner is not working correctly.

Thanks for the link! I repeated the tests I originally performed @ Shields Up. PC Flank reports stealth on all four computers for those two ports. Shields Up STILL! reports closed.

I'm off to download Wireshark and to see what's going on with those two ports. I'll let you know what I find.....or don't find.

--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.

Frodo

join:2006-05-05

1 edit

1 recommendation

reply to ariez

I also forwarded TCP 111 & 369 to the PC. Showing stealth at PCflank and GRC.
Stopped the windows firewall, and both scanners showed "closed".
Put 2 netcat listeners on 111 & 369 and both port scanners showed "open".
Restarted Windows firewall - both port scanners back to stealth. Unable to find a discrepancy between PCflank and GRS.

--edit
When shutting down the netcat listeners, I did find a discrepancy. The listeners logged a connection from PCflank but not GRC.

So try again. PCflank has two types of scans, "TCP connect scanning (standard)" and "TCP SYN scanning". I had initially tried the connect scanning, and that is when the connection was logged. The Syn scanning doesn't cause netcat to log a connection. So, to compare apples with apples, it would be necessary to use the TCP Syn scanning at PCflank to compare with GRC.

Still, after using the TCP syn scanner, didn't find a discrepancy between GRC and PCflank.


Jasu

join:2010-01-09
Finland

1 recommendation

reply to mackey

I would start scanning ports like 22,80,139,443 which are quite often open. Automated attacks try to find specific exploits which means usually a well known port number (running http in port 81 is possible but difficult to use). An attacker wanting to attack specific network or company can run the port scans in parallel thus avoiding the long waiting because of timeouts.

A complete lack of response does not mean that there is no host. The last router on the route should return ICMP host unreachable, but yes, many ISP are filtering these or not sending these ICMP messages at all.

The only real benefit of stealth that I can think of, is that saying no to a packet flood takes more resources than ignoring the packets. However stealthing makes any troubleshooting really painful. What I'm doing is to respond but if DoS attack is discovered, just drop the packets from the flooders.



Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

Seems wise Jasu

I want to add also that ICMP in itself, is not a security risk like many claim. In fact, I would wager most but NOT ALL who block ICMP don't really understand or know why they are blocking other then "Someone said its good security"

For example, there are 4-5 really useful ICMP that shouldn't be blocked...infact, blocking them just lowers the efficiency of your network and just makes your routers work harder for little to no benefit.

Internet Control Message Protocol

ICMP Echo Request
ICMP Echo Reply
ICMP Destination Host Unreachable
ICMP Time Exceeded
ICMP Source Quench (Optional nowdays, but still applicable in some cases)

ICMP Destination Host Unreachable is essential in PMTUD - Path MTU Discovery to work properly and efficiently.

Im not saying just carte blanch allow ICMP through, but ping and some other parts of ICMP are useful to respond to as they help your network flow better, and don't compromise your security. As long as you use NMAP and your ports are filtered and closed, I think you would be just fine.

I have found i get much less internet noise on my WAN's when showing closed ports and ICMP I listed above...scanner scan me one time and go away instead of just scnaning over, and over, and over until they realize im stealth and leave..i prefer a 1 scan and move on over 5-6 scans...just my 2 cents!
--
Tech Tips



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 edit

1 recommendation

Click for full size
ICMP ..... on my device, does NOT make any differences
In some level, agreed with your point of view & SPI take care with the bad ICMP ........
The ICMP protocol facilitates the use of important administrator utilities such as ping and traceroute, but it can also be manipulated by hackers to get a snapshot of your network. Learn what ICMP traffic to filter and what to allow.