[ale] How to test your public internet connection for open ports

Michael B. Trausch mike at trausch.us
Fri Feb 11 11:40:02 EST 2011


Ron,

No offense, but frankly: you are absolutely not qualified to relay any
sort of advice on security.  Being that you've continued on and on and
on, it seems to me that one of two things are the case here.  Either:

 * You truly believe that you are correct and that the rest of us are
   wrong.  In which case, there is a remedy: read the RFCs that define
   the way things work on the Internet.  There is no higher authority
   than that.

 * You are attempting to draw this thread out as far as possible, in
   the long-lived tradition of Internet trolls.  I am disinclined to
   believe that this is the case, but it is the only other option to
   the former.  If the latter, this has been the most effective trolling
   that's been done on ALE, at least in my memory.

Whichever it is, this needs to stop.  Educate yourself.  It's not going
to make any difference to me.  But I refuse to reply any further until
you actually take the time to learn how the infrastructure of which you
speak _works_.  Until such time, you've proved that you're as qualified
to give computer networking advice as my mother is qualified to give
advice on the care and maintenance of a car.

If you're not scared or offended away yet, read on.  I've spent too much
time trying to facilitate your understanding on this thread, however.
I'm not replying to anything else on this topic, because frankly, I'm
sick of repeating myself.  I'm sick of myself echoing others, and them
echoing me.  Nothing makes me more angry than a person who does not care
to learn.  Nothing.

This message is NOT edited.  I have work to do, I don't have time.  Deal
with it, or skip over it.  If you detect that I've had it, then you
detect correctly, because I have.  Spend some time _actually_ learning,
or just shut up already (on this topic, anyway); it's not cool to be a
brick wall, on any forum.

[Post writing note: I really am trying hard to assume that you're not
trolling.  But the longer this thread goes on, the harder and harder
that becomes; you are employing all of the typical troll tactics.  If
you're not trolling, then do yourself and us a favor, and try not to
read like you are.]

On Fri, 2011-02-11 at 02:56 -0500, Ron Frazier wrote:
> There is a possibility that, during a system patch or configuration 
> change, ports that were previously closed may become open.  If Joe 
> Cracker's bot previously logged my address as having an active host, 
> then it's logical that it may come back periodically and recheck my 
> ports.  I'd just rather that it didn't find me at all.

If a system patch starts listening on a port without the user's consent,
that is a security problem with the patch.  End of story.

Configuration changes can absolutely alter the state of the system,
including what ports are being listened on for connections.  This is
normal and expected.  If you need a service that runs on a particular
port, then you need the service that runs on a particular port.
End-users won't have anything to worry about.

For example, a BitTorrent client is going to listen on ports
in order to facilitate participation in the BT protocol.  This is
precisely how it manages to invert the normal expectation that multiple
downloaders negatively impact performance for all downloaders.  The
number of fully available seeds increases the number of places that a
person can download from, and the number of leechers (those downloading
but not yet with a full copy) also helps, if the leechers have segments
that are needed to complete the download for any person downloading
whatever is in the torrent.

Some types of NAT truly inhibit BT from full functionality.  A shame,
because BT is a truly useful protocol, and I'm of the opinion that
everyone should use BitTorrent (and seed for a while!) to help everyone
else download large pieces of software more effectively.  Furthermore,
BitTorrent includes some rudimentary security that ensures that it can
validate that the download is correct.  This is an inherent advantage
over downloading files over HTTP or FTP, for example.

> Now, you guys are telling me, that if the bot randomly scans my public 
> IP address, 76.97.???.???, and if my ports are stealthed and I don't 
> send ANY response, and if I don't respond to ICMP pings and such, that 
> the bot is still going to know I'm there?  Come on!  I'm not buying that 
> for 5 seconds unless someone explains exactly how that will occur.

Feel free to read any and all relevant standards.  Educate yourself from
authoritative sources.

The Internet is built on standards: otherwise we would not be able to
communicate at all.  These standards define correct behavior and set
expectations for well-behaved application software.

RFC 793 defines Transmission Control Protocol (TCP).  From that
document:

>> TCP is a connection-oriented, end-to-end reliable protocol
>> designed to fit into a layered hierarchy of protocols which
>> support multi-network applications.  The TCP provides for
>> reliable inter-process communication between pairs of processes
>> in host computers attached to distinct but interconnected
>> computer communication networks.  Very few assumptions are
>> made as to the reliability of the communication protocols
>> below the TCP layer.  TCP assumes it can obtain a simple,
>> potentially unreliable datagram service from the lower level
>> protocols.  In principle, the TCP should be able to operate
>> above a wide spectrum of communication systems ranging from
>> hard-wired connections to packet-switched or circuit-switched
>> networks.

This is an accurate high-level overview of what TCP is and does.  TCP is
used for nearly everything---the Web, SSH, XMPP, all Internet mail
protocols that I'm aware of, and so forth.  It is one of the most
well-understood of protocols that are run on the Internet.  Read the RFC
in order to learn precisely how TCP works.

Protocols are designed such that multiple systems are in agreement on
how they work.  Thus, they make explicit definitions.  Well-designed
protocols are very specific.  Such protocols aren't found just in
computing: Waffle House is a great real-world example of the use of a
network communication protocol.  No joke.  You talk to the waiter or
waitress, and give your order to him/her.  (S)he then stands in a
prescribed location and calls out for the attention of the cook (roughly
equivalent to a TCP SYN).  The cook will then acknowledge (roughly the
same as SYN+ACK in TCP).  The "handshake" between the waiter/waitress and
the cook is complete, and now they can communicate bidirectionally.  The waitress
calls out the order, using symbology that is well-defined in the context
of Waffle House communication.  The cook lays out objects on plates and
their counter to create a "ticket" from which they can build the order,
as a method of tracking orders.

Also, there is RFC 1122, "Requirements for Internet Hosts --
Communication Layers".  This RFC provides the standards that glue
together many different other RFCs and protocols and prescribes their use
in networks.  It provides an overview of the various types of ICMP
messages that are used with IPv4:

 * Destination Unreachable
 * Redirect
 * Source Quench
 * Time Exceeded
 * Parameter Problem
 * Echo
 * Information
 * Timestamp
 * Address Mask

Destination Unreachable has multiple codes for destination network
unknown, destination host unknown, source host isolated, communication
with destination network administratively prohibited, communication with
destination host administratively prohibited, network unreachable for
type of service, host unreachable for type of service.  There is also
protocol unreachable and port unreachable.

Sending "destination unreachable" ICMP packets neither helps nor hinders
an attacker who is scanning a subnet with an automated script.  The only
things that an attacker is interested in are the answers to the
following questions:

  * For a given IP address, what ports are being listened to?
  * Is there software running on those ports that I can exploit?

Sending ICMP destination unreachable packets does however provide a far
quicker turnaround time if someone connects to your IP address by
accident (something that happens a lot on the Internet, believe it or
not), either by mistyping an address or through the resolution of a
name into an IP address by a DNS server for some domain where the IP has
been miskeyed.  The use of ICMP in this case signals that the
connection will never succeed, and results in a turnaround time that is
significantly shorter than waiting for a TCP connection timeout.
Remember that TCP is designed to provide reliable transport on
unreliable networks!  By itself, TCP cannot really detect that the host
on the other side is never going to pick up the phone.  It has to retry
multiple times to be certain of this.

> What I think you're saying is that all or most of the other addresses 
> that are scanned on the 76.97.???.??? space will have hosts and that 
> they will respond with a "closed" port and a host unreachable code or 
> something.  Therefore, mine will be conspicuous by its absence.  There 
> are two problems with that theory.  A) The address space may not be 
> full, and B) Most of the other users are going to be home users just 
> like me with routers stealthing their ports too.  So, the port 
> scanner will see large blocks of non responses.

Use of the rules of the Internet states that hosts and networks that are
in violation of the rules are actively breaking them.  This can be known
to be the case, because ISP networks and first-tier networks all adhere
to the standards on which the Internet is built, with very few
exceptions---in fact, I'm not aware of any exceptions.  Where there are
problems, people who run networks seek solutions which eventually make
their way into the standards that we use.

> If I were programming the bot, I do NOT think I would set it to pay 
> special attention and focus attacks on non responses.

Maybe, maybe not.  Depends on what you're after.  Again, without a
functional understanding, you really don't have a clue _what_ you'd
program the bot to do.  The first thing you'd do if you were going to
write any sort of a network program is to read up on all of the pieces
of networking that you're touching with your program, if you're smart.
Otherwise, you're just asking for trouble (like the majority of
programmers out there these days, who expect that learning and adhering
to standards is for everyone else).

> I believed last week, and I still believe this week, that my home 
> network is safer by operating with a stealth firewall at the edge, even 
> if the benefit is not tremendous over that of a non stealth firewall.

This has been shown to be false time and time again.  The fact that you
still hold this misconception shows that either you do not understand
what we're saying, or that you don't care.  Take your pick.  It truly
matters not to me.

> The consumer needs simple, direct advice.  So, my advice, derived from 
> Steve's is, buy a home router which stealths all the ports, configure it 
> according to the directions I've given, check it with ShieldsUp (or some 
> more comprehensive tool that's easy to use that I don't know about), and 
> that part of your network setup is done.  You're as safe as you can be 
> within your budget and knowledge level from unsolicited attacks.

Leaving things set up the way they are by default, or using a
configuration wizard to set things up, or consulting with a
knowledgeable person (friend, family, or otherwise) in the area of
security is the way to go.  Consumers don't want advice.  They want
their shit to work.

> > 2.) Misleading descriptions of the implications of open ports.  If you
> > run GRC's "Shields Up" with 443 open, you'll receive this message: "The
> > presence of this secure web port in your system implies that this system
> > is establishing secure connections with web browsers. The number one
> > reason for doing this is the transmission of credit card information.
> > This implies that the successful intruder could access the web server's
> > credit card database and score bigtime. This is a VERY bad port to have
> > open unless you are actually conducting secure web commerce!"  There are
> > a number of other uses of HTTPS, and implied in this message is that
> > being compromised by HTTPS makes it easier for the attacker to gain
> > access to the database than any other compromise, leading to users
> > thinking that other open ports are "less important".
> 
> I don't have 443 open.  I clicked on the green light I got in the grid 
> and it cross referenced to his port database, which has different text.  
> I'll admit the language is awkward.  I think what he's trying to get 
> across to the consumer, is that if you are a consumer and you have 443 
> open and you didn't open it on purpose, you have a potentially big 
> problem.  I have no problem with that.  I think the complaint is a bit 
> nit picky.

But that's the case for _all_ ports, not just 443.  But again, consumers
are not equipped with the required knowledge to deal with *any* sort of
problem at this level.  None.  Those who think they do are even worse
off than the average bear!  The only way to really understand what's
going on is to take the time to learn it for yourself.  That's one of
many reasons that it's a good thing that the Internet is built on open
and accessible standards.

It really couldn't work any other way.

> As a home user, I've been blocking outside pings for years, as long as 
> I've had broadband.  It's all part of being invisible.

By actively breaking protocol expectations, you're quite visible,
regardless of whether you block ping or not.

> I can't speak to 
> whether the router is blocking other ICMP.  I've never had any ill 
> effects that I know of.  There is absolutely no reason anyone outside my 
> house needs to ping me, and I have serious doubts as to whether I need 
> to receive any other ICMP traffic.

You've yet to actually show that there is a reason to block any sort of
ICMP at all, including ping.

>   Blocking ping, and ICMP, may break 
> certain things enterprise networks expect.

Again: IT HAS NOTHING TO DO WITH WHETHER OR NOT YOUR NETWORK IS AN
ENTERPRISE NETWORK OR NOT.  WE'RE NOT TALKING ABOUT ENTERPRISE NETWORKS.
WE'RE TALKING ABOUT NETWORKING IN GENERAL.  PERIOD.

> I don't have a problem with 
> that.  I don't have an enterprise network.  I have a home network that I 
> want to be as safe as possible and one that does what I need it to do by 
> giving me access to the internet.

Blocking ICMP makes no difference in how safe your network is.  It
cannot, because it DOES NOT PROVIDE A PORT OF ENTRY.

"Stealthing" TCP ports makes no difference in how safe your network is.
It cannot, because CLOSED PORTS CANNOT PROVIDE A PORT OF ENTRY.  ONLY A
PORT THAT IS ACTIVELY BEING LISTENED TO IS GOING TO PROVIDE A PORT OF
ENTRY.  And for that matter, you're not going to have a problem with TCP
at all, with a stateful firewall overlooking things.  UDP, OTOH, you
could potentially have a problem with depending on the type of NAT your
appliance employs.  But that isn't a detail that you're going to have
the answer to---you can't, not with your present level of networking
knowledge.

> I really don't care if that violates 
> RFC 1122.  Also, the internet was "designed to work" in the 60's when 
> the types of security issues we face today, with millions of automated 
> viruses roaming around, hadn't even been dreamed of.  So, maybe the way 
> it was designed to work, isn't the safest way to have it work, in the 
> modern era.

Protocols and RFCs are updated all the time.  They are updated to
address security concerns.  You don't truly think that protocols have
been dead in the water since the 70s and 80s when they were defined, do
you?  What do you take network managers for, idiots?  Yeesh.

All you are showing is that you are seriously ignorant of the facts of
how networking works, all the way around.  The fact that you don't care
if your network adheres to requirements for Internet hosts simply shows
that you either do not care or do not understand why standards are
important for communication on the Internet.

RFC 1122 is kind of like a traffic control device on a public highway.
I guess it's okay to ignore them; who needs to adhere to a stop or yield
sign anyway, right?

> >   In 2004, the Internet Storm Center estimated that an unpatched Windows
> > system would only last 20 minutes online before being compromised.[3]
> > Suggesting that ANY "unprotected" system be connected to the Internet
> > for any amount of time is terrible advice, especially from someone who
> > calls himself a security expert.
> 
> That's very interesting, and I hadn't noted it before.  I tried the 
> procedure by connecting my laptop directly to the cable modem.  I DO 
> have the Linux firewall running, controlled by Firestarter.  Everything 
> comes back closed except 135, 136, 137, 138, 139, and 445, which are 
> stealthed.  That's very intriguing.  I guess Comcast is blocking those.

Port 135: (Microsoft) DCOM service control manager
Port 136: PROFILER (not familiar with it myself)
Port 137: (Microsoft) NetBIOS, used in non-AD windows networking
Port 138: (Microsoft) NetBIOS, used in non-AD windows networking
Port 139: (Microsoft) NetBIOS, used in non-AD windows networking
Port 445: (Microsoft) Directory Services

These are filtered out by most ISPs on residential and small business
networks, because their being open is nearly universally unintended,
since Windows uses them by default and can cause lots of traffic for the
ISP---as well as make it possible to easily crack into Windows boxes
since they're not exactly paragons of security, either.

> had read a post such as mine, he'd have UPNP off.  Also, if your router 
> is stealthing the first 1056 ports properly, it's highly likely that 
> it's doing the rest.

UPnP is useful and was designed for consumers so that consumer hardware
does not have to tell the user "please go to your NAT appliance and
forward port X to IP address Y [which is probably DHCP-assigned and so
you'll need to update the mapping later]".  In that instance, you
increase your security _properly_ by disallowing UPnP on your computers,
and enabling it on, say, your gaming consoles.

> Finally, if he had scanned all the ports, the CPU load and bandwidth 
> requirements would have increased by a factor of 62 which is 65535 / 
> 1056.  Therefore, each test would take the customer 62 minutes, which 
> the customer wouldn't tolerate, AND, with the same resources, he could 
> only serve 1.5 Million customers instead of 88 Million.  So, he probably 
> made a design decision to make the system such that it would serve the 
> most people with the least pain, the least time, and the least cost.  If 
> the ShieldsUp test passes, you have a high degree of certainty (but not 
> absolute), that you are protected from unsolicited attacks.

Again your logic fails.  I can scan all 65,535 ports on a system in
under 10 minutes with nmap.  And when my network is attacked, I do so to
gain a picture of the attacker, which I then forward to the attacker's
ISP.

Usually, then, I block the IP address that the attacker comes from.  If
the attacker comes from outside of the US, I block the entire /24 that
they're coming from.  Excessive, sure.  But most ISPs outside of the
United States do not seem to give a rat's ass about security issues;
they almost never reply to them, and they almost never stop them, so I
just block entire /24 networks from them.

I do remove such blocks if the ISP handles the situation.

I do not add these blocking rules to my firewall to add to my network
security.  They're not going to get into my SSH servers (period) unless
there is a bug in OpenSSH or they get my high-entropy password somehow
(which is impossible without a hell of a lot of brute force).  I add
such rules to my firewall so that my systems stay responsive and don't
have to worry about a lot of load.  Nothing more complex than that.

> > 7.) Steve has advocated[5] pointing the DMZ feature on a router to an
> > unused IP address so that unsolicited inbound packets are dropped.
> > Sounds great, right?  It probably is, unless you're a user who points to
> > something that happens to be unused right now, but the next time you
> > reboot your computer, you might just get that IP address.  (Sure, if you
> > pay close attention, you can put it outside your router's DHCP range,
> > but hey, we're talking about "Average consumer", right?)
> 
> Maybe the average smart consumer.  They have to know enough to know they 
> need to seek out advice on security and listen to the podcast.  Also, 
> many of his listeners, such as myself, are more advanced.  This is a 
> slightly more advanced technique.  Perhaps he should mention that they 
> need to set the DHCP server not to distribute LAN addresses in this 
> range.  That's what I've done.  My DHCP server distributes xxx.xxx.xxx.2 
> - 200 on the LAN.  If I want to forward something to a black hole, I 
> send it to 250 or something.  That address will NEVER be allocated.  
> Steve likes to give lots of technical detail.  Some listeners will be 
> able to absorb it, and some won't.  This might be another thing that 
> could be suggested on the feedback page.

There is no security benefit to this activity whatsoever.

None.

A port that is not being listened on is a port that cannot provide
entry.  Period.  TCP doesn't work any other way.

> > 8.) Steve continues to refer to NAT as security.[5] (And numerous other
> > places.)
> The consumer is going to go look at the store shelf and see "NAT Router" 
> on the box.  Steve has to use terminology that they'll understand.  The 
> consumer NAT router has NAT, firewall, and routing functionality, so it 
> is a security device, whether NAT is providing the security or not.  I 
> think one of the Michaels said that part of doing NAT involves stateful 
> packet inspection, so it seems to me that all this is pretty intertwined 
> anyway.  The consumer thinks, "If I have a NAT router, I have some 
> security." - which is true.

No, the average consumer is going to go buy a box that says "router".
Never mind the fact that it's not a true router (most such devices can be
turned into a real router through the use of third-party firmware, but
they are not by default).

> By the way, as long as we're discussing NAT, since the cable / dsl modem 
> ONLY provides 1 IP on its Ethernet LAN port, as far as I know, then, 
> without NAT, the customer could only put 1 PC on the LAN and connect to 
> the internet.  That would be unfeasible for most of us.

Correct.  But that's the current state of affairs, not the state of
affairs that will be when native IPv6 connectivity is rolled out.

> If you had listened to the last 5 years of his weekly podcast, as I 
> have, you'd find that he's all about education.  Everything you 

If he was all about education, he would not provide intentionally
misleading information.

If he is providing information that is misleading because he doesn't
know any better, then he is no more qualified than you are to provide
advice to end-users on how to practice security.

> mentioned has been covered numerous numerous times, usually in great 
> detail.  There is far more content there than on his website.  I just 
> chose to point out ShieldsUp because of the discussion about routers.  
> Why else would he devote 4 hours a week (3 hours prep, 1 hour talk) to 
> making a podcast for over 250 weeks, all for free?  He's the most 

Because he is paid by the advertisers, just like everyone else.  Gibson
has made a name for himself out of his sensationalist and highly public
personality.  Some advertiser thinks that he's Teh Awesome Shiznit, as
you do, and is willing to pay him to continue to be Teh Awesome Shiznit.

> dedicated person I know of in terms of protecting the consumer.  He also 
> pays his staff to transcribe each podcast so we can have better access 
> to it and search it.

Sure, he's so dedicated to security that he is providing nonsensical
advice.  If he were dedicated to security, he'd know how systems work
and advocate solutions that actually improve security.

What he really advocates is something that everyone seems to want in our
society:  All the benefits without the work that has to go into it.
Security is hard work.  It is more about the humans than it ever has
been about the devices.  And honestly, it will always be that way, no
matter if there is one or one million systems on a network.

> No offense intended, but I found your arguments interesting, and 
> somewhat valid, but overall nit picky and not compelling from the point 
> of view of the consumer.

The average person always finds the argument of the technically
competent to be nitpicky, not compelling, irrelevant, whatever.

> To me, this seems more like a witch hunt.  Rather than bash every little 
> fault, consider the huge amount of time, energy, and money he's invested 
> to make all our neighbors, family, and friends who he has influence over 
> a bit safer.

President Bush kept us all from dying.  Who cares that he authorized
wiretaps contrary to law?  Let's just sweep it under the rug, it's not
relevant.  We're not dead!

President Obama has kept us all from dying so far.  Who cares that he
has failed to follow through on some of his more relevant promises?
Let's just sweep it under the rug, it's not relevant.  We're not dead!

Attempting to remove from consideration the bad things a person or
business does by pointing out the good things they do is not a logical
argument.  It's emotionally charged and psychologically manipulative.
It has no place in a discussion such as this one.  I don't know about
you, but I'm here to deal in fact, not opinion.  Fact is, Gibson
provides a false sense of security, and if there is anything that we can
learn from history (in many fields, NOT just technology), it is that a
false sense of security leads very quickly to problems.

> I respectfully suggest that, if one were to listen to 
> those 5 years of archived podcasts, or even 6 months of them, one would 
> have a better perspective on which to form an objective opinion.

Many of us are well aware of who Gibson is.  At least myself, I've known
about him for years.  I base my opinions on facts, myself.  Gibson isn't
interested in providing accurate self-help to people.  He's interested
in keeping his pocket full and giving people what they want: the
illusion of security.  That is what his entire career has been built on.

Even a broken watch is right twice a day.

> At 
> least you went and got some quotes from his website to make comments 
> on.  This one resource, the podcast, has taught me more about 
> networking and home computer security than my entire prior career (which 
> was not focused on those topics, but did involve substantial use of 
> computers).

If you read the documents that define the protocols that we use on the
Internet (and you use critical thinking skills to really understand
them), you'll learn far more, and much more accurately and correctly.
You'll then have a framework upon which to build when someone makes a
claim that "action X is secure", because you'll have an understanding of
how it works.

> Those interested in gaining such a broader, more objective perspective 
> may find Steve's podcast at
> 
> https://www.grc.com/securitynow.htm (includes low bandwidth versions and 
> transcripts)
> http://www.twit.tv/sn

Your psychologically manipulative statements are only showing that
you're here to troll... your statement makes the implication that anyone
who already has a well-informed opinion of the man must not be objective
because they haven't listened to the PODCAST.  I object.

> Here's a challenge.  I've heard over 250+ of his podcasts.  I've found 
> them useful, enlightening, and interesting.  I have implemented many of 
> his suggestions in my own home network.  So, perhaps some of you chiding 
> me could listen to 10% of that, say 25 podcasts, then report back.  At 
> least you'll have a better basis for discussion.

Here's a more meaningful challenge: Actually learn, from the horse's
mouth, how the protocols work.  Actually study _real_ security.  Spend
time thinking about how to defeat mechanisms in place, and defenses
against those types of attacks that don't involve breaking established
standards.  Actually *know* what you're talking about before unleashing
another useless waste of time and bandwidth on this mailing list.

> My only motive in making these posts is to help other people.  It 
> doesn't do me any good in any other way, to sit in this chair with a 
> sore back, to spend dozens of hours typing this.  So, hopefully, it will 
> be helpful.  I do appreciate the dialog, by the way.

Then go.  Learn how IP, TCP, UDP, IP routers, firewalls, etc. all work.
You will then _actually_ be able to help others without misleading them.

	--- Mike
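The point the thread keeps circling, that a closed port (RST back) and a "stealthed" port (nothing back) are two different states a scanner can tell apart while neither one is a port of entry, is easiest to see in the state rules a SYN/UDP scanner applies to each reply. The following is an added example for this thread; it is not code from the original post, from nmap, or from GRC's ShieldsUp. It encodes the open/closed/filtered rules nmap documents for its SYN and UDP scans, and runs them over constructed probe replies for a few addresses on one subnet. The one assumption beyond those rules is in `host_profile`: that the last-hop router returns ICMP host unreachable for an address with no host on it (RFC 1122/1812 router behaviour, which not every access network exhibits; that is exactly why silence on its own is ambiguous).

```python
"""Port-state rules of a SYN/UDP scanner, applied to constructed probe replies.

Added example for the ALE thread; not code from the original post, nmap or
ShieldsUp.  Every reply below is constructed, not captured."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple, Union

# TCP header flag bits (RFC 793)
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP Destination Unreachable is type 3 (RFC 792, required behaviour in RFC 1122).
ICMP_DEST_UNREACH = 3
ICMP_HOST_UNREACH = 1
ICMP_PORT_UNREACH = 3
# Codes a scanner reads as "a filter answered for the target": host (1),
# protocol (2), port (3), net/host/communication admin. prohibited (9, 10, 13).
ICMP_FILTER_CODES = frozenset({1, 2, 3, 9, 10, 13})


@dataclass(frozen=True)
class TcpReply:
    flags: int


@dataclass(frozen=True)
class UdpReply:
    payload: bytes


@dataclass(frozen=True)
class IcmpReply:
    type: int
    code: int


# None stands for "nothing came back before the probe timed out".
Reply = Optional[Union[TcpReply, UdpReply, IcmpReply]]


class State(str, Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"
    OPEN_FILTERED = "open|filtered"


def classify_tcp_syn(reply: Reply) -> State:
    """Port state from the reply to one TCP SYN probe (nmap -sS rules)."""
    if isinstance(reply, TcpReply):
        if reply.flags & TCP_SYN and reply.flags & TCP_ACK:
            return State.OPEN      # a listener completed step 2 of the handshake
        if reply.flags & TCP_RST:
            return State.CLOSED    # RFC 793: no listener, so the host answers RST
    if isinstance(reply, IcmpReply) and reply.type == ICMP_DEST_UNREACH \
            and reply.code in ICMP_FILTER_CODES:
        return State.FILTERED      # a router or firewall spoke for the host
    if reply is None:
        return State.FILTERED      # "stealthed": dropped silently, still a distinct state
    raise ValueError(f"unexpected reply to SYN probe: {reply!r}")


def classify_udp(reply: Reply) -> State:
    """Port state from one UDP probe.  Silence is ambiguous here, unlike TCP."""
    if isinstance(reply, UdpReply):
        return State.OPEN
    if isinstance(reply, IcmpReply) and reply.type == ICMP_DEST_UNREACH:
        if reply.code == ICMP_PORT_UNREACH:
            return State.CLOSED    # RFC 1122 4.1.3.1: no listener, host sends port unreachable
        if reply.code in ICMP_FILTER_CODES:
            return State.FILTERED
    if reply is None:
        return State.OPEN_FILTERED  # a UDP service may simply not answer an empty datagram
    raise ValueError(f"unexpected reply to UDP probe: {reply!r}")


def probe_with_retries(send: Callable[[int], Reply], max_retries: int = 2) -> Tuple[Reply, int]:
    """Send one probe and retransmit while nothing comes back; returns (reply, probes_sent).
    An explicit answer (RST, SYN/ACK, ICMP) ends things after one probe; a silent
    drop costs every retransmission plus its timeout: the turnaround difference."""
    reply, sent = None, 0
    while sent <= max_retries:
        sent += 1
        reply = send(sent)
        if reply is not None:
            break
    return reply, sent


def scan_tcp(replies: Dict[int, Reply]) -> Dict[int, State]:
    return {port: classify_tcp_syn(r) for port, r in replies.items()}


def attack_surface(states: Dict[int, State]) -> list:
    """Only a port with a listener can be a port of entry."""
    return sorted(p for p, s in states.items() if s is State.OPEN)


def host_profile(replies: Dict[int, Reply]) -> str:
    """What one address looks like during a sweep.  ASSUMPTION: the last-hop
    router returns ICMP host unreachable for an address with no host on it."""
    if not replies:
        raise ValueError("no probes")
    values = list(replies.values())
    if any(isinstance(r, TcpReply) for r in values):
        return "alive: answers SYN probes as RFC 793 requires"
    if all(isinstance(r, IcmpReply) and r.type == ICMP_DEST_UNREACH
           and r.code == ICMP_HOST_UNREACH for r in values):
        return "no host: the last-hop router answered host unreachable"
    if all(r is None for r in values):
        return "silent: a host dropping probes, or a network that never sends unreachables"
    return "alive: a filter answered for the host"


# Constructed sweep results for four addresses on one /24.
CLOSED_HOST = {80: TcpReply(TCP_RST), 443: TcpReply(TCP_RST), 3389: TcpReply(TCP_RST)}
STEALTH_HOST = {80: None, 443: None, 3389: None}
EMPTY_ADDRESS = {p: IcmpReply(ICMP_DEST_UNREACH, ICMP_HOST_UNREACH) for p in (80, 443, 3389)}
MIXED_HOST = {22: TcpReply(TCP_SYN | TCP_ACK), 80: TcpReply(TCP_RST), 445: IcmpReply(3, 13)}
```

Run `scan_tcp` and `attack_surface` over `CLOSED_HOST` and `STEALTH_HOST` and both come back with an empty attack surface: dropping instead of resetting removes nothing an attacker could connect to. Run `host_profile` over the same two and they are trivially distinguishable, and the silent one stands apart from both the RST-answering hosts and the addresses the router answers for. The `probe_with_retries` helper makes the other point in the post concrete: a RST or ICMP unreachable costs the sender one probe, a silent drop costs every retransmission plus a timeout.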
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20110211/121f9095/attachment-0001.bin 

