Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » Closed vs. Filtered
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
GWF's, useless logs, and abuse desks. »
« ZoneAlarm TrueVector Device Driver  
AuthorAll Replies


catahoula7
Catahoula

join:2002-12-30

reply to Marilla
Re: Closed vs. Filtered

said by Marilla See Profile:
"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:
[..]

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)...
[..]
so the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.
I get them backwards too sometimes ! lol

So the "closed" state would be the most idea then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
--
--Catahoula Hound Dawg
to forum · permalink · · 2003-08-07 19:24:45 · Reply to this


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:

said by catahoula7 See Profile:
So the "closed" state would be the most idea(l) then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
It depends on how you look at it...

I believe the term "stealth", was coined or at least put into THIS general use by GRC. Previously, the term "stealth" refered to the TYPE of port scan being done. Regardless, at this point in time we have to accept that many people are going to use the term "stealth" to mean "filtered" -- which simply means the packet was "dropped". This means, the receiving computer sends NO acknowledgement back to the requesting computer.

If someone is probing your ports and every single probe is not returned, then your computer is relatively "invisible" -- meaning that the prober does not know for sure if your computer is on the Internet or not. You could simply have your computer turned off or unplugged it -- the prober cannot easily tell. You cannot assume with 100% certainty that a "stealth" response (i.e., no response) means the user has a firewall.
______________________________

An "ICMP-Host Unreachable" packet is not generated when a firewall "drops" or "filters" a packet -- as stated above.

However, when I tried to probe non-existent IP addresses (e.g., 123.123.123.123 or 111.111.111.111) with 4 TCP/IP SYN packets, I also got NO RESPONSE -- the reqests "timed out". I did NOT get back any ICMP-Host Unreachable packets -- I don't know why. I just know that when I probed port 80 on those addresses with 4 TCP/IP SYN packets, I got no reponse at all.

If I probe port 80 at DSLR, I get an OPEN response (open = SYN/ACK) -- see above. If I probe port 81 at DSLR, I get a CLOSED response (ACK/RST). If I probe port 1234 at DSLR, I get back nothing -- a "filtered" or "stealth" response -- if you will. I get the same response (NONE) when I probe port 1234 here that I do when I probe any port at the non-existant sites.

That being said, I then tried a simple ping of those addresses, and I found this:

Pinging 123.123.123.123 with 32 bytes of data:

Request timed out.
Reply from 65.112.160.53: Destination host unreachable.
Request timed out.
Reply from 65.112.160.53: Destination host unreachable.

Ping statistics for 123.123.123.123:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\Desktop>ping 111.111.111.111

Pinging 111.111.111.111 with 32 bytes of data:

Request timed out.
Reply from 65.123.254.57: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 111.111.111.111:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Which -- I believe -- just so happens to prove MeDuZa's point!:) Even though I got no response to a TCP/IP probe, at least SOME of the ICMP probes clearly come back Destination Host Unreachable. But not all...

Therefore, perhaps with extensive probing one could figure out with some partial degree of certainty that the computer has a firewall. BUT... given the eratic response of the ICMP packets, this seems a little challenging and makes it difficult to be absolutely certain....
[text was edited by author 2003-08-08 10:39:29]
to forum · permalink · · 2003-08-08 10:35:32 · Reply to this
Forums » Up and Running » Security » SecurityGWF's, useless logs, and abuse desks. »
« ZoneAlarm TrueVector Device Driver  

Tuesday, 24-Nov 21:25:03 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [100] New AT&T Ad Campaign Hits Back At Verizon
· [85] New Bill Takes Aim At Higher Verizon ETFs
· [74] Apple Joins AT&T Verizon Snark Fest
· [39] In-Flight Internet Headed For Bumpy Landing?
· [32] Senators Want ACTA Made Public
· [30] Earthlink Suffers From Major E-mail Outage
· [30] AT&T Offers New Prepaid Wireless plans
· [28] Frontier Increases Modem Rental Fee
· [16] Vivendi In Way Of Comcast's NBC Desires
· [15] Charter Still Fighting With Creditors
Most people now reading
· [Rant] Damn Sermons through my speakers! [Rants, Raves, and Praise]
· Windows 7 boot manager editing questions [Microsoft Help]
· Mysterious $800 Cash Deposit? [General Questions]
· RG Firmware update to VDSL2 this morning [AT&T U-verse]
· 3.x Feral Druid - Bear Tanking Guide [World of Warcraft]
· Climate Change Scandal Erupts After Email Hack. [Security]
· 1333mW AP?! Everything we know says it shouldnt exist.... [Wireless Service Providers]
· "ISP owners could face jail under child porn bill" - CBC [Canadian Broadband]
· Connecting to Google Voice Via SIP [VOIP Tech Chat]
· christmas music already, Christ! [Rants, Raves, and Praise]