Re: Closed vs. Filtered in Security http://www.dslreports.com/forum/r7615482 en Sun, 29 Nov 2009 19:37:30 EDT Sun, 29 Nov 2009 19:37:30 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7627418 reaver221 : I could very well be wrong, but wouldn't 'stealth' help to defeat accurate OS detection?

For example, nmap supposedly needs to get responses from both closed and open ports to do a good job of detecting a target host's OS, because 'stealth' = less OS specific packets to fingerprint.

I didn't get a chance to read much of the thread that Randy linked to, so this could've already be talked about. :)
[text was edited by author 2003-08-08 19:30:44]
]]> http://www.dslreports.com/forum/remark,7627418 Fri, 08 Aug 2003 19:29:06 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7626563 catahoula7 :
said by Reverend Ike See Profile:


Stealth is like a phone with Caller ID. A telemarketing autodialer calls, the resident doesn't answer, the phone rings and rings. Closed is like an answering machine with an auto-response "There is nobody at home" which doesn't accept incoming messages. In either case, the autodialer just moves on. But when the autodialer starts a new cycle, it will call the same number again, just in case someone might answer next time.

On paper, it seems slightly more desirable to have your ports stealthed rather than closed. But in the real world, with zombie machines and lightning-fast port scanners, I don't think it makes any difference. Nobody is going to sit around and keep hammering one port just because it is "closed" rather than "stealthed", when there are millions of open ports waiting on millions of other machines ... :)


Excellent! A very clear analogy.

Thank you.
--
--Catahoula Hound Dawg]]> http://www.dslreports.com/forum/remark,7626563 Fri, 08 Aug 2003 17:55:53 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7625541 R2 : Well said.]]> http://www.dslreports.com/forum/remark,7625541 Fri, 08 Aug 2003 16:00:46 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7624659 Reverend Ike :
I think the critical question is whether the person ("hacker") sending the packets actually cares whether a port is "closed" or "stealth". IMHO, I doubt it. If a port is stealthed, does the hacker put it on a "don't bother" list and never try that port again? Of course not. He has no way of knowing that a stealthed port won't be an open port an hour or a day or a week from now. Same thing with a closed port. For the moment, all he cares about is "open" or "other". If it's open, he tries to break in, if it's other, he moves on to the next port or next IP address.

Stealth is like a phone with Caller ID. A telemarketing autodialer calls, the resident doesn't answer, the phone rings and rings. Closed is like an answering machine with an auto-response "There is nobody at home" which doesn't accept incoming messages. In either case, the autodialer just moves on. But when the autodialer starts a new cycle, it will call the same number again, just in case someone might answer next time.

On paper, it seems slightly more desirable to have your ports stealthed rather than closed. But in the real world, with zombie machines and lightning-fast port scanners, I don't think it makes any difference. Nobody is going to sit around and keep hammering one port just because it is "closed" rather than "stealthed", when there are millions of open ports waiting on millions of other machines ... :)]]> http://www.dslreports.com/forum/remark,7624659 Fri, 08 Aug 2003 14:21:45 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7622521 R2 :
said by catahoula7 See Profile:
So the "closed" state would be the most idea(l) then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
It depends on how you look at it...

I believe the term "stealth", was coined or at least put into THIS general use by GRC. Previously, the term "stealth" refered to the TYPE of port scan being done. Regardless, at this point in time we have to accept that many people are going to use the term "stealth" to mean "filtered" -- which simply means the packet was "dropped". This means, the receiving computer sends NO acknowledgement back to the requesting computer.

If someone is probing your ports and every single probe is not returned, then your computer is relatively "invisible" -- meaning that the prober does not know for sure if your computer is on the Internet or not. You could simply have your computer turned off or unplugged it -- the prober cannot easily tell. You cannot assume with 100% certainty that a "stealth" response (i.e., no response) means the user has a firewall.
______________________________

An "ICMP-Host Unreachable" packet is not generated when a firewall "drops" or "filters" a packet -- as stated above.

However, when I tried to probe non-existent IP addresses (e.g., 123.123.123.123 or 111.111.111.111) with 4 TCP/IP SYN packets, I also got NO RESPONSE -- the reqests "timed out". I did NOT get back any ICMP-Host Unreachable packets -- I don't know why. I just know that when I probed port 80 on those addresses with 4 TCP/IP SYN packets, I got no reponse at all.

If I probe port 80 at DSLR, I get an OPEN response (open = SYN/ACK) -- see above. If I probe port 81 at DSLR, I get a CLOSED response (ACK/RST). If I probe port 1234 at DSLR, I get back nothing -- a "filtered" or "stealth" response -- if you will. I get the same response (NONE) when I probe port 1234 here that I do when I probe any port at the non-existant sites.

