 MichaelPremium
join:2001-05-06
Canada | reply to OzarkMan$
Re: Closed vs Stealthed Ports I am assuming you are writing that you do not "exist" because you are stealthed. But what about Joseph's point that a stealthed computer does in fact convey information due to the lack of response?
I am thinking along the lines that when information is conveyed that an IP address is stealthed but in use, that IP address might just be a more interesting target than an IP address that reflects all ports are closed.
The fact that a completely stealthed machine does convey information back indicating that it's IP address is indeed active (even though all ports are stealthed) is quite fascinating to me. |
|
 jvmorrisI Am The Man Who Was Not There.Premium,MVM
join:2001-04-03
Reston, VA | said by Michael:
. . . . The fact that a completely stealthed machine does convey information back indicating that it's IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.
For the sake of completeness, I should add that the last good discussion (that I've seen) of what this "no information" solution conveys was in the USENET NNTP newsgroup comp.security.firewalls . I'll try to track down the thread later today.
--
Regards, Joseph V. Morris |
|
 R2R NotPremium,MVM
join:2000-09-18
Long Beach, CA
kudos:1 | reply to Michael
This is correct. The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information.
It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that address is viable but that the ports are being filtered (stealthed).
A more interesting response from a firewall would be for it to return a ICMP "Destination Unreachable" packet (either code 1 or 3). This way instead of the "absence of response" that firewall is giving a "response of absence".:)
Better still, firewalls could be configured to allow the user to decide how it is to respond. Response to SYN packet scan (select one):
[_] Stealth/Filtered (no response)
[_] Closed (RST packet)
[_] Pseudo-Open [port closed] (SYN,ACK packet)
[_] Destination Port Unreachable (ICMP 3,3 packet)
[_] Destination Host Unreachable (ICMP 3,1 packet) Now THAT would be an interesting firewall!:) |
|
jvmorrisI Am The Man Who Was Not There.Premium,MVM
join:2001-04-03
Reston, VA | said by R2:
. . . . The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. . . . .
Better still, firewalls could be configured to allow the user to decide how it is to respond. . . . .Now THAT would be an interesting firewall!:)
Ahhh!!! Great minds and all that! 
--
Regards, Joseph V. Morris |
|
