port 80 is open
June 16, 2004 12:42:17 AM

Archived from groups: comp.security.firewalls (More info?)

To Whom It May Concern:

I am using NIS 2004.

When I did a Security Check of my computer, I have learned that Port 80 is
OPEN. Please let me know how to change the status from OPEN to STEALTH.

Thank you in advance for your help.

Sincerely,

Peter

Anonymous
June 16, 2004 5:13:22 PM

Wolfgang Kueter wrote:
: Peter wrote:
:
: 'Stealth' is technical nonsense and a sign of a misconfiguration due
: to a lack of knowledge regarding TCP/IP protocols.
:
: Wolfgang

How so? Closed is when the port is closed and computers online can see you
but they can't enter that port. Stealth is when they can't see you and your
computer firewall drops the packets, and because there is no response it's
like your computer is not there. This is a big deal. If you have a port
closed, then that gives the bad guy the information he needs to carry on
port scanning in hopes of finding a port open. If it's stealthed he/she
sees nothing, and moves on to the next victim. So why is stealth technical
nonsense?
Anonymous
June 16, 2004 7:41:47 PM

"GhostMaster" <Mung@invalid.duh> wrote in message
news:SHXzc.1314$bs4.1194@newsread3.news.atl.earthlink.net...
> Wolfgang Kueter wrote:
> : Peter wrote:
> :
> : 'Stealth' is technical nonsense and a sign of a misconfiguration due
> : to a lack of knowledge regarding TCP/IP protocols.
> :
> : Wolfgang
>
> How so? Closed is when the port is closed and computers online can see
> you but they can't enter that port. Stealth is when they can't see you
> and your computer firewall drops the packets, and because there is no
> response it's like your computer is not there. This is a big deal. If
> you have a port closed, then that gives the bad guy the information he
> needs to carry on port scanning in hopes of finding a port open. If
> it's stealthed he/she sees nothing, and moves on to the next victim. So
> why is stealth technical nonsense?

The upstream router knows that you are connected, and therefore the "bad
guy" knows your PC is there whether your ports are stealthed or not because
he doesn't get the ICMP response from router that would be received if your
PC wasn't connected. Stealthing can sometimes slow down scans, but apart
from that isn't a huge difference to ports just being closed - either way
there's nothing at that port that can be accessed. Stealthing can also cause
problems, eg IDENT requests when connecting to certain services (some FTP
servers, many IRC servers, etc) because the server waits for a response from
the request or times out, so you end up with a delay in creating a
connection.

Dan
Anonymous
June 16, 2004 7:43:59 PM

"Peter" <petyablank@hotmail.com> wrote in message
news:JaJzc.86301$2F.65041@newssvr25.news.prodigy.com...
> I am using NIS 2004.
>
> When I did Security Check of my computer, I have learned that Port 80 is
> OPEN. Please let me know how to change the status from OPEN to STEALTH.

Does that check open a remote web site to check your machine from outside?
If so, and you're connecting via your ISP's web proxy, then the scan is not
being done against your IP, it's the ISP proxy that is being scanned, and if
that has a web server running on port 80 you'll get this response.

Dan
Anonymous
June 16, 2004 8:02:03 PM

GhostMaster wrote:

> Wolfgang Kueter wrote:
> : Peter wrote:
> :
> : 'Stealth' is technical nonsense and a sign of a misconfiguration due
> : to a lack of knowledge regarding TCP/IP protocols.
> :
> : Wolfgang
>
> How so? Closed is when the port is closed and computers online can see
> you

There is nothing wrong with one being seen.

> but they can't enter that port.

Port closed, fine.

> Stealth is when they can't see you and
> your computer firewall drops the packets, and because there is no response
> it's like your computer is not there.

If the machine was not there, the router in front of it will - according
to RfC (!) - send an ICMP host unreachable message. So by dropping the packets
an attacker knows that your box *is* there because no ICMP message is sent.

> This is a big deal.

Well, if you really believe in that, you demonstrate just the lack of
knowledge that I mentioned in my posting.

> If you have a port
> closed, then that gives the bad guy the information he needs to carry on
> port scanning in hopes of finding a port open.

Wrong. A closed port remains a closed port. Period.

> If it's stealthed he/she
> sees nothing, and moves on to the next victim.

The 'attacker' knows not only that the 'victim' is there but also that the
victim has little knowledge about real security due to the fact that he is
running some kind of suspicious firewall simulation.

> So why is stealth technical nonsense?

Because it has no effect and violates RFC's.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 16, 2004 8:02:04 PM

Wolfgang Kueter wrote:
: GhostMaster wrote:
:
:: Wolfgang Kueter wrote:
::: Peter wrote:
:::
::: 'Stealth' is technical nonsense and a sign of a misconfiguration
::: due to a lack of knowledge regarding TCP/IP protocols.
:::
::: Wolfgang
::
:: How so? Closed is when the port is closed and computers online can
:: see you
:
: There is nothing wrong with one being seen.
:
:: but they can't enter that port.
:
: Port closed, fine.
:
:: Stealth is when they can't see you and
:: your computer firewall drops the packets, and because there is no
:: response it's like your computer is not there.
:
: If the machine was not there, the router in front of it will -
: according to RfC (!) - send an ICMP host unreachable message. So by
: dropping the packets an attacker knows that your box *is* there
: because no ICMP message is sent.
:
:: This is a big deal.
:
: Well, if you really believe in that, you demonstrate just the lack of
: knowledge that I mentioned in my posting.
:
:: If you have a port
:: closed, then that gives the bad guy the information he needs to
:: carry on port scanning in hopes of finding a port open.
:
: Wrong. A closed port remains a closed port. Period.
:
:: If it's stealthed he/she
:: sees nothing, and moves on to the next victim.
:
: The 'attacker' knows not only that the 'victim' is there but also
: that the victim has little knowledge about real security due to the
: fact that he is running some kind of suspicious firewall simulation.
:
:: So why is stealth technical nonsense?
:
: Because it has no effect and violates RFC's.
:
: Wolfgang

So are we talking router here or a software firewall? Both? If so then
why tell people to get ZoneAlarm?
ZoneAlarm has been bragging for years about stealth mode.
Anonymous
June 16, 2004 11:05:33 PM

GhostMaster wrote:

> personally if ZoneAlarm didn't work it wouldn't be so damn popular.

Popularity has nothing to do with the technical standards of network
communication/protocols defined in the RfC's.

> Second of all... if it didn't work as well as it did, the damn internet
> would be a damn mess right now.

The net *is* a mess, and the misinformation concerning security spread by
ZA and other vendors of personal firewalls is part of the mess.

> I don't think half of the people online
> would be online if they wondered what script kiddies today was going to
> hit their box. How the hell can I give good info if I am not getting good
> info?

You believe the output of a standard-violating tool like Zonealarm to
be good information? I don't. I believe that information to be what it is,
a marketing trick.

> .... goes back to the web to search for MORE Security sites to read on
> this.

Read the documents that define network communication.
Attention: These are technical documents and you might need some deeper
knowledge to understand them.

> All I have seen is firewall, use a firewall.

Zonealarm is *not* a firewall and similar tools are no firewalls either.
These are firewall placebos.

> BTW not all routers are made the same either.

Irrelevant, they have to implement the standards. Besides that you can bet
that any upstream router which is controlled by any ISP is functioning
properly and according to the standards defined in RfC's, which means that
the particular router *will* definitely send an ICMP host unreachable
message, if a host/network behind it is unreachable. And please have in
mind that I'm talking about routers used by ISP's, which usually means
devices that might cost several times more than your yearly income.

So may I kindly ask you to get some basic knowledge about network
communication and protocols before you continue to try to discuss those
topics with me!?

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 16, 2004 11:10:08 PM

Daniel Crichton wrote:

> Does that check open a remote web site to check your machine from outside?
> If so, and you're connecting via your ISPs web proxy, then the scan is not
> being done against your IP, it's the ISP proxy that is being scanned, and
> if that has a web server running on port 80 you'll get this response.

Even the proxy itself might be running on port 80 and be open to the public.
I'd call that a misconfiguration but I've heard that there happen to be
some misconfigured proxies around. ;-)

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
June 17, 2004 3:01:56 PM

On Wed, 16 Jun 2004 19:05:33 +0200, Wolfgang Kueter <wolfgang@shconnect.de> wrote:

> Irrelevant, they have to implement the standards. Besides that you can bet
> that any upstream router which is controlled by any ISP is functioning
> properly and according to the standards defined in RfC's, which means that
> the particular router *will* definitely send an ICMP host unreachable
> message, if a host/network behind it is unreachable. And plaese have in
> mind that I'm talking about routers used by ISP's, which usually means
> devices that might cost several times more than your yearly income.
>
> Wolfgang

Please help me understand the process. I am new to this business but I am trying to understand the processes involved.

Suppose I have a firewall installed that has been told to drop any traffic not initiated from the LAN side. The firewall drops all packets initiated
from the WAN side and this is confirmed by the firewall log. For all packets dropped by my firewall you say that my ISP's router will send back to
the packet sender an ICMP host unreachable message.

If I contact the ISP host from which the port scans are coming about the port scans and that ISP puts a temporary/permanent block on my IP address
does that ISP send back to the port scanner ICMP host unreachable messages?

I was under the impression that "stealthing" rendered my IP address invisible to the WAN. From what you said above it would seem that all
"stealthing" does is stop the packets reaching the PC on the LAN side of the firewall, which is part of what I want to achieve, but doesn't render my
IP address invisible.

Why are these ICMP host unreachable packets sent back when it would seem that they are counter-productive to good security?

Cheers, John

Use au instead of invalid for emails to me.

---
Anonymous
June 17, 2004 3:01:57 PM

"JC" <jhoppyc@westnet.com.invalid> wrote in message
news:k6q1d0lhl3nknikiq42q5ikb8deuhhog54@4ax.com...
> Please help me understand the process. I am new to this business but I
> am trying to understand the processes involved.
>
> Suppose I have a firewall installed that has been told to drop any traffic
> not initiated from the LAN side. The firewall drops all packets initiated
> from the WAN side and this is confirmed by the firewall log. For all
> packets dropped by my firewall you say that my ISP's router will send back
> to the packet sender an ICMP host unreachable message.

No, the ICMP host unreachable message is sent if the ISP router cannot see
your PC, meaning that you are not connected. If you are connected to the
internet the ISP router does not send the unreachable message. If your PC is
stealthed then the person scanning knows because they *don't* get the ICMP
unreachable message.

> If I contact the ISP host from which the port scans are coming about the
> port scans and that ISP puts a temporary/permanent block on my IP address
> does that ISP send back to the port scanner ICMP host unreachable
> messages?

No. But it's highly unlikely you'll be able to get your ISP to do this,
because it requires time for someone to configure the router to block the
IP. More likely is that your ISP will tell you to run a firewall at your
end, which is pretty much what you are doing.

> I was under the impression that "stealthing" rendered my IP address
> invisible to the WAN. From what you said above it would seem that all
> "stealthing" does is stop the packets reaching the PC on the LAN side of
> the firewall, which is part of what I want to achieve, but doesn't render my
> IP address invisible.

No, stealthing renders it "invisible" to simple automated scripts and people
who don't know what they are doing. If a proper "hacker" really wanted into
your machine, stealthing is a waste of time. It is no more secure than just
non-stealthed. However, the fact that you have a firewall is a start - by its
very nature it blocks incoming connections to software on your PC that
would normally be a good starting place for someone to try and get in. So
long as you don't have any vulnerable services running on your PC that can
be accessed from the WAN side you should have no problems. It's highly
unlikely someone will spend a great amount of time trying to get into your
PC - this time is better spent getting into systems that make the hacker
money or get them some sort of peer recognition, and getting into a home PC
doesn't do either of these.

> Why are these ICMP host unreachable packets sent back when it would seem
> that they are counter-productive to good security?

These ICMP packets are designed to tell systems upstream that something
isn't connected, so therefore it's a waste of time sending data to it. It's
got nothing to do with security, and without it there would be much more
traffic on the internet - normally when a TCP packet is sent the sending
system will attempt it 4 (or sometimes more) times if it doesn't get a
response, however if the ICMP packet is returned notifying the sender that
nothing is at that IP then there's no need to retry.

On the other hand, if the upstream router always sent an ICMP unreachable
response, you'd never make a connection to anything on the internet,
rendering it useless - eg. if you tried to open a web site, the server would
return a TCP packet with the first bit of data, get the ICMP unreachable
packet, and then close the connection as your IP is seen as not connected.

Dan
Anonymous
June 17, 2004 10:17:41 PM

"Daniel Crichton" <news@worldofspack.co.uk> wrote in message news:<40d05c2b$0$11557$afc38c87@news.easynet.co.uk>...
<SNIP>
> The upstream router knows that you are connected, and therefore the "bad
> guy" knows your PC is there whether your ports are stealthed or not because
> he doesn't get the ICMP response from router that would be received if your
> PC wasn't connected. Stealthing can sometimes slow down scans, but apart
> from that isn't a huge difference to ports just being closed - either way
> there's nothing at that port that can be accessed. Stealthing can also cause
> problems, eg IDENT requests when connecting to certain services (some FTP
> servers, many IRC servers, etc) because the server waits for a response from
> the request or times out, so you end up with a delay in creating a
> connection.

I can't believe this false notion still exists.

So, I will say it again. The majority of ISPs *as a matter of
course* explicitly enter "no ip unreachables" on their peering link
configs. All it takes is ONE router in the chain between
source/destination to not pass on ICMP unreachables, for the source to
not receive the message.

The "bad guy" (as you say) won't ever get the ICMP unreachable,
regardless of whether a port is stealthed or not. So, not getting an
ICMP unreachable message is NOT a guarantee that a port has been
stealthed.

SysAdm
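Dan's post of June 16 (7:41 PM) and SysAdm's reply above describe the same probe from two sides: what an address with no host behind it looks like when the last-hop router does report it, and what it looks like when some router on the path has unreachables disabled. The following is an added example, not code from the thread or from any firewall product it mentions; it models both positions so the inference can be checked. `HostState`, `Observation` and the `router_sends_unreachables` flag are the example's own abstractions, and the retransmit count is Dan's "4 (or sometimes more) times".

```python
"""What one TCP SYN probe lets a remote party infer about a host.

Added example; not code from the thread. It encodes the two positions
argued above: Dan's (an address with no host behind it makes the last-hop
router answer with ICMP host unreachable, so silence means a host is there
and dropping packets) and SysAdm's (many ISPs configure "no ip
unreachables", so silence proves nothing). HostState, Observation and the
router-policy flag are this example's own abstractions.
"""
from enum import Enum
from typing import Optional, Set


class HostState(Enum):
    OPEN = "open"        # service listening: the SYN gets a SYN/ACK
    CLOSED = "closed"    # host up, nothing listening: the stack answers RST
    DROP = "drop"        # host up, firewall discards the SYN silently ("stealth")
    ABSENT = "absent"    # no host at that address at all


class Observation(Enum):
    SYN_ACK = "syn/ack"
    RST = "rst"
    UNREACHABLE = "icmp host unreachable"
    SILENCE = "no response"


def probe(state: HostState, router_sends_unreachables: bool) -> Observation:
    """What the probing host sees after sending one SYN."""
    if state is HostState.OPEN:
        return Observation.SYN_ACK
    if state is HostState.CLOSED:
        return Observation.RST
    if state is HostState.DROP:
        return Observation.SILENCE
    # ABSENT: only the last-hop router can report it, and only if its
    # configuration still allows ICMP unreachables to be generated.
    if router_sends_unreachables:
        return Observation.UNREACHABLE
    return Observation.SILENCE


def infer(obs: Observation,
          router_sends_unreachables: Optional[bool] = None) -> Set[HostState]:
    """Every host state consistent with an observation.

    Pass True or False when the upstream router's ICMP policy is known.
    None (the realistic case SysAdm describes) considers both policies.
    """
    if router_sends_unreachables is None:
        policies = [True, False]
    else:
        policies = [router_sends_unreachables]
    return {s for s in HostState for p in policies if probe(s, p) == obs}


def syn_attempts(obs: Observation, max_attempts: int = 4) -> int:
    """SYNs a typical client stack sends before giving up on a connect.

    Any explicit answer (SYN/ACK, RST or ICMP unreachable) ends the attempt
    at once; only silence burns the whole retransmit budget, which is why
    dropping slows a scan while an RST or ICMP error does not.
    """
    return max_attempts if obs is Observation.SILENCE else 1


if __name__ == "__main__":
    for obs in Observation:
        known = sorted(s.value for s in infer(obs, True))
        unknown = sorted(s.value for s in infer(obs))
        print(f"{obs.value:22} router known good: {known}  router unknown: {unknown}")
```

Run stand-alone it prints, per observation, the host states a prober can conclude with and without knowledge of the router policy: with a known-good router, silence narrows to "drop" (Dan's point); with the policy unknown, silence is "drop or absent" (SysAdm's point), while an RST is unambiguous either way. The practical consequence for a firewall owner is that DROP versus REJECT decides how slowly a scan proceeds, not whether the host is discoverable.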
Anonymous
June 18, 2004 6:12:10 AM

SysAdm wrote:
: "Daniel Crichton" <news@worldofspack.co.uk> wrote in message
: news:<40d05c2b$0$11557$afc38c87@news.easynet.co.uk>... <SNIP>
:: The upstream router knows that you are connected, and therefore the
:: "bad guy" knows your PC is there whether your ports are stealthed or
:: not because he doesn't get the ICMP response from router that would
:: be received if your PC wasn't connected. Stealthing can sometimes
:: slow down scans, but apart from that isn't a huge difference to
:: ports just being closed - either way there's nothing at that port
:: that can be accessed. Stealthing can also cause problems, eg IDENT
:: requests when connecting to certain services (some FTP servers, many
:: IRC servers, etc) because the server waits for a response from the
:: request or times out, so you end up with a delay in creating a
:: connection.
:
: I can't believe this false notion still exists.
:
: So, I will say it again. The majority of ISPs *as a matter of
: course* explicitly enter "no ip unreachables" on their peering link
: configs. All it takes is ONE router in the chain between
: source/destination to not pass on ICMP unreachables, for the source to
: not receive the message.
:
: The "bad guy" (as you say) won't ever get the ICMP unreachable,
: regardless of whether a port is stealthed or not. So, not getting an
: ICMP unreachable message is NOT a guarantee that a port has been
: stealthed.
:
: SysAdm

This makes more sense. Also explains why Zone Alarm works.
Anonymous
June 18, 2004 9:30:37 AM

On 2004-06-16, Wolfgang Kueter <wolfgang@shconnect.de> wrote:
> If the machine was not there, the router in front of it will - according
> to RfC (!) - send an ICMP host unreachable message. So by dropping the packets
> an attacker knows that your box *is* there because no ICMP message is sent.

Uhm...how is the router in front going to tell the difference between the host
dropping all packets because it is stealthed, and dropping all packets because
it does not exist?

--
--Tim Smith
Anonymous
June 18, 2004 9:40:35 AM

On 2004-06-16, Daniel Crichton <news@worldofspack.co.uk> wrote:
> PC wasn't connected. Stealthing can sometimes slow down scans, but apart
> from that isn't a huge difference to ports just being closed - either way
> there's nothing at that port that can be accessed. Stealthing can also cause

What about fingerprinting?

--
--Tim Smith
Anonymous
June 18, 2004 2:10:56 PM

"Tim Smith" <reply_in_group@mouse-potato.com> wrote in message
news:16vAc.4936$bs4.2504@newsread3.news.atl.earthlink.net...
> On 2004-06-16, Wolfgang Kueter <wolfgang@shconnect.de> wrote:
> > If the machine was not there, the router in front of it will - according
> > to RfC (!) - send an ICMP host unreachable message. So by dropping the
> > packets an attacker knows that your box *is* there because no ICMP
> > message is sent.
>
> Uhm...how is the router in front going to tell the difference between the
> host dropping all packets because it is stealthed, and dropping all packets
> because it does not exist?

Because when it doesn't exist the IP address that was used is not allocated
to a connected resource. Either it's allocated and the router passes the
packets onto the next piece of hardware (your PC's modem, network card, or
however it connects to the ISP), or it's dropped and the ICMP unreachable
response is sent.

Dan
Anonymous
June 18, 2004 2:25:00 PM

"SysAdm" <willgeeza@yahoo.com> wrote in message
news:a23233af.0406171717.57c56388@posting.google.com...
> "Daniel Crichton" <news@worldofspack.co.uk> wrote in message
> news:<40d05c2b$0$11557$afc38c87@news.easynet.co.uk>...
> <SNIP>
> > The upstream router knows that you are connected, and therefore the "bad
> > guy" knows your PC is there whether your ports are stealthed or not
> > because he doesn't get the ICMP response from router that would be
> > received if your PC wasn't connected. Stealthing can sometimes slow down
> > scans, but apart from that isn't a huge difference to ports just being
> > closed - either way there's nothing at that port that can be accessed.
> > Stealthing can also cause problems, eg IDENT requests when connecting to
> > certain services (some FTP servers, many IRC servers, etc) because the
> > server waits for a response from the request or times out, so you end up
> > with a delay in creating a connection.
>
> I can't believe this false notion still exists.
>
> So, I will say it again. The majority of ISPs *as a matter of
> course* explicitly enter "no ip unreachables" on their peering link
> configs. All it takes is ONE router in the chain between
> source/destination to not pass on ICMP unreachables, for the source to
> not receive the message.
>
> The "bad guy" (as you say) won't ever get the ICMP unreachable,
> regardless of whether a port is stealthed or not. So, not getting an
> ICMP unreachable message is NOT a guarantee that a port has been
> stealthed.

And yet some of the largest ISPs still don't do this, so you cannot assume
that the OP's ISP does.

For instance, here's a response from pinging an IP on Demon Internet in the
UK (one of the largest UK ISPs) that I know isn't connected (because the PC
that has been allocated this static IP isn't dialled up right now) pinging
from an Easynet connection (another of the largest UK ISPs):

Pinging XXX.demon.co.uk [158.152.XX.XXX] with 32 bytes of data:

Reply from 194.70.98.66: Destination host unreachable.
Reply from 194.70.98.66: Destination host unreachable.
Reply from 194.70.98.66: Destination host unreachable.
Reply from 194.70.98.66: Destination host unreachable.

Ping statistics for 158.152.XX.XXX:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Certainly looks like an ICMP host unreachable response to me. Unfortunately
this is the only example I can come up with right now because that is the
only remote IP that I know does not have something connected to it, and it
would take a while to scan ranges on other ISPs looking for an unreachable
response.

Dan
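Dan's transcript above illustrates a trap in reading ping output: "Reply from <router>: Destination host unreachable." is an ICMP error from an intermediate hop, yet ping counts it as a received packet, so "Received = 4, Lost = 0 (0% loss)" does not mean the target answered. The following is an added example, not code from the thread or from any tool it mentions: a small parser for Windows-style ping transcripts that tells a genuine echo reply from the target apart from an unreachable reported by a router on the path, and records which hop reported it. The embedded transcripts are constructed with RFC 5737 documentation addresses, and all names are the example's own.

```python
"""Classify the reply lines of a Windows-style ping transcript.

Added example, not from the thread. A reply that says "Destination host
unreachable" comes from whichever router gave up on the packet, not from
the target, and ping still counts it under "Received". This parser keeps
the two apart. Sample transcripts are constructed with RFC 5737 addresses.
"""
import re
from dataclasses import dataclass, field
from typing import List

# "Pinging 192.0.2.10 with 32 bytes" or "Pinging host.example [192.0.2.10] with 32 bytes"
TARGET_RE = re.compile(r"^Pinging (?:\S+ \[)?(\d+(?:\.\d+){3})\]? with \d+ bytes")
REPLY_RE = re.compile(r"^Reply from (\d+(?:\.\d+){3}): (.+)$")


@dataclass
class PingVerdict:
    target: str = ""
    echo_replies: int = 0            # genuine echo replies from the target itself
    unreachables: int = 0            # ICMP unreachable errors, from any hop
    timeouts: int = 0                # "Request timed out." lines
    reporters: List[str] = field(default_factory=list)  # hops that sent errors
    verdict: str = "silent"          # "reachable", "unreachable" or "silent"


def classify_ping(output: str) -> PingVerdict:
    """Walk the transcript line by line and decide what actually came back."""
    result = PingVerdict()
    reporters = set()
    for raw in output.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            result.target = m.group(1)
            continue
        m = REPLY_RE.match(line)
        if m:
            src, detail = m.groups()
            if "unreachable" in detail.lower():
                result.unreachables += 1   # an error, whoever sent it
                reporters.add(src)
            elif src == result.target and detail.startswith("bytes="):
                result.echo_replies += 1   # only the target's own echo counts
            continue
        if line.startswith("Request timed out"):
            result.timeouts += 1
    result.reporters = sorted(reporters)
    if result.echo_replies:
        result.verdict = "reachable"       # the target itself answered
    elif result.unreachables:
        result.verdict = "unreachable"     # a router says nothing is there
    else:
        result.verdict = "silent"          # dropped, or unreachables suppressed upstream
    return result


# Constructed transcript: a router (198.51.100.1) reports the target absent,
# and the summary line still claims 0% loss.
SAMPLE_UNREACHABLE = """\
Pinging host.example [192.0.2.10] with 32 bytes of data:

Reply from 198.51.100.1: Destination host unreachable.
Reply from 198.51.100.1: Destination host unreachable.
Reply from 198.51.100.1: Destination host unreachable.
Reply from 198.51.100.1: Destination host unreachable.

Ping statistics for 192.0.2.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

# Constructed transcript: the target answers its own echoes.
SAMPLE_REACHABLE = """\
Pinging 192.0.2.10 with 32 bytes of data:

Reply from 192.0.2.10: bytes=32 time=12ms TTL=54
Reply from 192.0.2.10: bytes=32 time=11ms TTL=54
"""

# Constructed transcript: silence, as when the host drops probes and no
# router on the path generates unreachables.
SAMPLE_SILENT = """\
Pinging 192.0.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
"""

if __name__ == "__main__":
    for name, text in (("unreachable", SAMPLE_UNREACHABLE),
                       ("reachable", SAMPLE_REACHABLE),
                       ("silent", SAMPLE_SILENT)):
        r = classify_ping(text)
        print(f"{name}: target={r.target} echo={r.echo_replies} "
              f"unreachable={r.unreachables} from={r.reporters} -> {r.verdict}")
```

The decisive check is the source address of each reply: an echo reply carries the target's own address and "bytes=", while an unreachable carries the reporting router's address, so the summary counters alone cannot distinguish the two cases.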
Anonymous
June 18, 2004 2:29:48 PM

"GhostMaster" <Mung@invalid.duh> wrote in message
news:_bsAc.4619$bs4.2160@newsread3.news.atl.earthlink.net...
> SysAdm wrote:
> : "Daniel Crichton" <news@worldofspack.co.uk> wrote in message
> : news:<40d05c2b$0$11557$afc38c87@news.easynet.co.uk>... <SNIP>
> :: The upstream router knows that you are connected, and therefore the
> :: "bad guy" knows your PC is there whether your ports are stealthed or
> :: not because he doesn't get the ICMP response from router that would
> :: be received if your PC wasn't connected. Stealthing can sometimes
> :: slow down scans, but apart from that isn't a huge difference to
> :: ports just being closed - either way there's nothing at that port
> :: that can be accessed. Stealthing can also cause problems, eg IDENT
> :: requests when connecting to certain services (some FTP servers, many
> :: IRC servers, etc) because the server waits for a response from the
> :: request or times out, so you end up with a delay in creating a
> :: connection.
> :
> : I cant believe this false notion still exists.
> :
> : So, I will say it again. The majority of ISP's *as a matter of
> : course* explicitly enter "no ip unreachables" on their peering link
> : configs. All it takes is ONE router in the chain between
> : source/destination to not pass on icmp unreachables, for the source to
> : not receive the message.
> :
> : The "bad guy" (as you say) wont ever get the icmp unreachable,
> : regardless of whether a port is stealthed or not. So, not getting an
> : icmp unreachable message is NOT a guarantee that a port has been
> : stealthed.
> :
> : SysAdm
>
> This makes more sense. Also explains why Zone Alarm works.

This has no impact on how ZoneAlarm works. ZoneAlarm just sits at your PC
TCP/IP stack and drops packets. It doesn't have anything to do with if ICMP
host unreachable packets can be passed back from the upstream router.
ZoneAlarm doesn't stop working if you don't stealth ports. It's just an
application that exerts a bit of control. Personally I prefer to have a
hardware firewall connected between my PC and my ISP - that way if my wife
accidentally manages to somehow disable my AV scanner and my email settings
and run a trojan that kills software firewall processes such as ZA, it still
doesn't leave my PC open to the outside. It also helps by offloading a lot
of the work that a software would have to do and leaving my PC with more
resources available to do what it does best - play games :) 

Dan
Anonymous
June 18, 2004 2:42:20 PM

Well, here's another:

Taking the IP shown in your message headers I get the following response:

Pinging 209.86.133.98 with 32 bytes of data:

Reply from 209.165.105.1: Destination host unreachable.
Reply from 209.165.105.1: Destination host unreachable.
Reply from 209.165.105.1: Destination host unreachable.
Reply from 209.165.105.1: Destination host unreachable.

Ping statistics for 209.86.133.98:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

That's an IP belonging to a poster in this thread on Earthlink. Isn't that a
very large US ISP? And yet it still appears to not drop ICMP host
unreachable messages at its peering borders. My guess is that IP isn't
allocated right now, which is lucky for me or else I wouldn't have been able
to confirm Earthlink's configuration.

Dan
June 18, 2004 6:03:00 PM

On Thu, 17 Jun 2004 09:26:49 +0100, "Daniel Crichton" <news@worldofspack.co.uk> wrote:

> "JC" <jhoppyc@westnet.com.invalid> wrote in message
> news:k6q1d0lhl3nknikiq42q5ikb8deuhhog54@4ax.com...
> > Please help me understand the process. I am new to this business but I
> > am trying to understand the processes involved.
> >
> > Suppose I have a firewall installed that has been told to drop any traffic
> > not initiated from the LAN side. The firewall drops all packets initiated
> > from the WAN side and this is confirmed by the firewall log. For all
> > packets dropped by my firewall you say that my ISP's router will send back
> > to the packet sender an ICMP host unreachable message.
>
> No, the ICMP host unreachable message is sent if the ISP router cannot see
> your PC, meaning that you are not connected. If you are connected to the
> internet the ISP router does not send the unreachable message. If your PC is
> stealthed then the person scanning knows because they *don't* get the ICMP
> unreachable message.

Does a hardware firewall change this process? I can imagine that what you said above would be true if a software firewall is used since that is
running on the PC itself. However, a hardware firewall is independent of the PC so the ISP's router would see the hardware firewall but not the PC
itself if the firewall drops packets initiated from the WAN. However, my ISP would know that I am active since it would see packets coming from me
at various times during the day and would be adding up the bytes sent/received to get to a monthly figure which it then uses to determine whether to
throttle the link back if the monthly figure exceeds a preset target. Since that is the case why would it send ICMP host unreachable packets?

> > If I contact the ISP host from which the port scans are coming about the
> > port scans and that ISP puts a temporary/permanent block on my IP address
> > does that ISP send back to the port scanner ICMP host unreachable
> > messages?
>
> No. But it's highly unlikely you'll be able to get your ISP to do this,
> because it requires time for someone to configure the router to block the
> IP. More likely is that your ISP will tell you to run a firewall at your
> end, which is pretty much what you are doing.

I haven't asked MY ISP to do this but I have complained to other ISPs from whom the port probes were coming and had that ISP stop the probes. One
ISP stopped the probes within an hour of my complaint going out in a situation in which I was getting 10 probes per day spread across a range of
source addresses a.b.0.0 to a.b.9.255 - dial-up lines perhaps? Given the response time I figured that the ISP simply put a block on my IP address.

Since I send out a copy of the firewall log entries, telling me to run a firewall would be pointless.

> > I was under the impression that "stealthing" rendered my IP address
> > invisible to the WAN. From what you said above it would seem that all
> > "stealthing" does is stop the packets reaching the PC on the LAN side of
> > the firewall, which is part of what I want to achieve, but doesn't render my
> > IP address invisible.
>
> No, stealthing renders it "invisible" to simple automated scripts and people
> who don't know what they are doing. If a proper "hacker" really wanted into
> your machine, stealthing is a waste of time. It is no more secure than just
> non-stealthed. However, the fact that you have a firewall is a start - by
> its very nature it blocks incoming connections to software on your PC that
> would normally be a good starting place for someone to try and get in. So
> long as you don't have any vulnerable services running on your PC that can
> be accessed from the WAN side you should have no problems. It's highly
> unlikely someone will spend a great amount of time trying to get into your
> PC - this time is better spent getting into systems that make the hacker
> money or get them some sort of peer recognition, and getting into a home PC
> doesn't do either of these.

I realise that firewalls are like locks on your front door. They don't keep the determined thief at bay for long, but can delay them long enough to
make them toddle off next door where it is easier to break in. At least that is the theory.

> > Why are these ICMP host unreachable packets sent back when it would seem
> > that they are counter-productive to good security?
>
> These ICMP packets are designed to tell systems upstream that something
> isn't connected, so therefore it's a waste of time sending data to it. It's
> got nothing to do with security, and without it there would be much more
> traffic on the internet - normally when a TCP packet is sent the sending
> system will attempt it 4 (or sometimes more) times if it doesn't get a
> response, however if the ICMP packet is returned notifying the sender that
> nothing is at that IP then there's no need to retry.

That makes sense from a system pov. Of course the system was designed well before the current crop of script kiddies came on the scene.

> On the other hand, if the upstream router always sent an ICMP unreachable
> response, you'd never make a connection to anything on the internet,
> rendering it useless - eg. if you tried to open a web site, the server would
> return a TCP packet with the first bit of data, get the ICMP unreachable
> packet, and then close the connection as your IP is seen as not connected.

I guess the upstream router sees my traffic going out to the ip address and uses those bits of info to stop sending ICMP host unreachable packets.

Cheers, John

Use au instead of invalid for emails to me.

---
Anonymous
June 18, 2004 6:03:01 PM

Archived from groups: comp.security.firewalls

"JC" <jhoppyc@westnet.com.invalid> wrote in message
news:1ro4d0h6b375625usp3ilj0oi843m367fd@4ax.com...
> On Thu, 17 Jun 2004 09:26:49 +0100, "Daniel Crichton"
> <news@worldofspack.co.uk> wrote:

> Does a hardware firewall change this process? I can imagine that what
> you said above would be true if a software firewall is used since that is
> running on the PC itself. However, a hardware firewall is independent of
> the PC so the ISP's router would see the hardware firewall but not the PC
> itself if the firewall drops packets initiated from the WAN. However, my
> ISP would know that I am active since it would see packets coming from me
> at various times during the day and would be adding up the bytes
> sent/received to get to a monthly figure which it then uses to determine
> whether to throttle the link back if the monthly figure exceeds a preset target.
> Since that is the case why would it send ICMP host unreachable packets?

It would only send the packets if your hardware firewall was turned off or
disconnected. If you have a connection to your ISP at all (you have a piece
of hardware connected at your end of the line that is turned on and has been
allocated an IP address) then it won't send the unreachable packets - it
doesn't matter if your PC is turned off.

> > On the other hand, if the upstream router always sent an ICMP unreachable
> > response, you'd never make a connection to anything on the internet,
> > rendering it useless - eg. if you tried to open a web site, the server would
> > return a TCP packet with the first bit of data, get the ICMP unreachable
> > packet, and then close the connection as your IP is seen as not connected.
>
> I guess the upstream router sees my traffic going out to the ip address
> and uses those bits of info to stop sending ICMP host unreachable packets.

It has nothing to do with traffic being generated by your PC. When you are
physically connected to the ISP you have been allocated an IP address, when
you disconnect (either your Network card/stack tells the ISP router to close
the connection, or the ISP router can no longer get responses at the
physical/network layer) that IP is no longer allocated and then the router
will respond to data sent to that IP with the ICMP host unreachable data. It
might be worth you reading up on the concepts of networking, specifically at
how routers interact at the various layers with equipment connected to them.
I don't pretend to understand it all, but I know the basics enough to
understand the principles.

Dan
Anonymous
June 18, 2004 6:34:06 PM

Archived from groups: comp.security.firewalls

"Daniel Crichton" <news@worldofspack.co.uk> wrote in message news:<40d2b8fc$0$14828$afc38c87@news.easynet.co.uk>...
> Well, here's another:
>
> Taking the IP shown in your message headers I get the following response:
>
> Pinging 209.86.133.98 with 32 bytes of data:
>
> Reply from 209.165.105.1: Destination host unreachable.
> Reply from 209.165.105.1: Destination host unreachable.
> Reply from 209.165.105.1: Destination host unreachable.
> Reply from 209.165.105.1: Destination host unreachable.
>
> Ping statistics for 209.86.133.98:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
>
> That's an IP belonging to a poster in this thread on Earthlink. Isn't that a
> very large US ISP? And yet it still appears to not drop ICMP host
> unreachable messages at its peering borders. My guess is that IP isn't
> allocated right now, which is lucky for me or else I wouldn't have been able
> to confirm Earthlink's configuration.
>
> Dan


I'm not going to go testing every Tier C provider's border routers just
to prove myself. ICMP ACLs have been the subject of countless
threads on IANA and IETF mailing lists for the past aeon.

For a good reference, check
http://www.cymru.com/Documents/icmp-messages.html
You will find references to Cisco, Juniper and Riverstone Security
Templates (all of which advocate dropping ip unreachables).

SysAdm
Anonymous
June 19, 2004 4:37:57 AM

Archived from groups: comp.security.firewalls

Tim Smith wrote:

> Uhm...how is the router in front going to tell the difference between the
> host dropping all packets because it is stealthed, and dropping all
> packets because it does not exist?

There happens to be a level below the IP layer in the network layer model.
Have you ever heard of ARP (in case of Ethernet) and similar mechanisms?
Because of that the upstream knows whether a box behind it is connected or
not and depending on that sends ICMP messages (if not connected) or not.

Sorry to sound harsh, but nearly all of you firewall placebo experts have
not the slightest clue about how network communication is really
functioning.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
Anonymous
June 19, 2004 11:32:16 AM

Archived from groups: comp.security.firewalls

Wolfgang Kueter <wolfgang@shconnect.de> wrote in message news:<cavqtg$c2i$1@news.shlink.de>...
<snip>
> Sorry to sound harsh, but nearly all of you firewall placebo experts have
> not the slightest clue about how network communication is really
> functioning.
>
> Wolfgang

you go Wolfgang... yeeeahh baby.
Anonymous
June 21, 2004 4:09:17 PM

Archived from groups: comp.security.firewalls

"SysAdm" <willgeeza@yahoo.com> wrote in message
news:a23233af.0406181334.3d0d9ed9@posting.google.com...

> I'm not going to go testing every Tier C provider's border routers just
> to prove myself. ICMP ACLs have been the subject of countless
> threads on IANA and IETF mailing lists for the past aeon.

But even if you did prove that the "majority" of ISPs drop unreachables,
haven't I just shown that some huge ones don't? And these huge ones tend to
have very large numbers of users who don't have a clue about the basics of
networking, so don't understand that by being on an ISP that doesn't drop
these packets that being stealthed is no different to just having the ports
closed.

> For a good reference, check
> http://www.cymru.com/Documents/icmp-messages.html
> You will find references to Cisco, Juniper and Riverstone Security
> Templates (all of which advocate dropping ip unreachables).

Maybe they do advocate it, but Cisco (and I guess the others, but don't have
equipment kicking around I can verify this with) still ship out their
routers with the default config being that unreachables are not dropped.
Many ISPs don't seem to care about this, and leave the configs pretty much
as they are. When our company had its line installed I had to tell the
admin over the phone how to set the tty options to prevent anyone outside
their authorised admins from telnetting to the router - ours was the first
router to have this done because prior to that they'd simply dropped the
routers in with minimal configs. Later on we kept getting latency spikes
every 30 secs, and it took the ISP weeks to track it down to an interface on
our upstream router not having been set to down when its connection had
been disabled, and every 30 secs it was stalling the router trying to
re-establish the connection. If even basic config changes like this aren't
being made, what hope is there that commands like "no ip unreachables" are
being added? Until equipment makers start shipping components that by
default are locked down nothing is really going to change for the average
user, and makers won't do that because installers will switch to other makes
that aren't as difficult to drop in and get running with the minimum of
effort.

Dan
Anonymous
June 21, 2004 4:09:18 PM

Archived from groups: comp.security.firewalls

"Daniel Crichton" <news@worldofspack.co.uk> wrote in message news:<40d6c1e1$0$6387$afc38c87@news.easynet.co.uk>...
> "SysAdm" <willgeeza@yahoo.com> wrote in message
> news:a23233af.0406181334.3d0d9ed9@posting.google.com...
>
> > I'm not going to go testing every Tier C provider's border routers just
> > to prove myself. ICMP ACLs have been the subject of countless
> > threads on IANA and IETF mailing lists for the past aeon.
>
> But even if you did prove that the "majority" of ISPs drop unreachables,
> haven't I just shown that some huge ones don't? And these huge ones tend to
> have very large numbers of users who don't have a clue about the basics of
> networking, so don't understand that by being on an ISP that doesn't drop
> these packets that being stealthed is no different to just having the ports
> closed.
>
> > For a good reference, check
> > http://www.cymru.com/Documents/icmp-messages.html
> > You will find references to Cisco, Juniper and Riverstone Security
> > Templates (all of which advocate dropping ip unreachables).
>
> Maybe they do advocate it, but Cisco (and I guess the others, but don't have
> equipment kicking around I can verify this with) still ship out their
> routers with the default config being that unreachables are not dropped.
> Many ISPs don't seem to care about this, and leave the configs pretty much
> as they are. When our company had its line installed I had to tell the
> admin over the phone how to set the tty options to prevent anyone outside
> their authorised admins from telnetting to the router - ours was the first
> router to have this done because prior to that they'd simply dropped the
> routers in with minimal configs. Later on we kept getting latency spikes
> every 30 secs, and it took the ISP weeks to track it down to an interface on
> our upstream router not having been set to down when its connection had
> been disabled, and every 30 secs it was stalling the router trying to
> re-establish the connection. If even basic config changes like this aren't
> being made, what hope is there that commands like "no ip unreachables" are
> being added? Until equipment makers start shipping components that by
> default are locked down nothing is really going to change for the average
> user, and makers won't do that because installers will switch to other makes
> that aren't as difficult to drop in and get running with the minimum of
> effort.
>
> Dan

Yes, I agree - it would be far better if the manufacturers turned this
and other options off by default. I know with the release of the IOS
v12 code that a number of security measures were taken, however ip
unreachables wasn't part of the policy at the time. It would be easy
as the local admin to make sure that your own border routers did not
allow ip-unreachable messages out of your egress ISP-facing interface.
This would give you your own peace of mind.

Until such a time as manufacturers apply greater default security
policies, as ever it will be up to diligent and informed net-sec
admins to make sure that they configure their own environments
correctly. The onus is always on the customer to make sure their own
security is satisfactory. I guess that's why newsgroups like this
exist.

SysAdm
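The three technical claims made across this part of the thread (Dan's account of why an upstream router returns ICMP host unreachable and why that saves retransmissions, Wolfgang's point that ARP lets the router know whether a box is actually connected, and SysAdm's note that `no ip unreachables` on the egress interface changes what leaks out) can be put together in one small model. This is an added example, not code posted by anyone in the thread; the host states, the `send_unreachables` flag and the response labels are constructed for illustration, nothing is sent on the wire, and the mapping to real equipment (ICMP type 3 code 1, the IOS interface command quoted by Dan) is only modelled.

```python
"""Model of what one TCP SYN probe reveals about a host behind an ISP router.

Added example (not code from the thread). Host states, the router flag and
the response names are constructed for illustration; nothing is sent on
the wire.
"""
from enum import Enum


class HostState(Enum):
    PORT_OPEN = "open"            # a service is listening
    PORT_CLOSED = "closed"        # the host answers with RST
    STEALTHED = "stealthed"       # a firewall drops the SYN without replying
    NOT_ALLOCATED = "absent"      # no device answers ARP for this address


class Response(Enum):
    SYN_ACK = "SYN/ACK"
    RST = "RST"
    ICMP_HOST_UNREACH = "ICMP type 3 code 1 (host unreachable)"
    NONE = "timeout"


def router_forward(state: HostState, send_unreachables: bool) -> Response:
    """What comes back for a SYN sent through the upstream router.

    send_unreachables=True models the IOS default Dan describes; False
    models an interface configured with 'no ip unreachables'.
    """
    if state is HostState.NOT_ALLOCATED:
        # ARP for the target fails at the link layer (Wolfgang's point), so
        # the router knows nothing is connected; whether it says so depends
        # on its configuration.
        return Response.ICMP_HOST_UNREACH if send_unreachables else Response.NONE
    if state is HostState.PORT_OPEN:
        return Response.SYN_ACK
    if state is HostState.PORT_CLOSED:
        return Response.RST
    return Response.NONE  # STEALTHED: the SYN is dropped silently


def infer(response: Response, send_unreachables: bool) -> str:
    """What the sending side can conclude from that single response."""
    if response is Response.SYN_ACK:
        return "host present, port open"
    if response is Response.RST:
        return "host present, port closed"
    if response is Response.ICMP_HOST_UNREACH:
        return "no host at this address"
    # Timeout: its meaning depends on whether silence could have been the
    # router's doing rather than the host's.
    if send_unreachables:
        return "host present, port filtered"
    return "host present and filtered, or no host (indistinguishable)"


def packets_sent(response: Response, retries: int = 4) -> int:
    """Segments a TCP sender emits for one connection attempt: any reply
    ends the attempt after one segment, a timeout costs the whole retry
    budget (Dan's '4 or sometimes more')."""
    return retries if response is Response.NONE else 1


def observations(send_unreachables: bool) -> dict:
    """Map each host state to what a remote sender learns about it."""
    return {
        state.value: infer(router_forward(state, send_unreachables), send_unreachables)
        for state in HostState
    }


if __name__ == "__main__":
    for flag, label in ((True, "ip unreachables (default)"), (False, "no ip unreachables")):
        print(f"\nUpstream router: {label}")
        for state in HostState:
            resp = router_forward(state, flag)
            print(f"  {state.value:9} -> {resp.value:36} "
                  f"[{packets_sent(resp)} segment(s)] {infer(resp, flag)}")
```

Running it shows the thread's conclusion in one table: with the router at its default, a "stealthed" port tells the sender exactly what a closed port does (there is a host there), because the router would have answered "unreachable" for an empty address. Only when the upstream interface carries `no ip unreachables` does a timeout become ambiguous between a dropping host and no host at all, and that is the situation the "stealth" label implicitly assumes. The `packets_sent` column is Dan's traffic argument: every silent drop costs the sender its full retry budget where a single RST or unreachable would have ended the attempt.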