That being said, I then tried a simple ping of those addresses, and I found this:

Pinging 123.123.123.123 with 32 bytes of data:

Request timed out.
Reply from 65.112.160.53: Destination host unreachable.
Request timed out.
Reply from 65.112.160.53: Destination host unreachable.

Ping statistics for 123.123.123.123:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\Desktop>ping 111.111.111.111

Pinging 111.111.111.111 with 32 bytes of data:

Request timed out.
Reply from 65.123.254.57: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 111.111.111.111:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Which -- I believe -- just so happens to prove MeDuZa's point!:) Even though I got no response to a TCP/IP probe, at least SOME of the ICMP probes clearly come back Destination Host Unreachable. But not all...

Therefore, perhaps with extensive probing one could figure out with some partial degree of certainty that the computer has a firewall. BUT... given the eratic response of the ICMP packets, this seems a little challenging and makes it difficult to be absolutely certain....
[text was edited by author 2003-08-08 10:39:29]
]]> http://www.dslreports.com/forum/remark,7622521 Fri, 08 Aug 2003 10:35:32 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7617340 Randy Bell :
said by gwion See Profile:
The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state.
Precisely what R2 See Profile stated, thanks gwion See Profile.

[text was edited by author 2003-08-07 19:57:30]
]]> http://www.dslreports.com/forum/remark,7617340 Thu, 07 Aug 2003 19:47:09 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7617188 gwion : I think he may be using "filtered" as used as a term of art by nMap and nMap inspired port scanners, perhaps? An nMap scan might return something like:

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap )
Interesting ports on 195.98.xxx.xxx:
(The 1601 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
22/tcp open ssh
113/tcp closed auth

From the nMap man page, »www.insecure.org/nmap/data/nmap_manpage.html :

The result of running nmap is usually a list of interest­
ing ports on the machine(s) being scanned (if any). Nmap
always gives the port's "well known" service name (if
any), number, state, and protocol. The state is either
"open", "filtered", or "unfiltered". Open means that the
target machine will accept() connections on that port.
Filtered means that a firewall, filter, or other network
obstacle is covering the port and preventing nmap from
determining whether the port is open. Unfiltered means
that the port is known by nmap to be closed and no fire­
wall/filter seems to be interfering with nmap's attempts
to determine this. Unfiltered ports are the common case
and are only shown when most of the scanned ports are in
the filtered state.
--
I'm not good,
I'm not nice,
I'm just right.
I'm the Witch.
You're the world. ]]> http://www.dslreports.com/forum/remark,7617188 Thu, 07 Aug 2003 19:30:32 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7617142 catahoula7 :
said by Marilla See Profile:
"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:
[..]

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)...
[..]
so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.


I get them backwards too sometimes ! lol

So the "closed" state would be the most idea then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
--
--Catahoula Hound Dawg]]> http://www.dslreports.com/forum/remark,7617142 Thu, 07 Aug 2003 19:24:45 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7616281 MeDuZa : The frequently used association of STEALTH with INVISIBLE is snake oil.
In case you wouldn't be there the nearest router located at your provider would respond with
"ICMP-Host unreachable"
No answer means that you are there and the requests have been dropped by a packet filter(FW)

REJECT means an active refuse of a connection attempt with a special ICMP message.
DENY means to throw away the connection attempts. The inquiring computer gets a timeout in this case.]]> http://www.dslreports.com/forum/remark,7616281 Thu, 07 Aug 2003 17:52:18 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7615625 Randy Bell : In the context of the thread title: "closed vs filtered" -- I think R2 See Profile got it right:
said by R2 See Profile:
for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.
I think the other interpretation is not consistent with what the thread author means in his thread title. JMHO, HTH ;-)
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,7615625 Thu, 07 Aug 2003 16:41:11 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7615482 Marilla : "stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:

Open: Meaning a service is active and responding on that port.
Closed: Meaning communications are getting through to the host on the port in question, but that host has no daemons/services and is responding to that effect.
Stealth: Meaning the communication was simply dropped, and no response was sent at all.

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)... but when a firewall "Rejects" a packet, that will result in a "Stealthed" result.. when a firewall "Deny", there may be a "Closed" response... As I said, I may have 'reject' and 'deny' backwards... but one simply sends the communication to the great packet bucket in the sky, but the other one sends a specific reply saying, "nothing to see here".

so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.]]> http://www.dslreports.com/forum/remark,7615482 Thu, 07 Aug 2003 16:26:36 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7615409 catahoula7 :
said by R2 See Profile:


Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.


I thought "Reject" sent a response And "DENY" just dropped the packet.

Where did "stealth" come from anyway? I thought there was just the "Drop" and "Reject" flags?


