skj (Premium, Mod; joined 2002-04-04; Gone South)
BEFSX41 Stealth & Closed Ports and AFP
This has been discussed before, but I was never clear on the reason why the Advanced Firewall Protection enabled on the BEFSX41 router reveals closed ports on the Gibson Nano Probe test (https://grc.com/x/ne.dll?bh0bkyd2) on one test but not another. As you can see, testing all the ports at once results in 53 closed ports. If you test just the closed ports, however, they are stealthed. Why the difference? Are the ports closed or stealthed?
GRC Port Authority Report created on UTC: 2003-08-28 at 20:14:06
Results from scan of ports: 0-1055
0 Ports Open
53 Ports Closed
1003 Ports Stealth
---------------------
1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be CLOSED were: 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1051, 1052, 1053, 1054, 1055
Testing only those ports originally reported closed in the GRC Test.
GRC Port Authority Report created on UTC: 2003-08-28 at 23:07:20
Results from scan of ports: 1002-1055
0 Ports Open
0 Ports Closed
54 Ports Stealth
---------------------
54 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH, - NO unsolicited packets were received, - NO Ping reply (ICMP Echo) was received.
buggy device (joined 2003-08-27; Philippines)
It is actually better if the port is stealth, because there'll be no sign of intrusion that will happen. Hackers using port-based software will detect the IP address as nonexistent if they probe your address using a particular port. If the hacker detected that this IP address is closed on a particular port, then he'll find another way of running into your system by using a different port.
skj (Premium, Mod; joined 2002-04-04; Gone South)
said by buggy device: It is actually better if the port is stealth, because there'll be no sign of intrusion that will happen. Hackers using port-based software will detect the IP address as nonexistent if they probe your address using a particular port. If the hacker detected that this IP address is closed on a particular port, then he'll find another way of running into your system by using a different port.
I understand that. That is not the issue here. My question had to do with why the test indicated some ports are closed when ports 0-1055 are scanned, and why, when just ports 1002-1055 are scanned, these ports which were originally identified as closed are now identified as stealthed.
SYNACK (Premium, Mod; joined 2001-03-05; Venice, CA)
Reply to buggy device: If you read the question again, it wasn't about which is better (closed or stealth), but why the results vary between tests.
You might want to sniff the WAN traffic to see the actual packets; there's no other way to decide how GRC comes to the posted conclusions.
buggy device (joined 2003-08-27; Philippines)
Better to converse with GRC about the way they test the ports. BTW, have you tried running the test again without the router?
CrazyM (Premium; joined 2001-05-16; BC, Canada)
Reply to skj: It's a bug in the advanced firewall protection when subjected to scans that exceed 1000 ports.
If you check your firewall log you will likely see an entry similar to: "Ceiling for number of connections reached dropping packet."
One of the previous posts on this: [wired] BEFSX41 and Extensive Port Scan
Regards,
CrazyM
skj (Premium, Mod; joined 2002-04-04; Gone South)
said by buggy device: Better to converse with GRC about the way they test the ports. BTW, have you tried running the test again without the router?
Running it without the router, using just the ZoneAlarm firewall, will reveal the ports are totally stealthed.
skj (Premium, Mod; joined 2002-04-04; Gone South)
said by CrazyM: It's a bug in the advanced firewall protection when subjected to scans that exceed 1000 ports. If you check your firewall log you will likely see an entry similar to: "Ceiling for number of connections reached dropping packet." One of the previous posts on this: [wired] BEFSX41 and Extensive Port Scan
So are we to assume that when subjected to scans of over 1000 ports it removes the port stealthing?
buggy device (joined 2003-08-27; Philippines)
Reply to skj: Hopefully, Linksys is already aware of this issue and has released a firmware to fix it.
CrazyM (Premium; joined 2001-05-16; BC, Canada)
said by skj: So are we to assume that when subjected to scans of over 1000 ports it removes the port stealthing?
At the time of that linked post the results seemed consistent. Under intense scan from a single source, when the number of inbound ports scanned reached 1000, the router/firewall would start providing a closed response instead of stealth (no response).
I do not believe this issue has been resolved yet.
Regards,
CrazyM
skj (Premium, Mod; joined 2002-04-04; Gone South)
I know it has been raised as an issue for some time. I have not heard whether the newest firmware version addresses this issue.
buggy device (joined 2003-08-27; Philippines)
Linksys engineers should know for a fact that ignoring this concern will just create an enormous problem, and not a single individual is looking for a way to resolve it. Try to forward this to Linksys, skj, and see what workaround they can provide you with...
SYNACK (Premium, Mod; joined 2001-03-05; Venice, CA)
said by CrazyM: At the time of that linked post the results seemed consistent. Under intense scan from a single source, when the number of inbound ports scanned reached 1000, the router/firewall would start providing a closed response instead of stealth (no response).
This is actually not a bad stance and can avoid other problems.
For example, if your computer crashes while gaming, or you get an IP that was just used by a file-share client, you'll get tons of probes and they won't end, because the other side is never notified that the service no longer exists. A closed response will provide that notification (this is especially important for stateless protocols such as UDP).
Overall, closed vs. stealth is not really a security issue; both are equally secure. Even a closed port is completely safe.
Sometimes "stealth at any cost" indirectly causes too many other problems. Stealth is mostly hype.
skj (Premium, Mod; joined 2002-04-04; Gone South)
said by SYNACK: (quoting CrazyM: At the time of that linked post the results seemed consistent. Under intense scan from a single source, when the number of inbound ports scanned reached 1000, the router/firewall would start providing a closed response instead of stealth (no response).)
This is actually not a bad stance and can avoid other problems.
For example, if your computer crashes while gaming, or you get an IP that was just used by a file-share client, you'll get tons of probes and they won't end, because the other side is never notified that the service no longer exists. A closed response will provide that notification (this is especially important for stateless protocols such as UDP).
Overall, closed vs. stealth is not really a security issue; both are equally secure. Even a closed port is completely safe.
Sometimes "stealth at any cost" indirectly causes too many other problems. Stealth is mostly hype.
Thanks for the explanation. Maybe that is why Linksys has not "fixed" this issue.
I was also looking to verify the 1000-port scan "limit" with another scanner. I found PCFlank, but scanning that many ports results in the connection to the site being lost. Anybody know of any other scanner out there that can test that many ports at once?
Edit: Got PCFlank to work and was able to duplicate the same result with a 1000+ port scan.
Flogator (Premium, MVM; joined 2003-01-19; Cantley, QC)
Reply to skj: I suppose we should have explained this problem better to the community. Let's just say that Linksys is aware of this. Let's add that firmware 1.44.11t does not fix this problem. And before diving into the specifics of the problem, let's specify that even though this is a conceptual problem, it does not permit a hacker or an intruder to get to your local network. The ONLY side effect of this bug is purely and simply the fact that under some circumstances (that I am describing below), the BEFSX41 will advertise its presence on the internet; that's it, that's all. Note that this problem is not present if you disable the SPI firewall (also known as the advanced firewall), simply because the problem is in the SPI firewall itself.
A good SPI firewall keeps state about established TCP connections. This state allows the firewall to discard any packet that does not match a precise set of conditions, much better than a regular NAT firewall would do. A good SPI firewall keeps such state when a given TCP connection is fully connected (meaning the initial 3-way handshake is completed). The problem with the BEFSX41 SPI firewall implementation is that it starts maintaining state on TCP connections even if the 3-way handshake is not completed. If you get a DoS attack using a TCP SYN flood on different ports in a very short amount of time, you will exhaust the BEFSX41 SPI TCP connection state table. So far that is not that bad. The problem comes from the fact that when it has exhausted its connection table, the BEFSX41 starts replying with SYN/RST, and that is what the nanoprobe test is complaining about. Replying with SYN/RST is a standard response when not behind a firewall, BUT THAT IS NOT THE DESIRED BEHAVIOR FOR A GOOD SPI FIREWALL.
The BEFSX41 SPI bug is about replying with SYN/RST packets, thus revealing the IP address's existence to the internet. That is what Linksys has to fix in their next firmware version.
Again, as I said before, this bug does not open holes for a hacker or intruder but rather advertises its presence on the internet with those SYN/RST.
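The behaviour Flogator describes above (a state-table entry allocated on the bare SYN, then RST replies once the table is full) as a small Python model; this is an added illustration written for this thread, not Linksys firmware or anything posted by the participants, and the 1000-entry ceiling, the scanner address and the port ranges are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed values: the real BEFSX41 table size is not stated in the thread,
# and 198.51.100.7 is a documentation (TEST-NET-2) address.
ASSUMED_TABLE_CEILING = 1000
SCANNER = "198.51.100.7"

@dataclass
class SpiFirewall:
    ceiling: int                 # max tracked TCP connections (assumed)
    state_on_syn: bool           # True = entry created on a bare SYN (the bug)
    half_open: set = field(default_factory=set)

    def table_full(self) -> bool:
        return len(self.half_open) >= self.ceiling

    def on_unsolicited_syn(self, src: str, dport: int) -> str:
        """Response to an inbound SYN for a port with no listener or forward.
        'drop' = stealth (no reply); 'rst' = closed (a SYN/RST reaches the scanner)."""
        if not self.state_on_syn:
            # Correct SPI behaviour: no state until the 3-way handshake
            # completes, so a SYN flood on closed ports never fills the table.
            return "drop"
        if self.table_full():
            # Table exhausted ("Ceiling for number of connections reached" in the
            # router log): the buggy firmware answers with RST instead of silence.
            return "rst"
        self.half_open.add((src, dport))
        return "drop"

def scan(fw: SpiFirewall, src: str, ports) -> dict:
    """Single-source scan; label each port the way the GRC report does."""
    return {p: ("closed" if fw.on_unsolicited_syn(src, p) == "rst" else "stealth")
            for p in ports}

def summarize(results: dict) -> dict:
    closed = sorted(p for p, r in results.items() if r == "closed")
    return {"tested": len(results), "closed": len(closed),
            "stealth": len(results) - len(closed), "closed_ports": closed}

if __name__ == "__main__":
    buggy = SpiFirewall(ASSUMED_TABLE_CEILING, state_on_syn=True)
    print("buggy, 0-1055:", summarize(scan(buggy, SCANNER, range(1056))))
    # A fresh, smaller scan of only the "closed" ports never reaches the
    # ceiling, which is why the thread's second GRC run showed them all stealth.
    rescan = SpiFirewall(ASSUMED_TABLE_CEILING, state_on_syn=True)
    print("buggy, 1000-1055:", summarize(scan(rescan, SCANNER, range(1000, 1056))))
    fixed = SpiFirewall(ASSUMED_TABLE_CEILING, state_on_syn=False)
    print("fixed, 0-1055:", summarize(scan(fixed, SCANNER, range(1056))))
```

With the assumed ceiling, the full 0-1055 sweep reports every port after the 1000th as closed, the rescan of only those ports reports all stealth, and the handshake-gated model stays stealth throughout.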
skj (Premium, Mod; joined 2002-04-04; Gone South)
Thank you, Flogator, for your detailed explanation, which explains the issue very clearly.
rboone18 (joined 2001-12-19; Indianapolis, IN)
My two cents is, if I had known of this fault I would never have bought it, because this is fucking crap. If I wanted to be seen, then I wouldn't have picked the option to not be pinged. I picked an advanced firewall for security, and them knowing I am still connected doesn't show much of a security measure. I think Linksys, or Cisco since they are connected, should get off their ass and fix it. Advanced firewall doesn't look so advanced if you are seen, when the previous standard BEFSR41 v2 never showed me up in stealth as far as I know. So someone needs to push the paper on this issue and fix it. This is a big disappointment to me on Linksys products; if they can't get the job done and fix this issue then they shouldn't be in business. Advanced firewall my ass if it can't keep me stealth completely.
-illusion
PS. My comments; I am sure most will be close to my view, just not as pissed off as me.
Flogator (Premium, MVM; joined 2003-01-19; Cantley, QC)
rboone18, if you are patient, in the meantime you could disable the advanced firewall until the next firmware version (assuming this will be fixed then). Disabling the advanced firewall will make your BEFSX41 act like a BEFSR41. Otherwise, I may recommend you some other brand of router with very similar features but slightly more expensive.
skj (Premium, Mod; joined 2002-04-04; Gone South)
said by Flogator: rboone18, if you are patient, in the meantime you could disable the advanced firewall until the next firmware version (assuming this will be fixed then). Disabling the advanced firewall will make your BEFSX41 act like a BEFSR41. Otherwise, I may recommend you some other brand of router with very similar features but slightly more expensive.
The question also becomes: are you still better off (more secure) with the "advanced" firewall enabled?
Flogator (Premium, MVM; joined 2003-01-19; Cantley, QC)
Reply to skj: Just for your information, despite the fact that this bug is present in the SPI firewall, I still have the advanced firewall enabled on both of my routers. Remember that you need to be flooded with TCP SYN packets for this problem to exhibit itself. Furthermore, I prefer to have the SPI firewall enabled than otherwise.