Re: port 80 is open

From: JC (jhoppyc_at_westnet.com.invalid)
Date: 06/18/04


Date: Fri, 18 Jun 2004 14:03:00 +1000

On Thu, 17 Jun 2004 09:26:49 +0100, "Daniel Crichton" <news@worldofspack.co.uk> wrote:

> "JC" <jhoppyc@westnet.com.invalid> wrote in message
> news:k6q1d0lhl3nknikiq42q5ikb8deuhhog54@4ax.com...
> > Please help me understand the process. I am new to this business but I
> > am trying to understand the processes involved.
> >
> > Suppose I have a firewall installed that has been told to drop any traffic
> > not initiated from the LAN side. The firewall drops all packets initiated
> > from the WAN side and this is confirmed by the firewall log. For all
> > packets dropped by my firewall you say that my ISP's router will send back
> > to the packet sender an ICMP host unreachable message.
>
> No, the ICMP host unreachable message is sent if the ISP router cannot see
> your PC, meaning that you are not connected. If you are connected to the
> internet the ISP router does not send the unreachable message. If your PC is
> stealthed then the person scanning knows because they *don't* get the ICMP
> unreachable message.

Does a hardware firewall change this process? I can imagine that what you said above would be true if a software firewall is used since that is
running on the PC itself. However, a hardware firewall is independent of the PC so the ISP's router would see the hardware firewall but not the PC
itself if the firewall drops packets initiated from the WAN. However, my ISP would know that I am active since it would see packets coming from me
at various times during the day and would be adding up the bytes sent/received to get to a monthly figure which it then uses to determine whether to
throttle the link back if the monthly figure exceeds a preset target. Since that is the case why would it send ICMP host unreachable packets?

> > If I contact the ISP host from which the port scans are coming about the
> > port scans and that ISP puts a temporary/permanent block on my IP address
> > does that ISP send back to the port scanner ICMP host unreachable
> > messages?
>
> No. But it's highly unlikely you'll be able to get your ISP to do this,
> because it requires time for someone to configure the router to block the
> IP. More likely is that your ISP will tell you to run a firewall at your
> end, which is pretty much what you are doing.

I haven't asked MY ISP to do this but I have complained to other ISPs from whom the port probes were coming and had that ISP stop the probes. One
ISP stopped the probes within an hour of my complaint going out in a situation in which I was getting 10 probes per day spread across a range of
source addresses a.b.0.0 to a.b.9.255 - dial-up lines perhaps? Given the response time I figured that the ISP simply put a block on my IP address.

Since I send out a copy of the firewall log entries, telling me to run a firewall would be pointless.
 
> > I was under the impression that "stealthing" rendered my IP address
> > invisible to the WAN. From what you said above it would seem that all
> > "stealthing" does is stop the packets reaching the PC on the LAN side of
> > the firewall, which is part of what I want to achieve, but doesn't render my
> > IP address invisible.
>
> No, stealthing renders it "invisible" to simple automated scripts and people
> who don't know what they are doing. If a proper "hacker" really wanted into
> your machine, stealthing is a waste of time. It is no more secure than just
> non-stealthed. However, the fact that you have a firewall is a start - by
> its very nature it blocks incoming connections to software on your PC that
> would normally be a good starting place for someone to try and get in. So
> long as you don't have any vulnerable services running on your PC that can
> be accessed from the WAN side you should have no problems. It's highly
> unlikely someone will spend a great amount of time trying to get into your
> PC - this time is better spent getting into systems that make the hacker
> money or get them some sort of peer recognition, and getting into a home PC
> doesn't do either of these.

I realise that firewalls are like locks on your front door. They don't keep the determined thief at bay for long, but can delay them long enough to
make them toddle off next door where it is easier to break in. At least that is the theory.

> > Why are these ICMP host unreachable packets sent back when it would seem
> > that they are counter-productive to good security?
>
> These ICMP packets are designed to tell systems upstream that something
> isn't connected, so therefore it's a waste of time sending data to it. It's
> got nothing to do with security, and without it there would be much more
> traffic on the internet - normally when a TCP packet is sent the sending
> system will attempt it 4 (or sometimes more) times if it doesn't get a
> response, however if the ICMP packet is returned notifying the sender that
> nothing is at that IP then there's no need to retry.

That makes sense from a system pov. Of course the system was designed well before the current crop of script kiddies came on the scene.
 
> On the other hand, if the upstream router always sent an ICMP unreachable
> response, you'd never make a connection to anything on the internet,
> rendering it useless - eg. if you tried to open a web site, the server would
> return a TCP packet with the first bit of data, get the ICMP unreachable
> packet, and then close the connection as your IP is seen as not connected.

I guess the upstream router sees my traffic going out to the IP address and uses those bits of info to stop sending ICMP host unreachable packets.

Cheers, John

Use au instead of invalid for emails to me.
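The three outcomes discussed in the exchange above (an RST from a connected host, an ICMP host unreachable from the ISP router when nothing is connected, and silence from a "stealthing" firewall), together with the retransmission behaviour Daniel mentions, as an added Python model that is not part of the original thread. The scenario names, the attempt count and the per-attempt timeout are constructed assumptions for illustration; the point is what a sender can and cannot conclude from each reply, and why silence is not the same as invisibility.

```python
# Added example, not from the thread: a toy model of what a single TCP SYN
# learns from each kind of reply discussed above. Attempt count and
# per-attempt timeout are constructed assumptions, not measured values.
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    """What comes back for one SYN sent to the target address/port."""
    SYN_ACK = "SYN/ACK from the target"                 # a service is listening
    RST = "RST from the target"                         # host is up, port closed
    ICMP_UNREACH = "ICMP host unreachable from router"  # router cannot reach the host
    SILENCE = "nothing"                                 # packet dropped ("stealthed")


@dataclass(frozen=True)
class ProbeResult:
    verdict: str          # what the sender concludes
    packets_sent: int     # SYNs the sender put on the wire
    seconds_waited: float # time until the sender stops trying


def probe(reply: Reply, attempts: int = 4, timeout_s: float = 3.0) -> ProbeResult:
    """Model one TCP connection attempt.

    Any reply ends the attempt immediately. Silence makes the sender
    retransmit until `attempts` SYNs have gone out (the post says 4 or more),
    each waiting `timeout_s` seconds (assumed fixed here, no backoff).
    """
    if reply is Reply.SYN_ACK:
        return ProbeResult("port open", 1, 0.0)
    if reply is Reply.RST:
        return ProbeResult("port closed, host is up", 1, 0.0)
    if reply is Reply.ICMP_UNREACH:
        return ProbeResult("no host at that address right now", 1, 0.0)
    # Silence: the link is up (otherwise the router would have answered with
    # ICMP unreachable), so the sender infers that something is quietly
    # discarding packets. That is the "stealthed" PC is still detectable.
    return ProbeResult("filtered: packets dropped, host likely present",
                       attempts, attempts * timeout_s)


def retransmissions_saved(attempts: int = 4) -> int:
    """SYNs an ICMP unreachable saves the network compared with silent dropping."""
    return (probe(Reply.SILENCE, attempts).packets_sent
            - probe(Reply.ICMP_UNREACH, attempts).packets_sent)


# Constructed scenarios matching the situations raised in the thread.
SCENARIOS = {
    "PC connected, web server listening on port 80": Reply.SYN_ACK,
    "PC connected, port 80 closed, no firewall": Reply.RST,
    "PC switched off or dial-up disconnected": Reply.ICMP_UNREACH,
    "PC connected, hardware firewall drops WAN-initiated packets": Reply.SILENCE,
    # Per the reply above, a block at the remote ISP sends no unreachable either.
    "remote ISP blocks the probing address at its router": Reply.SILENCE,
}


def summarize(attempts: int = 4) -> dict:
    """Run every scenario through probe() and return name -> ProbeResult."""
    return {name: probe(reply, attempts) for name, reply in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name}\n  -> {result.verdict} "
              f"({result.packets_sent} packet(s), {result.seconds_waited:.0f}s)")
```

Running it shows the two points made in the thread side by side: dropping silently costs the sender four SYNs and twelve seconds instead of one packet and an instant answer, and the silent case is the only one where the host is classified as present but filtered, which is exactly what a scanner that understands the protocol reads a "stealthed" address as.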
