[ale] How to test your public internet connection for open ports

Michael H. Warfield mhw at WittsEnd.com
Fri Feb 11 10:42:19 EST 2011


On Fri, 2011-02-11 at 02:56 -0500, Ron Frazier wrote: 
> Hi David,
> 
> As you said, nothing personal meant in anything I say.  For the record, 
> I don't have any interest in Steve Gibson, other than that I find his 
> services, products, and advice useful in securing my computers and my 
> network.  See comments in line.
> 
> On 02/10/2011 08:51 PM, David Tomaschik wrote:
> 
> > So, apparently GMail's web interface ate my earlier post.  It's a shame.
> >
> > Note: This is not directed towards Ron or anyone else on the list, and I
> > hope it is not taken personally.  I'm also not going to call Steve
> > Gibson a hack, even if he might be called that by other audiences.  I'm
> > not interested in Steve Gibson, just the (poor) advice he gives.
> >
> > Yes, we need someone who can break down security issues into terms that
> > are useful for the average consumer.  That being said, it should be
> > someone who accurately describes security issues, countermeasures, and
> > implications.  Steve Gibson has, in my eyes, failed that on several
> > occasions.
> >
> > 1.) The description of "stealthed" vs. "closed" ports, and the security
> > implications of the two.  His description of a stealthed port as a "good
> > thing" and a closed port as a "bad" thing is ridiculous.  If the port is
> > closed, the most information an attacker will glean from that is that
> > there is a host on that IP address.  He'll get that from the lack of a
> > ICMP Host Unreachable response anyway.  (See MHW's post about that.)
> >

> There is a possibility that, during a system patch or configuration 
> change, ports that were previously closed may become open.  If Joe 
> Cracker's bot previously logged my address as having an active host, 
> then it's logical that it may come back periodically and recheck my 
> ports.  I'd just rather that it didn't find me at all.

> Now, you guys are telling me, that if the bot randomly scans my public 
> IP address, 76.97.???.???, and if my ports are stealthed and I don't 
> send ANY response, and if I don't respond to ICMP pings and such, that 
> the bot is still going to know I'm there?  Come on!  I'm not buying that 
> for 5 seconds unless someone explains exactly how that will occur.

Real bloody easy.  Too bloody easy.

ping IP-1
Result: ICMP UNREACH HOST_UNREACH

ping IP+1
Result: ICMP UNREACH HOST_UNREACH

ping IP
Result: Dropped packet.  No response.

Cool!  I have a NULL sink I can use as a source for spoofed SYN floods.
Feed that address into my DDoS bots and let's ROCK ON!

Now, if you are on a dynamic address, that address may change.  Then
again, I had always-on DSL and broadband addresses which did not change
for years.

> What I think you're saying is that all or most of the other addresses 
> that are scanned on the 76.97.???.??? space will have hosts and that 
> they will respond with a "closed" port and a host unreachable code or 
> something.

NO!  It means we get an error back from the router saying the host is
unreachable if there is nothing there.  That's the whole point.  That's
what you are not getting.  ICMP indicates when there are errors.  But
you are telling him you are there by NOT sending back the error he
should receive.  If you are there and you're dropping packets, we don't
get anything back.  Your presence is unmasked by the absence of an
error.

> Therefore, mine will be conspicuous by its absence.  There 
> are two problems with that theory.  A) The address space may not be 
> full, and B) Most of the other users are going to be home users just 
> like me with routers stealthing their ports too.  So, the port 
> scanner will see large blocks of non-responses.

You're only half right and the half you are right may only be half
right.  You're assuming they're all dropping packets.  If they are all
dropping all packets, that whole subnet becomes useful as a DDoS bot
null sink.  I understand from your statements above that you don't
understand what that is and why it's significant but it is.  Don't feel
bad about that.  I know IT professionals that have a hard time
understanding that.

> If I were programming the bot, I do NOT think I would set it to pay 
> special attention and focus attacks on non responses.

Guess you wouldn't be a good hacker then.  Because they do.  They find
an address like that, they don't need to attack it but they can abuse it
as part of their other attacks.  I work with these things.  It does
happen.

> I believed last week, and I still believe this week, that my home 
> network is safer by operating with a stealth firewall at the edge, even 
> if the benefit is not tremendous over that of a non stealth firewall.

You haven't shown any of us a single benefit and I've mentioned a couple
of benefits to rejecting packets appropriately.  Nice try.  Thank you
for playing.

> The consumer needs simple, direct advice.  So, my advice, derived from 
> Steve's is, buy a home router which stealths all the ports, configure it 
> according to the directions I've given, check it with ShieldsUp (or some 
> more comprehensive tool that's easy to use that I don't know about), and 
> that part of your network setup is done.  You're as safe as you can be 
> within your budget and knowledge level from unsolicited attacks.

The consumer needs simple direct advice that IS NOT INACCURATE.
Everything should be as simple as possible but not TOO SIMPLE.

This is what makes me so frustrated.  Making inaccurate, imprecise
statements like "you need a router for security" and "you're secure
because you have a NAT device" has perpetuated this myth that NAT ==
security.  Then foolish consumers think "Oh, IPv6 must not be very
secure if it doesn't have NAT" when just the opposite is true!

As a security professional I'll go so far as to say you are more secure
on IPv6 with no firewall at all, than you are on IPv4 with a firewall or
NAT.  Why?  Because IPv6 is 4 billion times more difficult to
comprehensively brute force scan a single subnet than it is to scan the
IPv4 internet from end to end.  Note:  I'm being VERY precise in that
terminology.  Yes, IPv6 can be scanned, especially when people treat it
like IPv4 and assign sequential addresses, but you have to use
"intelligent" scans and heuristics to choose your targets, you can not
simply start at one end of even a single subnet and scan to the other
end.  Now put THAT behind a firewall, or have the addresses changing
periodically (privacy enhanced addresses) and try scanning for that.
Combine that with the deliberate sparse nature of v6 allocations.  IPv4
is like shooting fish in a barrel.  You hit a broadband or DSL subnet,
you can barely turn around and take a breath without hitting an
opportune target.  Now, replace each of those single IPv4 addresses with
an IPv6 /64 subnet.  Now you have only 1 chance in 18 billion billion of
guessing a host address (times the number of machines).  The opportunity
to score drops real low and your attack yield is low because the
defender's attackable footprint is so much tinier.

Point on the curve.  Years ago a particularly nasty worm called the
Witty worm cut loose on the net.  Its growth was explosive.  Within
minutes it overwhelmed routers and networks.  Within a half an hour it
had infected well over 12,000 hosts around the world.  It took days to
clean up.  I participated in a lot of that.  Because of the unique
nature of that worm, I was able to track it in my darknet net-telescope
as did CAIDA, a much larger (/8) net telescope.  It was a single packet
spoofed UDP based worm that was spoofed "from" a particular port making
it rather easy to track and easy to tell when it managed to "sneak"
behind a NAT router (I started seeing other ports and multiple ports
from the same address - simple).  It wasn't part of a virus or trojan
package, so it only propagated by network traffic alone and it wasn't
something you tripped on browsing a web site.  A classical self
propagating worm.

From the time I saw the first Witty worm packets in the aperture of my
net-telescope to the time I saw the first indications that it had wormed
its way past a NAT and infected a NAT based network was under 1 minute.
We never did determine how it was that it managed to make it past NAT
devices, which should have been acting like firewalls, but it did and by
the end of the day there were hundreds of NAT based networks that were
infected.  I can't say if it snuck past stateful firewalls or not, since
I couldn't discriminate that, but I strongly suspect that it would have
as well.  Witty would have never gotten off the ground on an IPv6
network.

http://en.wikipedia.org/wiki/Witty_%28computer_worm%29

<-- Snip -->

> > 3.) Advocating blocking ICMP echo request (ping) packets.  Again, from
> > "Shields Up": "Ping Reply: RECEIVED (FAILED) — Your system REPLIED to
> > our Ping (ICMP Echo) requests, making it visible on the Internet. Most
> > personal firewalls can be configured to block, drop, and ignore such
> > ping requests in order to better hide systems from hackers. This is
> > highly recommended since "Ping" is among the oldest and most common
> > methods used to locate systems prior to further exploitation."  RFC 1122
> > [1] specifically requires that hosts on the Internet respond to ICMP
> > echo requests with an ICMP echo reply.  Misguided users might end up
> > blocking all ICMP packets (I have seen at least one consumer router with
> > an option to block all ICMP), resulting in the breaking of path MTU
> > discovery, ICMP redirection (which admittedly has its own issues), and
> > the loss of Host/Network unreachable messages.  (In addition to the
> > dozens of other messages carried by ICMP.)  This might also make the
> > user unable to send outbound pings, or receive their replies.  (Again,
> > dropping ICMP = bad.)  Even Steve himself admits[2] that this breaks the
> > way things are designed to work.


> As a home user, I've been blocking outside pings for years, as long as 
> I've had broadband.  It's all part of being invisible.  I can't speak to 
> whether the router is blocking other ICMP.  I've never had any ill 
> effects that I know of.

You wouldn't probably realize it.  A web site takes ages to load.
Happens all the time.  Sometimes it works, sometimes it doesn't,
sometimes you go elsewhere.  You think it's just the net.  You don't
realize you shot yourself in the foot.

> There is absolutely no reason anyone outside my 
> house needs to ping me, and I have serious doubts as to whether I need 
> to receive any other ICMP traffic.

No offense but that's because you obviously have no clue how the network
works.  ICMP is the Internet CONTROL Message Protocol.  It's used for a
lot of bookkeeping and management, not just ICMP ECHO (ping).

> Blocking ping, and ICMP, may break 
> certain things enterprise networks expect.  I don't have a problem with 
> that.  I don't have an enterprise network.

What you will care about is if something takes 30 seconds to time out
instead of telling you that a site is busy or something else is wrong.
ICMP is how network errors are reported back.

> I have a home network that I 
> want to be as safe as possible and one that does what I need it to do by 
> giving me access to the internet.

Well, you're going about it all wrong and breaking things and making
things unreliable along the way.  But it's a self inflicted injury, so I
guess that's OK.  Enjoy.

> I really don't care if that violates 
> RFC 1122.  Also, the internet was "designed to work" in the 60's when 
> the types of security issues we face today, with millions of automated 
> viruses roaming around, hadn't even been dreamed of.  So, maybe the way 
> it was designed to work, isn't the safest way to have it work, in the 
> modern era.

<-- Snip -->

> Perhaps you could point it out in a positive manner at 
> http://www.grc.com/feedback .  He says he reads every post, even if he 
> cannot personally reply.

Reads?  Maybe.  Doesn't do anything about them?  I'm not so sure.  I'm not
convinced.

<-- Snip -->

> The consumer is going to go look at the store shelf and see "NAT Router" 
> on the box.  Steve has to use terminology that they'll understand.  The 
> consumer NAT router has NAT, firewall, and routing functionality, so it 
> is a security device, whether NAT is providing the security or not.  I 
> think one of the Michael's said that part of doing NAT involves stateful 
> packet inspection, so it seems to me that all this is pretty intertwined 
> anyway.  The consumer thinks, "If I have a NAT router, I have some 
> security." - which is true.

And then, because of this inaccurate reasoning, they think that IPv6 is
less secure than IPv4 because it has no NAT.  That is just incredibly
wrong on so many levels it's mind boggling.

> By the way, as long as we're discussing NAT, since the cable / dsl modem 
> ONLY provides 1 IP on its ethernet LAN port, as far as I know, then, 
> without NAT, the customer could only put 1 PC on the LAN and connect to 
> the internet.  That would be unfeasible for most of us.

Yes!  THAT's what NAT was created for.  To address the shortcomings and
failures of IPv4 and allow the sharing of addresses, not to provide
security (it also breaks several things in IPv4 along the way as well).
That's what IPv6 does away with.  That's what IPv6 fixes and is more
secure in principle to begin with.  You need an IPv6 router anyways just
to route your subnet.  I can replace a NAT device with three rules in a
stateful filter (which should be there by default anyways) on your
router, and we're done.  You have all the security of IPv6 plus all the
security you would have on IPv4 with NAT and you have no NAT!

> > I'm not saying Steve hasn't contributed to the field of consumer
> > security, and I'm not saying that every bit of advice he gives is crap.
> >   But, really, the way security is done needs to be reformed.  It needs
> > to be a collaborative effort, and we need to make users understand.
> > Steve has said things that misleads users into believing that they are
> > secure when they may, in fact, still have vulnerabilities.  I don't
> > think he emphasizes user education enough, and I don't believe he has
> > paid adequate attention to drive-by downloads, bundled malware, and user
> > privacy issues.  Most compromises of home computers are NOT caused by
> > services on the host.  Most of the compromises occur because users a)
> > download things they shouldn't, b) don't patch, c) use peer-to-peer (see
> > a.), and d) don't know better.  Being stealthed doesn't fix a single one
> > of those.
> >
> 
> If you had listened to the last 5 years of his weekly podcast, as I 
> have, you'd find that he's all about education.  Everything you 
> mentioned has been covered numerous numerous times, usually in great 
> detail.  There is far more content there than on his website.  I just 
> chose to point out ShieldsUp because of the discussion about routers.  
> Why else would he devote 4 hours a week (3 hours prep, 1 hour talk) to 
> making a podcast for over 250 weeks, all for free?  He's the most 
> dedicated person I know of in terms of protecting the consumer.  He also 
> pays his staff to transcribe each podcast so we can have better access 
> to it and search it.

> No offense intended, but I found your arguments interesting, and 
> somewhat valid, but overall nit picky and not compelling from the point 
> of view of the consumer.

Fine.  Then just don't point to him as an authority.  That's like
pointing to Mister Rogers as an expert on quantum mechanics.  He may
make it popular and understandable but you, as the consumer, need to
understand that he's an approximation at best and misleading at worst.

<-- Snip -->

> My only motive in making these posts is to help other people.  It 
> doesn't do me any good in any other way, to sit in this chair with a 
> sore back, to spend dozens of hours typing this.  So, hopefully, it will 
> be helpful.  I do appreciate the dialog, by the way.

> Sincerely,
> 
> Ron

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
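Two of the points argued in this message lend themselves to a small model. The first is the drop-versus-reject argument (an address that silently drops probes is still identifiable, because the upstream router answers for empty addresses with ICMP host unreachable and a silent address lacks that error). The second is the ICMP caveat raised in the quoted text: a firewall that drops all ICMP, not just echo, also drops the "fragmentation needed" error that path MTU discovery relies on, which is what turns a large page load into a long stall. The Python below is an added example and is not code from the original post or from any product mentioned in the thread; the address block, the per-address policies and the MTU values are constructed for illustration.

```python
"""Constructed model of (1) why a silently dropping address is still
identifiable when the router reports unreachable neighbours, and (2) how
dropping all ICMP breaks path MTU discovery.  Added example, not from the
original post; all addresses, policies and sizes are constructed."""
from enum import Enum
from typing import Dict, Optional, Tuple


class Policy(Enum):
    UNALLOCATED = "unallocated"  # nothing there: the router answers ICMP host unreachable
    REJECT = "reject"            # host present; closed ports answer (TCP RST / ICMP port unreachable)
    DROP = "drop"                # host present; "stealth" policy silently discards the probe


def probe_response(policy: Policy) -> Optional[str]:
    """What one unsolicited probe elicits from an address under each policy."""
    if policy is Policy.UNALLOCATED:
        return "icmp-host-unreachable"   # generated by the router, not by any host
    if policy is Policy.REJECT:
        return "tcp-rst"
    return None                          # dropped: nothing comes back at all


def infer_presence(responses: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify addresses from the responses alone.  The absence of the
    router's unreachable error is itself evidence that the address is occupied."""
    verdicts = {}
    for addr, resp in responses.items():
        if resp == "icmp-host-unreachable":
            verdicts[addr] = "no host"
        elif resp is None:
            verdicts[addr] = "host present, silent"
        else:
            verdicts[addr] = "host present, answering"
    return verdicts


# Constructed slice of a broadband block mixing empty, rejecting and dropping addresses.
SAMPLE_BLOCK: Dict[str, Policy] = {
    "198.51.100.1": Policy.UNALLOCATED,
    "198.51.100.2": Policy.REJECT,
    "198.51.100.3": Policy.DROP,
    "198.51.100.4": Policy.UNALLOCATED,
    "198.51.100.5": Policy.DROP,
    "198.51.100.6": Policy.REJECT,
}


def classify_block(block: Dict[str, Policy] = SAMPLE_BLOCK) -> Dict[str, str]:
    """Run the model over a block and return the per-address verdict."""
    return infer_presence({addr: probe_response(p) for addr, p in block.items()})


def silent_hosts_identified(block: Dict[str, Policy] = SAMPLE_BLOCK) -> bool:
    """True when every DROP address was nonetheless classified as occupied,
    i.e. the "stealth" policy hid nothing."""
    verdicts = classify_block(block)
    return all(verdicts[a] == "host present, silent"
               for a, p in block.items() if p is Policy.DROP)


def pmtu_transfer(packet_len: int, path_mtu: int, icmp_unreach_delivered: bool,
                  max_attempts: int = 3) -> Tuple[bool, int, int]:
    """Simulate sending a DF-marked packet over a path whose MTU is smaller.
    With ICMP type 3 code 4 (fragmentation needed) delivered, the sender lowers
    its size and the second attempt succeeds.  With all ICMP dropped at the
    edge, the error never arrives and every retry fails the same way: a
    black hole that shows up to the user as a stall, not an error message.
    Returns (delivered, attempts_used, final_packet_size)."""
    size = packet_len
    for attempt in range(1, max_attempts + 1):
        if size <= path_mtu:
            return True, attempt, size
        if icmp_unreach_delivered:
            size = path_mtu   # sender adopts the next-hop MTU carried in the error
    return False, max_attempts, size


if __name__ == "__main__":
    for addr, verdict in classify_block().items():
        print(f"{addr:14s} {verdict}")
    print("ICMP passed:  ", pmtu_transfer(1500, 1400, icmp_unreach_delivered=True))
    print("ICMP dropped: ", pmtu_transfer(1500, 1400, icmp_unreach_delivered=False))
```

The verdict for a dropping address does not depend on how many of its neighbours also drop: as long as the router answers for empty addresses, any address that returns nothing at all is by elimination occupied, which is the point made in the reply about the error's absence. The PMTU half is the practical reason to let ICMP destination-unreachable and time-exceeded messages through even when echo is blocked.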