Re: Beginner's Question

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 09/23/05


Date: Thu, 22 Sep 2005 19:43:43 -0500

In the Usenet newsgroup alt.computer.security, in article
<433311d3$0$49013$14726298@news.sunsite.dk>, Management wrote:
>Moe Trin wrote:

>> I suspect that is all that Gibson the marketeer is testing.
>
>Sour Grapes Mr M? At least Steve does not go around making empty
>snide remarks about other people.

No, he makes totally clueless network statements such as:

-------
But, of course, this "affirmative denial" also lets the sending system
know that a system actually exists on the receiving end . . . which is
what we want to avoid in the case of malicious hackers attempting to
probe our systems.

I coined the term 'Stealth' when I developed this site's port probing
technology to describe a closed port that chooses to remain completely
hidden by sending nothing back to its attempted opener, preferring
instead to appear not to exist at all.
-------

which just shows he doesn't understand how networking works - particularly
those darned routers that do announce that a non-existent IP address
really doesn't exist - rather than just ignoring those packets. Or
haven't you tried using the original 'traceroute' to investigate things?

This is a trace to a stealthed host (I've deleted the hostname normally
seen in the first column for space and privacy reasons, and masked the
first octet of the address to avoid having fools attack this particular
set of hosts):

14 (XXX.117.52.49) 329.807 ms 309.331 ms 309.864 ms
15 (XXX.181.218.10) 329.744 ms 329.413 ms 299.859 ms
16 * * *
17 * * *

I have another (similar) tool that tells me that hop 16 is some kind of
firewall that is NAT/Port-Forwarding to a host - hop 17 comes back with
an indication from a server, but with the address of hop 16.

Similar trace - host exists, and is reachable:

14 (XXX.117.52.49) 348.127 ms 327.441 ms 339.921 ms
15 (XXX.181.218.10) 350.116 ms 331.256 ms 333.981 ms
16 (XXX.87.184.55) 339.793 ms 529.427 ms 469.787 ms

Similar trace - host does not exist, or is turned off or disconnected:

14 (XXX.117.52.49) 409.373 ms 329.452 ms 331.011 ms
15 (XXX.181.218.10) 419.833 ms !H

Here - the router at hop 15 tells me that it knows how to get "there" (or
I'd see a !N = Network Unreachable), but the host (!H) isn't there. For
some strange reason, Steve doesn't want to admit to this concept. Wonder
why.

        Old guy
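
Added example, not part of the original post: a small Python parser that sorts traceroute output into the three cases shown above (silence past the last router, a final hop that answers, and a router reporting !H or !N). The sample traces are constructed from the post's masked output, and the function names and verdict strings are assumptions made for illustration.

```python
import re

# Constructed samples modelled on the post's three traces (first octet masked).
STEALTHED = """14 (XXX.117.52.49) 329.807 ms 309.331 ms 309.864 ms
15 (XXX.181.218.10) 329.744 ms 329.413 ms 299.859 ms
16 * * *
17 * * *"""
REACHABLE = """15 (XXX.181.218.10) 350.116 ms 331.256 ms 333.981 ms
16 (XXX.87.184.55) 339.793 ms 529.427 ms 469.787 ms"""
ABSENT = """14 (XXX.117.52.49) 409.373 ms 329.452 ms 331.011 ms
15 (XXX.181.218.10) 419.833 ms !H"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR = re.compile(r"\(([^)]+)\)")
FLAG = re.compile(r"!(\w*)")  # traceroute annotations such as !H and !N

def parse(trace):
    """Return a list of (hop_number, address_or_None, flag_or_None)."""
    hops = []
    for line in trace.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # skip banner or blank lines
        addr, flag = ADDR.search(m.group(2)), FLAG.search(m.group(2))
        hops.append((int(m.group(1)),
                     addr.group(1) if addr else None,
                     flag.group(1) if flag else None))
    return hops

def classify(trace):
    """Return (verdict, address of the router or host that last replied)."""
    hops = parse(trace)
    if not hops:
        return ("no-data", None)
    for _, addr, flag in hops:
        if flag == "H":   # router knows the network, says the host is absent
            return ("router-says-no-such-host", addr)
        if flag == "N":   # router has no route to the network
            return ("router-says-no-route", addr)
        if flag is not None:
            return ("other-icmp-error", addr)
    replied = [a for _, a, _ in hops if a]
    last = replied[-1] if replied else None
    if hops[-1][1] is None:  # trailing "* * *": probes dropped, no !H upstream
        return ("silent-drop-past", last)
    return ("answered", last)

if __name__ == "__main__":
    for name, t in (("stealthed", STEALTHED), ("reachable", REACHABLE), ("absent", ABSENT)):
        print(name, classify(t))
```

A "silent-drop-past" verdict with no !H from the last responding router is the case the post reads as a filtering device in front of a live host.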