Wilders Security Forums

#1
August 4th, 2008, 10:16 AM
doktornotor
Very Frequent Poster
Join Date: Jul 2008
Posts: 2,045

[Rant] GRC's Shields Up! and "true stealth" - firewall test or harmful FUD?

1/ ICMP echo request/reply

Facts:
RFC-1122

Quote:
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. ... An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.

GRC's FUD: (most nonsensical parts emphasized by myself)

Quote:
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

You have trouble with your internet connection? Guess what, call your ISP and they'll start by pinging your box... Thank you, Mr. Gibson, for "highly recommending" an RFC breach.

- Blocking ICMP echo request is the ultimate way to invisibility, apparently, and will defeat all those nasty hackers there... Why do the lame guys use all the port scanners which scan whole network ranges, when they can use ping, d'oh!

- As a bonus, thanks to your Shields Up advice all security/firewall forums are flooded by scared newbies who complain about how their firewall "failed" to protect them from the nasty ICMP echo request/reply. "Oh noes, I'm not 'true stealthed' - your product faileees!".

2/ Reverse (PTR) DNS records

Facts:

RFC-1033
Quote:
In order to do the reverse translation easily, a domain was created that uses hosts' addresses as part of a name that then points to the data for that host. In this way, there is now an 'index' to hosts' RRs based on their address. This address mapping domain is called IN-ADDR.ARPA. Within that domain are subdomains for each network, based on network number. Also, for consistency and natural groupings, the 4 octets of a host number are reversed.

RFC-1912
Quote:
2.1 Inconsistent, Missing, or Bad Data

Every Internet-reachable host should have a name. The consequences
of this are becoming more and more obvious. Many services available on the Internet will not talk to you if you aren't correctly registered in the DNS. Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain.

GRC's FUD: (most nonsensical parts emphasized by myself)

Quote:
The text below might uniquely identify you on the Internet [emphasis not mine (!)]

Your Internet connection's IP address is uniquely associated with the following "machine name":

foo.example.com

The string of text above is known as your Internet connection's "reverse DNS." The end of the string is probably a domain name related to your ISP. This will be common to all customers of this ISP. But the beginning of the string uniquely identifies your Internet connection. The question is: Is the beginning of the string an "account ID" that is uniquely and permanently tied to you, or is it merely related to your current public IP address and thus subject to change?

The concern is that any web site can easily retrieve this unique "machine name" (just as we have) whenever you visit. It may be used to uniquely identify you on the Internet. In that way it's like a "supercookie" over which you have no control. You can not disable, delete, or change it. Due to the rapid erosion of online privacy, and the diminishing respect for the sanctity of the user, we wanted to make you aware of this possibility. Note also that reverse DNS may disclose your geographic location.

If the machine name shown above is only a version of the IP address, then there is less cause for concern because the name will change as, when, and if your Internet IP changes. But if the machine name is a fixed account ID assigned by your ISP, as is often the case, then it will follow you and not change when your IP address does change. It can be used to persistently identify you as long as you use this ISP.

There is no standard governing the format of these machine names, so this is not something we can automatically determine for you. If several of the numbers from your current IP address (111.222.222.111) appear in the machine name, then it is likely that the name is only related to the IP address and not to you. But you may wish to make a note of the machine name shown above and check back from time to time to see whether the name follows any changes to your IP address, or whether it, instead, follows you.

Just something to keep in mind as you wander the Internet.

So, according to Mr. Gibson:

- Without a reverse DNS record, I can't be uniquely identified. I thought an IP might be enough to actually achieve this; wow, I lived a lie all these years. It's so much easier when you have a PTR.

- Without a reverse DNS record, a website cannot easily retrieve information about me. Apparently, everything starting with the IP address and ending with stuff such as OS, browser used and screen resolution is not even remotely as dangerous as having a reverse DNS record (which lots of sites don't even log, for performance reasons). Wow again.

- Without reverse DNS record, my geographical information won't be disclosed.

- Without a reverse DNS record, no one can persistently identify me. Just because ISPs never log assigned IP addresses, and no one's using fixed IPs these days.

I suppose Mr. Gibson never used services like this or this that show all the details mentioned above. This will even show your location on the map quite accurately for lots of people. But pheeew, I'm so much safer without a PTR record, no one will spy on me. Good that GRC felt the need to warn me with one page worth of blurb before even sending me to the actual inbound firewall test. Many thanks.

To conclude - I stopped suggesting Shields Up as a firewall test site quite some time ago and won't recommend it again until Mr. Gibson deletes the above nonsense and FUD.

Your alternative suggestions wrt online firewall/security tests are welcome.
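Added example (editor's code, not part of doktornotor's post above): the RFC 1033 reverse-mapping name for an IPv4 address, and the heuristic the quoted Shields Up text describes for telling an address-derived PTR name from a fixed, account-style one. Every hostname below is constructed for illustration; the threshold of three matching octets is an assumption, since the quoted text only says "several".

```python
"""RFC 1033 reverse name plus the "does the PTR encode my address" heuristic
quoted from Shields Up.  Editor's example; hostnames are constructed."""
import ipaddress
import re


def reverse_name(ip):
    """RFC 1033: reverse the four octets and append in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def octets_in_name(ptr, ip):
    """How many of the address's octets appear as numbers in the PTR name.

    Values are compared as integers, so zero padding (072-014-215-099) is
    handled; the packed 8-hex-digit form (480ed763) some ISPs use counts
    as all four octets.  Both forms are assumed, not taken from the thread.
    """
    addr = ipaddress.IPv4Address(ip)
    host = ptr.lower().rstrip(".")
    if f"{int(addr):08x}" in host:
        return 4
    numbers = {int(n) for n in re.findall(r"\d+", host)}
    return sum(1 for o in str(addr).split(".") if int(o) in numbers)


def classify_ptr(ptr, ip, threshold=3):
    """'address-derived' if the name encodes the address, else 'account-style'.

    An address-derived name changes with the IP; an account-style one may
    follow the subscriber, which is the concern the quoted text raises.
    """
    found = octets_in_name(ptr, ip)
    return "address-derived" if found >= threshold else "account-style"


if __name__ == "__main__":
    ip = "72.14.215.99"                        # address used later in the thread
    samples = [                                # constructed PTR names
        "72-14-215-99.dyn.isp.example",
        "c-99-215-14-72.hsd1.isp.example",
        "480ed763.cable.isp.example",
        "cust-48121.static.isp.example",
    ]
    print(reverse_name(ip))
    for name in samples:
        print(f"{name:40} {classify_ptr(name, ip)}")
```

The last sample is the case the quoted text worries about: the label carries no trace of the address, so it is whatever the ISP chose to tie to the account, and only watching it across an address change tells you whether it follows the subscriber.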
#2
August 4th, 2008, 10:49 AM
wat0114
Posts: n/a

Here's another one:

your machine responds with "closed" ports, even if only one while the rest are "stealthed", and Shields Up flashes back to the tester a big, red FAILED

This tends to freak out the misinformed, who think that closed ports are vulnerable, when in fact they are perfectly fine.
#3
August 4th, 2008, 10:54 AM
doktornotor
Very Frequent Poster
Join Date: Jul 2008
Posts: 2,045

Quote:
Originally Posted by wat0114
This tends to freak out the misinformed, who think that closed ports are vulnerable, when in fact they are perfectly fine.

+1. I didn't want to mention this one, because the original post is already quite long... Maybe we could make another thread about stealth vs. closed madness.

I basically consider the whole Shields Up site to be FUD. If you want to be invisible on the Internet, then pull the cable, or better yet pull the plug for the truly paranoid. But being "invisible" doesn't mean you are actually secure.
#4
August 4th, 2008, 11:41 AM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543

Quote:
Originally Posted by doktornotor
+1. I didn't want to mention this one, because the original post is already quite long... Maybe we could make another thread about stealth vs. closed madness.

I basically consider the whole Shields Up site to be FUD. If you want to be invisible on the Internet, then pull the cable, or better yet pull the plug for the truly paranoid. But being "invisible" doesn't mean you are actually secure.


We had a long thread already about closed/stealth, and there's a bunch of other mentions scattered about. If you're stealthed, they aren't getting in; if you're closed, they aren't getting in.
#5
August 4th, 2008, 12:00 PM
wat0114
Posts: n/a

This is a good subject to bring up now and again, because Wilders gets a lot of threads from concerned members where their firewall/router "fails" the scan because of the points doktornotor raises or because of ports "only" being closed. Until I figured it out some time ago, I also used to feel panicky if my setup revealed a failed response; I was not satisfied until everything was stealthed and no response on pings (echo reply out). Even when I bought my router several years ago, I was concerned because port 113 showed "closed" so, of course, Shields Up awards me the big red FAILED score, which is nonsense.
#6
August 4th, 2008, 01:25 PM
Mrkvonic
Linux Systems Expert
Join Date: May 2005
Posts: 7,467

Hello,

Well, doctor, since I know you're a fellow Linuxer... I guess we think the same.
Nothing wrong with healthy ping, types 0, 3, 8, essential for good networking.

And DNS, I agree, without reverse DNS, apps like ftp, mail, ssh and others might fail to work - or scream about forgery attempts ...

Is true stealth important - no, but it makes people feel good about themselves, so why ruin it ... besides, there are easier ways of trying to change the world. Instead of debunking someone's XYZ, I prefer to draw them into my clutches and show them the beauties of the free, open(-source) world.

And then the worries end on their own.

Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#7
August 4th, 2008, 02:05 PM
doktornotor
Very Frequent Poster
Join Date: Jul 2008
Posts: 2,045

Quote:
Originally Posted by Mrkvonic
Is true stealth important - no, but it makes people feel good about themselves, so why ruin it ...

Well, the funny thing is... people think that not responding to ping makes them invisible and the "hacker" will think there's no computer connected.

- If there was no computer with given address connected, they'd get ICMP Destination Unreachable (ICMP Type 3) with one of the codes (such as 0 - net unreachable, 1 - host unreachable ... etc).

- When they simply drop those packets (full stealth FTW), they get a request time-out instead, so the router is clearly suggesting that there actually is a computer out there with such an address, but it's dropping the ICMP packets...



Quote:
Originally Posted by Mrkvonic
I prefer to draw them into my clutches and show them the beauties of the free, open(-source) world.

And then the worries end on their own.

Yeah, that's a much better solution to these security problems...
#8
August 4th, 2008, 03:24 PM
Fly
Very Frequent Poster
Join Date: Nov 2007
Posts: 1,876

Quote:
Originally Posted by doktornotor
Well, the funny thing is... people think that not responding to ping makes them invisible and the "hacker" will think there's no computer connected.

- If there was no computer with given address connected, they'd get ICMP Destination Unreachable (ICMP Type 3) with one of the codes (such as 0 - net unreachable, 1 - host unreachable ... etc).

- When they simply drop those packets (full stealth FTW), they get a request time-out instead, so the router is clearly suggesting that there actually is a computer out there with such an address, but it's dropping the ICMP packets...

Yeah, that's a much better solution to these security problems...

Strong emotions here, it seems like a rant.
Steve Gibson is - presumably - human, and he doesn't know all.

Specific quote:
Quote:
Originally Posted by doktornotor
'- If there was no computer with given address connected, they'd get ICMP Destination Unreachable (ICMP Type 3) with one of the codes (such as 0 - net unreachable, 1 - host unreachable ... etc).'
If the computer is truly stealthed, why wouldn't they get an ICMP Type 3? True stealth = seems like nothing is there. It's not as if the internet magically knows if there is a computer on the other end!

Quote:
Originally Posted by doktornotor
'- When they simply drop those packets (full stealth FTW), they get a request time-out instead, so the router is clearly suggesting that there actually is a computer out there with such an address, but it's dropping the ICMP packets...'
What IS full stealth? It could be that full stealth is poorly implemented, but 'full stealth' should mean that any 'attacker' looking for a target would not be able to see the 'stealthed computer' in question.

You can claim stealth is 'out of spec', fine, but that doesn't mean it's useless.

#9
August 4th, 2008, 03:29 PM
Fly
Very Frequent Poster
Join Date: Nov 2007
Posts: 1,876

Partial quote:

'1/ ICMP echo request/reply

Facts:
RFC-1122

Quote:
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. ... An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.

GRC's FUD: (most nonsensical parts emphasized by myself)

Quote:
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.'

AND

'You have trouble with your internet connection? Guess what, call your ISP and they'll start by pinging your box... Thank you, Mr. Gibson, for "highly recommending" an RFC breach.'

Maybe it can be a problem, but I have never encountered such a problem. And if it becomes an issue, it can be fixed, temporarily or not.
#10
August 4th, 2008, 03:39 PM
doktornotor
Very Frequent Poster
Join Date: Jul 2008
Posts: 2,045

Quote:
Originally Posted by Fly
If the computer is truly stealthed, why wouldn't they get a ICMP Type 3 ? True stealth=seems like nothing is there. It's not as if the internet magically knows if there is a computer on the other end !

Because if there is no such computer, the router which is supposed to route the traffic to that IP will respond to ICMP echo request.

Quote:
Originally Posted by Fly
What IS full stealth ? It could be that full stealth is poorly implemented, but 'full stealth' should mean that any 'attacker' looking for a target would not be able to see the 'stealthed computer' in question.

No. The attacker will know that the box is there, exactly for the reasons stated above. Dropping all inbound packets instead of rejecting them merely tells the attacker that there's a firewall; it doesn't hide the existence of a computer. There's no such thing as "poorly implemented stealth", this is pure marketing blurb. Stealth = packet dropped; closed = packet rejected. Stealthed ports do not increase your security in any way, period.
#11
August 4th, 2008, 05:45 PM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948

Hello all,

This has been discussed many times, and no doubt will come up many times again.

I and others have put forward that there is no such thing as "invisible" on the Internet, but, as I and others have also put forward, it does give some that "warm fuzzy feeling" with a result of "stealth" from such very basic scans.

The only good thing for me from the start of this (stealth), was the fact firewall vendors put in place better filtering for ICMP,... now if only it could be done for the rest of the various layers?


- Stem
#12
August 4th, 2008, 07:51 PM
jrmhng
Very Frequent Poster
Join Date: Nov 2007
Location: Australia
Posts: 1,268

Steve tends to be FUD-ish. In reality, responding to ping and having closed ports won't make you less secure.
__________________
Windows 7 Professional
Avira - Secunia PSI - Hostsman
Firefox - No Script - LastPass
#13
August 4th, 2008, 08:14 PM
doktornotor
Very Frequent Poster
Join Date: Jul 2008
Posts: 2,045

Quote:
Originally Posted by Stem
The only good thing for me from the start of this (stealth), was the fact firewall vendors put in place better filtering for ICMP,... now if only it could be done for the rest of the various layers?

Some low-level security...

BTW, apparently KIS 2009 finally abandoned this "stealth" hype...

Quote:
Particularities of the firewall in version 2009

No stealth mode
First thing some users will notice is that there is no stealth mode. This can be observed on tests like Shields Up or PC Flank. Having no stealth mode does not make you vulnerable, it simply means that your PC will report an error when an outside pc attempts to connect to you (in stealth mode it will do nothing). While this may seem good, it's not, the automated attacks like port scans or various worms are not interested, they will probe random IP addresses whether they are stealthed or not (a good example is Helkern, even if the firewall is stealthed the Intrusion Detection System still blocks Helkern attempts to infiltrate the PC).
Also stealth mode can create problems with different Server type applications, P2P applications or even file transfers on certain programs.
If you insist on having stealth mode go to the Network Packages section and set these two rules to block:

* Any Incoming TCP stream
* Any Incoming UDP stream


Also if you have a router it will stealth you and any changes you make in KIS will have no effect on the router's performance.
#14
August 4th, 2008, 08:21 PM
ThunderZ
Very Frequent Poster
Join Date: May 2006
Location: North central Ohio, U.S.A.
Posts: 2,459

While in agreement that closed ports currently pose no threat to security, I do like "warm and fuzzy". I still prefer to not let the bad guy know a house (PC) is even there by allowing the door (port) to be seen, if at all possible.
#15
August 4th, 2008, 08:58 PM
Kerodo
Incredibly Massive Poster
Join Date: Oct 2004
Posts: 6,156

Quote:
Originally Posted by ThunderZ
While in agreement that closed ports currently pose no threat to security. I do like "warm and fuzzy". I still prefer to not let the bad guy know a house (PC) is even there by allowing the door (port) to be seen if at all possible.
But as pointed out already, anyone can tell you're there even with your stealth, so it's pointless....
__________________
If it ain't broke, you haven't tweaked it enough....
#16
August 5th, 2008, 03:35 PM
Fly
Very Frequent Poster
Join Date: Nov 2007
Posts: 1,876

Quote:
Originally Posted by doktornotor
Because if there is no such computer, the router which is supposed to route the traffic to that IP will respond to ICMP echo request.

No. The attacker will know that the box is there, exactly for the reasons stated above. Dropping all inbound packets instead of rejecting them merely tells the attacker that there's a firewall; it doesn't hide the existence of a computer. There's no such thing as "poorly implemented stealth", this is pure marketing blurb. Stealth = packet dropped; closed = packet rejected. Stealthed ports do not increase your security in any way, period.

This gets a bit too technical for me.

You speak of 'the router'. What type of router are we speaking of, Cisco, NAT?

How does the router know if a certain IP exists, or if the IP in question is actually in use (= connected to a working computer)?

Let's not make an argument of this. I've seen whole threads devoted to 'pro-stealth' and 'stealth is bad'.

My technological knowledge is limited.

I myself am behind a NAT router that has some, but not all, ports stealthed.
I'd prefer stealth above non-stealth, properly implemented of course.
#17
August 5th, 2008, 04:03 PM
Fly
Very Frequent Poster
Join Date: Nov 2007
Posts: 1,876

One more time:

I understand that, regarding the 'stealth' issue, there are people on both sides of the fence.

Is anyone able to give a definitive answer regarding making your computer truly invisible (and I don't mean turning off your computer), and whether current implementations are truly effective?
#18
August 5th, 2008, 04:31 PM
Alec
Frequent Poster
Join Date: Jun 2004
Location: Dallas, TX
Posts: 301

Quote:
Originally Posted by Fly
How does the router know if a certain IP exists, or if the IP in question is actually in use (=connected to a working computer) ?
We don't need to talk about specific vendors, and it's not overly complicated really, but it does require some additional explanation. Routers don't simply route layer 3 IP addresses, they -- like all devices with a network stack running on Ethernet -- have to ultimately convert an IP address to a physical Media Access Control (MAC) address for a destination device. The MAC address is often referred to as a layer 2 address.

Routing works sort of like the whole "six degrees of separation" thing. I may not know Kevin Bacon myself, but somebody I know eventually might through a chain of connections. So, as a router, if I get a packet coming in destined to 72.14.215.99, I have to do several things. The first thing I do is use the subnet mask against the destination IP. Let's say that my subnet mask is a typical 255.255.255.0. When I do my bitwise logical AND with the destination I get 72.14.215.0. I compare this number to my own IP address that has been bitwise AND'ed with the subnet mask. For example, let's say my IP address is 207.46.192.254, and masked it would be 207.46.192.0. Clearly that is different. So, the destination is not on the same layer 2 subnet. What do I do with it now? I have to find someone that is "closer" to the destination, and I do that by looking at my routing table... and either I have a route in place that includes the destination IP with a "gateway" address or I use what's called a "default route" or a "default gateway" (that's the bucket where I throw everything I don't know about). The thing is, these "gateways" -- either default or for specific routes -- are addresses on the same subnet. They have actual MACs that I can send the traffic to, and are "local" to me.

Through a combination of default routes and specific routes through various routers in the path, eventually I will reach a router that has the destination IP address on its subnet. When that happens, I will use a protocol called Address Resolution Protocol (ARP) to determine what the device's actual MAC address is... because remember every packet on an Ethernet network has to have a MAC address in addition to a destination IP address (and other networking topologies have a similar mechanism). When I ARP for an IP address, I will send out a broadcast to the subnet and ask "Who has this IP?" By RFC, and for networking to work, if I do have that IP address... I have to respond and tell the device asking my MAC. So -- YES -- in point of fact the router will know whether that specific IP address is on a live device or not. If he is alive and responds to an ARP, I will forward the packet to him... what he does with it is his problem. If he isn't live, then I will not get an ARP and I will send back a destination/host unreachable message.

So, yes, the whole concept of a stealthed port is entirely a fiction. But it isn't a fiction without some merit. There is one very practical difference between a "stealthed" port and a "closed" port. If I'm scanning ports, I want to do so quickly... because I have 65536 of them per device I'm scanning (for just TCP, maybe another 65536 if I'm interested in UDP)... and a closed response is essentially immediate, whereas a stealthed port requires me to wait some period of time. That's because a stealth port means that a host is actually getting it, they just are dropping it and ignoring you. But it takes some period of time, even if small, for you to decide whether they are ignoring you or whether you just haven't received a response yet due to network/server/application latency.
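Added example (editor's code, not Alec's): the forwarding decision his post walks through, carried out with his addresses. The router's interface is 207.46.192.254 with mask 255.255.255.0 as in his text; the routing table and the set of hosts that would answer ARP are constructed, and the ARP exchange itself is replaced by a lookup in that set. It goes one step past his example by adding the longest-prefix-match rule, so a specific route beats a less specific one and both beat the default.

```python
"""Router forwarding decision: subnet-mask AND, longest prefix match, ARP.
Editor's example; interface address from Alec's post, the rest constructed."""
import ipaddress


def masked(ip, mask):
    """Bitwise AND of a dotted-quad address with a dotted-quad subnet mask."""
    value = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(value))


def forward(dest, iface_ip, iface_mask, routes, arp_answers):
    """What the router does with a packet addressed to `dest`.

    routes:      list of (prefix, gateway); the most specific prefix wins.
    arp_answers: addresses on the attached subnet that would answer ARP
                 (constructed stand-in for sending a real ARP request).

    Returns one of
      ('direct', dest)             on-link and the host answered ARP
      ('host-unreachable', None)   on-link, nobody answered ARP -> ICMP type 3 code 1
      ('via', gateway)             not on-link, hand to the next hop
      ('net-unreachable', None)    no matching route -> ICMP type 3 code 0
    """
    # Step 1: is the destination on my own layer-2 subnet?
    if masked(dest, iface_mask) == masked(iface_ip, iface_mask):
        if dest in arp_answers:
            return ("direct", dest)
        return ("host-unreachable", None)
    # Step 2: otherwise find the most specific route that contains it.
    dst = ipaddress.IPv4Address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return ("via", best[1]) if best else ("net-unreachable", None)


# Constructed router state; only the interface address comes from the post.
IFACE_IP, IFACE_MASK = "207.46.192.254", "255.255.255.0"
ROUTES = [
    ("72.14.0.0/16", "207.46.192.2"),     # less specific
    ("72.14.215.0/24", "207.46.192.3"),   # more specific: wins for 72.14.215.x
    ("0.0.0.0/0", "207.46.192.1"),        # default route
]
ARP_ANSWERS = {"207.46.192.1", "207.46.192.2", "207.46.192.3", "207.46.192.10"}


def decide(dest, routes=ROUTES):
    return forward(dest, IFACE_IP, IFACE_MASK, routes, ARP_ANSWERS)


if __name__ == "__main__":
    for d in ("72.14.215.99", "72.14.1.1", "203.0.113.5",
              "207.46.192.10", "207.46.192.77"):
        print(f"{d:15} -> {decide(d)}")
    print("203.0.113.5 with no default route ->", decide("203.0.113.5", ROUTES[:2]))
```

The 'host-unreachable' branch is the case doktornotor describes earlier in the thread: the last-hop router ARPs, nobody answers, and the sender gets ICMP Destination Unreachable rather than silence. A host that drops the probe never reaches that branch, because it did answer ARP.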
#19
August 5th, 2008, 06:58 PM
wat0114
Posts: n/a

Alec, you explained things very nicely, in detail without all the technobabble. Thank you!
#20
August 6th, 2008, 09:02 AM
Fly
Very Frequent Poster
Join Date: Nov 2007
Posts: 1,876

Quote:
Originally Posted by Alec
We don't need to talk about specific vendors, and it's not overly complicated really, but it does require some additional explanation. Routers don't simply route layer 3 IP addresses, they -- like all devices with a network stack running on Ethernet -- have to ultimately convert an IP address to a physical Media Access Control (MAC) address for a destination device. The MAC address is often referred to as a layer 2 address.

Routing works sort of like the whole "six degrees of separation" thing. I may not know Kevin Bacon myself, but somebody I know eventually might through a chain of connections. So, as a router, if I get a packet coming in destined to 72.14.215.99, I have to do several things. The first thing I do is use the subnet mask against the destination IP. Let's say that my subnet mask is a typical 255.255.255.0. When I do my bitwise logical AND with the destination I get 72.14.215.0. I compare this number to my own IP address that has been bitwise AND'ed with the subnet mask. For example, let's say my IP address is 207.46.192.254, and masked it would be 207.46.192.0. Clearly that is different. So, the destination is not on the same layer 2 subnet. What do I do with it now? I have to find someone that is "closer" to the destination, and I do that by looking at my routing table... and either I have a route in place that includes the destination IP with a "gateway" address or I use what's called a "default route" or a "default gateway" (that's the bucket where I throw everything I don't know about). The thing is, these "gateways" -- either default or for specific routes -- are addresses on the same subnet. They have actual MACs that I can send the traffic to, and are "local" to me.

Through a combination of default routes and specific routes through various routers in the path, eventually I will reach a router that has the destination IP address on its subnet. When that happens, I will use a protocol called Address Resolution Protocol (ARP) to determine what the device's actual MAC address is... because remember every packet on an Ethernet network has to have a MAC address in addition to a destination IP address (and other networking topologies have a similar mechanism). When I ARP for an IP address, I will send out a broadcast to the subnet and ask "Who has this IP?" By RFC, and for networking to work, if I do have that IP address... I have to respond and tell the device asking my MAC. So -- YES -- in point of fact the router will know whether that specific IP address is on a live device or not. If he is alive and responds to an ARP, I will forward the packet to him... what he does with it is his problem. If he isn't live, then I will not get an ARP and I will send back a destination/host unreachable message.

So, yes, the whole concept of a stealthed port is entirely a fiction. But it isn't a fiction without some merit. There is one very practical difference between a "stealthed" port and a "closed" port. If I'm scanning ports, I want to do so quickly... because I have 65536 of them per device I'm scanning (for just TCP, maybe another 65536 if I'm interested in UDP)... and a closed response is essentially immediate, whereas a stealthed port requires me to wait some period of time. That's because a stealth port means that a host is actually getting it, they just are dropping it and ignoring you. But it takes some period of time, even if small, for you to decide whether they are ignoring you or whether you just haven't received a response yet due to network/server/application latency.

Thank you for the explanation ! It was a bit hard to understand, but I think I get the essence.

But I suppose that having your ports stealthed won't cause problems, most of the time. Some (but not all) of the ports on my router are stealthed, and I can't change that.

A note about Steve Gibson and what he once described as 'evil port monitors' (www.grc.com): hardware/software (?) firewalls that show themselves as stealthed, but were (using certain techniques/software) NOT fully closed, 'giving an attacker the impression that instead of a simple PC a mainframe or server was there to be exploited' (paraphrased).

Unfortunately, for as far as I know, he never identified the 'evil port monitors' (firewalls/routers ?).

#21
August 6th, 2008, 11:34 AM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948

Quote:
Originally Posted by Alec
But it isn't a fiction without some merit. There is one very practical difference between a "stealthed" port and a "closed" port. If I'm scanning ports, I want to do so quickly... because I have 65536 of them per device I'm scanning (for just TCP, maybe another 65536 if I'm interested in UDP)... and a closed response is essentially immediate, whereas a sleathed port requires me to wait some period of time. That's because a stealth port means that a host is actually getting it, they just are dropping it and ignoring you. But it takes some period of time, even if small, for you to decide whether they are ignoring you or whether you just haven't received a response yet due to network/server/application latency.
There are many forms/types of scanning. Even a so-called fully stealthed/invisible PC will respond to a TCP FIN packet with a TCP RST/ACK.

- Stem
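Added example (editor's code, not from any post in this thread): what a port scanner actually records for the outcomes discussed in doktornotor's posts #7 and #10 and in Stem's post above. It covers a closed port that answers with RST, a dropped ("stealth") probe that times out, the ICMP Destination Unreachable a router sends when no host answers ARP, a firewall that rejects with ICMP instead of dropping, and Stem's point that a FIN probe still draws an RST from a closed port. Responses are constructed in-line as raw IPv4 packets using RFC 5737 documentation addresses, so nothing is sent on the wire; the state labels follow nmap's convention and checksums are left zero.

```python
"""Classify a scanner's view of a port from the raw reply (or lack of one).
Editor's example; all packets and addresses below are constructed."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
UNREACH = {0: "net", 1: "host", 3: "port", 9: "admin", 10: "admin", 13: "admin"}


def _quad(s):
    return bytes(int(o) for o in s.split("."))


def ipv4(proto, src, dst, payload):
    """20-byte IPv4 header (no options, checksum zero) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _quad(src), _quad(dst))
    return hdr + payload


def tcp(sport, dport, flags):
    """20-byte TCP header: ports, seq, ack, data offset 5, flags, window 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def icmp(type_, code):
    return struct.pack("!BBHI", type_, code, 0, 0)


def classify(probe_flags, response):
    """Port state for a probe carrying `probe_flags` (SYN or FIN).

    `response` is the raw IPv4 reply, or None when the probe timed out.
    """
    if response is None:
        # Silence.  For a SYN probe that is a dropped packet (Shields Up's
        # "stealth"); for a FIN probe an *open* port is silent too (RFC 793),
        # so the scanner cannot tell open from filtered.
        return "open|filtered" if probe_flags & FIN else "filtered"
    ihl = (response[0] & 0x0F) * 4
    body = response[ihl:]
    if response[9] == IPPROTO_TCP:
        flags = body[13]
        if flags & RST:                       # a host is there; the port rejected us
            return "closed"
        if flags & SYN and flags & ACK:
            return "open"
        return "tcp-other"
    if response[9] == IPPROTO_ICMP:
        icmp_type, code = body[0], body[1]
        if icmp_type == 3:                    # Destination Unreachable
            return "unreachable:" + UNREACH.get(code, str(code))
        return f"icmp-type-{icmp_type}"
    return "other"


# Constructed endpoints (RFC 5737 documentation ranges).
SCANNER, TARGET, LAST_HOP = "198.51.100.7", "192.0.2.10", "192.0.2.1"


def scenarios():
    """The cases from the thread, as description -> recorded state."""
    rst = ipv4(IPPROTO_TCP, TARGET, SCANNER, tcp(113, 40000, RST | ACK))
    synack = ipv4(IPPROTO_TCP, TARGET, SCANNER, tcp(22, 40000, SYN | ACK))
    no_host = ipv4(IPPROTO_ICMP, LAST_HOP, SCANNER, icmp(3, 1))   # router: ARP unanswered
    reject = ipv4(IPPROTO_ICMP, TARGET, SCANNER, icmp(3, 13))     # REJECT, admin prohibited
    return {
        "port 113 closed, RST returned": classify(SYN, rst),
        "port 22 open": classify(SYN, synack),
        "no host at that address": classify(SYN, no_host),
        "firewall rejects with ICMP": classify(SYN, reject),
        "firewall drops ('stealth'), SYN times out": classify(SYN, None),
        "firewall drops, FIN times out": classify(FIN, None),
        "no firewall, FIN to closed port": classify(FIN, rst),
    }


if __name__ == "__main__":
    for desc, state in scenarios().items():
        print(f"{desc:45} {state}")
```

The time cost Alec describes lives entirely in the `None` branch: RST and ICMP replies arrive within one round trip, while a dropped probe is only known to be dropped once the scanner's timeout expires. "filtered" is also not "nothing there": the router forwarded the packet because something answered ARP, which is why the unreachable case is a separate label.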
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums