

R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA


reply to catahoula7
Re: Closed vs. Filtered

said by catahoula7:
So the "closed" state would be the most idea(l) then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.

It depends on how you look at it...

I believe the term "stealth" was coined, or at least put into THIS general use, by GRC. Previously, the term "stealth" referred to the TYPE of port scan being done. Regardless, at this point in time we have to accept that many people are going to use the term "stealth" to mean "filtered" -- which simply means the packet was "dropped". This means the receiving computer sends NO acknowledgement back to the requesting computer.

If someone is probing your ports and every single probe is not returned, then your computer is relatively "invisible" -- meaning that the prober does not know for sure if your computer is on the Internet or not. You could simply have your computer turned off or unplugged -- the prober cannot easily tell. You cannot assume with 100% certainty that a "stealth" response (i.e., no response) means the user has a firewall.
______________________________

An "ICMP-Host Unreachable" packet is not generated when a firewall "drops" or "filters" a packet -- as stated above.

However, when I tried to probe non-existent IP addresses (e.g., 123.123.123.123 or 111.111.111.111) with 4 TCP/IP SYN packets, I also got NO RESPONSE -- the requests "timed out". I did NOT get back any ICMP-Host Unreachable packets -- I don't know why. I just know that when I probed port 80 on those addresses with 4 TCP/IP SYN packets, I got no response at all.

If I probe port 80 at DSLR, I get an OPEN response (open = SYN/ACK) -- see above. If I probe port 81 at DSLR, I get a CLOSED response (ACK/RST). If I probe port 1234 at DSLR, I get back nothing -- a "filtered" or "stealth" response -- if you will. I get the same response (NONE) when I probe port 1234 here that I do when I probe any port at the non-existent sites.

That being said, I then tried a simple ping of those addresses, and I found this:

Pinging 123.123.123.123 with 32 bytes of data:

Request timed out.
Reply from 65.112.160.53: Destination host unreachable.
Request timed out.
Reply from 65.112.160.53: Destination host unreachable.

Ping statistics for 123.123.123.123:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\Desktop>ping 111.111.111.111

Pinging 111.111.111.111 with 32 bytes of data:

Request timed out.
Reply from 65.123.254.57: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 111.111.111.111:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Which -- I believe -- just so happens to prove MeDuZa's point!:) Even though I got no response to a TCP/IP probe, at least SOME of the ICMP probes clearly come back Destination Host Unreachable. But not all...

Therefore, perhaps with extensive probing one could figure out with some partial degree of certainty that the computer has a firewall. BUT... given the erratic response of the ICMP packets, this seems a little challenging and makes it difficult to be absolutely certain....
[text was edited by author 2003-08-08 10:39:29]
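The reasoning in the post above, written out as an added example that is not part of the original thread: it classifies each port from the replies to repeated SYN probes, then combines the per-port states with ping replies into a verdict about the host. The `Reply` record, the function names, the verdict strings and the 198.51.100.10 target address are assumptions made for illustration; the sample replies are constructed to mirror the probes described in the post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Reply:
    """One observed outcome of one probe (constructed record format)."""
    kind: str                      # "tcp", "icmp-unreach" or "timeout"
    flags: str = ""                # TCP flags when kind == "tcp": "SA", "RA"
    source: Optional[str] = None   # address that sent the reply, if any

def port_state(replies):
    """Classify one port from the replies to repeated SYN probes."""
    for r in replies:
        if r.kind == "tcp" and "S" in r.flags and "A" in r.flags:
            return "open"          # SYN/ACK: a service answered
        if r.kind == "tcp" and "R" in r.flags:
            return "closed"        # RST: host answered, nothing listening
    return "filtered"              # nothing came back from the port itself

def host_verdict(target, ports, ping_replies):
    """Combine per-port states with ping replies into a statement about the host."""
    states = {p: port_state(r) for p, r in ports.items()}
    answered = [p for p, s in states.items() if s != "filtered"]
    if answered and len(answered) < len(states):
        # Silence on some ports cannot hide a host that answers on others.
        return states, "host is up; silent ports are being filtered"
    if answered:
        return states, "host is up; no filtering observed"
    if any(r.source == target for r in ping_replies):
        return states, "host is up; every probed port is filtered"
    if any(r.kind == "icmp-unreach" for r in ping_replies):
        # A router on the path, not the target, reported the host unreachable.
        return states, "host probably absent (router sent host-unreachable)"
    return states, "indeterminate: host off, absent, or dropping everything"

T = Reply("timeout")
SITE = "198.51.100.10"             # constructed stand-in for the DSLR server
SITE_PORTS = {80: [Reply("tcp", "SA", SITE)],
              81: [Reply("tcp", "RA", SITE)],
              1234: [T, T, T, T]}
ABSENT_PORTS = {80: [T, T, T, T]}  # 4 SYN probes to 123.123.123.123, all timed out
ABSENT_PING = [T, Reply("icmp-unreach", source="65.112.160.53"),
               T, Reply("icmp-unreach", source="65.112.160.53")]

if __name__ == "__main__":
    print(host_verdict(SITE, SITE_PORTS, []))
    print(host_verdict("123.123.123.123", ABSENT_PORTS, ABSENT_PING))
    print(host_verdict("123.123.123.123", ABSENT_PORTS, [T, T, T, T]))
```

The third call is the case the post calls relatively "invisible": with every probe unanswered and no ICMP error from any router, the observations fit a powered-off machine as well as a firewall that drops everything.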


catahoula7
Catahoula

join:2002-12-30

reply to Marilla
said by Marilla:
"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:
[..]

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)...
[..]
so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.

I get them backwards too sometimes! lol

So the "closed" state would be the most ideal then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
--
--Catahoula Hound Dawg


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to Marilla
In the context of the thread title: "closed vs filtered" -- I think R2 got it right:
said by R2:
for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.

I think the other interpretation is not consistent with what the thread author means in his thread title. JMHO, HTH
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

reply to catahoula7
"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:

Open: Meaning a service is active and responding on that port.
Closed: Meaning communications are getting through to the host on the port in question, but that host has no daemons/services and is responding to that effect.
Stealth: Meaning the communication was simply dropped, and no response was sent at all.

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)... but when a firewall "Rejects" a packet, that will result in a "Stealthed" result.. when a firewall "Denies", there may be a "Closed" response... As I said, I may have 'reject' and 'deny' backwards... but one simply sends the communication to the great packet bucket in the sky, but the other one sends a specific reply saying, "nothing to see here".

so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.


catahoula7
Catahoula

join:2002-12-30

reply to R2
said by R2:
Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.

I thought "Reject" sent a response and "DENY" just dropped the packet.

Where did "stealth" come from anyway? I thought there was just the "Drop" and "Reject" flags?

--
--Catahoula Hound Dawg