Michael
Premium Member
join:2001-05-06
Canada

Michael to OzarkMan$

Re: Closed vs Stealthed Ports

I am assuming you are writing that you do not "exist" because you are stealthed. But what about Joseph's point that a stealthed computer does in fact convey information due to the lack of response?

I am thinking along the lines that when information is conveyed that an IP address is stealthed but in use, that IP address might just be a more interesting target than an IP address that reflects all ports are closed.

The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

said by Michael:
. . . . The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.

For the sake of completeness, I should add that the last good discussion (that I've seen) of what this "no information" solution conveys was in the USENET NNTP newsgroup comp.security.firewalls. I'll try to track down the thread later today.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to Michael

This is correct. The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information.

It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that address is viable but that the ports are being filtered (stealthed).

A more interesting response from a firewall would be for it to return an ICMP "Destination Unreachable" packet (either code 1 or 3). This way instead of the "absence of response" that firewall is giving a "response of absence". :)

Better still, firewalls could be configured to allow the user to decide how it is to respond.
Response to SYN packet scan (select one):

[_] Stealth/Filtered (no response)
[_] Closed (RST packet)
[_] Pseudo-Open [port closed] (SYN,ACK packet)
[_] Destination Port Unreachable (ICMP 3,3 packet)
[_] Destination Host Unreachable (ICMP 3,1 packet)

Now THAT would be an interesting firewall! :)
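
The inference R2 describes, as an added example that is not part of the original thread: it maps each of the five listed responses to what the sender of the SYN concludes, and treats repeated silence as "filtered" once the chance of every probe being lost is negligible. The function names, the 5% loss rate and the 0.001 threshold are assumptions chosen for illustration, and the observations are constructed.

```python
from collections import Counter
from enum import Enum

class Reply(Enum):          # the five responses listed in the post
    NONE = "no response"
    RST = "RST"
    SYN_ACK = "SYN,ACK"
    ICMP_3_3 = "ICMP 3,3"
    ICMP_3_1 = "ICMP 3,1"

# What each explicit reply tells the sender of the SYN.
READS_AS = {
    Reply.RST: "host up, port closed",
    Reply.SYN_ACK: "host up, port looks open",
    Reply.ICMP_3_3: "host up, port unreachable",
    Reply.ICMP_3_1: "no host at this address",
}

def p_all_lost(loss_rate, probes):
    """Chance that every probe was lost in transit, assuming independent loss."""
    return loss_rate ** probes

def infer(replies, loss_rate=0.05, threshold=0.001):
    """Conclusion an observer draws from the replies to repeated SYN probes."""
    if not replies:
        return "no data"
    answered = [r for r in replies if r is not Reply.NONE]
    if answered:
        # An explicit reply outweighs silence; take the most frequent one.
        return READS_AS[Counter(answered).most_common(1)[0][0]]
    if p_all_lost(loss_rate, len(replies)) < threshold:
        return "filtered: address in use, silence is not packet loss"
    return "inconclusive: silence may be packet loss"

if __name__ == "__main__":
    # Constructed observations, one list per firewall response policy.
    samples = {
        "stealth, 1 probe": [Reply.NONE],
        "stealth, 3 probes": [Reply.NONE] * 3,
        "closed": [Reply.RST] * 3,
        "host unreachable": [Reply.ICMP_3_1] * 3,
    }
    for policy, replies in samples.items():
        print(f"{policy:18} -> {infer(replies)}")
```

With the assumed 5% loss rate, three unanswered probes leave a 0.0125% chance that the silence is packet loss, which is why consistent silence reads as a filtered but live address.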

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

said by R2:
. . . . The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. . . . .

Better still, firewalls could be configured to allow the user to decide how it is to respond. . . . . Now THAT would be an interesting firewall! :)

Ahhh!!! Great minds and all that!