R2 (MVM, joined 2000-09-18, Long Beach, CA)
Reply to catahoula7, Re: Closed vs. Filtered
said by catahoula7 : So the "closed" state would be the most idea(l) then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.
It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.
It depends on how you look at it...
I believe the term "stealth" was coined, or at least put into THIS general use, by GRC. Previously, the term "stealth" referred to the TYPE of port scan being done. Regardless, at this point in time we have to accept that many people are going to use the term "stealth" to mean "filtered" -- which simply means the packet was "dropped". This means the receiving computer sends NO acknowledgement back to the requesting computer.
If someone is probing your ports and every single probe is not returned, then your computer is relatively "invisible" -- meaning that the prober does not know for sure if your computer is on the Internet or not. You could simply have your computer turned off or unplugged -- the prober cannot easily tell. You cannot assume with 100% certainty that a "stealth" response (i.e., no response) means the user has a firewall.
______________________________
An "ICMP-Host Unreachable" packet is not generated when a firewall "drops" or "filters" a packet -- as stated above.
However, when I tried to probe non-existent IP addresses (e.g., 123.123.123.123 or 111.111.111.111) with 4 TCP/IP SYN packets, I also got NO RESPONSE -- the requests "timed out". I did NOT get back any ICMP-Host Unreachable packets -- I don't know why. I just know that when I probed port 80 on those addresses with 4 TCP/IP SYN packets, I got no response at all.
If I probe port 80 at DSLR, I get an OPEN response (open = SYN/ACK) -- see above. If I probe port 81 at DSLR, I get a CLOSED response (ACK/RST). If I probe port 1234 at DSLR, I get back nothing -- a "filtered" or "stealth" response -- if you will. I get the same response (NONE) when I probe port 1234 here that I do when I probe any port at the non-existent sites.
That being said, I then tried a simple ping of those addresses, and I found this:
    Pinging 123.123.123.123 with 32 bytes of data:

    Request timed out.
    Reply from 65.112.160.53: Destination host unreachable.
    Request timed out.
    Reply from 65.112.160.53: Destination host unreachable.

    Ping statistics for 123.123.123.123:
        Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    C:\WINDOWS\Desktop>ping 111.111.111.111

    Pinging 111.111.111.111 with 32 bytes of data:

    Request timed out.
    Reply from 65.123.254.57: Destination host unreachable.
    Request timed out.
    Request timed out.

    Ping statistics for 111.111.111.111:
        Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
Which -- I believe -- just so happens to prove MeDuZa's point!:) Even though I got no response to a TCP/IP probe, at least SOME of the ICMP probes clearly come back Destination Host Unreachable. But not all...
Therefore, perhaps with extensive probing one could figure out with some partial degree of certainty that the computer has a firewall. BUT... given the erratic response of the ICMP packets, this seems a little challenging and makes it difficult to be absolutely certain.... [text was edited by author 2003-08-08 10:39:29]
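The reasoning in the post above (SYN/ACK = open, RST = closed, silence = "filtered"/"stealth", and a router's "Destination host unreachable" telling you something the target's silence does not) can be turned into a small analysis script. The following is an added example, not code from the post or from DSLReports; the ping transcript embedded in it is constructed to mirror the one in the post, and the probe-state names and the `assess` verdict strings are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: Windows-style ping output shaped like the transcript in the post.
PING_OUTPUT = """\
Pinging 123.123.123.123 with 32 bytes of data:

Request timed out.
Reply from 65.112.160.53: Destination host unreachable.
Request timed out.
Reply from 65.112.160.53: Destination host unreachable.

Ping statistics for 123.123.123.123:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
"""


@dataclass
class PingSummary:
    target: str
    sent: int = 0
    timeouts: int = 0
    echo_replies: int = 0                      # replies that came from the target itself
    unreachable_from: List[str] = field(default_factory=list)  # routers reporting unreachable


def parse_ping(text: str) -> PingSummary:
    """Parse Windows ping output, separating target replies from router-originated errors."""
    target = re.search(r"Pinging (\S+) with", text).group(1)
    s = PingSummary(target=target)
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Request timed out.":
            s.timeouts += 1
        elif m := re.match(r"Reply from (\S+): Destination host unreachable\.", line):
            # The sender of this ICMP error is a router on the path, not the probed host.
            s.unreachable_from.append(m.group(1))
        elif (m := re.match(r"Reply from (\S+): bytes=", line)) and m.group(1) == target:
            s.echo_replies += 1
        elif m := re.search(r"Sent = (\d+)", line):
            s.sent = int(m.group(1))
    return s


def tcp_probe_state(flags: Optional[frozenset]) -> str:
    """Map the answer to one TCP SYN probe onto the three states discussed in the post."""
    if flags is None:
        return "filtered"          # nothing came back: "stealth" in GRC's usage
    if {"SYN", "ACK"} <= flags:
        return "open"              # SYN/ACK: a service accepted the handshake
    if "RST" in flags:
        return "closed"            # RST (usually RST/ACK): host is up, no listener
    return "unknown"


def assess(summary: PingSummary, tcp_states: List[str]) -> str:
    """Combine TCP and ICMP observations into the verdict the post argues for."""
    if summary.echo_replies or any(st in ("open", "closed") for st in tcp_states):
        return "host up: at least one probe was answered by the target itself"
    if summary.unreachable_from:
        routers = ", ".join(sorted(set(summary.unreachable_from)))
        return (f"no answer from the target; 'host unreachable' came from {routers} "
                f"(a router, not the target), which suggests no host at that address")
    return "inconclusive: silence alone does not distinguish a dropping firewall from an absent host"


if __name__ == "__main__":
    summary = parse_ping(PING_OUTPUT)
    print(summary)
    print(assess(summary, [tcp_probe_state(None)] * 4))
```

Running it on the constructed transcript reports two timeouts and two unreachable notices from 65.112.160.53, and `assess` points out that the error replies came from a router rather than the probed address, which is exactly the distinction the post draws between "stealth" silence and a genuinely absent host.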