Proper "stealth" behavior

From: John Brock (jbrock_at_panix.com)
Date: 03/26/04


Date: 26 Mar 2004 14:33:15 -0500

I recently flashed my Linksys BEFSX41 firewall/router and had
problems. I had to flash it several times before it settled down
and worked again. Afterwards I did some tests using the GRC
ShieldsUP! service and got some results that troubled me, although
they may in fact be proper.

In particular, when I first got the router I used the same service
and was told that all ports were operating in "stealth" mode. But
I think the service has been expanded since then. This time I ran
the "All Service Ports" test (which I'm not sure existed last time),
and the first time I ran it all the ports showed up in green
("stealth"), except port 113 (blue, or "closed"), until I got to
the very end of the test, when the last two dozen or so ports showed
up as blue. But when I repeated the test *everything* came up as
blue (except port 80 and one other that I can't remember)!

I could reset my status and get everything green for the first test
by reconnecting to my ISP, but on the second test everything always
came up blue. So I reset and ran the "Common Ports" test (which
checks far fewer ports) a couple of times, and everything came up
green. But when I tried the "All Service Ports" again everything
started out green like before, except that the switch to blue
happened earlier.

I checked the firewall log and found that the switch from green to
blue occurred at the same time that the router decided that I might
be under a DoS attack. It appears that after a fixed number of
requests from a given IP address (about 1000) the firewall decides
that stealth is pointless and starts acknowledging requests, although
all ports remain closed.

So what I want to know is whether this is normal behavior for a
firewall. I don't see any reason for this behavior (why not just
stay in stealth mode?), and my concern is that maybe I've damaged
the router by trying to flash it, and at some point the firewall
may fail entirely. But OTOH maybe this was always the firewall's
behavior, and I just never did this test before (or never ran it
twice in a row).

-- 
John Brock
jbrock@panix.com
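
The following is an added example, not part of the original post and not Linksys firmware logic: a toy model of the hypothesis in the post (a per-source request counter that flips the router from silent drops to "closed" replies once it passes about 1000, and is cleared by reconnecting to the ISP), replayed against the sequence of tests the post describes. The port range of the full test, the short "common" port list and the scanner address are assumptions made for the example, and the model does not account for port 80 and the other port that stayed non-blue on the second run.

```python
"""Toy model of the behaviour hypothesised in the post (not Linksys firmware)."""

THRESHOLD = 1000              # "about 1000" requests, per the post
ALL_SERVICE = range(0, 1056)  # assumed port range of the "All Service Ports" test
COMMON = [21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 443, 445]  # assumed list


class Router:
    """Drops probes silently until one source exceeds THRESHOLD, then answers 'closed'."""

    def __init__(self):
        self.seen = {}  # source IP -> probes counted since the last WAN reconnect

    def reconnect(self):
        self.seen.clear()  # per the post, reconnecting to the ISP resets the state

    def probe(self, src, port):
        self.seen[src] = self.seen.get(src, 0) + 1
        if port == 113:
            return "closed"  # port 113 showed as closed even in the all-green runs
        return "closed" if self.seen[src] > THRESHOLD else "stealth"


def run_test(router, src, ports):
    """Return (results, index of the first non-113 probe answered 'closed', or None)."""
    results = [router.probe(src, p) for p in ports]
    flip = next((i for i, (p, r) in enumerate(zip(ports, results))
                 if r == "closed" and p != 113), None)
    return results, flip


def replay():
    """Replay the order of tests described in the post; map test name -> flip index."""
    r, src = Router(), "192.0.2.10"  # constructed scanner address (TEST-NET-1)
    out = {}
    out["first_full"] = run_test(r, src, ALL_SERVICE)[1]
    out["second_full"] = run_test(r, src, ALL_SERVICE)[1]
    r.reconnect()
    out["common_1"] = run_test(r, src, COMMON)[1]
    out["common_2"] = run_test(r, src, COMMON)[1]
    out["full_after_common"] = run_test(r, src, ALL_SERVICE)[1]
    return out


if __name__ == "__main__":
    for name, flip in replay().items():
        print(f"{name:18} first 'closed' reply at probe index: {flip}")
```

Under this model the short test never reaches the threshold, and the probes it sends still count toward it, which is why the full test run afterwards flips earlier than on a fresh connection.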

