Re: UPnP Port

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/17/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Fri, 17 May 2002 10:22:47 +0000 (UTC)


< Tim Haynes
>RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> writes:
>
>> Yes, dropping all packets so called "stealth" is telling the scanner
>> that "YES - I AM HERE, but I am dropping the all packets to blackhole".
>> According to "inverse mapping" or "inverse scan", timeout no responding
>> (DROP all ports) mean machine exist there. I think _real_ stealth is;
>>
>> - Disconnect internet and goto off line. Or
>> - Respond ICMP Type 3 destination unreachable Code 1 host unreachable or
>> Code 0 net unreachable packets imitating your upper stream border router
>> originated. You should perfectly imitate (craft) fingerprint of upper
>> stream router type. But I'm not sure upper stream router can route this
>> spoofed ICMP packets.
>
>While I'm passing by, I've noticed that my normal policy of rejecting
>incoming ident with tcp-reset seems to lead to a lot of untracked packets
>in the other machine's firewall logs. (I used to have two boxes set up in
>the same rack where I'd occasionally send mail from one to t'other...)
>
>Has this been noticed and/or addressed recently?

I'm confusing about "stealth ports" and "stealth box".

--[ stealth ports

Some server box is running wide opened network related server like
httpd. This box is already not "stealth box". In this case, "stealth
ports" need to drop all default, open TCP port 80 (443) only.

--[ stealth box

Some workstation box is not running network related server. In this
case, my previous post. If you only use mail client not FTP nand IRC
client, TCP DPT 113 identd, SRC ISP mail server IP and DST my IP,
rejecting with TCP RST is good for usability. If you use FTP client
and SRC related FTP server IP, rejecting with TCP RST is good for
usability. But this box is not "stealth box" already for FTP server
admin. Http server admin as well. Own mail server as well.

A: OS fingerprint
B: Delay scan
C: IP (host) exist
D: Firewall (filter) exist

Type A B C D Comments
DROP x o o? o no response, maybe IP and FW exist
REJECT o x o o ICMP Type 3 Code 3 port unreachable, indicate FW exist
REJECT x? x x o ICMP Type 3 Code 1 host unreachable originated upper stream
TCP RST o x o x port closed (no service), indicate IP (host) exist
LaBrea o o o ? respond SYN-ACK only with window throttle

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7



Relevant Pages

  • Re: UPnP Port
    ... But I'm not sure upper stream router can route this ... Some server box is running wide opened network related server like ... rejecting with TCP RST is good for usability. ... REJECT o x o o ICMP Type 3 Code 3 port unreachable, ...
    (comp.os.linux.security)
  • RE: Some technical errors
    ... If the SMTP server is not running on port 25 TCP it is not a public ... Manager - Computer Assurance Services BDO Chartered Accountants & ...
    (Security-Basics)
  • Re: Managing "capabilities" for security
    ... default tickets are held by the kernel and can be chosen by the parent ... The default ticket for any particular call is assumed unless the ... than to check that the server address on the ticket is good. ... the kernel had to invoke the RPC if the service port IN YOUR ...
    (comp.arch.embedded)
  • Re: SRV RRs support in Internet Explorer?
    ... The port number could be implicit (i.e. ... At any point in time, a server could fail ... can't effectively LB or backup because NSs cache the records for the TTL ... I still don't see how SRV records would help backup or LB. ...
    (microsoft.public.win2000.dns)
  • Re: Still cant connect to RWW or OWA remotely
    ... I get 'cannot find server or dns error' on both ... TCP [port number]> to open the ports. ... As for error messages when I fail to access RWW with the laptop, ... network, no connection seems possible. ...
    (microsoft.public.windows.server.sbs)