06/17/04

> Please help me understand the process. I am new to this business but I
> am trying to understand the processes involved.
> Suppose I have a firewall installed that has been told to drop any traffic
> not initiated from the LAN side. The firewall drops all packets initiated
> from the WAN side and this is confirmed by the firewall log. For all
> packets dropped by my firewall you say that my ISP's router will send back
> the packet sender an ICMP host unreachable message.

No, the ICMP host unreachable message is sent if the ISP router cannot see
your PC, meaning that you are not connected. If you are connected to the
internet the ISP router does not send the unreachable message. If your PC is
stealthed then the person scanning knows because they *don't* get the ICMP
unreachable message.

> If I contact the ISP host from which the port scans are coming about the
> port scans and that ISP puts a temporary/permanent block on my IP address
> does that ISP send back to the port scanner ICMP host unreachable

No. But it's highly unlikely you'll be able to get your ISP to do this,
because it requires time for someone to configure the router to block the
IP. More likely is that your ISP will tell you to run a firewall at your
end, which is pretty much what you are doing.

> I was under the impression that "stealthing" rendered my IP address
> invisible to the WAN. From what you said above it would seem that all
> "stealthing" does is stop the packets reaching the PC on the LAN side of
> the firewall, which is part of what I want to achieve, but doesn't render my
> IP address invisible.

No, stealthing renders it "invisible" to simple automated scripts and people
who don't know what they are doing. If a proper "hacker" really wanted into
your machine, stealthing is a waste of time. It is no more secure than just
non-stealthed. However, the fact that you have a firewall is a start - by its
very nature it blocks incoming connections to software on your PC that
would normally be a good starting place for someone to try and get in. So
long as you don't have any vulnerable services running on your PC that can
be accessed from the WAN side you should have no problems. It's highly
unlikely someone will spend a great amount of time trying to get into your
PC - this time is better spent getting into systems that make the hacker
money or get them some sort of peer recognition, and getting into a home PC
doesn't do either of these.

> Why are these ICMP host unreachable packets sent back when it would seem
> that they are counter-productive to good security?

These ICMP packets are designed to tell systems upstream that something
isn't connected, so therefore it's a waste of time sending data to it. It's
got nothing to do with security, and without it there would be much more
traffic on the internet - normally when a TCP packet is sent the sending
system will attempt it 4 (or sometimes more) times if it doesn't get a
response, however if the ICMP packet is returned notifying the sender that
nothing is at that IP then there's no need to retry.

On the other hand, if the upstream router always sent an ICMP unreachable
response, you'd never make a connection to anything on the internet,
rendering it useless - e.g. if you tried to open a web site, the server would
return a TCP packet with the first bit of data, get the ICMP unreachable
packet, and then close the connection as your IP is seen as not connected.