--
--Catahoula Hound Dawg]]> http://www.dslreports.com/forum/remark,7615409 Thu, 07 Aug 2003 16:18:31 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7613724 R2 :
said by catahoula:
If i understand correctly, filtered and closed will give the same response to someone probing that port. Which is nothing. The packet will just silently be dropped and it will seem that there is no computer at the end.
Not exactly... for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.]]> http://www.dslreports.com/forum/remark,7613724 Thu, 07 Aug 2003 13:19:40 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7611588 catahoula7 :
said by Maven See Profile:
Forgive me if this has been answered before, but I search Yahoo and the security FAQ yet came out empty. What is the difference between closed and filtered ports? If a computer has all it's ports closed, why would it not be fine?


Yes, that should be fine.
If i understand correctly, filtered and closed will give the same response to someone probing that port. Which is nothing. The packet will just silently be dropped and it will seem that there is no computer at the end.

OTOH, if the firewall is set to "deny" it drops the packets and notifies the probing host that the packet was rejected.
Which lets the probing computer know there is a machine at the other end.
--
--Catahoula Hound Dawg]]> http://www.dslreports.com/forum/remark,7611588 Thu, 07 Aug 2003 07:29:20 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7611170 Randy Bell :
said by Maven See Profile:
In my case, since the command netstat -an reports nothing unless running an internet application, I assume that running a firewall would be redundant. I am on WinME with NetBios disabled and not running file sharing.
Maybe sometimes little "redundant" so far as inbound traffic control; but not so far as outbound control. Without a firewall, you have no outbound control, over rogue programs or apps that might try to connect out to the Net. You also have no logging of traffic in/out of your box. This is why I usually recommend a software firewall, even for people who have a NAT router; since the router takes care of inbound traffic but has no effective outbound control. I too have a tight system with NetBEUI substituted for local networking, file sharing and NetBIOS uncoupled {unbound} from TCP/IP, etc. -- but I still use ZA on all boxes in my home network. HTH ;-)
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,7611170 Thu, 07 Aug 2003 03:41:59 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7611115 Maven : Thanks for the replies.

Wow, that's quite the discussion Randy Bell See Profile. I've only read the first 2 pages, but I've picked up the gist of it so far - Stealth is overrated. It reminds me of the recent thread called "Uh Oh... You're not going to like this!" (»Uh Oh... You're not going to like this! , where there is an interesting discussion on whether firewalls are useful or not.

In my case, since the command netstat -an reports nothing unless running an internet application, I assume that running a firewall would be redundant. I am on WinME with NetBios disabled and not running file sharing.
[text was edited by author 2003-08-07 03:27:57]]]> http://www.dslreports.com/forum/remark,7611115 Thu, 07 Aug 2003 03:23:22 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7610925 Randy Bell : The classic discussion at DSLR was done in this old thread:

Closed vs Stealthed Ports
»Closed vs Stealthed Ports

but it is quite long, I warn you .. yet very informative and interesting.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,7610925 Thu, 07 Aug 2003 02:26:06 EDT Re: Closed vs. Filtered http://www.dslreports.com/forum/remark,7610877 Marilla : Someone may correct me on specifics... as nit-picky as I can be, I'm not always that great on exact wording... that said:

As far as I understand it, 'Closed' and 'Filtered' aren't really directly related...

Closed means that no daemon/service is configured to respond on the port in question on a specific host.

Filtered means that there is a firewall somewhere which is 'intercepting' and dropping communications for a port. Actually, you don't so much filter a PORT as you filter datagrams based on whatever the rules are... and it's entirely possible that the 'rules' can be "drop all packets for this port" or "drop all packets EXCEPT those for this port"

The reason I say they aren't neccesarily directly related is this: It's entirely possible for a port to be OPEN, yet filtered. In fact, that's one of the greatest reasons to have a firewall in the first place: To enable a service (such as file sharing) to be available on your private network, but to have connections from outside to that service 'filtered' such that they do not get through.

Or.. umm.. something like that!

So, to answer your last question: If ALL of the ports are truly closed, then it would seem there isn't really a need for them to be filtered, too... but.. there's justa little more, because I mentioned a THIRD possibility above: Dropped.

When a port is 'closed', say port 80, and I try to connect to a computer on that port, the computer in question usually sends back an instant reply saying, "Hey, I don't have any service running on that port!" That's the normal behavior on a 'closed' port.

When communications to that port are "filtered" or "dropped", though... that "there's nothing here" response never gets sent. This is usually what some online tests mean when they say a port is 'stealthed', and it is a little better than simply being 'closed', because it forces a port scan to wait for a timeout before it can declare the port responding or not.]]> http://www.dslreports.com/forum/remark,7610877 Thu, 07 Aug 2003 02:17:20 EDT Closed vs. Filtered http://www.dslreports.com/forum/remark,7610828 Maven : Forgive me if this has been answered before, but I search Yahoo and the security FAQ yet came out empty. What is the difference between closed and filtered ports? If a computer has all it's ports closed, why would it not be fine?]]> http://www.dslreports.com/forum/remark,7610828 Thu, 07 Aug 2003 02:06:51 EDT