Re: Stealth vs. Blocked

From: JR
Date: 01/31/03

From: "JR" <>
Date: Fri, 31 Jan 2003 13:30:58 -0500

"SysAdm" <> wrote in message
> "JR" <> wrote in message
> news:UNy_9.67425$
> > I have recently seen a lot of discussion involving the pros and cons of
> > "stealthed" vs "blocked" ports.
> > I have always been in favor of being blocked AND stealthed as opposed to
> > just blocked, but I'm always open to new ways of thinking.
> > Just for the hell of it, I went out on a standard XP box and pinged a
> > firewall that is "stealthed" (does not respond to ICMP), and promptly
> > rec'd the good ol' "Request timed out"
> > Then I powered down the cable modem to the main firewall, pinged it
> > and once more rec'd "Request timed out"
> > Script kiddies often tend to start their days with ping scans.
> > Seriously, how do I know, with the above scenario, if a host/firewall is
> > up or down? I must be missing something.
> > JR
> ICMP as a protocol provides more than just echo reply and echo request.
> If a device does not respond to echo requests, this does not mean a
> hacker will give up.

I understand that part. If I know an IP does exist, the lack of response is
not going to stop me, (during security testing).

> Stealth, does not just apply to ICMP.
> With the use of a fingerprinting tool such as NMAP, you can determine
> OS and potentially patch levels, just by the return (or not) of packets.
> This is exactly the reasoning behind things like FIN scans: if the TCP/IP
> interaction provided by a service which sits on a TCP port is written to
> specs, you should expect an out-of-band FIN packet to be silently
> This is but one example of intelligence collection, which is the first
> of any (real) hacking prognosis.

Again, I understand what you are saying (I use nmap and Nessus all the
time), except most of the discussions I have seen just involve ICMP,
specifically requests and replies (or the lack of).

> SysAdm
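The thread's point is that answering "Request timed out" to an echo request does not by itself make a host invisible, and that a firewall which only hides ping still answers in other ways. As an added illustration that is not part of the thread, here are two alternative nftables input rulesets for a Linux host (assumed; the thread's own firewall is not named). The first drops echo requests and nothing else; the second defaults to drop and accepts only what the host actually needs. The service ports 22 and 443 are placeholders.

```nft
# Added example, not from the thread. Two alternative rulesets; load one,
# not both, on a Linux host running nftables.

# --- Ruleset A: "stealth" that only hides echo-request ------------------
# Pings time out, but because the policy is accept, closed TCP ports still
# answer with a RST and other ICMP types (timestamp request, for example)
# are still processed by the kernel, so the host is plainly up to anyone
# who probes beyond ping.
table inet weak {
    chain input {
        type filter hook input priority 0; policy accept;
        icmp type echo-request drop
        icmpv6 type echo-request drop
    }
}

# --- Ruleset B: default drop, explicit allow for what the host needs -----
# Every unsolicited packet that matches no accept rule is silently dropped,
# whether it is an echo request, a timestamp request, a FIN to a closed
# port, or anything else. A probe sees the same timeout as it would from a
# powered-off box, which is the ambiguity the thread describes.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host started.
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # ICMP this host must receive for path-MTU discovery and for
        # traceroute-style diagnostics to keep working. Echo and timestamp
        # requests are deliberately absent and fall through to the drop policy.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6 needs neighbour discovery and packet-too-big to function at all;
        # dropping these would break connectivity, not add stealth.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Services this host intentionally offers (placeholder ports).
        tcp dport { 22, 443 } accept

        # No reject rule here on purpose: "reject" would send a RST or an
        # ICMP port-unreachable, which is the "blocked but not stealthed"
        # behaviour; the drop policy is what makes the port "stealthed".
    }
}
```

Load with `nft -f <file>` and confirm with `nft list ruleset`. The difference that matters for the thread's question is the chain policy, not the single echo-request rule: under ruleset A the host is still identifiable through RSTs and other ICMP types, while under ruleset B only the explicitly accepted traffic ever produces a reply.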