dslreports forums
mackey (Premium Member), replying to NormanS:
Re: ports not stealth

said by NormanS:

Some say a "Closed" response invites closer scrutiny from hostile scanners. In my personal experience, this is not true.

Really this depends on the value of the target being scanned or why the scan is being performed. For a home user, they're most likely being scanned by a script kiddie looking for another drone for their botnet, and thus if the one vulnerability they're looking for isn't there they'll move on to the next IP. However, if it's a high-value target (say a large corporation or gov't agency) that's being specifically targeted (they're not just a random computer on the internet), getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it, thereby telling the attacker that IP warrants a closer inspection.

/M

sivran (Premium Member):
said by mackey:

getting a RST/closed response means there is a active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

You've been reading too much Steve Gibson.

mackey (Premium Member):
Oh? Please explain how letting an attacker know there's an active host at an address helps security.

/M
TheWiseGuy (MVM), replying to sivran:
said by sivran:

said by mackey:

getting a RST/closed response means there is a active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

You've been reading too much Steve Gibson.

Interesting, since Hacking Exposed, which was considered a classic 10 years ago, well before Gibson, said one of the first things you need to do when trying to access a network is to map the network and the IPs by scanning. That included using signatures from any responses to determine the device responding. IIRC (I have not used it in years), NMAP was designed to attempt to determine the operating system from the responses so you would know what attacks might work.

Even the responses from different ICMP packets have been studied to see the patterns from different types of systems.

So while many people in this forum like to spout off that closed is as good as stealth, IMO it is a debatable claim. I guess I do not understand TCP/IP.

Woody79_00 (Premium Member):

This argument has been raised before; I refer to this thread.

»Place your bets - Closed vs Stealthed

I think the difference between closed and stealth is negligible. As long as the ports are filtered and services are not listening on those ports, then I think it's fine. Of course, stealth or closed, you still gotta keep the firmware updated on the firewall itself.

I always say, "The lack of a response is a response in itself." Sometimes it's best to hide in plain sight: respond to their probes with a closed message and they go away. After all, it is possible to discover a stealthed machine, as outlined in that thread.

Again though, I don't think it's something to bicker over; both are secure enough for most purposes. It just really comes down to personal preference and what you're more comfortable with. I have run closed systems for years without issue, same with stealth; it just depends on which I'm most comfortable with for which scenario.
TheWiseGuy (MVM):

There are even longer threads that occurred even before that thread. Yes it has been discussed here many many times and in great depth.

My viewpoint is that there is a reasonable argument for both positions: there are advantages/disadvantages to not giving out any information (stealth) by dropping packets, and there are advantages/disadvantages to following standard TCP/IP practices and sending RSTs, but which is better really must be an individual preference since, as I stated, which is better is debatable.

NormanS (MVM), replying to mackey:
said by mackey:

Oh? Please explain how letting an attacker know there's an active host at an address helps security.

How does a TCP RST response indicate the host is "active"? An "Open" result would indicate an "active" host. Using Telnet to attempt to connect will show if there is an "active" host. If there is no service "listening", the host isn't "active".
Jasu (Member):

TCP RST should be a response from the host. Routers on the route should use ICMP if they are blocking the packets. When you are using Telnet, a TCP RST causes a "connection refused" error, while stealth (no response) causes a long wait and a "connection timed out" error.

sivran (Premium Member), replying to mackey:
There being an "active host" at a particular address is a foregone conclusion. So can you explain how "stealth" helps? Bearing in mind that a reset can come from any device upstream, sent on behalf of the destination, it does not necessarily mean anything. And where does profiling a reset get you? Nowhere -- since a closed port is just as exploitable as a filtered one.

I think TheWiseGuy is right in that it's a matter of personal preference. Myself, I think it's preferable to be uniform, with every port the same, but I'm not going to worry (and it's not worth worrying) over a few ports that show closed when I was going for filtered, or vice versa. Those ports are still safe from network intrusion.

mackey (Premium Member):

said by sivran:

There being an "active host" at a particular address is a foregone conclusion.

What? It is most definitely NOT a foregone conclusion!

Let's say a company has a /24 but they only currently have, say, 143 computers active (workstations + servers). An attacker then scans a single port on every host in that /24. The company has a firewall that blackholes (stealth) all IPs except for the servers they make available to employees in the field or who are working from home. If the attacker does not get a reply to the scan (it's stealth), how do they know if that particular IP is an active computer that's firewalled but may be listening on a different port, or one of the 111 unused addresses? If the company decided a RST is just as good as "stealth" and thus the hole in the firewall allows everything to that IP through, the attacker then gets a RST for that port he scanned and thus knows there is an active computer there and it's not one of the 111 unused addresses. For the 2nd pass the attacker can then focus a much larger port scan on the handful of IPs that responded with a RST (since he knows there's something there) instead of needing to scan the entire /24 again.

/M

Woody79_00 (Premium Member):

said by mackey:

said by sivran:

There being an "active host" at a particular address is a foregone conclusion.

What? It is most definitely NOT a foregone conclusion!

If the company decided a RST is just as good as "stealth" and thus the hole in the firewall allows everything to that IP through, the attacker then gets a RST for that port he scanned and thus knows there is an active computer there and it's not one of the 111 unused addresses.

/M

I just want to focus on this one part:

1. Since when is a port that responds "Closed" a port that's actively accepting connections? When in fact a port that responds Closed is the exact opposite of that: it's saying the port is not accepting connections, period.

2. Since when is a port responding "Closed" a hole in the firewall letting things through? Ports that respond closed are not accepting connections on those ports, so they are not letting anything through.

Perhaps I am not following or understanding your line of reasoning, but in the last 20 years I have learned to take what Steve Gibson says with a grain of salt. Stealth is more of a marketing term than anything else.

Stealth has pros and cons just like Closed; the fact is both Closed and Stealth are "filtered ports". Neither is accepting connections; the only difference is one drops silently, the other says "We're not accepting connections, go away."

Some choose to run Closed instead of Stealth because it suits a particular scenario....Stealth isn't the right setup for all situations.

For example Google responds to pings, Microsoft doesn't...does that make Google any less secure? Nope.

As I said, perhaps I misunderstand what you're trying to say, and if I do, my apologies. I look forward to your response; hope you're having a great day!

mackey (Premium Member):

said by Woody79_00:

Since when is a port that responds "Closed" a port that's actively accepting connections?

When did I ever say it was? Did you not read the last part I wrote: For the 2nd pass the attacker can then focus a much larger port scan on the handful of IPs that responded with a RST (since he knows there's something there) instead of needing to scan the entire /24 again. Seriously. My point is that having a machine respond with a RST tells an attacker there is an active machine there (whereas "stealth" cannot be distinguished from no machine at that address) allowing them to focus more effort there.

And why do people keep mentioning Steve Gibson? I haven't heard anything about him in years.

/M

Steve, replying to mackey:
said by mackey:

Oh? Please explain how letting an attacker know there's an active host at an address helps security.

1) "Enamour with stealth is inversely related to knowledge of TCP/IP" - me
2) "Misunderstanding security threats makes you less safe" - me

edit to add:

3) "Worry about the things not in your logs, not the things that are" - me

sivran (Premium Member), replying to mackey:
And so what if they scan it again? And why do you assume they wouldn't bother scanning the remainder as well, despite there being no response? The performance impact of "stealth" to a scan is negligible to non-existent. What's he gonna do? He can scan and ping to his heart's content but he's not going to hack that host.

Please, again, remember that port scan results may not paint an accurate picture of a target's network. Upstream devices can and do either drop silently or send reset responses on behalf of the hosts behind them. Thus, until you find an open port and interact with it, you still aren't certain of anything. (Hell, even when you find a service to poke at, you can't be absolutely certain you're interacting directly with the host running that service)
Jasu (Member), replying to mackey:
I would start scanning ports like 22, 80, 139, 443, which are quite often open. Automated attacks try to find specific exploits, which usually means a well-known port number (running HTTP on port 81 is possible but difficult to use). An attacker wanting to attack a specific network or company can run the port scans in parallel, thus avoiding the long waiting caused by timeouts.

A complete lack of response does not mean that there is no host. The last router on the route should return ICMP host unreachable, but yes, many ISPs are filtering these or not sending these ICMP messages at all.

The only real benefit of stealth that I can think of is that saying no to a packet flood takes more resources than ignoring the packets. However, stealthing makes any troubleshooting really painful. What I'm doing is to respond, but if a DoS attack is discovered, just drop the packets from the flooders.
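The two-pass triage mackey describes in the /24 scenario above (a wide, shallow first pass, then a deeper pass only on the addresses that answered), together with Jasu's points that a RST shows up as "connection refused" while a drop shows up as a timeout and that an attacker simply runs probes in parallel, as an added example in Python. This is not code from the thread: it is a plain connect() scanner (no raw sockets, so no root needed), the hosts and port lists are made-up inputs, and the offline demo uses two loopback ports so it runs without a target network. It also carries the caveat sivran raised: on Linux, ECONNREFUSED is what you get both for a real RST and for an ICMP port-unreachable sent by a REJECTing firewall on the path, so "closed" proves that something answered for that address, not necessarily the host itself.

```python
"""Two-pass TCP scan triage: a connect() scanner that records whether each probe
got an answer (open/closed) or silence (filtered), then focuses the second pass
on the addresses that proved something is there. Added example, not thread code."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor

# First-pass ports: the commonly open ones Jasu named.
FIRST_PASS_PORTS = (22, 80, 139, 443)


def probe(host, port, timeout=1.0):
    """Classify one TCP port from the connect() outcome.

    open        SYN/ACK, handshake completed
    closed      RST (ECONNREFUSED); on Linux also ICMP port-unreachable from a
                REJECTing firewall, so it proves an answer, not the host itself
    filtered    no reply within the timeout (silent drop, "stealth")
    unreachable ICMP host/net unreachable from a router on the path
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "filtered"
    finally:
        s.close()


def scan(hosts, ports, timeout=1.0, workers=64):
    """Probe every host/port pair concurrently. Parallelism is what makes a
    drop-everything target cheap to scan: 64 probes wait out one timeout
    together instead of one after another. Returns {host: {port: state}}."""
    results = {h: {} for h in hosts}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(probe, h, p, timeout): (h, p)
                   for h in hosts for p in ports}
        for fut, (h, p) in futures.items():
            results[h][p] = fut.result()
    return results


def live_hosts(results):
    """Addresses worth a deeper second pass: anything that answered (open or
    closed). A host that only ever shows 'filtered' is indistinguishable from
    an unused address, which is the whole argument for dropping."""
    return sorted(h for h, ports in results.items()
                  if any(st in ("open", "closed") for st in ports.values()))


def two_pass(hosts, second_pass_ports=range(1, 1025), timeout=1.0):
    """Wide, shallow first pass; deep second pass on the live subset only."""
    first = scan(hosts, FIRST_PASS_PORTS, timeout)
    targets = live_hosts(first)
    second = scan(targets, tuple(second_pass_ports), timeout) if targets else {}
    return first, targets, second


def loopback_demo():
    """Offline demo on 127.0.0.1: one listening port, one port nothing listens
    on (the kernel answers its SYN with RST). Returns (open_state, closed_state,
    live_hosts)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port is now free: nothing listens, so connect() gets a RST
    try:
        results = scan(["127.0.0.1"], (open_port, closed_port))
    finally:
        srv.close()
    states = results["127.0.0.1"]
    return states[open_port], states[closed_port], live_hosts(results)


if __name__ == "__main__":
    print(loopback_demo())
    # Against a real range (made-up addresses; only scan what you are authorised to):
    # first, targets, second = two_pass(["192.0.2.%d" % i for i in range(1, 255)])
```

Run it and the loopback demo reports the listening port as open, the free port as closed, and 127.0.0.1 as the only live host; swap in a range of addresses that drop everything and `live_hosts` comes back empty even though machines may well be there, which is exactly the ambiguity both sides of the thread are arguing about.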

Woody79_00 (Premium Member):

Seems wise Jasu

I want to add also that ICMP in itself is not a security risk like many claim. In fact, I would wager most, but NOT ALL, who block ICMP don't really understand or know why they are blocking, other than "someone said it's good security".

For example, there are 4-5 really useful ICMP messages that shouldn't be blocked; in fact, blocking them just lowers the efficiency of your network and makes your routers work harder for little to no benefit.

Internet Control Message Protocol

ICMP Echo Request
ICMP Echo Reply
ICMP Destination Host Unreachable
ICMP Time Exceeded
ICMP Source Quench (Optional nowdays, but still applicable in some cases)

ICMP Destination Host Unreachable is essential for PMTUD (Path MTU Discovery) to work properly and efficiently.

I'm not saying just carte blanche allow ICMP through, but ping and some other parts of ICMP are useful to respond to, as they help your network flow better and don't compromise your security. As long as you use NMAP and your ports are filtered and closed, I think you would be just fine.

I have found I get much less internet noise on my WANs when showing closed ports and the ICMP I listed above: scanners scan me one time and go away, instead of scanning over and over and over until they realize I'm stealth and leave. I prefer one scan and move on over 5-6 scans. Just my 2 cents!
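Woody79_00's allow list above, as an added example (not code from the thread or from any firewall product) of an ICMP filter decision in Python: it decodes the 8-byte ICMP header, verifies the RFC 1071 checksum, lets through echo request/reply, destination unreachable, time exceeded and source quench, and drops everything else (redirects, timestamp requests, and so on). The message PMTUD actually depends on is destination unreachable (type 3) with code 4, "fragmentation needed and DF set", which carries the next-hop MTU; the filter pulls that value out so the caller can see what blocking it would throw away. The packets fed to it are constructed with the block's own `build_icmp` helper, not captured traffic.

```python
"""ICMP border-filter decision for the message types that keep ping, traceroute
and Path MTU Discovery working. Added example, not code from the thread."""
import struct

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11
FRAG_NEEDED = 4  # Destination Unreachable code 4: "fragmentation needed and DF set"

# Allowed types, following Woody79_00's list; everything else is dropped,
# including redirects (type 5), which hosts should not accept from outside.
ALLOWED_TYPES = {ECHO_REQUEST, ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED, SOURCE_QUENCH}


def checksum(data):
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=0, payload=b""):
    """Constructed ICMP message (type, code, checksum, 32-bit 'rest of header',
    payload) with a valid checksum. Used here only to make sample input."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(pkt):
    """Decode the 8-byte ICMP header; checksum_ok is True when the checksum over
    the whole message (including its own checksum field) folds to zero."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header (%d bytes)" % len(pkt))
    t, c, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    return {"type": t, "code": c, "rest": rest,
            "checksum_ok": checksum(pkt) == 0, "payload": pkt[8:]}


def filter_icmp(pkt):
    """Return ('allow' | 'drop', reason) for one inbound ICMP message."""
    try:
        m = parse_icmp(pkt)
    except ValueError as e:
        return "drop", str(e)
    if not m["checksum_ok"]:
        return "drop", "bad checksum"
    t, c = m["type"], m["code"]
    if t not in ALLOWED_TYPES:
        return "drop", "type %d not allowed" % t
    if t == DEST_UNREACH and c == FRAG_NEEDED:
        # RFC 1191: the next-hop MTU is the low 16 bits of the 'rest' field.
        # Dropping this message is what silently breaks PMTUD.
        return "allow", "frag-needed mtu=%d" % (m["rest"] & 0xFFFF)
    if t == DEST_UNREACH:
        return "allow", "dest-unreach code=%d" % c
    if t in (ECHO_REQUEST, ECHO_REPLY):
        return "allow", "echo"
    if t == TIME_EXCEEDED:
        return "allow", "time-exceeded (traceroute)"
    return "allow", "source-quench (deprecated by RFC 6633, kept per the list above)"


if __name__ == "__main__":
    # Constructed sample traffic, not captured packets.
    samples = [
        ("ping", build_icmp(ECHO_REQUEST, 0, 0x00010001, b"abcdefgh")),
        ("pmtud", build_icmp(DEST_UNREACH, FRAG_NEEDED, 1400, b"\x45" * 28)),
        ("redirect", build_icmp(5, 1, 0x0A000001, b"\x45" * 28)),
        ("timestamp", build_icmp(13, 0)),
    ]
    for name, pkt in samples:
        print(name, filter_icmp(pkt))
```

The decision is by type first and code second, which is the same order a real packet filter rule set uses; a stricter deployment would also rate-limit echo requests and check that the quoted IP header inside an error message matches a connection the host actually has, neither of which the thread discusses.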
85160670 (Member):
ICMP on my device does NOT make any difference.
On some level I agree with your point of view, and SPI takes care of the bad ICMP.
The ICMP protocol facilitates the use of important administrator utilities such as ping and traceroute, but it can also be manipulated by hackers to get a snapshot of your network. Learn what ICMP traffic to filter and what to allow.