Re: Am I being hacked?
From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 08/26/04
- Next message: Ralph Alvy: "ZoneAlarm 5.1 leaves port 1025 open"
- Previous message: Stuart Gibson: "Re: Network Security Help Please"
- In reply to: Brian: "Re: Am I being hacked?"
- Next in thread: Lars M. Hansen: "Re: Am I being hacked?"
- Reply: Lars M. Hansen: "Re: Am I being hacked?"
- Reply: Double U: "Re: Am I being hacked?"
- Reply: xmp: "Re: Am I being hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Aug 2004 21:09:24 +0000
Brian wrote...
>> Some of the things you've related seem a little odd, but not so strange
>> they'd cause too much concern. The thing you should realize is that
>> these are not "connections". They're requests for connections, and your
>> machine probably telling the world no. There's really no harm in that,
>> although the ultra paranoid tend to want "stealth", or absolutely no
>> reply at all.
>>
> Thanks for clarifying. I did feel that I was being paranoid. However, it
> seems really strange that you have ports that test as 'stealthed' yet
> incoming TCP packets are 'Allowed' on those ports.
The term "stealth" is misleading. There's really nothing stealthy about
sticking your fingers in your ears and refusing to reply, and
while you may be stealthed when it comes to one type of activity, it's
obvious that you can't be stealthed to all activity or nothing would
work. You *must* respond to some things, or your connection is broken.

The online services that claim to test your firewall can be misleading
because of this. I don't know in particular which types of "ping" or
connection attempts something like GRC tests but I'd wager they're not
using ICMP timestamp request packets, for example. It's possible your
firewall might pass those, but block normal ICMP echo requests.

Also, ICMP packets aren't generally attached to a given port number. If
your firewall is truly reporting ICMP packets going out from port 'X'
then something is probably wrong with the firewall (one of the odd
things I was talking about). It may be reporting the ICMP type code, or
it may be reporting the *original* datagram, the incoming request, which
could have been tied to a port if it were something like a SYN request
or UDP "ping". Which your machine would naturally respond to with the
standard "I'm not listening". ;)

Bottom line is, I really don't think there's anything to be worried
about. Even if someone *is* probing you, they're not getting through.
And unless the level of that probe reaches a point where it's hampering
your ability to connect and becoming a denial of service attack, there's
probably nothing you can do about it anyway. Such is the nature of the
internet. If you want to really spook yourself, install something like
Snort and turn on all its rules. Or simply do raw packet captures with
Ethereal/Packetyzer or such. You'd be amazed at what your firewall
*isn't* telling you, and even these types of utilities don't see every
bit of traffic that might cross your machine. ;)
--
Our country, right or wrong. When right, to be kept right;
when wrong, to be put right.
-- Carl Schurz, January 17, 1872
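
The point above about ICMP and port numbers, as an added example that is not part of the original post: an ICMP header carries only a type and a code, and a port can appear in a log only when an ICMP error message quotes the original datagram. The sample packets, addresses and function names below are constructed for illustration, and checksums are left at zero and not verified.

```python
import struct

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded", 13: "timestamp request", 14: "timestamp reply"}
ERROR_TYPES = {3, 11}  # ICMP errors quote the offending datagram (RFC 792)

def describe_icmp(icmp: bytes) -> dict:
    """Decode an ICMP message (the bytes that follow the outer IP header)."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    info = {"type": icmp_type, "code": code,
            "name": ICMP_NAMES.get(icmp_type, "other"), "quoted": None}
    if icmp_type not in ERROR_TYPES:
        return info  # echo/timestamp messages: no port field anywhere
    quoted = icmp[8:]  # original IP header + first 8 bytes of its payload
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return info  # nothing usable quoted, or not IPv4
    ihl = (quoted[0] & 0x0F) * 4  # quoted IP header length in bytes
    proto = quoted[9]
    l4 = quoted[ihl:ihl + 4]  # TCP and UDP both start with src/dst port
    if proto in (6, 17) and len(l4) == 4:
        sport, dport = struct.unpack("!HH", l4)
        info["quoted"] = {"proto": "tcp" if proto == 6 else "udp",
                          "src_port": sport, "dst_port": dport}
    return info

def build_sample_port_unreachable() -> bytes:
    """Constructed sample: type 3 code 3 quoting a UDP probe to port 33434."""
    udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

def build_sample_timestamp_request() -> bytes:
    """Constructed sample: type 13 (timestamp request), no quoted datagram."""
    return struct.pack("!BBHHHIII", 13, 0, 0, 1, 1, 0, 0, 0)

if __name__ == "__main__":
    for pkt in (build_sample_port_unreachable(), build_sample_timestamp_request()):
        print(describe_icmp(pkt))
```

A firewall log that shows a port next to an outgoing ICMP message is most plausibly displaying the quoted datagram's ports, as in the first sample; the second sample has no port to display.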