dave (Premium, MVM | join: 2000-05-04 | not in ohio | kudos: 7)
reply to jvmorris
Re: Closed vs Stealthed Ports

said by jvmorris: If I were scanning (maliciously) and hit a definitely closed port, I'd pack it in and forget about that IP address myself because there's apparently some sort of protection there
I don't seem to be on the same page as you.
Leave firewalls out of it. Assume an unprotected system.
If I try and connect to TCP port 999 on some system, I might get a response back that says "refused because no program has that port open", i.e., the port is closed.
This should tell me nothing about what havoc I might be able to wreak by connecting to port 80 (which has an unpatched copy of IIS on the other side).
Am I confused about what you mean by "closed" here?

Sentinel (Premium | join: 2001-02-07 | Florida | kudos: 1)
reply to dave

So then why have a firewall at all? If a firewall is less secure than just having a closed port why don't we just have closed ports? -- AL
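dave's point that a refused connection to port 999 says nothing about what listens on port 80, together with R2's three-way split of SYN-scan outcomes later in the thread (SYN,ACK = open, RST,ACK = closed, no packet at all = filtered) and his "absence of response versus response of absence" inference, can be made concrete in code. The following is an added example, not code from the thread or from any product mentioned in it; the raw TCP headers, port numbers and function names are constructed for illustration.

```python
import struct
from typing import Dict, Optional

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return segment[13]


def classify_reply(reply: Optional[bytes]) -> str:
    """Label what a single SYN probe got back, using R2's three outcomes."""
    if reply is None:
        return "filtered"      # no packet at all: what the marketing calls "stealth"
    flags = tcp_flags(reply)
    if flags & RST:
        return "closed"        # RST(,ACK): host is there, nothing listening on the port
    if flags & SYN and flags & ACK:
        return "open"          # SYN,ACK: some process agreed to the handshake
    return "unexpected"


def make_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header carrying the given flags (constructed test data)."""
    # src, dst, seq, ack, data offset (5 words << 4), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 1024, 0, 0)


def scan_verdicts(replies: Dict[int, Optional[bytes]]) -> Dict[int, str]:
    """Map each probed port to open / closed / filtered."""
    return {port: classify_reply(reply) for port, reply in replies.items()}


def infer_host_state(known_active: bool, verdicts: Dict[int, str]) -> str:
    """R2's inference: silence from an address you KNOW is up implies a filter in the path.

    known_active is True when the address just talked to you (e.g. it visited your site),
    so 'no reply' cannot mean 'no host'. A closed port, by contrast, only says that
    nothing listens THERE; it says nothing about any other port (dave's port 80 point).
    """
    kinds = set(verdicts.values())
    if "open" in kinds:
        return "host up, something listening"
    if "closed" in kinds:
        return "host up, probed ports closed, probably no filtering firewall"
    if kinds == {"filtered"}:
        if known_active:
            return "host known active but silent: filtering firewall in the path"
        return "no reply: host off, unassigned address, or firewalled (cannot tell)"
    return "inconclusive"


# Constructed replies to SYN probes against three ports of one host.
SAMPLE_REPLIES: Dict[int, Optional[bytes]] = {
    80: make_segment(80, 40000, SYN | ACK),     # a web server answered
    999: make_segment(999, 40001, RST | ACK),   # nothing listening: closed
    27374: None,                                # silently dropped: filtered
}
```

Running `scan_verdicts(SAMPLE_REPLIES)` yields open/closed/filtered for 80/999/27374, and `infer_host_state` only turns a set of "filtered" results into "firewall present" when the host is independently known to be up.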
SYNACK (Just Firewall It | Premium, Mod | join: 2001-03-05 | Venice, CA)

A firewall that actively monitors all connections and rejects unwanted probes with a RST is very different to a computer without firewall, even if it looks the same from the outside.
The security comes from within, not from the outside appearance. -- Where in the world is LA/OC ?

R2 (R Not | Premium, MVM | join: 2000-09-18 | Long Beach, CA | kudos: 1)
reply to SYNACK

said by SYNACK: (As mentioned before, this is my definition of a stealth firewall, the RST response hides the actual presence of the firewall. ).
I always liked this statement. This gets right to the point about the relatively stupid use of the word "stealth" to describe a port's response. I purposefully did not mention the person who I believe coined the term -- I knew someone would.;)
"Stealth" can be used to describe the computer itself, it can be used to describe a type of port scan, or (as SYNACK does) it can be used to describe a firewall. But using the term to describe a port's response is simply illogical. I completely agree that the term was created to get people interested in acquiring a firewall. That's about it.
Ports can have 3 responses registered by a scanner: Open, Closed, or No Response. There is no "stealth" response.
It seems to me that the non-responding computers just generate more attempts to be attacked -- waiting for the moment when your defenses might be down. Based on the information presented here, a closed response seems more logical.
However, an ICMP Host/Port Unreachable response might be even more likely to squelch probings. THAT might represent the TRUE "Stealth" response!!;)
The perfect firewall could give the user a choice of what response it sends to a SYN probe. Or humorously, you could set it up to randomly vary the responses -- and confuse the he// out of the scanner.:) ________________
This thread moves faster than I type...
Dave is right -- a computer without a firewall gives a Closed response -- hence SYNACK's comments about a "Stealth" firewall pretending it is not there.
Firewalls do MORE than just provide a "stealth" port scan -- however, the push to market the software firewall sadly seemed to make this one of the most important issues...:( [text was edited by author 2002-06-06 21:14:35]

dave (Premium, MVM | join: 2000-05-04 | not in ohio | kudos: 7)
reply to Sentinel

said by Al Otero: So then why have a firewall at all? If a firewall is less secure than just having a closed port why don't we just have closed ports?
Basically for the same reason I don't lock every door in my house - you get stopped, in theory, at the front door. Meanwhile, on the other side of the front door, I like to actually use my house.
I've got MS-style file sharing enabled on this system. I want to use it; I don't want you to use it. Therefore, there's a firewall in your way.
I find all this emphasis on 'ports' on the PC to be quite strange, actually. It leads to odd questions like 'how do I close a port?' -- well, just don't run the program that would open that port. Whether or not port 999 is exploitable depends not at all on 'port 999' but solely on the program that's accepting connections on port 999.
A better focus, in my opinion, would be: what programs may be running, are they exploitable, and are they screened by firewall from the outside world?

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)
reply to jvmorris

said by jvmorris: Ya know, I'm starting to get jealous here! I take an entire screen to express an idea and one of you comes along and wraps the whole concept up in two lines!

And I'm jealous of the way you explain concepts in such detailed ways! It's all great and good to be able to wrap a concept in 2 lines, but it doesn't make us understand the concept, does it? I can't explain concepts in detail, but I can understand concepts when they're explained to me in detail! -- Help find a cure, join Team Helix

jvmorris (I Am The Man Who Was Not There. | Premium, MVM | join: 2001-04-03 | Reston, VA)
reply to Sentinel

said by Al Otero: But if a port is stealth it is still closed. And not only that, it most likely closed due to a firewall, is it not? A closed port is the same but just could be closed due to not being open.
Al, I think you're looking at this from the perspective of a potential 'victim'. The 'cracker', on the other hand, is looking at this from the perspective of a potential exploiter. There's a finite IP address space (large, to be sure, but still finite). If 'stealth' actually is indistinguishable from 'no computer on this IP address--at the moment', then I (assuming my role as a 'cracker') might continue to check the IP address/port combination in anticipation that something would eventually turn up there. For the skiddies, in particular, this would show up as a 'slow scan' and a stealthed user (i.e., you) would be unlikely to pick it out unless they were using a third-party firewall event log analyzer with extended functionality (and specifically something that could pick out repeated probes from a particular remote IP address over a period of many days).

quote: I guess what I am trying to say is, if I were a hacker and I saw a stealth port it would not tempt me any more than if I saw a closed port. As a matter of fact if I saw a stealth port it would likely deter me more since it is probably stealth due to a firewall. Whereas a user who has no firewall is likely to have closed ports.
But this is precisely the problem! You don't see a stealthed port saying "Hi, I'm stealthed!" You see nothing at all and are left to draw your own conclusions as to the significance of this non-report. On the other hand, if you see that the IP address is active but closed, you (as a cracker) know precisely that. (And, if you're smart, you don't pursue the issue further.)

quote: I would probably pass on both the stealth and closed ports and try to find something open, . . . .

Oh, well, who wouldn't?!! But there's a flip side here: The more the 'cracker' does to scan for an open port on the internet at large, the more likely their activities are to be detected, if only by something like MyNetWatchman or dShield. That's good for us; and bad for them.

quote: . . . . but if I were to choose between trying to hack a closed port or a stealth port I would try the closed one thinking that the stealth one was probably stealth due to a firewall which I would not want to come up against. Does any of this make any sense?
Yes, it makes sense, but if I were a cracker I wouldn't do this. If a port (at a particular IP address) is definitely closed, that would largely imply to me the presence of a NAT/router, a firewall, or a proactive IDS -- and any of these in turn implies the existence of a logging facility that's likely to catch me with my hand in the cookie jar. On the other hand, if I really couldn't tell the difference between a 'stealthed' port and a non-existent port on a particular IP address (which may or may not be in use), I might well continue to probe other ports on that IP address -- if only to establish (as R2 previously described) whether or not there's a machine at that address.
So, effectively, even in this situation, it's a draw and consequently (at least in my opinion), there's no particular advantage to running 'stealthed' instead of simply 'closed'. And, as I've previously commented, it's completely possible to appear as 'stealthed' without using any firewall whatsoever. -- Regards, Joseph V. Morris

R2 (R Not | Premium, MVM | join: 2000-09-18 | Long Beach, CA | kudos: 1)

said by jvm: If a port (at a particular IP address) is definitely closed, that would largely imply to me the presence of a NAT/router, a firewall, or a proactive IDS...
Not necessarily. The typical response of a port without a firewall in front of it that is not actively "listening" is CLOSED.
So finding a 'definitely closed port' does not have to imply a firewall or other device. But, finding that a known active IP address is 'not responding' does imply a firewall is being used.
This gets partially back to 'absence of response' versus 'response of absence'. If you JUST went to a web site, that site KNOWS your IP address is active. If a person from that site then tries to SYN probe your IP address and gets *no* responses (eh, stealth), then the person can infer that you have a firewall. If he gets several 'closed' responses, he would likely assume you do NOT have a firewall.
Again I point to SYNACK's adept description of a 'stealthed' firewall reporting the port is closed instead of 'stealth'. __________________________
But I agree, the benefits of running 'stealth' seem to be over-exaggerated. But in my opinion, the benefits of a firewall in general are over-exaggerated!:)
If the baseline state is for your computer to keep its ports CLOSED, then you are safe from this type of direct-access attack. Unless something specifically opens a port (e.g., some process is actively listening at the port), your computer is closed to an attack.
Rather than focusing on "stealthing" ports, real security lies in keeping errant programs off your computer in the first place. If there is no errant program opening and listening on a port, then you are not very vulnerable, now are you?
Or is my view too simplistic???
[text was edited by author 2002-06-06 21:54:40]

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)
reply to dave

said by dave:
I've got MS-style file sharing enabled on this system. I want to use it; I don't want you to use it. Therefore, there's a firewall in your way.
I find all this emphasis on 'ports' on the PC to be quite strange, actually. It leads to odd questions like 'how do I close a port?' -- well, just don't run the program that would open that port. Whether or not port 999 is exploitable depends not at all on 'port 999' but solely on the program that's accepting connections on port 999.
A better focus, in my opinion, would be: what programs may be running, are they exploitable, and are they screened by firewall from the outside world?
I think an exception would be the netbios port, 139. If left bound to TCP/IP, whether we're running apps or not, we're making our file sharing accessible to the WAN (internet), aren't we? So in effect this is an instance of physically closing a port, as opposed to leaving a port closed by not running an app that uses a certain port.
Please correct me if I'm wrong. -- Help find a cure, join Team Helix

jvmorris (I Am The Man Who Was Not There. | Premium, MVM | join: 2001-04-03 | Reston, VA)
reply to dave

said by dave: . . . .I don't seem to be on the same page as you. Leave firewalls out of it. Assume an unprotected system.
But, Dave, that's precisely what I don't want to do! As I previously stated, probably 99% of people who even know what 'stealth' means (in this context) are at least running a firewall, an IDS, or a NAT router. My question is: What does stealthing do for these people that is not done by simply closing their ports to unsolicited inbound communications?

quote: If I try and connect to TCP port 999 on some system, I might get a response back that says "refused because no program has that port open", i.e., the port is closed.

Actually, I'm rather glad you brought that particular example up. If, for example, I check Simovitz' list of default Trojan ports for TCP Port 999 (»www.simovits.com/trojans/trojans.html), I find Chat Power, Deep Throat, ForePlay and WinSatan listed. Can you explain to me why I would be any safer with a 'stealthed' functionality on this port than I would be with a firewall that simply 'BLOCKS' unsolicited inbound TCP probes to this port in this instance?

quote: This should tell me nothing about what havoc I might be able to wreak by connecting to port 80 (which has an unpatched copy of IIS on the other side).

Correct. However, is your firewall with NO stealthing capability enabled permitting unsolicited inbound access to this port? If it is, I rather doubt that having a 'stealthing' functionality is making any difference. Typically, 'stealthing' only works on ports that are not already listening. Which brings us back to utilities outside the range of the 'traditional' firewall applications, anyway.

quote: Am I confused about what you mean by "closed" here?

R2 has provided a simple, concise definition of 'closed' earlier in the thread. Unfortunately, it's a bit difficult to get a definitive definition of 'stealthed' for the simple reason that it's a non-standard response. -- Regards, Joseph V. Morris

R2 (R Not | Premium, MVM | join: 2000-09-18 | Long Beach, CA | kudos: 1)
reply to MeeToo7

said by MeeToo: If left bound to TCP/IP, whether we're running apps or not, we're making our file sharing accessible to the WAN (internet), aren't we?
Well, define "running apps"?;)
I suspect that binding NetBIOS to TCP/IP does in fact cause a "running process" to listen on port 139.
For the sake of keeping the definitions as clear as possible:
TCP SYN Scan:
"OPEN" = Returns a SYN,ACK packet. (Some process listening on that port assumedly is agreeing to connect with the 'intruder'.)
"CLOSED" = Returns a RST packet -- or more correctly, a RST,ACK packet. (The computer acknowledges the SYN packet, but then tells the intruder to "go away".)
"FILTERED", "BLOCKED", or "STEALTH" (uck!) = Returns no packet -- no response. (This is in some ways not a typical thing for an IP address to do -- which is why this is not the same as a 'response of absence'. This implies that the IP address is active, but the computer is not connected to the Internet -- or it is "firewalled".) [text was edited by author 2002-06-06 22:07:11]

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)
reply to R2

said by R2: Rather than focusing on "stealthing" ports, real security lies in keeping errant programs off your computer in the first place. If there is no errant program opening and listening on a port, then you are not very vulnerable, now are you?

So are you saying people are better off running netstat instead of staring at their firewall logs? -- Help find a cure, join Team Helix

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)
reply to R2

said by R2: Well, define "running apps"?;)
An open application. Is there another definition?
quote: I suspect that binding NetBIOS to TCP/IP does in fact cause a "running process" to listen on port 139.
It does, and not only that, it makes one's HD wide open to the internet, just as it is wide open to one's LAN.
And when unbound from TCP/IP, but bound to NetBEUI, it listens to local IP. So I deduce from that that File Sharing is a "running process".
[text was edited by author 2002-06-06 22:09:53]

R2 (R Not | Premium, MVM | join: 2000-09-18 | Long Beach, CA | kudos: 1)
reply to MeeToo7

said by MeeToo: So are you saying people are better off running netstat instead of staring at their firewall logs?

YES!!:) I have no firewall log tracking or tracing program -- and the only reason I find myself looking at them is to verify whether or not some "port probe" actually did its job!!:)

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)

That was supposed to be a hint to Randy...shhh
But still, I should have said, "so are you saying people are better off running netstat instead of running a firewall at all and staring at the logs..." -- Help find a cure, join Team Helix

jvmorris (I Am The Man Who Was Not There. | Premium, MVM | join: 2001-04-03 | Reston, VA)
reply to dave

said by dave: said by Al Otero: So then why have a firewall at all? If a firewall is less secure than just having a closed port why don't we just have closed ports?
Basically for the same reason I don't lock every door in my house - you get stopped, in theory, at the front door. Meanwhile, on the other side of the front door, I like to actually use my house.
But, Dave, this is the 'classical' definition of a network firewall on your Internet gateway, not the "contemporary" definition that insists on outbound application control (and which can only be implemented using client-based software firewalls)! And even this has nothing to do with whether the hardware/software firewall can provide stealthing for unsolicited inbound communications!

quote: I've got MS-style file sharing enabled on this system. I want to use it; I don't want you to use it. Therefore, there's a firewall in your way.

Same here, but again this has little to do with whether there's stealthing functionality available on your internet firewall. (I think you may have missed the point of Al's query quoted above. It was sort of a rhetorical question, I think.)

quote: I find all this emphasis on 'ports' on the PC to be quite strange, actually. It leads to odd questions like 'how do I close a port?' -- well, just don't run the program that would open that port. Whether or not port 999 is exploitable depends not at all on 'port 999' but solely on the program that's accepting connections on port 999.

Yes, that's it in a nutshell. One simply shouldn't run internet-enabled server applications exposed to the Internet at large unless they've also got features in place to avoid exploitation of the listening port(s). And, for the most part, this functionality is not provided by firewalls, but rather by other security utilities or by the application itself. And (continuing to beat a dead horse), this has very little, if anything, to do with whether your 'firewall' provides a 'stealthing' functionality.

quote: A better focus, in my opinion, would be: what programs may be running, are they exploitable, and are they screened by firewall from the outside world?

Can't argue with that. -- Regards, Joseph V. Morris

R2 (R Not | Premium, MVM | join: 2000-09-18 | Long Beach, CA | kudos: 1)
reply to MeeToo7

I think you get my point despite your contrary responses!
There IS something running that is listening on port 139. So your statement "whether we're running apps or not" does not entirely make sense to me... that's all. _____________________
As for "running no firewall at all" -- that depends. As stated above by several people, the utility of a firewall does not JUST lie in its ability to "stealth" ports.
However, sadly the people (person) who is likely the most responsible for the proliferation of firewalls made this one of the most visible points by creating port scanning web sites... [text was edited by author 2002-06-06 22:19:24]

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)

You're adding a lot in your edits R2, now you're confusing ME. Threads can be hard to follow when many people join, and especially when they're moving fast like now. So I'll refrain from adding any further non-essential comments, as tempting as it can be to me -- Help find a cure, join Team Helix

MeeToo7 (You Too? | Premium | join: 2000-10-18 | Ardmore, PA)
reply to R2

said by R2:
As for "running no firewall at all" -- that depends. As stated above by several people, the utility of a firewall does not JUST lie in its ability to "stealth" ports.
However, sadly the people (person) who is likely the most responsible for the proliferation of firewalls made this one of the most visible points by creating port scanning web sites...
Agreed. And since you're on a roll at being more specific, we should also define the type of firewall we're talking about when saying "firewall". Not doing so adds to confusion for the average users, like me, IMO.
And you're still refraining from naming Steve Gibson...go ahead, he is responsible, we've established that already. So he did create a port scanning website, and many others have followed, including DSLR. I can't blame the man, what's done is done. He also probably did that out of honest good intentions. I'd like to know what Justin thinks of this entire thread, and whether he would still think a port scanning utility is a must on DSLR. -- Help find a cure, join Team Helix

Wildcatboy (Premium, Mod | join: 2000-10-30 | Toronto, ON | kudos: 2)
reply to jvmorris

Love this thread. Thanks for starting it JV. We need more of these kinds of threads.
I hope everybody is as confused as I am when it comes to the term Stealth in this thread because not all of us are talking about the same thing. The term is relevant to what we are trying to accomplish I guess.
Let's say I'm trying to scan for open 27374 ports. If I get no response, it tells me: a) The computer may be off. b) The computer may have a firewall. c) The IP is not even assigned and it's sitting in some DHCP pool somewhere. In any case, I can't get what I want and I'll move on. Chances are I'll come back a couple of days later and try again and get the same result and move on again. But during all those attempts I'm spending time and I'm waiting 30 seconds each time to find that out.
Now let's say I get a closed response. It means the computer is on and there's no Sub 7 and I'll move on after a second or less. Is it better or worse? If you ask me it makes absolutely no difference except in the first scenario I'm causing the guy some inconvenience. Am I safer? Not really. But the fact that I get 10 scans instead of one doesn't make me more vulnerable either. Who cares how many times the guy scans me if I simply ignore it? He can't get in anyway.
Now let's say our intruder is a bit more sophisticated and he's more interested in the fact that my computer is responsive than he is interested in my ports. The following scenario doesn't necessarily make me more vulnerable but it makes me useful for the hacker. I'll give you an example. Most of us have heard about decoy scans by NMAP. For those who don't know how it works, you pick up a bunch of IP addresses and use them as decoys and scan the victim using all of those IP addresses, that way your IP will be only one of let's say 10 addresses hitting the firewall and you make it really hard for the firewall admin to find out who is the actual culprit. Sure, you can figure it out by using router path tracing, response dropping, etc... but most admins never try it unless the damage is extensive.
Now what's important is that if your decoys are not responsive, all your efforts are useless and you'll be easily detected. Why? Because how NMAP works is that it sends a SYN, using each of those IP addresses as the source IP and once it sees the ACK and before the connection is made, it will send an RST to close the connection. However it will only send one RST and that's for your IP address. It relies on the other 9 IP addresses to send their own RST. This means that if those 9 other IPs are non-responsive, my IP will be the only one sending the RST and basically I'm a sitting duck. So he would definitely need to find responsive computers to use as decoys and a Stealth computer is useless to him.
Now being the devil's advocate that I am, I present you the other side of the coin. If I can find a few hundred Stealth computers, I can use them all as decoys and send lots of SYN packets to a computer using those IP addresses. The computer sends an ACK to every single one of them and since it will never receive an RST, it will hang and it can effectively be SYN flooded. So on this side of the coin, your Stealth computer could be used to harm others.
-- You can catch the Devil, but you can't hold him long.
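Two things in this thread tell a defender what a firewall log is actually good for: jvmorris's remark that a stealthed user only notices a 'slow scan' with a log analyzer that can pick out repeated probes from one remote address over many days, and Wildcatboy's description of a decoy scan, where one real source hides among many spoofed ones hitting the same port at once. The following is an added example, not code from the thread or from any product it mentions; it runs both checks over constructed log lines in an assumed "date time DROP proto src:port -> dst:port" format, and the addresses and thresholds are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed firewall log (not from the thread). One dropped inbound SYN per line.
LOG = """\
2002-06-01 02:11:05 DROP TCP 203.0.113.5:1034 -> 192.0.2.10:27374
2002-06-03 23:40:17 DROP TCP 203.0.113.5:1201 -> 192.0.2.10:1243
2002-06-06 04:02:51 DROP TCP 203.0.113.5:1377 -> 192.0.2.10:139
2002-06-06 21:14:35 DROP TCP 198.51.100.1:2000 -> 192.0.2.10:27374
2002-06-06 21:14:35 DROP TCP 198.51.100.2:2000 -> 192.0.2.10:27374
2002-06-06 21:14:35 DROP TCP 198.51.100.3:2000 -> 192.0.2.10:27374
2002-06-06 21:14:36 DROP TCP 198.51.100.4:2000 -> 192.0.2.10:27374
2002-06-06 21:14:36 DROP TCP 198.51.100.5:2000 -> 192.0.2.10:27374
2002-06-06 21:14:36 DROP TCP 198.51.100.6:2000 -> 192.0.2.10:27374
2002-06-06 21:14:36 DROP TCP 198.51.100.7:2000 -> 192.0.2.10:27374
2002-06-06 21:14:37 DROP TCP 198.51.100.8:2000 -> 192.0.2.10:27374
2002-06-06 21:14:37 DROP TCP 198.51.100.9:2000 -> 192.0.2.10:27374
2002-06-06 21:14:37 DROP TCP 198.51.100.10:2000 -> 192.0.2.10:27374
2002-06-06 21:30:00 DROP TCP 192.0.2.77:4455 -> 192.0.2.10:80
"""

Event = Tuple[datetime, str, int]   # (timestamp, source address, destination port)


def parse(lines: str) -> List[Event]:
    """Turn the assumed log format into (timestamp, src_ip, dst_port) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        date, time, _action, _proto, src, _arrow, dst = line.split()
        src_ip, _ = src.rsplit(":", 1)
        _, dst_port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(f"{date} {time}"), src_ip, int(dst_port)))
    return events


def slow_scanners(events: List[Event], min_days: int = 3) -> List[str]:
    """jvmorris's case: the same remote address coming back on several different days.

    A per-line view of the log never shows this; only grouping by source across days does.
    """
    days_seen = defaultdict(set)
    for ts, src, _ in events:
        days_seen[src].add(ts.date())
    return sorted(src for src, days in days_seen.items() if len(days) >= min_days)


def decoy_bursts(events: List[Event], min_sources: int = 8,
                 window: timedelta = timedelta(seconds=5)) -> List[Tuple[int, int]]:
    """Wildcatboy's decoy pattern: many distinct sources hitting ONE port almost at once.

    Returns (port, distinct_sources) for each port where that happens. The admin cannot
    tell from the log which source is real, but can tell that a decoy scan took place.
    """
    by_port = defaultdict(list)
    for ts, src, port in events:
        by_port[port].append((ts, src))
    found = []
    for port, hits in by_port.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            sources = {s for t, s in hits[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                found.append((port, len(sources)))
                break
    return found
```

On the constructed log, `slow_scanners` singles out 203.0.113.5 (three probes on three different days) and `decoy_bursts` reports port 27374 with ten sources inside two seconds.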