gkweb
join:2003-06-09
76800
1 edit | reply to MxxCon
Re: Place your bets - Closed vs Stealthed
That you send TCP/UDP or ICMP packets makes no difference, if you don't exist, the last router should send back an "host unreachable" ICMP message.
That's why indeed "FILTERED" is probably more right than "stealth", because that's what you do, filtering (drop).
The absence of any message clearly shows you are there, dropping packets. "Stealth" is misleading in the way it could mean invisible.
The advantages of stealth are not to make you invisible, but rather to allow you to mitigate reflective attacks and in few cases to save upstream bandwidth. Also, security scanners such as nmap need at least one open port and one closed port to guess your OS. If you are running a server (some IM software or P2P are acting like servers) and you are not sending back responses from closed ports, it may help to prevent giving away too much information about your OS.
Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com
*member of ASAP : Alliance of Security Analysis Professionals* |
|
MxxCon
join:1999-11-19
Brooklyn, NY
clubs:  
| reply to jbob
said by jbob  :Not true. A response from a non-existant IP should be "Destination unreacheable" whereas there is NO response from a "Filtered" IP port. that is incorrect because "Destination Unreachable" is an ICMP error message, where as port scans are either TCP or UDP.
--
[Sig removed by Administrator: Signature can not exceed 20GB] |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
 ·Comcast
 ·AT&T Southwest
| reply to MxxCon
said by MxxCon :said by rotty97 :Apprarently the response a hacker gets from a "Stealthed" port is different then a response you get from an IP that doesn't exist. if all of your ports are FILTERED(i hate 'stealthed' term), it will appear exactly the same as non-existing ip, so 'a hacker' will not get a different response because he will not get a response at all. Not true. A response from a non-existant IP should be "Destination unreacheable" whereas there is NO response from a "Filtered" IP port. Or something like that!  If one is paying attention that of course means something is there, it's just not answering. In that sense "Filtered" makes more sense than "Stealthed!" |
|
MxxCon
join:1999-11-19
Brooklyn, NY
clubs:
| reply to rotty97
said by rotty97 :Apprarently the response a hacker gets from a "Stealthed" port is different then a response you get from an IP that doesn't exist. if all of your ports are FILTERED(i hate 'stealthed' term), it will appear exactly the same as non-existing ip, so 'a hacker' will not get a different response because he will not get a response at all.
--
[Sig removed by Administrator: Signature can not exceed 20GB] |
|
rotty97
join:2005-06-30
Australia
| reply to gkweb
Apprarently the response a hacker gets from a "Stealthed" port is different then a response you get from an IP that doesn't exist. So stealthing a port is just as good as having it closed. The hacker knows your their but can't do much with you unless you have unsecure apps listening on the internet.
cheers, rotty |
|
gkweb
join:2003-06-09
76800
| reply to Link Logger
Hello,
As I said in the other topic, I think that close will attract less attention than stealth (because stealth means you do not have an answer, so you retry again instead of moving away).
Anyway, I think that at the end you will just prove one advantage of "close", the same way that "stealth" has it's own advantages too. I'm not sure how could this test trash one or the other, no matter the result.
Regards,
gkweb.
--
Firewall tester : »www.firewallleaktester.com
*member of ASAP : Alliance of Security Analysis Professionals* |
|
