Forums » Up and Running » Security » Closed vs. Filtered

Maven
Premium
join:2002-03-12
Canada
Closed vs. Filtered

Forgive me if this has been answered before, but I searched Yahoo and the security FAQ yet came out empty. What is the difference between closed and filtered ports? If a computer has all its ports closed, why would it not be fine?


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

Someone may correct me on specifics... as nit-picky as I can be, I'm not always that great on exact wording... that said:

As far as I understand it, 'Closed' and 'Filtered' aren't really directly related...

Closed means that no daemon/service is configured to respond on the port in question on a specific host.

Filtered means that there is a firewall somewhere which is 'intercepting' and dropping communications for a port. Actually, you don't so much filter a PORT as you filter datagrams based on whatever the rules are... and it's entirely possible that the 'rules' can be "drop all packets for this port" or "drop all packets EXCEPT those for this port"

The reason I say they aren't necessarily directly related is this: It's entirely possible for a port to be OPEN, yet filtered. In fact, that's one of the greatest reasons to have a firewall in the first place: To enable a service (such as file sharing) to be available on your private network, but to have connections from outside to that service 'filtered' such that they do not get through.

Or.. umm.. something like that!

So, to answer your last question: If ALL of the ports are truly closed, then it would seem there isn't really a need for them to be filtered, too... but.. there's just a little more, because I mentioned a THIRD possibility above: Dropped.

When a port is 'closed', say port 80, and I try to connect to a computer on that port, the computer in question usually sends back an instant reply saying, "Hey, I don't have any service running on that port!" That's the normal behavior on a 'closed' port.

When communications to that port are "filtered" or "dropped", though... that "there's nothing here" response never gets sent. This is usually what some online tests mean when they say a port is 'stealthed', and it is a little better than simply being 'closed', because it forces a port scan to wait for a timeout before it can declare the port responding or not.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

The classic discussion at DSLR was done in this old thread:

Closed vs Stealthed Ports
»Closed vs Stealthed Ports

but it is quite long, I warn you .. yet very informative and interesting.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


Maven
Premium
join:2002-03-12
Canada


reply to Maven
Thanks for the replies.

Wow, that's quite the discussion, Randy Bell. I've only read the first 2 pages, but I've picked up the gist of it so far - Stealth is overrated. It reminds me of the recent thread called "Uh Oh... You're not going to like this!" (»Uh Oh... You're not going to like this!), where there is an interesting discussion on whether firewalls are useful or not.

In my case, since the command netstat -an reports nothing unless running an internet application, I assume that running a firewall would be redundant. I am on WinME with NetBios disabled and not running file sharing.
[text was edited by author 2003-08-07 03:27:57]


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

said by Maven:
In my case, since the command netstat -an reports nothing unless running an internet application, I assume that running a firewall would be redundant. I am on WinME with NetBios disabled and not running file sharing.
Maybe sometimes a little "redundant" so far as inbound traffic control; but not so far as outbound control. Without a firewall, you have no outbound control, over rogue programs or apps that might try to connect out to the Net. You also have no logging of traffic in/out of your box. This is why I usually recommend a software firewall, even for people who have a NAT router; since the router takes care of inbound traffic but has no effective outbound control. I too have a tight system with NetBEUI substituted for local networking, file sharing and NetBIOS uncoupled {unbound} from TCP/IP, etc. -- but I still use ZA on all boxes in my home network. HTH
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


catahoula7
Catahoula

join:2002-12-30

reply to Maven
said by Maven:
Forgive me if this has been answered before, but I searched Yahoo and the security FAQ yet came out empty. What is the difference between closed and filtered ports? If a computer has all its ports closed, why would it not be fine?
Yes, that should be fine.
If I understand correctly, filtered and closed will give the same response to someone probing that port. Which is nothing. The packet will just silently be dropped and it will seem that there is no computer at the end.

OTOH, if the firewall is set to "deny" it drops the packets and notifies the probing host that the packet was rejected.
Which lets the probing computer know there is a machine at the other end.
--
--Catahoula Hound Dawg


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:

said by catahoula:
If i understand correctly, filtered and closed will give the same response to someone probing that port. Which is nothing. The packet will just silently be dropped and it will seem that there is no computer at the end.
Not exactly... for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.


catahoula7
Catahoula

join:2002-12-30

said by R2:


Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.
I thought "Reject" sent a response and "DENY" just dropped the packet.

Where did "stealth" come from anyway? I thought there was just the "Drop" and "Reject" flags?

--
--Catahoula Hound Dawg


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:

Open: Meaning a service is active and responding on that port.
Closed: Meaning communications are getting through to the host on the port in question, but that host has no daemons/services and is responding to that effect.
Stealth: Meaning the communication was simply dropped, and no response was sent at all.

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)... but when a firewall "Rejects" a packet, that will result in a "Stealthed" result.. when a firewall "Denies", there may be a "Closed" response... As I said, I may have 'reject' and 'deny' backwards... but one simply sends the communication to the great packet bucket in the sky, but the other one sends a specific reply saying, "nothing to see here".

so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

In the context of the thread title: "closed vs filtered" -- I think R2 got it right:
said by R2:
for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.
I think the other interpretation is not consistent with what the thread author means in his thread title. JMHO, HTH
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


MeDuZa

join:2003-06-13
Austria

reply to Maven
The frequently used association of STEALTH with INVISIBLE is snake oil.
In case you wouldn't be there, the nearest router located at your provider would respond with "ICMP-Host unreachable".
No answer means that you are there and the requests have been dropped by a packet filter (FW).

REJECT means an active refuse of a connection attempt with a special ICMP message.
DENY means to throw away the connection attempts. The inquiring computer gets a timeout in this case.


catahoula7
Catahoula

join:2002-12-30

reply to Marilla
said by Marilla:
"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:
[..]

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)...
[..]
so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.
I get them backwards too sometimes ! lol

So the "closed" state would be the most ideal then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
--
--Catahoula Hound Dawg


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to Maven
I think he may be using "filtered" as used as a term of art by nMap and nMap inspired port scanners, perhaps? An nMap scan might return something like:

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap )
Interesting ports on 195.98.xxx.xxx:
(The 1601 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
22/tcp open ssh
113/tcp closed auth

From the nMap man page, »www.insecure.org/nmap/data/nmap_manpage.html :

The result of running nmap is usually a list of interesting ports on the machine(s) being scanned (if any). Nmap always gives the port's "well known" service name (if any), number, state, and protocol. The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept() connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state.
--
I'm not good,
I'm not nice,
I'm just right.
I'm the Witch.
You're the world.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA


said by gwion:
The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state.

Precisely what R2 stated, thanks gwion.

[text was edited by author 2003-08-07 19:57:30]


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:


reply to catahoula7
said by catahoula7:
So the "closed" state would be the most idea(l) then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
It depends on how you look at it...

I believe the term "stealth" was coined or at least put into THIS general use by GRC. Previously, the term "stealth" referred to the TYPE of port scan being done. Regardless, at this point in time we have to accept that many people are going to use the term "stealth" to mean "filtered" -- which simply means the packet was "dropped". This means, the receiving computer sends NO acknowledgement back to the requesting computer.

If someone is probing your ports and every single probe is not returned, then your computer is relatively "invisible" -- meaning that the prober does not know for sure if your computer is on the Internet or not. You could simply have your computer turned off or unplugged it -- the prober cannot easily tell. You cannot assume with 100% certainty that a "stealth" response (i.e., no response) means the user has a firewall.
______________________________

An "ICMP-Host Unreachable" packet is not generated when a firewall "drops" or "filters" a packet -- as stated above.

However, when I tried to probe non-existent IP addresses (e.g., 123.123.123.123 or 111.111.111.111) with 4 TCP/IP SYN packets, I also got NO RESPONSE -- the requests "timed out". I did NOT get back any ICMP-Host Unreachable packets -- I don't know why. I just know that when I probed port 80 on those addresses with 4 TCP/IP SYN packets, I got no response at all.

If I probe port 80 at DSLR, I get an OPEN response (open = SYN/ACK) -- see above. If I probe port 81 at DSLR, I get a CLOSED response (ACK/RST). If I probe port 1234 at DSLR, I get back nothing -- a "filtered" or "stealth" response -- if you will. I get the same response (NONE) when I probe port 1234 here that I do when I probe any port at the non-existent sites.

That being said, I then tried a simple ping of those addresses, and I found this:

Pinging 123.123.123.123 with 32 bytes of data:

Request timed out.
Reply from 65.112.160.53: Destination host unreachable.
Request timed out.
Reply from 65.112.160.53: Destination host unreachable.

Ping statistics for 123.123.123.123:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\Desktop>ping 111.111.111.111

Pinging 111.111.111.111 with 32 bytes of data:

Request timed out.
Reply from 65.123.254.57: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 111.111.111.111:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Which -- I believe -- just so happens to prove MeDuZa's point!:) Even though I got no response to a TCP/IP probe, at least SOME of the ICMP probes clearly come back Destination Host Unreachable. But not all...

Therefore, perhaps with extensive probing one could figure out with some partial degree of certainty that the computer has a firewall. BUT... given the erratic response of the ICMP packets, this seems a little challenging and makes it difficult to be absolutely certain....
[text was edited by author 2003-08-08 10:39:29]
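The open / closed / filtered distinction R2 describes above (SYN/ACK, ACK/RST, or nothing), and the firewall REJECT vs DENY/DROP behaviour MeDuZa and Marilla discuss, can be checked against your own host with a plain TCP connect: the kernel turns an RST into an immediate "connection refused", while a dropped SYN shows up only as a timeout. The following is an added, self-contained example (not code from the thread); it probes only loopback, and the port numbers are picked at run time rather than assumed.

```python
import errno
import socket

# Constructed example: classify one TCP port the way the posts above
# describe it, by what a single connect attempt (a SYN) gets back.
#   SYN/ACK  -> connect() succeeds         -> "open"
#   RST      -> ECONNREFUSED, instantly    -> "closed"  (no listener, or firewall REJECT)
#   nothing  -> connect() times out        -> "filtered" (firewall DROP/DENY, "stealth")
# A router on the path answering with ICMP unreachable is reported separately,
# which is the case MeDuZa raised for a host that is not there at all.


def probe_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # a filtered port costs the full timeout, a closed one does not
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def _unused_port():
    """Ask the kernel for a free loopback port, then release it so it has no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe loopback: one port with a listener (open), one without (closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)  # the kernel completes the handshake even before accept()
    open_port = listener.getsockname()[1]
    closed_port = _unused_port()
    try:
        return {
            "open": probe_port("127.0.0.1", open_port),
            "closed": probe_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"port with {label} listener state: {state}")
```

A "filtered" result cannot be produced on loopback without a local firewall rule; against a remote host it is the case where the call only returns after the full timeout, which is exactly why scanners find dropped ports slower to classify.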

Reverend Ike
Premium
join:2001-08-24
Sacramento, CA

reply to Maven
I think the critical question is whether the person ("hacker") sending the packets actually cares whether a port is "closed" or "stealth". IMHO, I doubt it. If a port is stealthed, does the hacker put it on a "don't bother" list and never try that port again? Of course not. He has no way of knowing that a stealthed port won't be an open port an hour or a day or a week from now. Same thing with a closed port. For the moment, all he cares about is "open" or "other". If it's open, he tries to break in, if it's other, he moves on to the next port or next IP address.

Stealth is like a phone with Caller ID. A telemarketing autodialer calls, the resident doesn't answer, the phone rings and rings. Closed is like an answering machine with an auto-response "There is nobody at home" which doesn't accept incoming messages. In either case, the autodialer just moves on. But when the autodialer starts a new cycle, it will call the same number again, just in case someone might answer next time.

On paper, it seems slightly more desirable to have your ports stealthed rather than closed. But in the real world, with zombie machines and lightning-fast port scanners, I don't think it makes any difference. Nobody is going to sit around and keep hammering one port just because it is "closed" rather than "stealthed", when there are millions of open ports waiting on millions of other machines ...


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:
Well said.


catahoula7
Catahoula

join:2002-12-30

reply to Reverend Ike
said by Reverend Ike:


Stealth is like a phone with Caller ID. A telemarketing autodialer calls, the resident doesn't answer, the phone rings and rings. Closed is like an answering machine with an auto-response "There is nobody at home" which doesn't accept incoming messages. In either case, the autodialer just moves on. But when the autodialer starts a new cycle, it will call the same number again, just in case someone might answer next time.

On paper, it seems slightly more desirable to have your ports stealthed rather than closed. But in the real world, with zombie machines and lightning-fast port scanners, I don't think it makes any difference. Nobody is going to sit around and keep hammering one port just because it is "closed" rather than "stealthed", when there are millions of open ports waiting on millions of other machines ...
Excellent! A very clear analogy.

Thank you.
--
--Catahoula Hound Dawg


reaver221

join:2003-05-08
Cincinnati, OH


reply to Maven
I could very well be wrong, but wouldn't 'stealth' help to defeat accurate OS detection?

For example, nmap supposedly needs to get responses from both closed and open ports to do a good job of detecting a target host's OS, because 'stealth' = less OS specific packets to fingerprint.

I didn't get a chance to read much of the thread that Randy linked to, so this could've already been talked about.
[text was edited by author 2003-08-08 19:30:44]
© 1999-2009 dslreports.com.