R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to Michael

Re: Closed vs Stealthed Ports

This is correct. The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information.

It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that the address is viable but that the ports are being filtered (stealthed).

A more interesting response from a firewall would be for it to return an ICMP "Destination Unreachable" packet (either code 1 or 3). This way, instead of the "absence of response", the firewall is giving a "response of absence". :)

Better still, firewalls could be configured to allow the user to decide how it is to respond.
Response to SYN packet scan (select one):

[_] Stealth/Filtered (no response)
[_] Closed (RST packet)
[_] Pseudo-Open [port closed] (SYN,ACK packet)
[_] Destination Port Unreachable (ICMP 3,3 packet)
[_] Destination Host Unreachable (ICMP 3,1 packet)
Now THAT would be an interesting firewall! :)
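The inference R2 describes (repeated silence is itself information, and each reply type leaks something different) can be written down as a small decision procedure. This is an added example, not code from the thread or from any firewall product; the reply labels, the 5% per-packet loss assumption and the probe observations are all constructed for illustration.

```python
"""Added example: what an observer can infer from a firewall's chosen
response policy, following the reasoning in R2's post. All labels and
probe observations here are constructed, not captured traffic."""

# Constructed labels for the reply a single SYN probe can produce.
NO_RESPONSE = "none"
RST = "tcp_rst"
SYN_ACK = "tcp_syn_ack"
ICMP_HOST_UNREACH = "icmp_3_1"   # ICMP type 3, code 1: host unreachable
ICMP_PORT_UNREACH = "icmp_3_3"   # ICMP type 3, code 3: port unreachable


def prob_all_lost(n_probes: int, p_loss: float) -> float:
    """Chance that n independent probes all vanished through ordinary loss.
    This falls off geometrically, which is why repeated silence is a signal."""
    return p_loss ** n_probes


def infer_state(observations: list[str], p_loss: float = 0.05,
                loss_threshold: float = 0.01) -> str:
    """Map the replies seen for one SYN-probed port to what an observer
    would conclude. 'observations' has one entry per probe sent."""
    if not observations:
        raise ValueError("need at least one probe")
    answered = [o for o in observations if o != NO_RESPONSE]
    if not answered:
        # Silence on every probe: only call it "filtered" once plain packet
        # loss is too unlikely to explain it (R2's argument).
        if prob_all_lost(len(observations), p_loss) < loss_threshold:
            return "host up, port filtered"
        return "undetermined (could still be packet loss)"
    reply = answered[-1]
    return {
        RST: "host up, port closed",
        # SYN/ACK is ambiguous: a real listener and the "pseudo-open"
        # policy from the post look identical at this layer.
        SYN_ACK: "host up, port open or pseudo-open",
        ICMP_PORT_UNREACH: "host up, port unreachable (device answered)",
        ICMP_HOST_UNREACH: "host reported unreachable (device answered)",
    }.get(reply, f"unrecognised reply {reply!r}")


# The response menu proposed in the post, mapped to the reply each produces.
POLICY_REPLY = {
    "Stealth/Filtered": NO_RESPONSE,
    "Closed": RST,
    "Pseudo-Open": SYN_ACK,
    "Destination Port Unreachable": ICMP_PORT_UNREACH,
    "Destination Host Unreachable": ICMP_HOST_UNREACH,
}


def what_policy_reveals(policy: str, n_probes: int = 3) -> str:
    """Inference an observer reaches after n_probes under a given policy."""
    return infer_state([POLICY_REPLY[policy]] * n_probes)
```

Running `what_policy_reveals` over every key in `POLICY_REPLY` shows that no option on the menu hides the fact that something is answering or deliberately not answering; the options differ in what they imply, not in whether they inform.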


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

said by R2:
. . . . The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. . . . .

Better still, firewalls could be configured to allow the user to decide how it is to respond. . . . . Now THAT would be an interesting firewall! :)
Ahhh!!! Great minds and all that!
--
Regards, Joseph V. Morris

Monday, 04-Jun 08:58:47 | © 1999-2012 dslreports.com