Re: Stealth vs. Blocked

From: SysAdm (wjones@sitesmith.com)
Date: 01/31/03


From: "SysAdm" <wjones@sitesmith.com>
Date: Fri, 31 Jan 2003 18:19:45 +0000 (UTC)


"JR" <notlikely@nowhere.com> wrote in message
news:UNy_9.67425$lj.2698052@read1.cgocable.net...
> I have recently seen a lot of discussion involving the pros and cons of
> "stealthed" vs "blocked" ports.
> I have always been in favor of being blocked AND stealthed as opposed to
> just blocked, but I'm always open to new ways of thinking.
> Just for the hell of it, I went out on a standard XP box and pinged a main
> firewall that is "stealthed" (does not respond to ICMP), and promptly rec'd
> the good ol' "Request timed out"
> Then I powered down the cable modem to the main firewall, pinged it again,
> and once more rec'd "Request timed out"
> Script kiddies often tend to start their days with ping scans.
> Seriously, how do I know, with the above scenario, if a host/firewall is up
> or down? I must be missing something.
> JR

ICMP as a protocol provides more than just echo reply and echo request. So
if a device does not respond to echo requests, this does not mean an ardent
hacker will give up.

Stealth does not just apply to ICMP.
With the use of a fingerprinting tool such as NMAP, you can determine remote
OS and potentially patch levels, just by the return (or not) of packets.
This is exactly the reasoning behind things like FIN scans. If the TCP/IP
interaction provided by a service which sits on a TCP port is written to RFC
specs, you should expect an out-of-band FIN packet to be silently discarded.
This is but one example of intelligence collection, which is the first part
of any (real) hacking prognosis.

SysAdm
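
Added example, not part of the original post: the FIN probes mentioned above arrive without any preceding handshake, so a defender can pick them out of a packet log by looking for FINs on connections where no SYN was ever seen. The packet records, addresses, and function names below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (time, src, sport, dst, dport, tcp_flags)
PACKETS = [
    (0.00, "198.51.100.7", 40000, "192.0.2.10", 80, "S"),   # normal handshake
    (0.01, "192.0.2.10", 80, "198.51.100.7", 40000, "SA"),
    (0.02, "198.51.100.7", 40000, "192.0.2.10", 80, "A"),
    (0.50, "198.51.100.7", 40000, "192.0.2.10", 80, "FA"),  # normal close
    (1.00, "203.0.113.5", 51000, "192.0.2.10", 22, "F"),    # bare FINs, no handshake
    (1.01, "203.0.113.5", 51000, "192.0.2.10", 23, "F"),
    (1.02, "203.0.113.5", 51000, "192.0.2.10", 25, "F"),
    (1.03, "192.0.2.10", 23, "203.0.113.5", 51000, "RA"),   # a reply, not a probe
    (1.04, "203.0.113.5", 51000, "192.0.2.10", 80, "F"),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent identifier for a TCP connection."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_fin_probes(packets, min_ports=3):
    """Return {source: sorted ports} for sources that sent FINs, on flows
    with no observed SYN, to at least min_ports distinct ports."""
    handshaken = set()          # flows on which a SYN has been seen
    orphan = defaultdict(set)   # source -> destination ports hit by orphan FINs
    for _ts, src, sport, dst, dport, flags in sorted(packets):
        key = flow_key(src, sport, dst, dport)
        if "S" in flags:
            handshaken.add(key)
        elif "F" in flags and key not in handshaken:
            orphan[src].add(dport)
    # The port threshold filters out single orphan FINs, e.g. from a
    # connection that was already open when the capture started.
    return {s: sorted(p) for s, p in orphan.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for source, ports in find_fin_probes(PACKETS).items():
        print(f"{source} sent handshake-less FINs to ports {ports}")
```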


