Daniel
MVM
join:2000-06-26
San Francisco, CA

Stealthed vs. Closed - The Battle Continues

This debate has been raging uncontrollably both here and elsewhere since Steve Gibson launched his GRC site a few years back. Currently the discussion is going on in another thread as well, so I thought I'd give the subject its own thread and state my opinion on the matter.

Let's start with an informal definition. "Stealthing" yourself, in network security, is nothing more than not responding to stimuli. This is also called by some programs "filtering" the traffic that was destined for you.

The argument, for those who don't already know, is that setting up your border device (firewall or router) to not respond to ICMP or connection attempts to your ports will give you added security. The idea is that if you don't send them a response at all, they won't know you are there and they will move on.

The problem with this is simple -- it is not possible to attack closed ports, and as a result it is unnecessary to hide them from scanners. This simple piece of information is the key to defending vs. mass-scanners - don't. They can't hurt you. And as far as directed attacks go, do you think that having your ports stealthed vs. closed is going to discourage a talented and determined attacker? Do you honestly think that they are going to say to themselves, "Well damn, the guy stealthed his ports...if he had only left them closed I would have torn him up..."

...a couple scenarios...

Look, let's say that I am a home user not running any services, and I want to keep my home network safe. I choose to "stealth" all my ports. Any scan trying to scan or ping my IP gets absolutely no response. Fair enough. Any automated scripts that do pings and/or scans on the network will not get anything back from you.

Now consider that I am the same user, but I decide to not drop ICMP or connection attempts. I am still not running any services, and I therefore have no ports passed. What happens when an automated scan comes by and hits my IP address? They get an entire list of closed ports. What possible use is this to the attacker running the script? Are they compiling a list of victims running absolutely no software they can exploit? What good would that do? None. Go onto a USENET hacking group and post some juicy lists of hosts with nothing but closed ports and see what people say.

How about if I am running services? What if I have a web server and an email server running at home, and I have ports 80 and 25 open to the world? Should I stealth my other ports? Why would I? If a scanner comes by looking for innocent victims, it is either looking for one of the services you have open or it isn't -- whether or not your other ports are open is utterly irrelevant. So if it's a scanner that is attempting an IIS exploit then it is going to get the chance since you have the port open, but if you had it closed then there would be no such attempt. The important thing here is that closed and stealthed offer the same security, i.e., NOT OPEN. Open or not open is all that matters when it comes to TCP/IP. If you have no open services, nothing can be done to you over those services -- period.

Anyone still in doubt needs only to fire up the most popular port scanner in the world -- Nmap. Scan a host that has some ports open, some ports closed, and some ports "stealthed" (nmap calls them filtered). Now, which show up in the results? Two types show up -- take a guess which two.

Open and Filtered.

Why? Because closed ports are the least interesting of the three types; the author of Nmap didn't even think them important enough to mention in scan output. That should tell you something.


Think about that, and then think about the fact that dropping certain traffic rather than answering like you are supposed to is actually in some cases bad for the Internet. So, pass it on -- not only does stealth not afford you additional security, it's also morally repugnant to boot. Just say no to stealth.

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to Daniel

Re: Stealthed vs. Closed - The Battle Continues

Stealth... absolutely useless in the real world. But if it makes you feel better, great...

My two cents, anyhow. Evidently, it's the two cents of the applicable RFCs, though, too...

A closed port's closed. Nobody's getting in. Spending the time spent on getting "stealthed" on making sure nothing unexpected's getting out would, if you ask me, be a far more useful expenditure of that time.

As an aside, you're running your trusty ol' filesharing or ftp or browser app... you're connected to Badboy's P2P or ftp or webserver... you're all stealthed down... now, does Badboy know you're there??? I hope everyone said yes, because he sure does... now, badboy wants to scan you silly. Let him. If you have a good firewall, and everything's closed, well, you can hear 'im knocking, but he can't come in... if he decides to scan and prod and probe all night long, great. Long as he isn't crimping your bandwidth, that isn't hurting you, it's keeping the little ankle biter busy banging himself across the forehead repeatedly with a builder's brick. Either he's a masochist, or he's clueless about ports, or he just does it because it feels so darn good when he quits...

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey to Daniel

THANK YOU THANK YOU THANK YOU!

I've been engaged in this neverending pything match for YEARS now, and am still a regular peanut gallery member in Stevieland even though I blaspheme. Still have a lot of friends there too.

I too concur with "CLOSED" instead of "Not to home" for a reason few may even be aware of - when a port is closed, your end sends an RST (reset) back to say "nah, ah - not here" to the pinger at the other end. When a port is "STEALTHED" then the other end has to keep a connection alive until the TIMEOUT occurs. Wasted bandwidth.

PERFECT example is remote connections on older systems where port 113 is used ... if you STEALTH your port 113 and you have to wait for the server to time out, it can take as long as 30 seconds for that timeout to occur on older mail servers. So as a practical example (where available) you go to fetch your mail. 113 is sent from the mail server. YOUR end does nothing, you don't get your mail for 30 seconds. However if 113 is CLOSED on your end, your end sends an immediate RST and voila! Mail! Granted, most Microsoft style servers don't use 113, but the "secure stuff" still does.

So by "stealthing" you have all these timeouts piling up (side amusement is the kiddies with the port scanners are sitting on a timeout when you're "stealthed" but it also piques their interest as to WHY) ... and in the circles I have to swim in (malware authors so we can leech their trojans BEFORE they release them) they become MORE interested in "stealthed" IPs because "they must have something to hide - an ARP says it IS lit" ...

When they get "closed" then they just move on assuming that what they've found is "grandma running windows" and they MOVE ON. In fact, a lot of the malware tools they use will actually REMOVE you from their scans as "junk" because they get CLOSED instead of STEALTH.

But you can't argue with some people who have all the answers they read somewhere else.

THANK YOU for sticking your neck out.
qrkx
Premium Member
join:2003-04-26
Montreal, QC

qrkx to Daniel

Getting late in la-la-land...and I suspect there's much shoveling to do in the morning (snow...dammit..snow...) but here's my take on this subject.

This thread should not be about Stealth vs. Closed but rather Stealth vs. Common sense.

The role of a fw is to protect against potential TCP/IP stack failures and provide access control to its resources. I may be way out of sync here but fws should at least follow this:
»www.icir.org/vern/papers ··· 01-html/

Just an example of what the role of a fw should be, besides the common acls implementations.

Whether you run Linux or BSD or Windows - security begins with understanding how a network environment behaves, the factors to take into consideration and the proactive/reactive measures that can be applied. Reading RFCs might be boring but should be a prerequisite for anyone serious enough about security.

But - as I said earlier - if stealth keeps people happy - then stealth it is. Santa is also real. So is *insert favorite deity here*.

rgds.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to K McAleavey

said by K McAleavey:
Stevieland
Stevieland? Mom?

Daniel
MVM
join:2000-06-26
San Francisco, CA

said by Steve:
said by K McAleavey:
Stevieland
Stevieland?
He was talking about Gibson. You're the *good* Steve.

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey to Steve

Go to your room.

Nah, I meant GRC ... those of us who have been at it for ages and remember Unca Steve from the days of yore and ST-505 hard drives call GRC "Stevieland" ...

Logan 5
What a long strange trip its been
Premium Member
join:2001-05-25
San Francisco, CA

Logan 5 to Daniel

This has been a fascinating read on Stealth vs Closed vs Common Sense!!

I will admit, that by being 'duped' (for lack of a better word) by the dire predictions of gloom and doom if I was NOT stealthed coming from the grc.com site, (and a few other places on the internet) that I was one of the many who naively thought that being stealthed was the only assurance that I was safe against internet mischief being done against me.

It was educational to read that being stealthed can actually be a BAD thing under certain circumstances, and that certain people do *indeed* take a closer look when they get no reply (stealthed) rather than a boring 'go away, nothing to see here' (closed) response when probing for vulnerable systems.

I have since altered my firewall accordingly after reading and re-reading these threads until I understood the implications of having things the way that they were.

I echo the others: Thanks for treading where few would willingly go and taking the less favorable position.

Sometimes the truth is less favorable than the comfortable misconception....

Ol_OO_ll_Ol
Rock And Roll.
join:2003-11-23
Canada


I'll tell you.

A hungry bear leaps up to eat the goodies from the tree the campers use. It lumbers about sniffing the brownies etc. LOL :D

Now. Just use the same idea with crackers.

Poor bear.

Daniel
MVM
join:2000-06-26
San Francisco, CA

There are still no goodies whether you stealth or not. Closed = not available.

dp
MVM
join:2000-12-08
Greensburg, PA

dp to Daniel

Good thread and nice explanation Daniel. Maybe now the issue of 'Stealth vs Closed' can be put out to pasture.

Bowserman
join:2003-04-15
Australia

Bowserman to Daniel

Thanks for the nice post Daniel, will help a lot of newbies who are confused about the issue.

Regards,
Jade.

Daniel
MVM
join:2000-06-26
San Francisco, CA

Well, we'll see what happens when the stealth crowd gets a hold of the thread. It is interesting that so many are agreeing these days though; it used to be that everyone was into stealth and no one would even entertain the notion that closed was just as secure.

I know this to be true because I was one of the stealth ninja types. My defense is that I touched my first computer that same year, and didn't know any better. Stealth just sounded too cool to not be true.

Tablet
Premium Member
join:2003-01-15
Czech

Tablet to Daniel

In the previous thread you had agreed that with some hardware configuration (i.e. router with firewalling capabilities) a user who is stealth is also invisible to a searching hacker. Isn't this an advantage for some, if only because of privacy issues (for example I don't want others from my ISP to know that my IP address is existent)? Of course this stealth status is gone at the very moment you initiate communication with someone else on the internet; at this time the computer you're communicating with knows you exist.

I just wanted to point out that there is some reason to be stealth, although it may be exaggerated by many users. You are putting it as if people who want to be stealth are all uninformed to put it lightly, some of them are but some of them know why they want to be stealth. Please correct me if anything I said is not true.

Regards
dave
Premium Member
join:2000-05-04
not in ohio

dave to Daniel

It's especially fatuous when considering UDP.

If there is a program operating on UDP port N, then the response from the IP stack (for a datagram addressed to port N) is ... nothing.

If there is no program operating on UDP port N, then the response is ... an ICMP error.

So 'open' and 'stealth' are the same condition. Only 'closed' is different.

(Yes, of course it's possible, perhaps even likely, that you'll get an app-level response from an open port).

bobbyzee
join:2001-02-15

bobbyzee to Daniel

said by Daniel:
I know this to be true because I was one of the stealth ninja types. My defense is that I touched my first computer that same year, and didn't know any better. Stealth just sounded too cool to not be true.
Yeah stealth is cool. Well it used to be when Win 98 was the go and IE 5.0 was the browser. But that was back when we knew nothing about our OS' and the only way we knew we were safe is if we got 100% on grc.com.
These days though dslreports or should I say broadbandreports has matured and people here have learnt that stealth or closed doesn't really matter, as long as you understand what is going on when someone tries to connect to port X of your desktop machine that does nothing but fetch email and get web pages.
Stealth or blocked who cares? Let's learn how TCP/IP affects you and me.

x539
join:2003-08-23
Oklahoma City, OK

x539 to Daniel

My opinion on this is that a case can be made for both DROP ("stealth" if you're Gibson, "filtered" if you're fyodor) and REJECT ("closed").

If you don't have a service listening on a port, no one can connect to it regardless of whether that port is listed as "open", "closed", or "stealthed" in your firewall. In the case of a NAT router, you can "open" all 65535x2 ports in your router, but unless your router has listening services itself no one will be able to connect to any of those ports without you forwarding them to machines in your LAN that have services listening on those ports. When a TCP port comes back as "open" in a port scan, it means that there is a service accepting connections on that port (generally this just means that the host replied to the portscan's SYN packet with a SYN/ACK).

Using DROP rather than REJECT can markedly slow down dumb port scanning tools, so that's one reason some people choose that policy as a default. The one port that really shouldn't be "stealthed" is port 113/tcp, the ident port. Having this port "stealthed" can create delays when connecting to most irc servers, and occasionally web and mail servers.

Most of the "bad" traffic on the internet is the result of worms and viruses that scan and attack completely indiscriminately. To this type of malware, it doesn't make a difference at all whether your port is "closed" or "stealthed". The risk comes from having "open" ports with exploitable services listening on them. If you don't patch your webserver software but allow connections to your webserver from the internet, you can reasonably expect that sooner or later it will get owned.

If someone wants to get to your computers badly enough, they probably will eventually do so, through a zero day exploit, social engineering, physical breakin, whatever. But is your LAN really that interesting? Probably not. Pretty much all the "bad" traffic home users receive is untargeted, and is the result of worms, viruses, and script kiddiez doing broad scans of the internet for a particular Trojan port or such. Assuming your firewall is properly configured, even if you DO have trojaned machines behind it no one will be able to make inbound connections to them. Thus DROP vs REJECT is really splitting hairs; the important thing is that the connection is not allowed.

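To make the three states Daniel, dave and x539 are arguing about concrete, here is an added illustration (not code from any poster in this thread) that models how a scanner classifies TCP and UDP probe replies under a REJECT ("closed") versus DROP ("stealth") policy, how the DROP timeouts stack up, and the ident/113 exemption K McAleavey and x539 mention. The Host class, the 2-second timeout and the listening-port sets are constructed assumptions; nothing is sent on the wire.

```python
"""Model of how a port scanner classifies probe replies under REJECT vs DROP.

Added illustration for this thread, not any poster's code. The host and its
packet filter are simulated in-process; the timeout and port sets are assumed.
"""
from dataclasses import dataclass, field

TIMEOUT_S = 2.0  # assumed time a prober waits for a reply before giving up


@dataclass
class Host:
    """A host behind a packet filter.

    policy is "REJECT" (answer like a closed port: RST / ICMP unreachable) or
    "DROP" (say nothing, i.e. "stealth"). reject_always lists ports that are
    answered normally even under DROP, the usual treatment for 113/tcp ident
    so that mail and IRC servers are not left waiting on a timeout.
    """
    policy: str
    tcp_listen: set = field(default_factory=set)
    udp_listen: set = field(default_factory=set)
    reject_always: set = field(default_factory=set)

    def respond(self, proto, port):
        """Return (reply, seconds the prober spent) for one probe.

        TCP: a listener answers SYN/ACK; a non-listener answers RST unless the
        filter DROPs, in which case the prober sees nothing until it times out.
        UDP: a listener sends nothing at the transport level (an application
        reply is possible but not modelled); a non-listener produces ICMP
        port-unreachable unless DROPped. So UDP "open" and UDP "stealth" look
        the same from outside, which is dave's point above.
        """
        listening = port in (self.tcp_listen if proto == "tcp" else self.udp_listen)
        if listening:
            return ("SYN/ACK", 0.0) if proto == "tcp" else (None, TIMEOUT_S)
        if self.policy == "DROP" and port not in self.reject_always:
            return (None, TIMEOUT_S)
        if proto == "tcp":
            return ("RST", 0.0)
        return ("ICMP port-unreachable", 0.0)


def classify(proto, reply):
    """Map a reply to the states the thread argues about (nmap's wording)."""
    if proto == "tcp":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if reply == "ICMP port-unreachable":
        return "closed"
    return "open|filtered"  # nmap's label for an unanswered UDP probe


def scan(host, proto, ports):
    """Probe each port; return ({port: state}, total seconds the scan took)."""
    states, elapsed = {}, 0.0
    for port in ports:
        reply, secs = host.respond(proto, port)
        states[port] = classify(proto, reply)
        elapsed += secs
    return states, elapsed


def interesting(states):
    """What a scanner reports by default: everything except boring closed ports."""
    return {p: s for p, s in states.items() if s != "closed"}


if __name__ == "__main__":
    ports = [22, 25, 80, 113, 135]
    closed = Host("REJECT", tcp_listen={25, 80})
    stealth = Host("DROP", tcp_listen={25, 80}, reject_always={113})
    for name, host in (("REJECT", closed), ("DROP", stealth)):
        states, secs = scan(host, "tcp", ports)
        print(name, interesting(states), f"scan took {secs:.0f}s")
```

The open ports, and therefore the attack surface, are identical under both policies; DROP only changes what the non-listening ports look like and how long the prober waits on them.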
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

Here's my take on closed vs. stealthed. I've run with all ports stealthed for years. Maybe there's little difference between "closed" and "stealth" in terms of overall security, sure, a kiddie or worm can't get in through either type of port, but, I tend to disagree with the "stealthed = more interesting" to a script kiddie. Why? If you scan an IP that isn't in use, or belongs to a system that's not online, or shut down, what will you get? All ports not responding, or stealth. Having ports closed instead of stealth tells a kiddie that that IP is active. Meaning that, even if all ports are closed today, one may be open tomorrow. On the other hand, having some ports stealth and some closed or open might give the impression of "hiding" something from a hacker. Stealth as a security measure works if all ports are stealthed. And btw, I've never had any problems with stealthing the ident/113 port, but then I don't use IRC.

Stealth rather than closed can help slow the spread of certain worms, as well. At least those that spread via TCP protocols, such as CodeRed, Nimda, Blaster, and Welchia (blocking pings helps cut Welchia traffic btw) when they hit an IP with a stealthed or non-responding port, they have to time out before moving on. Hitting a closed port gets an immediate response and the worm can hit its next target(s) that much faster.

So, in short, if you stealth all ports as well as ICMP, you'll appear to be an inactive IP to hackers and script kiddies, and it does help slow down their scanning (as well as scans by worms).

BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus to Daniel

This is a useful, and intelligent thread. I see there are even a few people who had to be moderated.

Hopefully more people will read this to realize that stealth is not what Steve Gibson made it out to be, and it's quite unfortunate that most software firewalls only work on 'stealth' techniques; even some hardware firewalls do it now.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to kpatz

said by kpatz:
So, in short, if you stealth all ports as well as ICMP, you'll appear to be an inactive IP to hackers and script kiddies, and it does help slow down their scanning (as well as scans by worms).
... but if they have reason to believe you're really online (by the same mechanism that they got your IP address in the first place), you won't fool them long.

kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

said by Steve:
... but if they have reason to believe you're really online (by the same mechanism that they got your IP address in the first place), you won't fool them long.
Well, unless you're specifically targeted by a hacker, chances are they didn't get your IP via any mechanism at all, they just scan entire IP ranges. They'll see stealthed IPs and most likely assume they're offline or inactive. What "mechanism" are you referring to anyway? ARP? ARP is only useful to a hacker if they're on the same subnet as you, isn't it?

KJP

Steve
I know your IP address

join:2001-03-10
Tustin, CA

said by kpatz:
Well, unless you're specifically targeted by a hacker, chances are they didn't get your IP via any mechanism at all, they just scan entire IP ranges. They'll see stealthed IPs and most likely assume they're offline or inactive.
If you're not being targeted specifically, then the bad guys aren't really going to spend any time on you, so they won't care. I write scanner tools now and then, and not one of them does a ping first: they're either open to the thing I look for, or not.
said by kpatz:
What "mechanism" are you referring to anyway?
I think IRC and some game servers can reveal your IP, as does some forum software (though not here). Headers in an email will do it too. If you're targeted specifically, they found your IP *somehow*.

kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

said by Steve:
I think IRC and some game servers can reveal your IP, as does some forum software (though not here). Headers in an email will do it too. If you're targeted specifically, they found your IP *somehow*.

That's true. Of course, if you're on IRC at the time a hacker targets you, they can assume you're online. But if they get your IP from an email or newsgroup posting, and scan you, and find that you're stealth, how are they to know whether you're online in stealth, or you went offline/shut down your PC after sending the email?

Probably for the majority of threats (random skiddie scans and worms), it makes little difference whether you're closed or stealthed. If somehow I were to be targeted though, I would prefer to be stealth than closed for a couple reasons. One is, it'll be a bit harder to DoS me if my box isn't flooding my upstream with RST packets. Also, when one is online 24/7 stealth is beneficial since if you're closed you will in essence be "advertising" the fact that you're online 24/7 (and probably have a high-speed connection to boot, not that they can't figure that out from your IP info), making your IP a more attractive target than one that is all stealth, where they can't determine if you're online 24/7 or 1 hour a day.

How's this for a way of fooling hackers/skiddies: have things set up so when you're online 24/7, your ports will be "closed" during certain times of the day and "stealth" the rest of the time. If a hacker is profiling you to determine when you're online, they'll be fooled into thinking you're only online during the times your ports read "closed". It's a little like setting a light on a timer when you're away.

KJP

hpguru
Curb Your Dogma
Premium Member
join:2002-04-12

said by kpatz:

...But if they get your IP from an email or newsgroup posting, and scan you, and find that you're stealth, how are they to know whether you're online in stealth, or you went offline/shut down your PC after sending the email?
You are assuming a stealthed system looks identical to a "non-existent" system. It isn't. If you are stealthed the scanner will know you are there because there is a route to your non-responding computer. On the other hand there is no route to a system that isn't on the network. See the difference?

kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

said by hpguru:
You are assuming a stealthed system looks identical to a "non-existent" system. It isn't. If you are stealthed the scanner will know you are there because there is a route to your non-responding computer. On the other hand there is no route to a system that isn't on the network. See the difference?
In what way? Let's say you traceroute three IPs in the same subnet, but a different subnet than yours. One of these IPs is inactive (never been used), another was active but the box assigned to that IP was just shut down, and the third is active but stealthed (no ICMP responses, etc.). Will the results of the traceroutes be different? Do routers respond differently if there is no ARP entry for an IP?

BTW, most script kiddies aren't going to trace individual IPs to see if they are routable or not. They just scan entire ranges for this week's most popular exploitable port.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to Daniel

Oh, No!! Not Again!

Well, Daniel, you've done it now!

And just when I thought it was safe to come in from the cold, . . .

I mean, can't we talk about something that might go somewhere, you know . . . like the fact that Santa Claus has now pilfered stealth technology from the USAF and NORAD can't tell us anymore if he's on the way or is going to be a no-show? (And if he is on the way, but we just can't see him, how do we know that them thar terroristas haven't simply kidnapped Mrs. Claus and have put their own bunch of goodies into the sleigh? I mean, think about this, people!

And, don't ya love all those 'stealthed' sites that propagate worms and Trojans? Why, you can't tell if they're real and stealthed or whether they're spoofing IP addresses! Oops, I forgot! We can do automated tracebacks, can't we? (Of course, that sort of defeats the whole purpose of stealthing our boxes, doesn't it?)

I think I'll just pop another can of 'worm soup' into the microwave (Do I need to open it first and put it in a microwave-safe bowl? Gee, I dunno. Oh, well, let's just see what happens if I put the can in the microwave, . . . . . . .

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to Daniel

Like car thieves and burglars

Seems the overwhelming majority of these port scanning events are either a result of malware propagated through Email, worms or automated scans of blocks of addresses.

As such, their activity is analogous to the guys who walk down the street checking for unlocked cars, windows down, trunk lids not latched and so on. They do a quick check for an easy opportunity and don't hang around.

If you're the typical internet user with nothing to call attention to your system, that's all you'll see - the auto scanners and worms du jour. Whether they encounter "closed" or "stealthed" ports, those scanners just go on to the next target, looking for an easier mark.

Now back to the car thing. If you have that collector Pierce Arrow or Duesenberg and people know about it, your security will need to be more than locking the doors and rolling up the windows. Same goes if you drive your Mercedes 500SEL - or your Chevy Geo - to Hell's Kitchen and leave it unattended. Expect a targeted attack that will use more sophisticated and aggressive methods. With the Doozy, expect them to find your garage.

Same with a system that is higher visibility, sensitive information, controversial owner or somebody that likes to frequent sites and download that software of questionable or unknown reputation. Physical as well as logical security is in order.

So closed vs stealth ports and PING responses or not depends on your needs. Maybe, if you feel a need for higher levels of IDS and security, you'll have a honeypot and want to see who is hanging around your door. In that case you'd let the system respond to PING, port scans and so on. Otherwise you may want to simply not respond to either. Both are valid methods.

If you have a basic system and don't need to respond and it's easy to turn off all responses, there's no reason not to do it. If you can't turn off PING, port responses etc. because you need to VPN, allow selective access or provide some sort of service, then other methods or products are in order.

Bottom line, one size doesn't fit all. Before you implement more than basic levels of security, determine your potential exposure, functional requirements, technical skill level and budget. Then develop, implement and periodically review and update your plan.

HTH

EG