Proper "stealth" behavior

From: John Brock (jbrock_at_panix.com)
Date: 26 Mar 2004 14:33:15 -0500

I recently flashed my Linksys BEFSX41 firewall/router and had
problems. I had to flash it several times before it settled down
and worked again. Afterwards I did some tests using the GRC
ShieldsUP! service and got some results that troubled me, although
they may in fact be proper.

In particular, when I first got the router I used the same service
and was told that all ports were operating in "stealth" mode. But
I think the service has been expanded since then. This time I ran
the "All Service Ports" test (which I'm not sure existed last time),
and the first time I ran it all the ports showed up in green
("stealth"), except port 113 (blue, or "closed"), until I got to
the very end of the test, when the last two dozen or so ports showed
up as blue. But when I repeated the test *everything* came up as
blue (except port 80 and one other that I can't remember)!

I could reset my status and get everything green for the first test
by reconnecting to my ISP, but on the second test everything always
came up blue. So I reset and ran the "Common Ports" test (which
checks far fewer ports) a couple of times, and everything came up
green. But when I tried the "All Service Ports" again everything
started out green like before, except that the switch to blue
happened earlier.

I checked the firewall log and found that the switch from green to
blue occurred at the same time that the router decided that I might
be under a DoS attack. It appears that after a fixed number of
requests from a given IP address (about 1000) the firewall decides
that stealth is pointless and starts acknowledging requests, although
all ports remain closed.

So what I want to know is whether this is normal behavior for a
firewall. I don't see any reason for this behavior (why not just
stay in stealth mode?), and my concern is that maybe I've damaged
the router by trying to flash it, and at some point the firewall
may fail entirely. But OTOH maybe this was always the firewall's
behavior, and I just never did this test before (or never ran it
twice in a row).

-- 
John Brock
jbrock@panix.com
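The behaviour John infers from his firewall log (drop every unsolicited SYN until one source has sent roughly a thousand of them, then start answering with RST) is easy to reason about as a small state machine. The following is an added example written for this page; it is not code from the post and it is not the Linksys BEFSX41 firmware logic. The threshold of 1000, the non-decaying per-source counter, the port ranges, the scanner address and the treatment of port 113 (ident) as always-closed are all assumptions chosen to match what the post describes, and the colour names follow the ShieldsUP! convention (green = stealth, blue = closed, red = open).

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable

# "about 1000" is the figure the post infers from the firewall log; the real
# Linksys threshold is unknown, so this constant is an assumption of the model.
DOS_THRESHOLD = 1000

# What the probing host sees for one TCP SYN, and how ShieldsUP! colours it.
SILENCE, RST, SYN_ACK = "silence", "RST", "SYN-ACK"
COLOUR = {SILENCE: "green (stealth)", RST: "blue (closed)", SYN_ACK: "red (open)"}


@dataclass
class StealthFirewall:
    """Toy model of a router that drops unsolicited SYNs ("stealth") until one
    source IP has sent more than `threshold` of them, then answers with RST
    ("closed") instead. Hypothetical; not the Linksys firmware's logic."""
    threshold: int = DOS_THRESHOLD
    open_ports: FrozenSet[int] = frozenset()            # answered with SYN-ACK
    reject_ports: FrozenSet[int] = frozenset({113})     # ident: always RST, as in the post
    hits: Dict[str, int] = field(default_factory=dict)  # per-source SYN counter

    def handle_syn(self, src_ip: str, dst_port: int) -> str:
        if dst_port in self.open_ports:
            return SYN_ACK
        # Every unsolicited SYN counts toward the per-source "DoS" threshold
        # (assumption: the counter does not decay between test runs).
        self.hits[src_ip] = self.hits.get(src_ip, 0) + 1
        if dst_port in self.reject_ports or self.hits[src_ip] > self.threshold:
            return RST
        return SILENCE


def run_scan(fw: StealthFirewall, src_ip: str, ports: Iterable[int]) -> Dict[int, str]:
    """One ShieldsUP!-style pass: probe each port once, record the colour."""
    return {p: COLOUR[fw.handle_syn(src_ip, p)] for p in ports}


def summarize(result: Dict[int, str]) -> Dict[str, int]:
    """Count how many ports ended up in each colour."""
    counts: Dict[str, int] = {}
    for colour in result.values():
        counts[colour] = counts.get(colour, 0) + 1
    return counts


def first_blue_port(result: Dict[int, str]) -> int:
    """Port at which the scan flipped from stealth to closed (-1 if it never did).
    Port 113 is ignored because the model rejects it unconditionally."""
    for port, colour in result.items():
        if colour == COLOUR[RST] and port != 113:
            return port
    return -1


# Constructed port ranges: the post does not give exact counts, so these are
# placeholders sized so that the tail of the big scan crosses the threshold.
ALL_SERVICE_PORTS = range(0, 1056)
COMMON_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 113, 119, 135, 139, 143, 443, 445, 1080]


def reproduce_post() -> dict:
    """Replay the sequence of tests described in the post against the model."""
    fw = StealthFirewall()
    ip = "203.0.113.5"  # constructed scanner address (documentation range)
    first = run_scan(fw, ip, ALL_SERVICE_PORTS)   # mostly green, tail turns blue
    second = run_scan(fw, ip, ALL_SERVICE_PORTS)  # counter already past threshold: all blue
    fw = StealthFirewall()                        # reconnect to ISP: fresh state
    common = [run_scan(fw, ip, COMMON_PORTS) for _ in range(3)]  # too few SYNs to trip it
    third = run_scan(fw, ip, ALL_SERVICE_PORTS)   # flips earlier: common-port SYNs already counted
    return {
        "first_flip": first_blue_port(first),
        "second_flip": first_blue_port(second),
        "common_all_green_but_113": all(
            summarize(r).get(COLOUR[RST], 0) == 1 for r in common),
        "third_flip": first_blue_port(third),
    }


if __name__ == "__main__":
    for key, value in reproduce_post().items():
        print(f"{key}: {value}")
```

Under these assumptions the model reproduces every observation in the post: the first full scan is green until the counter passes the threshold near the end, the repeat scan is blue from the very first port because the counter never reset, reconnecting (a fresh `StealthFirewall`) restores green, a handful of "Common Ports" runs never reach the threshold, and a full scan after them flips earlier because those SYNs were already counted. From a defender's point of view the useful observation is that "stealth" and "closed" both refuse the connection; the difference only changes what a remote party learns about whether a host exists, so the flip is a reconnaissance-visibility question rather than a sign the filtering itself has failed.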