Re: Stealthing

---

• From: roberson@xxxxxxxxxxxx (Walter Roberson)
• Date: Tue, 13 Jun 2006 23:28:54 GMT

---

In article <7bgu82lm79qg58lp1f6294vg67fh612oqg@xxxxxxx>,
B. Nice <b__nice@xxxxxxxxxxx> wrote:

Just a few questions:

If You connect to the internet with a public IP address and then ping
another public IP adress containg a stealthed machine. What response
should You get?

If you could provide a technical definition of 'stealthed' then
we might be able to answer the question. Different people mean different
things by it, and the answer will be different depending on the
definition.

If You connect to the internet with a public IP adress and then ping
another public IP adress containing no machine at all (plug pulled, so
to speak). What response should You get?

- no response if something along the way is filtering the icmp
or icmp responses

- no response if you are using a PAT (Port Address Translation)
device to provide your "public IP address" and your PAT device cannot
figure out how to get the icmp response back to the original host
(icmp does not have "ports", so getting the response back is
problematic)

- no response if the last router (or firewall) in the chain has been set
to not return icmp responses for unavailable devices [this is
fairly common]

- If nothing filters, all addresses get mapped well enough, and
the terminal device is configured to return status, then you
would get an ICMP UNREACHABLE (ICMP type 3). The ICMP subtype
would be 0 (Network Unreachable), or 1 (Host Unreachable), or
possibly even 2 (Protocol Unreachable). But you could even get
other subtypes, such as Destination Network Unknown,
or Destination Network Administratively Prohibitted.
The response ICMP subtype would, however, *NOT* be 3 (Port Unreachable) for
an ICMP ECHO packet, even though that's one of the very common
subtypes when TCP or UDP are the protocol.
.

---

• Follow-Ups:
  • Re: Stealthing
    • From: Sebastian Gottschalk
  • Re: Stealthing
    • From: B . Nice

• References:
  • Stealthing
    • From: B . Nice

• Prev by Date: Stealthing
• Next by Date: Re: Stealthing
• Previous by thread: Stealthing
• Next by thread: Re: Stealthing
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Active response... some thoughts. ... I am having a hard time imagining a decent hacker who is allowing inbound ... ignoring the ICMP would be anything but trivial. ... them being able to determine the presence of active response IDS, ... happens when they get the "port unreachable" AND the valid response from the ... (Focus-IDS) Re: ICMP (type:33/subtype:1) problem? Help! ... trying to reach-out to some other computer via the Internet and it cannot ... suspect computer via PING (the sending and responding of an ICMP packet) ... > unreachable, I get the alert as a response, am I right? ... (microsoft.public.windowsxp.security_admin) Re: Stealthing ... If you could provide a technical definition of 'stealthed' then ... I was referring to "stealthed" in the meaning: not responding to ICMP ... In that case the answer to my question must obviously be: no response. ... The ICMP subtype ... (comp.security.misc) Re: Survive without ICMP? ... Maxime Ducharme wrote: ... and the server does not send an ICMP ... > error message back (in iptables, it is DROPing packets). ... >> which effects an ICMP response, ... (comp.security.firewalls)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.misc  > 2006-06