  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| Closed vs Stealthed Ports
A while back, Randy Bell and I got into a discussion of just how important stealthing really was (errr, is). As I recall, the discussion was precipitated by the PC Flank Stealth test. It had seemed to me for some time that some people were literally choosing software firewalls almost exclusively on the basis of how well they did on the PC Flank Stealth Test.
I might as well confess here and now that I've always been a bit skeptical about the advantages of stealthing. I certainly would not make it a predominant criterion in selecting a personal software firewall under any circumstances.
I think it might be worthwhile to initiate a thread on the real pros and cons of stealthing.
So, to kick off the discussion, I thought I'd throw in my two cents worth. First, I have often contended that stealthing (with its "no answer" solution) can actually generate more nuisance traffic than a simple closed response. To be sure, this redundant traffic is unlikely to overload the Internet or even result in a Denial of Service impact on your own machine. What it can do, however, is distract a user by leading them to spend an inordinate amount of time trying to figure out why all the traffic is being generated as the offending remote application continues to pound away at your IP address in the vain hope that something will magically appear on the IP address you are using. This clearly happened with the Code Red worms of last summer. Depending on the Code Red variant, it would pound a stealthed IP address/port anywhere from three to about ten times as much as it would a non-stealthed, but closed IP address. (And let's not forget the unfortunate cable users who got hit with the ARP flood of Code Red II, in particular -- that was a pretty good, but apparently unintended denial of service attack against these individuals.) And apparently, if Steve Friedl is correct, KaZaA will just continue to pound away mindlessly forever! Now, again, this is more or less a subjective impression on my part. I don't have any real way to scientifically test it, but I was wondering if anyone out there might have some solid data on this effect?
Next point: What's the real advantage of stealthing actually supposed to be? As I understand it, the argument goes something like this: If you're Stealthed, the bad guys won't even know you're there; if you're closed, they know you're there, but they can't get in anyway. (I might add that I'm not convinced that the first part of this assertion is even correct. The very absence of a response conveys information.) So, what's so bad about just being closed? Is someone going to pound away on your closed port? I don't think so. In the first place, it would be pointless; most of us don't raise and drop firewalls every few minutes or hours. Secondly, that pounding away against a closed (as opposed to closed and stealthed) port is pretty much evidence of a deliberate intrusion attempt by someone rather clueless.
"Yes, but ...", the Stealth proponent tends to respond, "if they know you're there, then they'll go looking for some other way to get in!" But is this really true, especially today? I think not. You see, after that original discussion with Randy, I completely unstealthed my system. In other words, anyone probing me will find closed ports, not stealthed ports. In the past ten days, I have seen not one port scan after an unsolicited single port probe has hit this box. (I'm excluding the port scans that my ISP runs periodically to ensure I'm not running any proscribed internet servers.)
So, really guys, what are the advantages of running Stealthed? Is my experience of the past ten days just a fluke? -- Regards, Joseph V. Morris |
|
  OzarkMan$
join:2000-12-22 Ozark Mtns.
| quote: stealthing (with its "no answer" solution) can actually generate more nuisance traffic than a simple closed response.
Simply put for me....if I don't exist I can't be bothered. I apply this same theory when it comes to Halloween also  |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| said by OzarkMan: ....if I don't exist I can't be bothered. I apply this same theory when it comes to Halloween also
Well, I want to follow up on your solution for Halloween, but perhaps we'd best do that via IM! 
But, more to the point, the first part of your statement is not quite true. A lot of stealthed ZA users were certainly 'bothered' by the ARP flood associated with Code Red last year. I think Robert Wycoff, over in the GRC newsgroups, was effectively knocked offline for about three days, as a matter of fact. -- Regards, Joseph V. Morris |
|
  Michael Premium join:2001-05-06 Canada
| reply to OzarkMan$ I am assuming you are writing that you do not "exist" because you are stealthed. But what about Joseph's point that a stealthed computer does in fact convey information due to the lack of response?
I am thinking along the lines that when information is conveyed that an IP address is stealthed but in use, that IP address might just be a more interesting target than an IP address that reflects all ports are closed.
The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me. |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| said by Michael: . . . . The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.
For the sake of completeness, I should add that the last good discussion (that I've seen) of what this "no information" solution conveys was in the USENET NNTP newsgroup comp.security.firewalls . I'll try to track down the thread later today. -- Regards, Joseph V. Morris |
|
  Sentinel Premium join:2001-02-07 Florida
| reply to jvmorris I think the best way to put it is...
It is harder for a bad guy to pick the lock on your door when he is not quite sure where the door is or if the door even exists. It is still possible for people to find you even when you are stealth because your IP address goes everywhere. If you log into a chat room or visit a web site they have your IP address so they know a PC is there, even if it does not respond.
It is kind of like a random burglar or a thief who knows you. A random hacker who is just scanning IP addresses will likely skip you if you are stealth because it appears as though you are not there.
A hacker that knows you are there, knows you are there. Therefore stealth does not give any additional security in this case.
Consider a burglar just walking down the street looking for an empty house. If you have a car in your driveway and a light on could you be home? Maybe. Maybe not. He is not sure. This is stealth.
Consider a burglar that is a friend of your son. He knows when you are home and he knows what goods you have in the house. This is not stealth.
Are you any more secure being stealth as in the first scenario above? No. The door is the same, the locks are the same. The difference is that in the first scenario you add the element of chance to the mix. It makes it a little harder for the hacker to pick a target. Are you more secure? No. You are just lowering your chances of becoming a target. That's all. -- AL |
|
  R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
| reply to Michael This is correct. The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information.
It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that address is viable but that the ports are being filtered (stealthed).
A more interesting response from a firewall would be for it to return an ICMP "Destination Unreachable" packet (either code 1 or 3). This way instead of the "absence of response" that firewall is giving a "response of absence".:)
Better still, firewalls could be configured to allow the user to decide how it is to respond. Response to SYN packet scan (select one):
[_] Stealth/Filtered (no response)
[_] Closed (RST packet)
[_] Pseudo-Open [port closed] (SYN,ACK packet)
[_] Destination Port Unreachable (ICMP 3,3 packet)
[_] Destination Host Unreachable (ICMP 3,1 packet)
Now THAT would be an interesting firewall!:) |
|
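The following is an added example, not code from this thread or from any firewall product. It models the five SYN responses R2 lists (no response, RST, SYN/ACK, ICMP 3/3, ICMP 3/1) from the defender's side, and shows two things the posts argue in words: jvmorris's point that silence makes a client keep retransmitting (more log noise than a single RST), and R2's point that several unanswered probes are read as "filtered, address in use" rather than "nobody there". The SYN retry count, the per-packet loss rate and the state names are constructed assumptions for the model, not measured values.

```python
"""Model of the SYN-probe response options listed in R2's post, and of what a
remote observer can infer from each.  Added example for this thread; the retry
count and loss rate are constructed assumptions, not measurements."""
from collections import Counter
from enum import Enum
from typing import List, Optional, Tuple


class Policy(Enum):
    """How the firewall answers an unsolicited SYN (R2's five checkboxes)."""
    FILTERED = "no response"       # "stealth": the SYN is silently dropped
    CLOSED = "RST"                 # ordinary closed port
    PSEUDO_OPEN = "SYN/ACK"        # looks open, nothing actually listens
    PORT_UNREACHABLE = "ICMP 3/3"  # ICMP destination port unreachable
    HOST_UNREACHABLE = "ICMP 3/1"  # ICMP destination host unreachable


# Assumption: a client whose SYN goes unanswered retransmits it this many
# times before giving up (a round figure chosen for the model; real stacks vary).
SYN_RETRIES = 5


def firewall_response(policy: Policy) -> Optional[str]:
    """The single reply the firewall sends for one SYN, or None when it drops it."""
    return None if policy is Policy.FILTERED else policy.value


def packets_sent_by_prober(policy: Policy, retries: int = SYN_RETRIES) -> int:
    """SYNs one connection attempt puts on the wire against this policy.

    Any explicit answer (RST, ICMP unreachable, even SYN/ACK) ends the attempt
    after the first packet; silence leaves the client retransmitting until its
    retry budget is spent.  This is the extra 'nuisance traffic' jvmorris
    attributes to stealthing.
    """
    return 1 + retries if firewall_response(policy) is None else 1


def infer_state(replies: List[Optional[str]], loss_rate: float = 0.05) -> Tuple[str, float]:
    """What an observer concludes from the replies to repeated probes of one port.

    Returns (state, probability that every silent probe was merely lost in
    transit, assuming independent losses at `loss_rate`).  A run of unanswered
    probes is therefore read as 'address in use, port filtered', not 'nobody home'.
    """
    answered = [r for r in replies if r is not None]
    if answered:
        kind = Counter(answered).most_common(1)[0][0]
        state = {"SYN/ACK": "open", "RST": "closed",
                 "ICMP 3/1": "host-unreachable"}.get(kind, "port-unreachable")
        return state, 0.0
    return "filtered", loss_rate ** len(replies)


def probe(policy: Policy, n: int = 3, loss_rate: float = 0.05) -> Tuple[str, float]:
    """Probe a host running `policy` n times (no loss simulated) and infer its state."""
    return infer_state([firewall_response(policy) for _ in range(n)], loss_rate)


if __name__ == "__main__":
    for pol in Policy:
        print(f"{pol.name:17} prober sends {packets_sent_by_prober(pol)} SYN(s); "
              f"observer infers {probe(pol)}")
```

With three silent probes and a 5% loss rate the chance that all three were simply lost is 0.05^3, so the observer's working conclusion is "filtered", which is exactly the information R2 says the "absence of a response" carries.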
  Time Out$ Premium join:2002-04-28 North Myrtle Beach, SC
| reply to jvmorris You decide !
I am not going to argue the point of stealth vs. closed..but I hope some of you can read this link and its thread. It does not exist anymore in the real world for it has been "hidden"..but google may have it a while longer.
This is a conversation between people on how to hack through those firewalls.
»216.239.51.100/search?q=cache:iW···nl/forum |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to jvmorris Re: Closed vs Stealthed Ports
I understand that hackers often use standard port scanners to do random port scans, looking for live IPs and open shares. Once the hacker determines he has a live IP, he can use the port-scanning program to investigate whether there are open shares on that IP. Steve Gibson includes examples of typical port scanners used by hackers on his GRC website, and it's interesting to see how easy it is for a relatively non-technical hacker (not a sophisticated one) to scan and probe for open shares.
I still like the idea of being stealth. Just yesterday, I was getting a zillion hits on Kazaa port 1214, for which I created a thread here inviting others' comments, because this has never happened before. My solution was, rather than disabling my firewall, I just logged off and on again with my ISP.
I have a PPPoE DSL connection which dynamically assigns a new IP when I dialup using the WinPoET dialer. The WinPoET software uses a virtual software dialup adapter that emulates a real dialup, so the WinPoET connection appears on my system just like an ordinary dialup connection. And as with a dialup connection, my IP is dynamically assigned when I dialup (logon).
So I figure even if someone were to discover my IP, I can always change it and go back into stealth mode. I prefer the idea of being invisible on the internet, if at all possible. Yet I understand the point made here by jv, R2, and others regarding stealth. Steve Friedl seems to think that stealth is overrated too: »Hundreds of KAZAA Port 1214 Hits Today |
|
  Sentinel Premium join:2001-02-07 Florida
| I agree R2. A firewall that would really make it look like this was an IP address that was "not in use" would be the best idea.
I think the argument over stealth has more to do with the wording used. When people say stealth is good they always use the terms "invisible" or "can't be seen". I think a more accurate term would be "camouflaged". You're still there and if people know you are there they look harder to see you.
Much like camouflage, when you know something is there but it is hidden, and you look hard to see it, all of a sudden you see it! Plain as day and you wonder how come you didn't see it before. Does that mean you should not use camouflage? Does that mean camouflage is useless? Not at all. It just means that camouflage is good for deception but does not increase the actual security.
Stealth does not make the lock stronger. It just makes the lock blend in to the background more so it does not stick out so much begging to be picked. But if one knows the lock is there, stealth or not, he can see it. -- AL |
|
  OzarkMan$
join:2000-12-22 Ozark Mtns.
| reply to jvmorris quote: the first part of your statement is not quite true
Sure it's true Joseph since I base my thinking on the same facts R2 shared in his initial post. I also agree with the premise that Stealth is over-rated. In fact with my surfing habits, download management, I'm quite content for now BUT am always concerned about the traffic that I don't know about. |
|
  MeeToo7 You Too? Premium join:2000-10-18 Ardmore, PA clubs: 
| reply to jvmorris As the hackers in the link TimeOut posted demonstrate, they are not as interested in getting past a firewall as they are going around it, by means of other executable programs.
said by hacker:
You can get past firewalls quite easily apparently... you haven't been reading secureroot lately, have you? Easiest way is use the services that are allowed by the firewall, like email, internet - Outlook & IE particularly have some well documented holes that allow you to upload your code & execute it directly on the victim's machine without them having to click on anything. Beyond that other email clients & browsers have similar, if less documented holes, as do just about any application. You just see which applications the firewall is allowing & use them, rather than try to beat the firewall directly. You can also piggyback code on a socket that's already open - tunnelling from the outside as it were... and various other tricks which I have only read about & never tried.
So IMO, showing ports closed through firewall instead of stealthing them is less trouble in the long run, and just as secure (or more to the point, insecure, as there's no such thing as completely secure).
But with either case of stealth or closed ports, one needs to apply other security measures and habits, such as using AV and updating them regularly, applying patches regularly, and securing browsers and other internet access apps out of their defaults. One should not get the false sense of security with being stealth and thinking one is invisible, which might lead to lax security habits and implementations.
[text was edited by author 2002-06-06 11:55:42] |
|
  R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
| reply to jvmorris I think that despite our disagreements, we essentially agree.:)
There are perhaps some benefits to being stealth -- but they are probably not great. If a hacker is using some automated scanner to pick up addresses and the scanner is designed to ignore 'stealthed' responses, then perhaps it is a good thing. Otherwise I am not sure it buys you much 'protection'.
Regardless, if someone knows your IP address and is specifically trying to attack you, then I don't think stealth vs. closed matters that much -- either way that door is closed.
As MeeToo points out -- and I firmly believe -- that VAST majority of attacks are not through the firewall but around it. Email attachments and <SCRIPT> in HTML remain the MAJOR threats. JMHO. |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| reply to R2 said by R2: . . . . The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. . . . .
Better still, firewalls could be configured to allow the user to decide how it is to respond. . . . .Now THAT would be an interesting firewall!:)
Ahhh!!! Great minds and all that!  -- Regards, Joseph V. Morris |
|
 dave Premium,MVM join:2000-05-04 not in ohio | reply to jvmorris The greatest benefit is marketing. "Stealth" sounds real hi-tech, secure, non-radar-reflecting, state-of-the-art. "Closed" is, just, well, closed. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by dave: The greatest benefit is marketing.
This is a great deal of it. And security scans that give better scores to "stealthed" ports versus "closed" ports contribute to this hype as well - who wouldn't want a "better" score on a security test?
I believe that the benefits of stealth are seen in indirect proportion to really understanding how TCP/IP actually works.
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net |
|
  R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
| All to the point. Isn't the 'official' name for a non-responding port "Filtered"? That certainly doesn't have very good marketability.
But "Stealthed" -- now THAT sounds cool!:) I wonder who was first to coin the term "stealth" for a port. In previous years the scans were called "stealth" (e.g., a FIN scan) and the ports were "filtered". |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by R2: But "Stealthed" -- now THAT sounds cool!:) I wonder who was first to coin the term "stealth" for a port.
Steve Gibson?  |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| reply to Randy Bell said by Randy Bell: I understand that hackers often use standard port scanners to do random port scans, looking for live IPs and open shares. Once the hacker determines he has a live IP, he can use the port-scanning program to investigate whether there are open shares on that IP. . . .
Thank you, Randy. I was a bit reluctant to characterize the argument of Stealth proponents in my original posting because I felt I might do so in a somewhat slanted fashion. It's much better to have a statement from someone who agrees with it.
But here's the problem as I see it with this argument. Just for purposes of argument, I would estimate that something like 95% of the people who even know what the term 'Stealth' refers to (in this context) either have used, are using, or at least know about software firewalls, hardware firewalls, or IDSs. An additional 4%, say, may be using nothing more than a hardware or software NAT/router that supports stealthing. Perhaps 1% then of people who recognize the term Stealth use none of the above. And that's where the entire 'benefits' of stealthing seem (to me) to fall apart. Almost all of these firewalls, routers, and IDSs can be configured to log port scans (assuming, of course, that the targeted ports are blocked to unsolicited inbound probes). And they stick out like a sore thumb. Every ISP (with which I am familiar) would take these logged events as prima facie evidence of a hostile intrusion attempt. (Maybe Lawrence Baldwin might care to elaborate on whether that's true or not.) And, just to be sure we're on the same page, when I say "port scan", I'm talking about a single remote IP address scanning multiple local ports in a relatively short period of time. You can nail anyone who's stupid enough to do this in practically no time at all. If you do run stealthed and get only the one probe, you really can't tell what it is; at that point, you really need a service like MyNetWatchman or dShield to collate events in order to determine if someone is up to no good, and even these services can only pick out someone who's scanning the internet willy-nilly. (I've got an absolutely hilarious example of some skiddy who kept poking me over in GRC about a year ago. He's no longer with us.) quote: . . . . it's interesting to see how easy it is for a relatively non-technical hacker (not a sophisticated one) to scan and probe for open shares.
Oh, it's easy as hell! (And even easier to catch 'em if they do it. ) quote: . . . . Just yesterday, I was getting a zillion hits on Kazaa port 1214, for which I created a thread here inviting others' comments, because this has never happened before. My solution was, rather than disabling my firewall, I just logged off and on again with my ISP
Actually your port 1214 thread was what precipitated this more generic query. Still, I think Steve Friedl may well be right; if you'd been running non-Stealthed, you might have actually seen considerably fewer of those port 1214 probes in your logs.
And incidentally, as Steve, jaykaykay, and a couple of other folks pointed out, you shouldn't need to disable ZA to un-stealth; you'd only need to disable the stealthing. quote: . . . . So I figure even if someone were to discover my IP, I can always change it and go back into stealth mode. I prefer the idea of being invisible on the internet, if at all possible. Yet I understand the point made here by jv, R2, and others regarding stealth. Steve Friedl seems to think that stealth is overrated too: »Hundreds of KAZAA Port 1214 Hits Today
Oops, before I forget -- Randy, I'm not trying to be argumentative here so much as to simply elicit some substantive discussion of the general pros and cons of stealthing versus simply running with closed (or BLOCKed, if you prefer) ports. Didn't want you to take my comments above the wrong way. -- Regards, Joseph V. Morris |
|
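As an added example (not code from this thread or from any firewall product), here is the log-side check jvmorris describes above: flag a "port scan" as a single remote IP hitting multiple distinct local ports within a short window, and nothing else. The log format, the sample lines, the thresholds (four ports in thirty seconds) and the RFC 5737 documentation addresses are all constructed for illustration. Randy's repeated hits on port 1214 are included deliberately, because by this definition they are not a scan, however many there are.

```python
"""Flag port scans in a personal-firewall log: one remote IP hitting several
distinct local ports inside a short window.  Added example; the log format,
sample lines and thresholds are constructed, not any real product's."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (format assumed for this example):
#   <date> <time> <proto> <remote_ip>:<remote_port> -> <local_port> <action>
SAMPLE_LOG = """\
2002-06-06 11:50:01 TCP 192.0.2.10:4321 -> 135 BLOCKED
2002-06-06 11:50:01 TCP 192.0.2.10:4322 -> 137 BLOCKED
2002-06-06 11:50:02 TCP 192.0.2.10:4323 -> 139 BLOCKED
2002-06-06 11:50:02 TCP 192.0.2.10:4324 -> 445 BLOCKED
2002-06-06 11:50:03 TCP 192.0.2.10:4325 -> 1433 BLOCKED
2002-06-06 11:52:30 TCP 198.51.100.7:2001 -> 1214 BLOCKED
2002-06-06 11:52:31 TCP 198.51.100.7:2002 -> 1214 BLOCKED
2002-06-06 11:52:33 TCP 198.51.100.7:2003 -> 1214 BLOCKED
2002-06-06 11:55:00 TCP 203.0.113.9:1025 -> 80 BLOCKED
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    date, time, proto, src, _, dport, action = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto,
        "remote_ip": src.rsplit(":", 1)[0],
        "local_port": int(dport),
        "action": action,
    }


def find_port_scans(log_text: str, min_ports: int = 4,
                    window: timedelta = timedelta(seconds=30)) -> Dict[str, List[int]]:
    """Return {remote_ip: sorted local ports} for every source that touched at
    least `min_ports` distinct local ports within any `window`-long span.

    Many hits on ONE port from one source (the KaZaA 1214 case) never qualify:
    the count is of distinct ports, not of packets.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["remote_ip"]].append((e["ts"], e["local_port"]))

    scans: Dict[str, List[int]] = {}
    for ip, hits in events.items():
        hits.sort()  # chronological, so each start index defines one window
        for i, (t0, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - t0 <= window}
            if len(ports) >= min_ports:
                scans[ip] = sorted(ports)
                break
    return scans


if __name__ == "__main__":
    for ip, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {ip}: local ports {ports}")
```

Run on the sample, only 192.0.2.10 is reported (five ports in two seconds); 198.51.100.7 generates more lines but only ever asks for 1214, which is the single-port noise that needs a collating service to make sense of, not a scan.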
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| reply to Sentinel said by Al Otero: . . . .I think the argument over stealth has more to do with the wording used. When people say stealth is good they always use the terms "invisible" or "can't be seen". I think a more accurate term would be "camouflaged". . . .
Yeah, I think you've got a point there. The phrase 'stealth' is catchy, but sometimes it misleads people as to exactly what it's being used to represent. . . . . -- Regards, Joseph V. Morris |
|