Re: UPnP Port

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/17/02

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Fri, 17 May 2002 10:22:47 +0000 (UTC)

< Tim Haynes
>RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> writes:
>> Yes, dropping all packets so called "stealth" is telling the scanner
>> that "YES - I AM HERE, but I am dropping the all packets to blackhole".
>> According to "inverse mapping" or "inverse scan", timeout no responding
>> (DROP all ports) mean machine exist there. I think _real_ stealth is;
>> - Disconnect internet and goto off line. Or
>> - Respond ICMP Type 3 destination unreachable Code 1 host unreachable or
>> Code 0 net unreachable packets imitating your upper stream border router
>> originated. You should perfectly imitate (craft) fingerprint of upper
>> stream router type. But I'm not sure upper stream router can route this
>> spoofed ICMP packets.
>While I'm passing by, I've noticed that my normal policy of rejecting
>incoming ident with tcp-reset seems to lead to a lot of untracked packets
>in the other machine's firewall logs. (I used to have two boxes set up in
>the same rack where I'd occasionally send mail from one to t'other...)
>Has this been noticed and/or addressed recently?

I'm confusing about "stealth ports" and "stealth box".

--[ stealth ports

Some server box is running wide opened network related server like
httpd. This box is already not "stealth box". In this case, "stealth
ports" need to drop all default, open TCP port 80 (443) only.

--[ stealth box

Some workstation box is not running network related server. In this
case, my previous post. If you only use mail client not FTP nand IRC
client, TCP DPT 113 identd, SRC ISP mail server IP and DST my IP,
rejecting with TCP RST is good for usability. If you use FTP client
and SRC related FTP server IP, rejecting with TCP RST is good for
usability. But this box is not "stealth box" already for FTP server
admin. Http server admin as well. Own mail server as well.

A: OS fingerprint
B: Delay scan
C: IP (host) exist
D: Firewall (filter) exist

Type A B C D Comments
DROP x o o? o no response, maybe IP and FW exist
REJECT o x o o ICMP Type 3 Code 3 port unreachable, indicate FW exist
REJECT x? x x o ICMP Type 3 Code 1 host unreachable originated upper stream
TCP RST o x o x port closed (no service), indicate IP (host) exist
LaBrea o o o ? respond SYN-ACK only with window throttle

Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.