OzarkMan | reply to jvmorris
Re: Closed vs Stealthed Ports

quote: stealthing (with its "no answer" solution) can actually generate more nuisance traffic than a simple closed response.

Simply put, for me... if I don't exist I can't be bothered. I apply this same theory when it comes to Halloween also.

jvmorris (I Am The Man Who Was Not There. | Premium, MVM | join: 2001-04-03 | Reston, VA)

said by OzarkMan: ....if I don't exist I can't be bothered. I apply this same theory when it comes to Halloween also

Well, I want to follow up on your solution for Halloween, but perhaps we'd best do that via IM!

But, more to the point, the first part of your statement is not quite true. A lot of stealthed ZA users were certainly 'bothered' by the ARP flood associated with Code Red last year. I think Robert Wycoff, over in the GRC newsgroups, was effectively knocked offline for about three days, as a matter of fact.
-- Regards, Joseph V. Morris

Michael (Premium | join: 2001-05-06 | Canada) | reply to OzarkMan

I am assuming you are writing that you do not "exist" because you are stealthed. But what about Joseph's point that a stealthed computer does in fact convey information due to the lack of response?

I am thinking along the lines that when information is conveyed that an IP address is stealthed but in use, that IP address might just be a more interesting target than an IP address that reflects all ports are closed.

The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.

jvmorris

said by Michael: . . . . The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.

For the sake of completeness, I should add that the last good discussion (that I've seen) of what this "no information" solution conveys was in the USENET NNTP newsgroup comp.security.firewalls. I'll try to track down the thread later today.
-- Regards, Joseph V. Morris

R2 (R Not | Premium, MVM | join: 2000-09-18 | Long Beach, CA | kudos: 1) | reply to Michael

This is correct. The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information.

It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that the address is viable but that the ports are being filtered (stealthed).

A more interesting response from a firewall would be for it to return an ICMP "Destination Unreachable" packet (either code 1 or 3). This way, instead of the "absence of response", the firewall is giving a "response of absence". :)

Better still, firewalls could be configured to allow the user to decide how it is to respond. Response to SYN packet scan (select one):

[_] Stealth/Filtered (no response)
[_] Closed (RST packet)
[_] Pseudo-Open [port closed] (SYN,ACK packet)
[_] Destination Port Unreachable (ICMP 3,3 packet)
[_] Destination Host Unreachable (ICMP 3,1 packet)

Now THAT would be an interesting firewall! :)

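How an observer interprets each of the response options R2 lists, and why repeated silence still marks an address as in use, as an added example that is not part of the thread. The reply model, the loss rate and the sample replies are constructed; the set of ICMP type 3 codes is the one port scanners commonly record as "filtered".

```python
# Added example (not from the thread): classify a firewall's reply to a TCP
# SYN probe the way a scanner records it, and quantify how little "no answer"
# hides once several probes in a row go unanswered.
from dataclasses import dataclass
from typing import Optional, List

@dataclass(frozen=True)
class Reply:
    """One observed reply to a SYN probe (constructed). A timeout is None."""
    kind: str                  # "tcp" or "icmp"
    tcp_flags: str = ""        # e.g. "SA" (SYN/ACK) or "RA" (RST/ACK)
    icmp_type: int = -1
    icmp_code: int = -1

# ICMP type 3 codes scanners treat as "administratively filtered";
# R2's 3,1 (host unreachable) and 3,3 (port unreachable) are among them.
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

def classify(reply: Optional[Reply]) -> str:
    """Map one reply to the port state an observer would record."""
    if reply is None:
        return "filtered"              # R2's "absence of response"
    if reply.kind == "tcp":
        if "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"              # SYN/ACK: real open, or R2's "pseudo-open"
        if "R" in reply.tcp_flags:
            return "closed"            # RST: the plain "closed" answer
        return "unknown"
    if reply.kind == "icmp" and reply.icmp_type == 3 \
            and reply.icmp_code in FILTERED_CODES:
        return "filtered"              # R2's "response of absence"
    return "unknown"

def p_host_active(unanswered_probes: int, loss_rate: float) -> float:
    """Probability that silence is deliberate rather than packet loss:
    1 - P(every one of k independent probes was lost) = 1 - loss_rate**k."""
    return 1.0 - loss_rate ** unanswered_probes

def scan_summary(replies: List[Optional[Reply]], loss_rate: float = 0.05) -> dict:
    """States per probe plus the inference R2 describes for the silent ones."""
    silent = sum(1 for r in replies if r is None)
    return {
        "states": [classify(r) for r in replies],
        "silent_probes": silent,
        "p_active": p_host_active(silent, loss_rate),
    }

if __name__ == "__main__":
    # Constructed scan: three timeouts from a fully stealthed host.
    print(scan_summary([None, None, None]))   # p_active is 0.999875 at 5% loss
```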
OzarkMan | reply to jvmorris

quote: the first part of your statement is not quite true

Sure it's true, Joseph, since I base my thinking on the same facts R2 shared in his initial post. I also agree with the premise that Stealth is over-rated. In fact, with my surfing habits and download management, I'm quite content for now, BUT am always concerned about the traffic that I don't know about.

jvmorris | reply to R2

said by R2: . . . . The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. . . . .
Better still, firewalls could be configured to allow the user to decide how it is to respond. . . . . Now THAT would be an interesting firewall! :)

Ahhh!!! Great minds and all that!
-- Regards, Joseph V. Morris

jvmorris | reply to OzarkMan

Hey, any chance we can have the old avatar back? I really liked it!

said by OzarkMan: . . . . Sure it's true Joseph since I base my thinking on the same facts R2 shared in his initial post. I also agree with the premise that Stealth is over-rated. In fact with my surfing habits, download management, I'm quite content for now . . .

Darn! We both agree with R2! But you make an additional point above that may also be coloring my own perception, now that you bring it up. I suspect that your and my surfing habits and management procedures are not too dissimilar, and that would influence my own personal experience.

quote: . . . . BUT am always concerned about the traffic that I don't know about.

But this brings us to Steve Friedl's comment in Randy's thread about the Port 1214 probes (and MeeToo brings up essentially the same issue directly after you posted). Let me pick up on MeeToo's comments in a direct response to his posting.
-- Regards, Joseph V. Morris

R2

said by jvmorris: Darn! We both agree with R2!

This is a clear sign that I am slacking off and not making my posts controversial enough... :(

jvmorris

said by R2:
said by jvmorris: Darn! We both agree with R2!
This is a clear sign that I am slacking off and not making my posts controversial enough... :(

Well, it takes practice. I'm sure you'll get the hang of it -- eventually.
-- Regards, Joseph V. Morris