Re: Differences between closed and filtered ports
From: simon chan (simon@redsentry.net)
Date: 11/19/01
From: "simon chan" <simon@redsentry.net>
Subject: Re: Differences between closed and filtered ports
To: "Golden_Eternity" <bhodi_jabir@yahoo.com>, "Bandi" <05.08@web.de>, <SECURITY-BASICS@SECURITYFOCUS.COM>
Date: Mon, 19 Nov 2001 11:35:38 +0800
Message-ID: <web-1050009@redsentry.net>
Hi,
> > I recently thought about the following. If a port is closed the host
> > refuses the connection. What does the host exactly respond?
>
> It sends a reset.
Correct me if I'm wrong, but the host would respond with FIN, ACK.
client sync--> host
client <--sync,ack host
client ack---> host
(if host port is closed)
client <---fin,ack host
client ack---> host
client rst---> host
>
> > Is it necessary that the host responds on a closed port (couldn't that be
> > managed in some way with timeouts)?
>
> If the host is alive it sends back a reset so that you don't have to wait
> for the timeout, otherwise the application would be stalled waiting for the
> timeout.
>
> > Could you suggest a way to make ipchains act like a port was closed when
> > filtering it, so that a portscanner from certain machines wouldn't notice
> > the firewall?
>
> Use '-j REJECT' instead of '-j DROP'.
>
> For more info on this subject you can see my paper "Firewall rule exposure
> on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html) but
> your best bet is one of Fyodor's papers on how nmap
> (http://www.insecure.org/nmap/) works.
>
> -G_E
>
"Security of information is an illusion.
What is in one's mind gets into the collective consciousness
(akasha),
so that can be read with meditation ;-) You don't have to
hack.
Just 'remember'! You're the one."