Re: Closed vs Stealthed Ports

Randy Bell (Premium Member, join:2002-02-24, Santa Clara, CA) to jvmorris:

I understand that hackers often use standard port scanners to do random port scans, looking for live IPs and open shares. Once the hacker determines he has a live IP, he can use the port-scanning program to investigate whether there are open shares on that IP. Steve Gibson includes examples of typical port scanners used by hackers on his GRC website, and it's interesting to see how easy it is for a relatively non-technical hacker (not a sophisticated one) to scan and probe for open shares.

I still like the idea of being stealth. Just yesterday, I was getting a zillion hits on Kazaa port 1214, for which I created a thread here inviting others' comments, because this has never happened before. My solution was, rather than disabling my firewall, I just logged off and on again with my ISP.

I have a PPPoE DSL connection which dynamically assigns a new IP when I dialup using the WinPoET dialer. The WinPoET software uses a virtual software dialup adapter that emulates a real dialup, so the WinPoET connection appears on my system just like an ordinary dialup connection. And as with a dialup connection, my IP is dynamically assigned when I dialup (logon).

So I figure even if someone were to discover my IP, I can always change it and go back into stealth mode. I prefer the idea of being invisible on the internet, if at all possible. Yet I understand the point made here by jv, R2, and others regarding stealth. Steve Friedl seems to think that stealth is overrated too: »Hundreds of KAZAA Port 1214 Hits Today

Sentinel (Premium Member, join:2001-02-07, Florida):

I agree R2. A firewall that would really make it look like this was an IP address that was "not in use" would be the best idea.

I think the argument over stealth has more to do with the wording used. When people say stealth is good they always use the terms "invisible" or "can't be seen". I think a more accurate term would be "camouflaged". You're still there, and if people know you are there they look harder to see you.

Much like camouflage, when you know something is there but it is hidden, and you look hard to see it, all of a sudden you see it! Plain as day and you wonder how come you didn't see it before. Does that mean you should not use camouflage? Does that mean camouflage is useless? Not at all. It just means that camouflage is good for deception but does not increase the actual security.

Stealth does not make the lock stronger. It just makes the lock blend into the background more so it does not stick out so much begging to be picked. But if one knows the lock is there, stealth or not, he can see it.

jvmorris, "I Am The Man Who Was Not There." (MVM, join:2001-04-03, Reston, VA) to Randy Bell:
said by Randy Bell:
I understand that hackers often use standard port scanners to do random port scans, looking for live IPs and open shares. Once the hacker determines he has a live IP, he can use the port-scanning program to investigate whether there are open shares on that IP. . . .
Thank you, Randy. I was a bit reluctant to characterize the argument of Stealth proponents in my original posting because I felt I might do so in a somewhat slanted fashion. It's much better to have a statement from someone who agrees with it.

But here's the problem as I see it with this argument. Just for purposes of argument, I would estimate that something like 95% of the people who even know what the term 'Stealth' refers to (in this context) either have used, are using, or at least know about software firewalls, hardware firewalls, or IDSs. An additional 4%, say, may be using nothing more than a hardware or software NAT/router that supports stealthing. Perhaps 1% then of people who recognize the term Stealth use none of the above. And that's where the entire 'benefits' of stealthing seem (to me) to fall apart. Almost all of these firewalls, routers, and IDSs can be configured to log port scans (assuming, of course, that the targeted ports are blocked to unsolicited inbound probes). And they stick out like a sore thumb. Every ISP (with which I am familiar) would take these logged events as prima facie evidence of a hostile intrusion attempt. (Maybe Lawrence Baldwin might care to elaborate on whether that's true or not.) And, just to be sure we're on the same page, when I say "port scan", I'm talking about a single remote IP address scanning multiple local ports in a relatively short period of time. You can nail anyone who's stupid enough to do this in practically no time at all. If you do run stealthed and get only the one probe, you really can't tell what it is; at that point, you really need a service like MyNetWatchman or dShield to collate events in order to determine if someone is up to no good, and even these services can only pick out someone who's scanning the internet willy-nilly. (I've got an absolutely hilarious example of some skiddy who kept poking me over in GRC about a year ago. He's no longer with us.)
quote:
. . . . it's interesting to see how easy it is for a relatively non-technical hacker (not a sophisticated one) to scan and probe for open shares.
Oh, it's easy as hell! (And even easier to catch 'em if they do it.)
quote:
. . . . Just yesterday, I was getting a zillion hits on Kazaa port 1214, for which I created a thread here inviting others' comments, because this has never happened before. My solution was, rather than disabling my firewall, I just logged off and on again with my ISP
Actually your port 1214 thread was what precipitated this more generic query. Still, I think Steve Friedl may well be right; if you'd been running non-Stealthed, you might have actually seen considerably fewer of those port 1214 probes in your logs.

And incidentally, as Steve, jaykaykay, and a couple of other folks pointed out, you shouldn't need to disable ZA to un-stealth; you'd only need to disable the stealthing.
quote:
. . . . So I figure even if someone were to discover my IP, I can always change it and go back into stealth mode. I prefer the idea of being invisible on the internet, if at all possible. Yet I understand the point made here by jv, R2, and others regarding stealth. Steve Friedl seems to think that stealth is overrated too: »Hundreds of KAZAA Port 1214 Hits Today
Oops, before I forget -- Randy, I'm not trying to be argumentative here so much as to simply elicit some substantive discussion of the general pros and cons of stealthing versus simply running with closed (or BLOCKed, if you prefer) ports. Didn't want you to take my comments above the wrong way.
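jvmorris defines a port scan above as a single remote address hitting multiple local ports in a short period, and notes that a single logged probe tells you nothing on its own. The following is an added example (not code from the thread or from any firewall vendor) of how a defender can apply exactly that rule to a firewall log. The log format "date time src_ip dst_port proto action" and all addresses are constructed for illustration and match no real product's output; the thresholds (5 distinct ports within 60 seconds) are assumptions a practitioner would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a generic "date time src_ip dst_port proto action"
# shape (not any real firewall's format). Addresses are documentation ranges.
SAMPLE_LOG = """\
2002-03-10 21:14:03 203.0.113.7 135 TCP BLOCK
2002-03-10 21:14:03 203.0.113.7 139 TCP BLOCK
2002-03-10 21:14:04 203.0.113.7 445 TCP BLOCK
2002-03-10 21:14:04 203.0.113.7 1214 TCP BLOCK
2002-03-10 21:14:05 203.0.113.7 27374 TCP BLOCK
2002-03-10 21:14:06 203.0.113.7 12345 TCP BLOCK
2002-03-10 21:20:11 198.51.100.22 1214 TCP BLOCK
2002-03-10 21:25:40 198.51.100.23 1214 TCP BLOCK
2002-03-10 21:31:02 192.0.2.9 80 TCP BLOCK
2002-03-10 22:05:02 192.0.2.9 443 TCP BLOCK
2002-03-10 22:40:00 192.0.2.9 8080 TCP BLOCK
"""


def parse_line(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    date, time, src, port, proto, action = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "src": src, "port": int(port), "proto": proto, "action": action}


def find_port_scans(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return sources that touched >= min_ports distinct local ports within `window`.

    Only BLOCKed (unsolicited inbound) events count, mirroring the assumption
    that the probed ports are closed to unsolicited traffic. A sliding window
    over each source's events finds the densest burst; slow scans spread over
    hours are deliberately below this threshold unless the window is widened.
    """
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] == "BLOCK":
            by_src[ev["src"]].append(ev)

    scans = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        best = None
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            ports = {e["port"] for e in events[start:end + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > best["ports"]):
                best = {"src": src, "ports": len(ports),
                        "first": events[start]["ts"], "last": events[end]["ts"]}
        if best:
            scans.append(best)
    return scans


def single_probe_sources(log_text):
    """Sources seen exactly once: locally there is no evidence beyond one packet,
    which is the case jvmorris says needs cross-site correlation to interpret."""
    counts = defaultdict(int)
    for raw in log_text.splitlines():
        if raw.strip():
            counts[parse_line(raw)["src"]] += 1
    return sorted(s for s, n in counts.items() if n == 1)


if __name__ == "__main__":
    for s in find_port_scans(SAMPLE_LOG):
        print(f"scan from {s['src']}: {s['ports']} ports between {s['first']} and {s['last']}")
    print("single-probe sources (need correlation):", single_probe_sources(SAMPLE_LOG))
```

Run as written, the six-port burst from 203.0.113.7 is flagged, the three hits from 192.0.2.9 spread over an hour are not (widen `window` and lower `min_ports` to catch slow scans, at the cost of false positives), and the two lone port 1214 hits are listed as single probes that only a collating service could put in context.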

jvmorris (MVM) to Sentinel:
said by Al Otero:
. . . .I think the argument over stealth has more to do with the wording used. When people say stealth is good they always use the terms "invisible" or "can't be seen". I think a more accurate term would be "camouflaged". . . .
Yeah, I think you've got a point there. The phrase 'stealth' is catchy, but sometimes it misleads people as to exactly what it's being used to represent.
. . . .

Randy Bell (Premium Member, join:2002-02-24, Santa Clara, CA) to jvmorris:
said by jvmorris:
Didn't want you to take my comments above the wrong way.
No problem. I wonder why all the testing sites make such a big deal about stealth, then? Is that just marketing and hype, or do the testing sites really think that stealth is better? I include, of course, Symantec's Security Check, from the makers of your beloved NIS -- they seem to value stealth, because you cannot get a good score from their security check unless you're stealthed.

MeeToo7, "You Too?" (Premium Member, join:2000-10-18, Ardmore, PA):
said by Randy Bell:
I wonder why all the testing sites make such a big deal about stealth, then? Is that just marketing and hype, or do the testing sites really think that stealth is better?
My rule of thumb is to assume first a business into making money will use hype and catchy words. Then I look into their claims on unbiased sites, such as university research sites, professional discussion sites etc. DSLR is an unbiased site, and although not everyone is professional, enough are that we can get good answers and links to further our research.

I think most for-profit sites don't really think "stealth" (a catchy word for non-responding ports) is better, but will lead you to think it is IF their products have stealthing options. I would imagine the developers themselves know better, but marketing departments have to put in their selling hype to sell their products.

Just like the "New and improved!" catch phrase used on every supermarket product these days. When you find out what's improved, many times it's just the box that pours better, or the product that smells better or has a nicer color. Is it really improved? No, but it sells better.

jvmorris, "I Am The Man Who Was Not There." (MVM, join:2001-04-03, Reston, VA) to Randy Bell:
said by Randy Bell:
. . . .Is that just marketing and hype, or do the testing sites really think that stealth is better? I include, of course, Symantec's Security Check, from the makers of your beloved NIS -- they seem to value stealth, because you cannot get a good score from their security check unless you're stealthed.
A question I can answer (but I'm not going to get specific, so there's no point in pressing me on the subject)! Every member of Symantec's NIS/NPF development team with whom I've ever corresponded considered 'stealth' as nothing more than marketing hype. Indeed, I detected a certain bitterness in some of the responses that I've had via e-mail. They seem to have felt somewhat compelled to provide 'stealth' capability in response to Steve Gibson's hoopla on the subject and were consequently forced to defer other enhancements that had already been scheduled for NIS/NPF. No one at Symantec is now going to publicly confirm what I've said above; so don't even bother asking.

MeeToo7, "You Too?" (Premium Member, join:2000-10-18, Ardmore, PA):
said by jvmorris:
They seem to have felt somewhat compelled to provide 'stealth' capability in response to Steve Gibson's hoopla on the subject and were consequently forced to defer other enhancements that had already been scheduled for NIS/NPF. No one at Symantec is now going to publicly confirm what I've said above; so don't even bother asking.

That certainly makes sense to me and I don't need any concrete proof to believe what you're saying. When you're selling a product and run into competition, the natural laws of business and capitalism demand that you respond that way. It's not unethical or immoral, it's just business.

jvmorris, "I Am The Man Who Was Not There." (MVM, join:2001-04-03, Reston, VA):
said by MeeToo:
. . . . That certainly makes sense to me and I don't need any concrete proof to believe what you're saying. When you're selling a product and run into competition, the natural laws of business and capitalism demand that you respond that way. It's not unethical or immoral, it's just business.
MeeToo,
This is one of those "Yes, well, but ... " responses. Far too much of the publicly accessible information from Symantec is market-driven, so people tend to assume their developers have the same attitude.

I don't believe this is true, based on my correspondence with them over the past two years. As far as I can tell, most members of the Symantec development team for NIS/NPF saw the Atguard firewall technology as an ideal launching pad for a second-generation software-based personal firewall. And they don't like having their development agenda usurped by individuals outside the operation with a tremendous popular following who advocate 'solutions' to largely non-existent problems. (What, precisely, is the 'exploit' that exploits non-stealthed firewall-protected machines or the masquerade capability demonstrated by Steve Gibson's Leaktest? I don't know. I've never seen one documented -- and certainly not before Steve made such a big deal over these issues.)

I think they have (or at least had) very clear goals in mind (and in all honesty it's not as large a development team as some readers seem to assume). Even without the external 'nudges', there are a lot of things that these guys see as needing to be done. What are these other issues? I can only speculate and that wouldn't be fair to these guys, because I'm not a privileged correspondent with the team (and if I were, I certainly couldn't tell you anyway).

So, what's a guy to do if not rely on Steve Gibson or someone similar to identify 'deficiencies'? Well, one could always do what I do: Bitch; privately, via e-mail with the vendor of your choice. (This makes one incredibly popular with the vendor, at least in my experience.) Some you win (eventually); some you lose, and some get deferred 'til the next release (or so). I liked R2's initial posting; I hope some of the vendors that frequent here read this thread and respond constructively to it.

callihn4 (Member, join:2002-01-10, Space) to Sentinel:
said by Al Otero:
I agree R2. But if one knows the lock is there, stealth or not, he can see it.
Hey, that was well written. Until that last part: if all your ports are in stealth mode and you deny ICMP, unless they are watching you at the server end or sniffing your traffic, they will get the same response as if the IP is unused, and it should be common sense that you cannot hide from those you are connecting to, but you can control it. Perhaps a little imagination would be in order? If I put it in a box, whatever you would like it to be, and you know I put it there, do you know where it is now? It's not in the box. But the point is, why do you still wish to know where it is when you have already seen you cannot open it?