[ale] How to test your public internet connection for open ports

Greg Freemyer greg.freemyer at gmail.com
Fri Feb 11 08:01:31 EST 2011


Ron,

You're focused on the wrong router.

Your ISP has an edge router that sends you packets.

By definition it has to know if you (and your IP) exist or not.
Nothing you can do about it.

If someone pings an IP that is not in use THAT router will reply with
"destination unreachable".

The fact that THAT router does not reply with a failure message is all
the malware needs to know you exist.

And you have no control of THAT router.

Greg

On 2/11/11, Ron Frazier <atllinuxenthinfo at c3energy.com> wrote:
> Hi David,
>
> As you said, nothing personal meant in anything I say.  For the record,
> I don't have any interest in Steve Gibson, other than that I find his
> services, products, and advice useful in securing my computers and my
> network.  See comments in line.
>
> On 02/10/2011 08:51 PM, David Tomaschik wrote:
>
>> So, apparently GMail's web interface ate my earlier post.  It's a shame.
>>
>> Note: This is not directed towards Ron or anyone else on the list, and I
>> hope it is not taken personally.  I'm also not going to call Steve
>> Gibson a hack, even if he might be called that by other audiences.  I'm
>> not interested in Steve Gibson, just the (poor) advice he gives.
>>
>> Yes, we need someone who can break down security issues into terms that
>> are useful for the average consumer.  That being said, it should be
>> someone who accurately describes security issues, countermeasures, and
>> implications.  Steve Gibson has, in my eyes, failed that on several
>> occasions.
>>
>> 1.) The description of "stealthed" vs. "closed" ports, and the security
>> implications of the two.  His description of a stealthed port as a "good
>> thing" and a closed port as a "bad" thing is ridiculous.  If the port is
>> closed, the most information an attacker will glean from that is that
>> there is a host on that IP address.  He'll get that from the lack of a
>> ICMP Host Unreachable response anyway.  (See MHW's post about that.)
>>
>>
>
> There is a possibility that, during a system patch or configuration
> change, ports that were previously closed may become open.  If Joe
> Cracker's bot previously logged my address as having an active host,
> then it's logical that it may come back periodically and recheck my
> ports.  I'd just rather that it didn't find me at all.
>
> Now, you guys are telling me, that if the bot randomly scans my public
> IP address, 76.97.???.???, and if my ports are stealthed and I don't
> send ANY response, and if I don't respond to ICMP pings and such, that
> the bot is still going to know I'm there?  Come on!  I'm not buying that
> for 5 seconds unless someone explains exactly how that will occur.
>
> What I think you're saying is that all or most of the other addresses
> that are scanned on the 76.97.???.??? space will have hosts and that
> they will respond with a "closed" port and a host unreachable code or
> something.  Therefore, mine will be conspicuous by its absence.  There
> are two problems with that theory.  A) The address space may not be
> full, and B) Most of the other users are going to be home users just
> like me with routers stealthing their ports too.  So, the port
> scanner will see large blocks of non responses.
>
> If I were programming the bot, I do NOT think I would set it to pay
> special attention and focus attacks on non responses.
>
> I believed last week, and I still believe this week, that my home
> network is safer by operating with a stealth firewall at the edge, even
> if the benefit is not tremendous over that of a non stealth firewall.
>
> The consumer needs simple, direct advice.  So, my advice, derived from
> Steve's is, buy a home router which stealths all the ports, configure it
> according to the directions I've given, check it with ShieldsUp (or some
> more comprehensive tool that's easy to use that I don't know about), and
> that part of your network setup is done.  You're as safe as you can be
> within your budget and knowledge level from unsolicited attacks.
>
>> 2.) Misleading descriptions of the implications of open ports.  If you
>> run GRC's "Shields Up" with 443 open, you'll receive this message: "The
>> presence of this secure web port in your system implies that this system
>> is establishing secure connections with web browsers. The number one
>> reason for doing this is the transmission of credit card information.
>> This implies that the successful intruder could access the web server's
>> credit card database and score bigtime. This is a VERY bad port to have
>> open unless you are actually conducting secure web commerce!"  There are
>> a number of other uses of HTTPS, and implied in this message is that
>> being compromised by HTTPS makes it easier for the attacker to gain
>> access to the database than any other compromise, leading to users
>> thinking that other open ports are "less important".
>>
>>
>
> I don't have 443 open.  I clicked on the green light I got in the grid
> and it cross referenced to his port database, which has different text.
> I'll admit the language is awkward.  I think what he's trying to get
> across to the consumer, is that if you are a consumer and you have 443
> open and you didn't open it on purpose, you have a potentially big
> problem.  I have no problem with that.  I think the complaint is a bit
> nit picky.
>
>> 3.) Advocating blocking ICMP echo request (ping) packets.  Again, from
>> "Shields Up": "Ping Reply: RECEIVED (FAILED) — Your system REPLIED to
>> our Ping (ICMP Echo) requests, making it visible on the Internet. Most
>> personal firewalls can be configured to block, drop, and ignore such
>> ping requests in order to better hide systems from hackers. This is
>> highly recommended since "Ping" is among the oldest and most common
>> methods used to locate systems prior to further exploitation."  RFC 1122
>> [1] specifically requires that hosts on the Internet respond to ICMP
>> echo requests with an ICMP echo reply.  Misguided users might end up
>> blocking all ICMP packets (I have seen at least one consumer router with
>> an option to block all ICMP), resulting in the breaking of path MTU
>> discovery, ICMP redirection (which admittedly has its own issues), and
>> the loss of Host/Network unreachable messages.  (In addition to the
>> dozens of other messages carried by ICMP.)  This might also make the
>> user unable to send outbound pings, or receive their replies.  (Again,
>> dropping ICMP = bad.)  Even Steve himself admits[2] that this breaks the
>> way things are designed to work.
>>
>>
>
> As a home user, I've been blocking outside pings for years, as long as
> I've had broadband.  It's all part of being invisible.  I can't speak to
> whether the router is blocking other ICMP.  I've never had any ill
> effects that I know of.  There is absolutely no reason anyone outside my
> house needs to ping me, and I have serious doubts as to whether I need
> to receive any other ICMP traffic.  Blocking ping, and ICMP, may break
> certain things enterprise networks expect.  I don't have a problem with
> that.  I don't have an enterprise network.  I have a home network that I
> want to be as safe as possible and one that does what I need it to do by
> giving me access to the internet.  I really don't care if that violates
> RFC 1122.  Also, the internet was "designed to work" in the 60's when
> the types of security issues we face today, with millions of automated
> viruses roaming around, hadn't even been dreamed of.  So, maybe the way
> it was designed to work, isn't the safest way to have it work, in the
> modern era.
>
>> 4.) Steve suggests connecting unprotected hosts directly to the
>> Internet.  On the "Shields Up" results page, he has a section labeled
>> "Detecting Ports Blocked by Your ISP" where he states "If your system is
>> operating behind a residential "NAT" router, the router will be acting
>> as a natural and excellent hardware firewall. But that's not what you
>> want for the moment. You can temporarily remove your NAT router and
>> connect an unprotected computer directly to your cable modem or DSL
>> line. Or, if you are comfortable reconfiguring your NAT router, you may
>> be able to point the router's "DMZ" at one of your computers which has
>> been instructed to "trust" our probe IP of [4.79.142.206]. If, after
>> doing so, most of the service ports change to either open or closed, you
>> have succeeded and any remaining stealth are being blocked by your ISP."
>> In 2004, the Internet Storm Center estimated that an unpatched Windows
>> system would only last 20 minutes online before being compromised.[3]
>> Suggesting that ANY "unprotected" system be connected to the Internet
>> for any amount of time is terrible advice, especially from someone who
>> calls himself a security expert.
>>
>>
>
> That's very interesting, and I hadn't noted it before.  I tried the
> procedure by connecting my laptop directly to the cable modem.  I DO
> have the Linux firewall running, controlled by Firestarter.  Everything
> comes back closed except 135, 136, 137, 138, 139, and 445, which are
> stealthed.  That's very intriguing.  I guess Comcast is blocking those.
>
> I believe this page is several years old, and probably hasn't been
> touched for a while.  However, I agree with you that he doesn't properly
> warn the customer of the danger of trying this experiment.  Most of his
> listeners would probably have a patched Windows system, with a firewall
> running unless it's ancient.  You'd probably have to turn off the
> software firewall to make this work, and that would make me nervous.  It
> should probably be reworded.
>
> Perhaps you could point it out in a positive manner at
> http://www.grc.com/feedback .  He says he reads every post, even if he
> cannot personally reply.
>
>> 5.) Default options on "Shields Up" scan either a handful of common
>> service ports or the lowest 1056 TCP ports.  A successful result there
>> is significantly misleading to the end user by implying that their
>> system is secure.  There is a lot of software, particularly Peer-to-Peer
>> software, that uses ports over 1056.  For example, the default
>> "/etc/services" (listing "Well Known" ports) on Ubuntu contains 165 TCP
>> services with ports over 1056.  Many of these applications (P2P again)
>> may use UPnP to open ports on your firewall, so if you haven't done
>> EVERYTHING Steve Gibson advocates and have left UPnP enabled, you could
>> have applications exposed to the Internet and never know.
>>
>>
>
> I cannot speak for him other than to note what's on his website.  The
> scan will cover almost all the common service ports.  Keep in mind that
> the objective is to help protect the user from unsolicited attacks.  If
> they click on a website and invite something in that opens a port that's
> non standard, all bets are off.  If the attacker doesn't have some way
> of starting a custom server on the user's PC, this scan would cover the
> large majority of the ports that could be attackable.  Both I and Steve
> recommend turning off UPNP - specifically to prevent something from
> trying to open a port behind your back.  And, I put that in my prior
> post.  It would not be logical to follow some of the instructions for
> securing your router and not the others.  I think that if the user is
> going to go to this trouble at all, and if he'd heard many podcasts or
> had read a post such as mine, he'd have UPNP off.  Also, if your router
> is stealthing the first 1056 ports properly, it's highly likely that
> it's doing the rest.
>
> Also, the website says that it has been used to scan 88 Million users'
> PCs.  Now, the scan I did took about 1 minute.  So, his server has
> spent 88 Million minutes of CPU thread time doing these scans, all for
> free, for years.  There are 1440 minutes in a day, so a quick
> calculation reveals that the server has spent 61,111 DAYS of CPU thread
> time, or 167 YEARS of CPU thread time doing free scans for all those
> people.  Obviously, the server can run multiple simultaneous threads.
> But, you get the idea.  This is a very large amount of CPU time and
> network bandwidth to provide a service that he's giving the world for
> free.  I, for one, thank him for it.
>
> Finally, if he had scanned all the ports, the CPU load and bandwidth
> requirements would have increased by a factor of 62 which is 65535 /
> 1056.  Therefore, each test would take the customer 62 minutes, which
> the customer wouldn't tolerate, AND, with the same resources, he could
> only serve 1.5 Million customers instead of 88 Million.  So, he probably
> made a design decision to make the system such that it would serve the
> most people with the least pain, the least time, and the least cost.  If
> the ShieldsUp test passes, you have a high degree of certainty (but not
> absolute), that you are protected from unsolicited attacks.
>> 6.) His "File Sharing" test only checks port 139.  Port 445 is also used
>> for the SMB protocol, and has had a number of quite successful
>> exploits.[4]
>>
>>
>
> This is a single purpose test designed to expose an old bug in Windows.
> Nothing else.  445 is tested in both other tests.  I recommend people
> run all three.  By the way, you can also test specific addresses if
> you're inclined to.
>
>> 7.) Steve has advocated[5] pointing the DMZ feature on a router to an
>> unused IP address so that unsolicited inbound packets are dropped.
>> Sounds great, right?  It probably is, unless you're a user who points to
>> something that happens to be unused right now, but the next time you
>> reboot your computer, you might just get that IP address.  (Sure, if you
>> pay close attention, you can put it outside your router's DHCP range,
>> but hey, we're talking about "Average consumer", right?)
>>
>>
>
> Maybe the average smart consumer.  They have to know enough to know they
> need to seek out advice on security and listen to the podcast.  Also,
> many of his listeners, such as myself, are more advanced.  This is a
> slightly more advanced technique.  Perhaps he should mention that they
> need to set the DHCP server not to distribute LAN addresses in this
> range.  That's what I've done.  My DHCP server distributes xxx.xxx.xxx.2
> - 200 on the LAN.  If I want to forward something to a black hole, I
> send it to 250 or something.  That address will NEVER be allocated.
> Steve likes to give lots of technical detail.  Some listeners will be
> able to absorb it, and some won't.  This might be another thing that
> could be suggested on the feedback page.
>
>> 8.) Steve continues to refer to NAT as security.[5] (And numerous other
>> places.)
>>
>>
>
> The consumer is going to go look at the store shelf and see "NAT Router"
> on the box.  Steve has to use terminology that they'll understand.  The
> consumer NAT router has NAT, firewall, and routing functionality, so it
> is a security device, whether NAT is providing the security or not.  I
> think one of the Michaels said that part of doing NAT involves stateful
> packet inspection, so it seems to me that all this is pretty intertwined
> anyway.  The consumer thinks, "If I have a NAT router, I have some
> security." - which is true.
>
> By the way, as long as we're discussing NAT, since the cable / dsl modem
> ONLY provides 1 IP on its ethernet LAN port, as far as I know, then,
> without NAT, the customer could only put 1 PC on the LAN and connect to
> the internet.  That would be unfeasible for most of us.
>
>> I'm not saying Steve hasn't contributed to the field of consumer
>> security, and I'm not saying that every bit of advice he gives is crap.
>> But, really, the way security is done needs to be reformed.  It needs
>> to be a collaborative effort, and we need to make users understand.
>> Steve has said things that mislead users into believing that they are
>> secure when they may, in fact, still have vulnerabilities.  I don't
>> think he emphasizes user education enough, and I don't believe he has
>> paid adequate attention to drive-by downloads, bundled malware, and user
>> privacy issues.  Most compromises of home computers are NOT caused by
>> services on the host.  Most of the compromises occur because users a)
>> download things they shouldn't, b) don't patch, c) use peer-to-peer (see
>> a.), and d) don't know better.  Being stealthed doesn't fix a single one
>> of those.
>>
>>
>
> If you had listened to the last 5 years of his weekly podcast, as I
> have, you'd find that he's all about education.  Everything you
> mentioned has been covered numerous numerous times, usually in great
> detail.  There is far more content there than on his website.  I just
> chose to point out ShieldsUp because of the discussion about routers.
> Why else would he devote 4 hours a week (3 hours prep, 1 hour talk) to
> making a podcast for over 250 weeks, all for free?  He's the most
> dedicated person I know of in terms of protecting the consumer.  He also
> pays his staff to transcribe each podcast so we can have better access
> to it and search it.
>
> No offense intended, but I found your arguments interesting, and
> somewhat valid, but overall nit picky and not compelling from the point
> of view of the consumer.
>
> To me, this seems more like a witch hunt.  Rather than bash every little
> fault, consider the huge amount of time, energy, and money he's invested
> to make all our neighbors, family, and friends who he has influence over
> a bit safer.  I respectfully suggest that, if one were to listen to
> those 5 years of archived podcasts, or even 6 months of them, one would
> have a better perspective on which to form an objective opinion.  At
> least you went and got some quotes from his website to make comments
> on.  This one resource, the podcast, has taught me more about
> networking and home computer security than my entire prior career (which
> was not focused on those topics, but did involve substantial use of
> computers).
>
> Those interested in gaining such a broader, more objective perspective
> may find Steve's podcast at
>
> https://www.grc.com/securitynow.htm (includes low bandwidth versions and
> transcripts)
> http://www.twit.tv/sn
>
> Here's a challenge.  I've heard over 250+ of his podcasts.  I've found
> them useful, enlightening, and interesting.  I have implemented many of
> his suggestions in my own home network.  So, perhaps some of you chiding
> me could listen to 10% of that, say 25 podcasts, then report back.  At
> least you'll have a better basis for discussion.
>
> My only motive in making these posts is to help other people.  It
> doesn't do me any good in any other way, to sit in this chair with a
> sore back, to spend dozens of hours typing this.  So, hopefully, it will
> be helpful.  I do appreciate the dialog, by the way.
>
> Sincerely,
>
> Ron
>
>> [1] http://www.faqs.org/rfcs/rfc1122.html
>> [2] http://www.grc.com/sn/sn-146.txt
>> [3] http://www.techrepublic.com/article/study-unpatched-pcs-compromised-in-20-minutes/5314563
>> [4] http://www.linklogger.com/TCP445Scan3.htm
>> [5] http://www.grc.com/sn/sn-064.txt
>>
>> --
>> David Tomaschik, RHCE, LPIC-1
>> System Administrator/Open Source Advocate
>> OpenPGP: 0x5DEA789B
>> http://systemoverlord.com
>> david at systemoverlord.com
>>
>>
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new messages very quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O)   Leave a message.
> linuxdude AT c3energy.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>

-- 
Sent from my mobile device

Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
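Greg's point about the edge router, as an added simulation that is not code from the list, from GRC, or from any product discussed above: the ISP router answers probes to addresses it has not assigned with an ICMP unreachable message itself, so a "stealthed" host's silence is still distinguishable from "no host here". The addresses, hosts and firewall policies below are constructed for the illustration.

```python
"""Why dropping probes does not make an address look unused: the upstream
router, not the host, is what answers for addresses nobody is assigned.
Constructed model; the IPs and hosts are made up for this example."""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# ICMP echo request is modelled as port None (a ping, not a TCP probe).
PING = None


class Reply(Enum):
    SYNACK = "tcp-syn-ack"          # host present, port open
    RST = "tcp-rst"                 # host present, port closed ("closed")
    ECHO = "icmp-echo-reply"        # host present, answers ping
    SILENCE = "no-reply"            # host present, firewall drops the probe ("stealth")
    UNREACH = "icmp-host-unreachable"  # sent by the EDGE ROUTER: no host at that IP


@dataclass(frozen=True)
class Host:
    open_ports: frozenset
    stealth: bool   # drop closed-port probes and pings instead of answering


def edge_router_reply(assigned: Dict[str, Host], ip: str, port: Optional[int]) -> Reply:
    """The ISP edge router knows which addresses are in use. A probe to an
    unassigned address never reaches a host; the router answers it."""
    host = assigned.get(ip)
    if host is None:
        return Reply.UNREACH
    if port is PING:
        return Reply.SILENCE if host.stealth else Reply.ECHO
    if port in host.open_ports:
        return Reply.SYNACK
    return Reply.SILENCE if host.stealth else Reply.RST


def host_present(reply: Reply) -> bool:
    """What an observer learns from one reply: only the router's unreachable
    message says 'nobody here'. Silence still marks the address as assigned."""
    return reply is not Reply.UNREACH


def sweep(assigned: Dict[str, Host], addresses, port: Optional[int] = 80) -> Dict[str, bool]:
    """Classify every address in a constructed range as present / not present."""
    return {ip: host_present(edge_router_reply(assigned, ip, port)) for ip in addresses}


# Constructed sample block: three assigned addresses, one unassigned.
ASSIGNED = {
    "198.51.100.10": Host(frozenset(), stealth=True),      # everything "stealthed"
    "198.51.100.11": Host(frozenset(), stealth=False),     # everything "closed"
    "198.51.100.12": Host(frozenset({443}), stealth=True),  # one service exposed
}
ADDRESSES = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
```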
