

jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

Closed vs Stealthed Ports

A while back, Randy Bell and I got into a discussion of just how important stealthing really was (errr, is). As I recall, the discussion was precipitated by the PC Flank Stealth test. It had seemed to me for some time that some people were literally choosing software firewalls almost exclusively on the basis of how well they did on the PC Flank Stealth Test.

I might as well confess here and now that I've always been a bit skeptical about the advantages of stealthing. I certainly would not make it a predominant criterion in selecting a personal software firewall under any circumstances.

I think it might be worthwhile to initiate a thread on the real pros and cons of stealthing.

So, to kick off the discussion, I thought I'd throw in my two cents worth. First, I have often contended that stealthing (with its "no answer" solution) can actually generate more nuisance traffic than a simple closed response. To be sure, this redundant traffic is unlikely to overload the Internet or even result in a Denial of Service impact on your own machine. What it can do, however, is distract a user by leading them to spend an inordinate amount of time trying to figure out why all the traffic is being generated as the offending remote application continues to pound away at your IP address in the vain hope that something will magically appear on the IP address you are using. This clearly happened with the Code Red worms of last summer. Depending on the Code Red variant, it would pound a stealthed IP address/port anywhere from three to about ten times as much as it would a non-stealthed, but closed IP address. (And let's not forget the unfortunate cable users who got hit with the ARP flood of Code Red II, in particular -- that was a pretty good, but apparently unintended denial of service attack against these individuals.) And apparently, if Steve Friedl is correct, KaZaA will just continue to pound away mindlessly forever! Now, again, this is more or less a subjective impression on my part. I don't have any real way to scientifically test it, but I was wondering if anyone out there might have some solid data on this effect?

Next point: What's the real advantage of stealthing actually supposed to be? As I understand it, the argument goes something like this: If you're Stealthed, the bad guys won't even know you're there; if you're closed, they know you're there, but they can't get in anyway. (I might add that I'm not convinced that the first part of this assertion is even correct. The very absence of a response conveys information.) So, what's so bad about just being closed? Is someone going to pound away on your closed port? I don't think so. In the first place, it would be pointless; most of us don't raise and drop firewalls every few minutes or hours. Secondly, that pounding away against a closed (as opposed to closed and stealthed) port is pretty much evidence of a deliberate intrusion attempt by someone rather clueless.

"Yes, but ...", the Stealth proponent tends to respond, "if they know you're there, then they'll go looking for some other way to get in!" But is this really true, especially today? I think not. You see, after that original discussion with Randy, I completely unstealthed my system. In other words, anyone probing me will find closed ports, not stealthed ports. In the past ten days, I have seen not one port scan after an unsolicited single port probe has hit this box. (I'm excluding the port scans that my ISP runs periodically to ensure I'm not running any proscribed internet servers.)

So, really guys, what are the advantages of running Stealthed? Is my experience of the past ten days just a fluke?
--
Regards, Joseph V. Morris



OzarkMan$

join:2000-12-22
Ozark Mtns.

quote:
stealthing (with its "no answer" solution) can actually generate more nuisance traffic than a simple closed response.
Simply put for me....if I don't exist I can't be bothered. I apply this same theory when it comes to Halloween also


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

said by OzarkMan:
....if I don't exist I can't be bothered. I apply this same theory when it comes to Halloween also
Well, I want to follow up on your solution for Halloween, but perhaps we'd best do that via IM!

But, more to the point, the first part of your statement is not quite true. A lot of stealthed ZA users were certainly 'bothered' by the ARP flood associated with Code Red last year. I think Robert Wycoff, over in the GRC newsgroups, was effectively knocked offline for about three days, as a matter of fact.
--
Regards, Joseph V. Morris


Michael
Premium
join:2001-05-06
Canada
reply to OzarkMan$

I am assuming you are writing that you do not "exist" because you are stealthed. But what about Joseph's point that a stealthed computer does in fact convey information due to the lack of response?

I am thinking along the lines that when information is conveyed that an IP address is stealthed but in use, that IP address might just be a more interesting target than an IP address that reflects all ports are closed.

The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

said by Michael:
. . . . The fact that a completely stealthed machine does convey information back indicating that its IP address is indeed active (even though all ports are stealthed) is quite fascinating to me.
For the sake of completeness, I should add that the last good discussion (that I've seen) of what this "no information" solution conveys was in the USENET NNTP newsgroup comp.security.firewalls . I'll try to track down the thread later today.
--
Regards, Joseph V. Morris


Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to jvmorris

I think the best way to put it is...

It is harder for a bad guy to pick the lock on your door when he is not quite sure where the door is or if the door even exists. It is still possible for people to find you even when you are stealth because your IP address goes everywhere. If you log into a chat room or visit a web site they have your IP address so they know a PC is there, even if it does not respond.

It is kind of like a random burglar or a thief who knows you. A random hacker who is just scanning IP addresses will likely skip you if you are stealth because it appears as though you are not there.

A hacker that knows you are there, knows you are there. Therefore stealth does not give any additional security in this case.

Consider a burglar just walking down the street looking for an empty house. If you have a car in your driveway and a light on could you be home? Maybe. Maybe not. He is not sure. This is stealth.

Consider a burglar that is a friend of your son. He knows when you are home and he knows what goods you have in the house. This is not stealth.

Are you any more secure being stealth as in the first scenario above? No. The door is the same the locks are the same. The difference is that in the first scenario you add the element of chance to the mix. It makes it a little harder for the hacker to pick a target. Are you more secure? No. You are just lowering your chances of becoming a target. That's all.
--
AL



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1
reply to Michael

This is correct. The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information.

It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that address is viable but that the ports are being filtered (stealthed).

A more interesting response from a firewall would be for it to return an ICMP "Destination Unreachable" packet (either code 1 or 3). This way instead of the "absence of response" that firewall is giving a "response of absence".:)

Better still, firewalls could be configured to allow the user to decide how it is to respond.

Response to SYN packet scan (select one):

[_] Stealth/Filtered (no response)
[_] Closed (RST packet)
[_] Pseudo-Open [port closed] (SYN,ACK packet)
[_] Destination Port Unreachable (ICMP 3,3 packet)
[_] Destination Host Unreachable (ICMP 3,1 packet)
Now THAT would be an interesting firewall!:)


Time Out$
Premium
join:2002-04-28
North Myrtle Beach, SC
reply to jvmorris

You decide !

I am not going to argue the point of stealth vs. closed..but I hope some of you can read this link and its thread. It does not exist anymore in the real world for it has been "hidden"..but google may have it a while longer.

This is a conversation between people on how to hack through those firewalls.

»216.239.51.100/search?q=cache:iW···nl/forum



Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
reply to jvmorris

Re: Closed vs Stealthed Ports

I understand that hackers often use standard port scanners to do random port scans, looking for live IPs and open shares. Once the hacker determines he has a live IP, he can use the port-scanning program to investigate whether there are open shares on that IP. Steve Gibson includes examples of typical port scanners used by hackers on his GRC website, and it's interesting to see how easy it is for a relatively non-technical hacker (not a sophisticated one) to scan and probe for open shares.

I still like the idea of being stealth. Just yesterday, I was getting a zillion hits on Kazaa port 1214, for which I created a thread here inviting others' comments, because this has never happened before. My solution was, rather than disabling my firewall, I just logged off and on again with my ISP.

I have a PPPoE DSL connection which dynamically assigns a new IP when I dialup using the WinPoET dialer. The WinPoET software uses a virtual software dialup adapter that emulates a real dialup, so the WinPoET connection appears on my system just like an ordinary dialup connection. And as with a dialup connection, my IP is dynamically assigned when I dialup (logon).

So I figure even if someone were to discover my IP, I can always change it and go back into stealth mode. I prefer the idea of being invisible on the internet, if at all possible. Yet I understand the point made here by jv, R2, and others regarding stealth. Steve Friedl seems to think that stealth is overrated too: »Hundreds of KAZAA Port 1214 Hits Today



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

I agree R2. A firewall that would really make it look like this was an IP address that was "not in use" would be the best idea.

I think the argument over stealth has more to do with the wording used. When people say stealth is good they always use the terms "invisible" or "can't be seen". I think a more accurate term would be "camouflaged". You're still there and if people know you are there they look harder to see you.

Much like camouflage, when you know something is there but it is hidden, and you look hard to see it, all of a sudden you see it! Plain as day and you wonder how come you didn't see it before. Does that mean you should not use camouflage? Does that mean camouflage is useless? Not at all. It just means that camouflage is good for deception but does not increase the actual security.

Stealth does not make the lock stronger. It just makes the lock blend in to the background more so it does not stick out so much begging to be picked. But if one knows the lock is there, stealth or not, he can see it.
--
AL



OzarkMan$

join:2000-12-22
Ozark Mtns.
reply to jvmorris

quote:
the first part of your statement is not quite true
Sure it's true Joseph since I base my thinking on the same facts R2 shared in his initial post. I also agree with the premise that Stealth is over-rated. In fact with my surfing habits, download management, I'm quite content for now BUT am always concerned about the traffic that I don't know about.


MeeToo7
You Too?
Premium
join:2000-10-18
Ardmore, PA

reply to jvmorris

As the hackers in the link TimeOut posted demonstrate, they are not as interested in getting past through a firewall as they are going around it, by means of other executable programs.

said by hacker:

You can get past firewalls quite easily apparently... you haven't been reading secureroot lately, have you? Easiest way is use the services that are allowed by the firewall, like email, internet - Outlook & IE particularly have some well documented holes that allow you to upload your code & execute it directly on the victim's machine without them having to click on anything. Beyond that other email clients & browsers have similar, if less documented holes, as do just about any application. You just see which applications the firewall is allowing & use them, rather than try to beat the firewall directly. You can also piggyback code on a socket that's already open - tunnelling from the outside as it were... and various other tricks which I have only read about & never tried.
So IMO, showing ports closed through firewall instead of stealthing them is less trouble in the long run, and just as secure (or more to the point, insecure, as there's no such thing as completely secure).

But with either case of stealth or closed ports, one needs to apply other security measures and habits, such as using AV and updating them regularly, applying patches regularly, and securing browsers and other internet access apps out of their defaults. One should not get the false sense of security with being stealth and thinking one is invisible, which might lead to lax security habits and implementations.

[text was edited by author 2002-06-06 11:55:42]


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1
reply to jvmorris

I think that despite our disagreements, we essentially agree.:)

There are perhaps some benefits to being stealth -- but they are probably not great. If a hacker is using some automated scanner to pick up addresses and the scanner is designed to ignore 'stealthed' responses, then perhaps it is a good thing. Otherwise I am not sure it buys you much 'protection'.

Regardless, if someone knows your IP address and is specifically trying to attack you, then I don't think stealth vs. closed matters that much -- either way that door is closed.

As MeeToo points out -- and I firmly believe -- the VAST majority of attacks are not through the firewall but around it. Email attachments and <SCRIPT> in HTML remain the MAJOR threats. JMHO.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to R2

said by R2:
. . . . The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. . . . .

Better still, firewalls could be configured to allow the user to decide how it is to respond. . . . .Now THAT would be an interesting firewall!:)
Ahhh!!! Great minds and all that!
--
Regards, Joseph V. Morris

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to jvmorris

The greatest benefit is marketing. "Stealth" sounds real hi-tech, secure, non-radar-reflecting, state-of-the-art. "Closed" is, just, well, closed.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by dave:
The greatest benefit is marketing.
This is a great deal of it. And security scans that give better scores to "stealthed" ports versus "closed" ports contribute to this hype as well - who wouldn't want a "better" score on a security test?

I believe that the benefits of stealth are seen in indirect proportion to really understanding how TCP/IP actually works.

Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

All to the point. Isn't the 'official' name for a non-responding port "Filtered"? That certainly doesn't have very good marketability.

But "Stealthed" -- now THAT sounds cool!:) I wonder who was first to coin the term "stealth" for a port. In previous years the scans were called "stealth" (e.g., a FIN scan) and the ports were "filtered".



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by R2:
But "Stealthed" -- now THAT sounds cool!:) I wonder who was first to coin the term "stealth" for a port.
Steve Gibson?


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to Randy Bell

said by Randy Bell:
I understand that hackers often use standard port scanners to do random port scans, looking for live IPs and open shares. Once the hacker determines he has a live IP, he can use the port-scanning program to investigate whether there are open shares on that IP. . . .
Thank you, Randy. I was a bit reluctant to characterize the argument of Stealth proponents in my original posting because I felt I might do so in a somewhat slanted fashion. It's much better to have a statement from someone who agrees with it.

But here's the problem as I see it with this argument. Just for purposes of argument, I would estimate that something like 95% of the people who even know what the term 'Stealth' refers to (in this context) either have used, are using, or at least know about software firewalls, hardware firewalls, or IDSs. An additional 4%, say, may be using nothing more than a hardware or software NAT/router that supports stealthing. Perhaps 1% then of people who recognize the term Stealth use none of the above. And that's where the entire 'benefits' of stealthing seem (to me) to fall apart. Almost all of these firewalls, routers, and IDSs can be configured to log port scans (assuming, of course, that the targeted ports are blocked to unsolicited inbound probes). And they stick out like a sore thumb. Every ISP (with which I am familiar) would take these logged events as prima facie evidence of a hostile intrusion attempt. (Maybe Lawrence Baldwin might care to elaborate on whether that's true or not.) And, just to be sure we're on the same page, when I say "port scan", I'm talking about a single remote IP address scanning multiple local ports in a relatively short period of time. You can nail anyone who's stupid enough to do this in practically no time at all. If you do run stealthed and get only the one probe, you really can't tell what it is; at that point, you really need a service like MyNetWatchman or dShield to collate events in order to determine if someone is up to no good, and even these services can only pick out someone who's scanning the internet willy-nilly. (I've got an absolutely hilarious example of some skiddy who kept poking me over in GRC about a year ago. He's no longer with us.)
quote:
. . . . it's interesting to see how easy it is for a relatively non-technical hacker (not a sophisticated one) to scan and probe for open shares.
Oh, it's easy as hell! (And even easier to catch 'em if they do it. )
quote:
. . . . Just yesterday, I was getting a zillion hits on Kazaa port 1214, for which I created a thread here inviting others' comments, because this has never happened before. My solution was, rather than disabling my firewall, I just logged off and on again with my ISP
Actually your port 1214 thread was what precipitated this more generic query. Still, I think Steve Friedl may well be right; if you'd been running non-Stealthed, you might have actually seen considerably fewer of those port 1214 probes in your logs.

And incidentally, as Steve, jaykaykay, and a couple of other folks pointed out, you shouldn't need to disable ZA to un-stealth; you'd only need to disable the stealthing.
quote:
. . . . So I figure even if someone were to discover my IP, I can always change it and go back into stealth mode. I prefer the idea of being invisible on the internet, if at all possible. Yet I understand the point made here by jv, R2, and others regarding stealth. Steve Friedl seems to think that stealth is overrated too: »Hundreds of KAZAA Port 1214 Hits Today
Oops, before I forget -- Randy, I'm not trying to be argumentative here so much as to simply elicit some substantive discussion of the general pros and cons of stealthing versus simply running with closed (or BLOCKed, if you prefer) ports. Didn't want you to take my comments above the wrong way.
--
Regards, Joseph V. Morris
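
jvmorris's working definition of a port scan above (one remote address hitting multiple local ports in a short period) can be applied directly to a log of blocked connections. The following is an added example, not part of any post in this thread; the log line format, the thresholds and the sample addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of blocked inbound connections. The line format is an
# assumption for this example, not the log format of any particular firewall.
SAMPLE_LOG = """\
2002-06-06 10:00:01 BLOCK TCP 203.0.113.7:4021 -> 192.0.2.10:21
2002-06-06 10:00:01 BLOCK TCP 203.0.113.7:4022 -> 192.0.2.10:23
2002-06-06 10:00:02 BLOCK TCP 203.0.113.7:4023 -> 192.0.2.10:80
2002-06-06 10:00:02 BLOCK TCP 203.0.113.7:4024 -> 192.0.2.10:139
2002-06-06 10:00:03 BLOCK TCP 203.0.113.7:4025 -> 192.0.2.10:445
2002-06-06 10:05:00 BLOCK TCP 198.51.100.23:3301 -> 192.0.2.10:1214
2002-06-06 10:05:03 BLOCK TCP 198.51.100.23:3301 -> 192.0.2.10:1214
2002-06-06 10:05:09 BLOCK TCP 198.51.100.23:3301 -> 192.0.2.10:1214
2002-06-06 10:05:21 BLOCK TCP 198.51.100.23:3301 -> 192.0.2.10:1214
2002-06-06 11:30:00 BLOCK TCP 192.0.2.200:2050 -> 192.0.2.10:80
-- log rotated --
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?:TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


def parse_log(text):
    """Return a time-sorted list of (timestamp, source_ip, dest_port)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], int(m["dport"])))
    return sorted(events)


def classify_sources(events, window=timedelta(seconds=60),
                     min_ports=5, min_repeats=4):
    """Label each source address from what it did inside a sliding window.

    port_scan      - at least min_ports distinct local ports within the window
    repeated_probe - the same port hit at least min_repeats times within it
    isolated_probe - anything less; inconclusive without outside correlation
    """
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs in window
    verdict = {}
    for ts, src, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        counts = Counter(port for _, port in q)
        if len(counts) >= min_ports:
            verdict[src] = "port_scan"
        elif verdict.get(src) != "port_scan" and max(counts.values()) >= min_repeats:
            verdict[src] = "repeated_probe"
        else:
            verdict.setdefault(src, "isolated_probe")
    return verdict


if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:15} {label}")
```
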


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to Sentinel

said by Al Otero:
. . . .I think the argument over stealth has more to do with the wording used. When people say stealth is good they always use the terms "invisible" or "can't be seen". I think a more accurate term would be "camouflaged". . . .
Yeah, I think you've got a point there. The phrase 'stealth' is catchy, but sometimes it misleads people as to exactly what it's being used to represent.
. . . .
--
Regards, Joseph V. Morris


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
reply to jvmorris

said by jvmorris:
Didn't want you to take my comments above the wrong way.
No problem. I wonder why all the testing sites make such a big deal about stealth, then? Is that just marketing and hype, or do the testing sites really think that stealth is better? I include, of course, Symantec's Security Check, from the makers of your beloved NIS -- they seem to value stealth, because you cannot get a good score from their security check unless you're stealthed.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to OzarkMan$

Hey, any chance we can have the old avatar back? I really liked it!

said by OzarkMan:
. . . .Sure it's true Joseph since I base my thinking on the same facts R2 shared in his initial post. I also agree with the premise that Stealth is over-rated. In fact with my surfing habits, download management, I'm quite content for now . . .
Darn! We both agree with R2! But you make an additional point above that may also be coloring my own perception, now that you bring it up. I suspect that your and my surfing habits and management procedures are not too dissimilar and that would influence my own personal experience.
quote:
. . . . BUT am always concerned about the traffic that I don't know about.
But this brings us to Steve Friedl's comment in Randy's thread about the Port 1214 probes (and MeeToo brings up essentially the same issue directly after you posted). Let me pick up on MeeToo's comments in a direct response to his posting.
--
Regards, Joseph V. Morris


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

said by jvmorris:
Darn! We both agree with R2!
This is a clear sign that I am slacking off and not making my posts controversial enough...:(


MeeToo7
You Too?
Premium
join:2000-10-18
Ardmore, PA
reply to Randy Bell

said by Randy Bell:
I wonder why all the testing sites make such a big deal about stealth, then? Is that just marketing and hype, or do the testing sites really think that stealth is better?
My rule of thumb is to assume first a business into making money will use hype and catchy words. Then I look into their claims on unbiased sites, such as university research sites, professional discussion sites etc. DSLR is an unbiased site, and although not everyone is professional, enough are that we can get good answers and links to further our research.

I think most for-profit sites don't really think "stealth" (a catchy word for non-responding ports) is better, but will lead you to think it is IF their products have stealthing options. I would imagine the developers themselves know better, but marketing departments have to put in their selling hype to sell their products.

Just like the "New and improved!" catch phrase used on every supermarket product these days. When you find out what's improved, many times it's just the box that pours better, or the product that smells better or has a nicer color. Is it really improved? No, but it sells better.
--
Help find a cure, join Team Helix


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to MeeToo7

Now, we're beginning to peel the lemon (or is it an artichoke?)!

said by MeeToo:
As the hackers in the link TimeOut posted demonstrate, they are not as interested in getting past through a firewall as they are going around it, by means of other executable programs.
I'd modify your statement above a bit, however: Hackers primarily rely on getting through a firewall using a PERMITTED communication (to either a client or server application) or by going around it (by using a parallel stack or WinSock, for example).

There are times when we (by which I mean us) don't do a really good job of explaining to novices exactly what a particular firewall does and what it doesn't do -- at least as the term 'firewall' is traditionally used. By failing to make these points clear, there's a false sense of security that a firewall (and especially a personal software firewall) can potentially evoke in the uninitiated.

A lot of novices, for example, don't understand that when you run a web browser (a client application), you have to allow responses to your requests for information. And a lot of browsers will accept inputs that could be malicious in their intent. The 'traditional' firewall doesn't inspect the response before accepting it -- you asked for it; you're going to get it, is the way the firewall looks at it. You'd need a full-capability IDS or stateful packet inspection firewall to do this and I have yet to see a single personal software firewall that really does this. (In the first place, it would raise havoc with throughput, and we've already got people complaining about the throughput constraints of even the most rudimentary packet inspection techniques that are typically provided by such firewalls using HTTP proxy servers.) The situation gets even worse for those end-users who insist on running a web server (a server application)--especially if it violates their ISP's ToS/AUP. (Which, of course, is why some ISPs scan their subscribers for such proscribed servers.) Hell, most novices don't yet understand the difference between a client app and a server app; they think you're asking them whether they're running an NT/2K/XP server box on the Internet! (And I could run a web server on this poor, pitiful Win 98 SE box that I'm using at the moment.)

In these instances, one is forced to rely on one of several options other than a 'traditional' firewall.
• One relies on inbuilt security features of the internet-enabled application
• One relies on 'sandboxing' memory-resident applications like Tiny Trojan Trap (as gwion emphasizes repeatedly), or
• One relies on other security-related utilities, as you note below.
But let's get back to the subject at hand. It seems to me that many of the 'arguments' for stealthing are fallacious in the sense that they are comparing the benefits of stealthing (which really doesn't require a firewall at all, but the proponents don't typically tell you that) with the alternative of running with no Internet Security at all! They're (often) not really comparing running a secured firewall (all ports under firewall control and closed unless expressly permitted) with running a secured firewall that also allows stealthing. (Which, of course, is what I'm asking about.) Instead, these arguments tend to compare running a stealth-capable firewall against running no Internet Security utilities whatsoever.
quote:
. . . . So IMO, showing ports closed through firewall instead of stealthing them is less trouble in the long run, and just as secure (or more to the point, insecure, as there's no such thing as completely secure).
Agreed again. Indeed, your comment is inherently true on Windows 9x/ME boxes. And tweaking a Win NT/2K/XP system to even approach C2 security specs is likely to make the box unusable for the average end-user.
quote:
But with either case of stealth or closed ports, one needs to apply other security measures and habits, such as using AV and updating them regularly, applying patches regularly, and securing browsers and other internet access apps out of their defaults. One should not get the false sense of security with being stealth and thinking one is invisible, which might lead to lax security habits and implementations. . . .
Also agreed. We need to constantly remind people that even the most secure firewall available on the market is only one component of the arsenal upon which they should rely in order to secure their systems against subversion and damage.

Good points, thank you.
--
Regards, Joseph V. Morris


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to R2

said by R2:
I think that despite our disagreements, we essentially agree.:)
R2,
Oh, I don't think we're having disagreements or arguments as I read the thread so far. I think we're simply discussing differing experiences and perspectives. Perhaps I'm wrong, but I believe Steve Friedl (who posted subsequent to your post to which I'm responding here) is the first individual to post in this thread who's likely to be familiar with explicitly (and knowingly) running server apps on the Internet at large. The rest of us are more likely end-users running client apps like web browsers, e-mail readers and news readers.

quote:
. . . .If a hacker is using some automated scanner to pick up addresses and the scanner is designed to ignore 'stealthed' responses, then perhaps it is a good thing. Otherwise I am not sure it buys you much 'protection'.
Well, I would prefer to characterize the people to whom you are referring above as 'crackers' rather than 'hackers', but that's mostly due to my own personal experiences with people that view the term 'hacker' as a mark of distinction.
. . . .
--
Regards, Joseph V. Morris


nevertheless
Premium,VIP
join:2002-03-08
St Catharines, ON
kudos:4
reply to jvmorris

One of my issues with 'stealth' is that it's damaging to proper network functionality.

Stealthing your ports or your machine causes unnecessary delays on remote machines as they wait for their connection to you to time out. This is supposedly a benefit of the stealth stuff, but in practice for those actually using the network, it's a downright nuisance. A simple mistyped IP will cause me up to 30 seconds of waiting, where it normally would cause me a few milliseconds.

Apart from annoying user timeouts, by blocking out the pieces of the protocol that were specifically designed to facilitate proper network functionality and testing, they're making reliable testing of the network impossible.

In my daily work at a Cable ISP, I often come up with the problem of determining where the issue lies--our service, or the customer's machine. Most of the time it's a customer-side problem, yet I have no way of testing to see if the user is actually up--short of clearing the arp cache and seeing if his arp entry renews (9 times out of 10 it's a misconfigured firewall, or, worse, 2 firewalls at once). All of these at the client side are PEBKAC issues, of course, but they wouldn't be my problem if this useless concept wasn't so prevalent--it literally breaks The Internet. (IMO)

Closed port responses, ICMP echos etc. etc. are all part of the TCP/IP protocol for a reason. I am now unable to rely on these tools because of this stealth phenomenon, and that's what really bothers me.

Anyway, that's my 2 cents.
--
Some people think I'm an idiot. I disagree, but idiocy is subjective--so they may well be right. With this in mind, take everything I post with a grain of salt, eh?
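
Three points made in this thread, R2's (silence is itself information), jvmorris's (stealth draws repeat probes) and nevertheless's (callers wait for a timeout), all follow from how a connecting TCP stack reacts to each firewall response. This added example, not code from any poster, models four of R2's five options using RFC 1122 error handling. The retry count, the 3-second initial timeout and the errno names are assumptions, and real stacks differ.

```python
# Assumed client parameters (illustrative values; they vary by operating system).
INITIAL_RTO = 3.0   # seconds before the first SYN retransmission
SYN_RETRIES = 3     # retransmissions after the first SYN

# Firewall response per policy: None = say nothing, else (packet, hard_error).
# RFC 1122 treats ICMP Destination Unreachable code 3 as a hard error (abort)
# and code 1 as a soft error (keep retrying). R2's SYN,ACK option is not modelled.
POLICIES = {
    "stealth": None,
    "closed": ("RST", True),
    "icmp_port_unreachable": ("ICMP 3,3", True),
    "icmp_host_unreachable": ("ICMP 3,1", False),
}


def connect_timeline(policy, rtt=0.05, initial_rto=INITIAL_RTO,
                     retries=SYN_RETRIES):
    """Simulate one connect() against a blocked port.

    Returns (events, wait_seconds, error) where events is a list of
    (time, sender, packet) tuples covering both directions.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    reply = POLICIES[policy]
    events = []
    t, rto = 0.0, initial_rto
    for _ in range(retries + 1):
        events.append((t, "client", "SYN"))
        if reply is not None:
            packet, hard = reply
            events.append((t + rtt, "firewall", packet))
            if hard:
                # The caller learns the result after one round trip.
                return events, t + rtt, "ECONNREFUSED"
        t += rto   # nothing conclusive arrived: wait, then retransmit
        rto *= 2   # exponential backoff
    error = "ETIMEDOUT" if reply is None else "EHOSTUNREACH"
    return events, t, error


def summarize(policy, **kwargs):
    """SYNs the firewall sees (and logs), caller's wait, and caller's error."""
    events, wait, error = connect_timeline(policy, **kwargs)
    syns = sum(1 for _, sender, pkt in events if sender == "client" and pkt == "SYN")
    return {"syns": syns, "wait": wait, "error": error}


def chance_all_probes_lost(unanswered, loss_rate):
    """R2's inference: probability that every unanswered probe was simply lost.

    loss_rate is the assumed round-trip loss probability per probe; probes are
    treated as independent.
    """
    if not 0.0 <= loss_rate <= 1.0:
        raise ValueError("loss_rate must be between 0 and 1")
    return loss_rate ** unanswered


if __name__ == "__main__":
    for name in POLICIES:
        s = summarize(name)
        print(f"{name:24} SYNs={s['syns']} wait={s['wait']:.2f}s {s['error']}")
    print("P(4 silent probes were all lost at 5% loss) =",
          chance_all_probes_lost(4, 0.05))
```
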



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to Steve

said by Steve:
.... Steve Gibson?
Arrrggghhh! Steve, do you have any conception as to how difficult I found it to compose my original posting without mentioning Steve Gibson?

As far as I know, you are correct: Steve Gibson was the first individual to use the term 'stealth'.
--
Regards, Joseph V. Morris


Time Out$
Premium
join:2002-04-28
North Myrtle Beach, SC
reply to nevertheless

nevertheless..so glad someone brought that into this discussion...instead of you always on the "other side" getting beat up. You have my vote today.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to Randy Bell

said by Randy Bell:
. . . .Is that just marketing and hype, or do the testing sites really think that stealth is better? I include, of course, Symantec's Security Check, from the makers of your beloved NIS -- they seem to value stealth, because you cannot get a good score from their security check unless you're stealthed.
A question I can answer (but I'm not going to get specific, so there's no point in pressing me on the subject)! Every member of Symantec's NIS/NPF development team with whom I've ever corresponded considered 'stealth' as nothing more than marketing hype. Indeed, I detected a certain bitterness in some of the responses that I've had via e-mail. They seem to have felt somewhat compelled to provide 'stealth' capability in response to Steve Gibson's hoopla on the subject and were consequently forced to defer other enhancements that had already been scheduled for NIS/NPF. No one at Symantec is now going to publicly confirm what I've said above; so don't even bother asking.
--
Regards, Joseph V. Morris