[Rant] GRC's Shields Up! and "true stealth" - firewall test or harmful FUD?

1/ ICMP echo request/reply

Facts:
RFC-1122

GRC's FUD: (most nonsensical parts emphasized by myself)

You have trouble with your internet connection? Guess what, call your ISP and they'll start by pinging your box... Thank you, Mr. Gibson, for "highly recommending" an RFC breach.

- Blocking ICMP echo request is the ultimate way to invisibility, apparently, and will defeat all those nasty hackers there... Why do the lame guys use all the port scanners which scan whole network ranges, when they can use ping, d'oh!

- As a bonus, thanks to your Shields Up advise all security/firewall forums are flooded by scared newbies who complain about how their firewall "failed" to protect them from the nasty ICMP echo request/reply. "Oh noes, I'm not 'true stealthed' - your product faileees!".

2/ Reverse (PTR) DNS records

Facts:

RFC-1033

RFC-1912

GRC's FUD: (most nonsensical parts emphasized by myself)

So, according to Mr. Gibson:

- Without reverse DNS record, I can't be uniquely identified. I thought an IP might be enough to actually achieve this, wow I lived in lie for all the years. It's so much easier when you have PTR.

- Without reverse DNS record, website cannot easily retrieve information about me. Apparently, everything starting with IP address and ending with stuff such as OS, used browser and screen resolution is even not remotely so dangerous like having a reverse DNS record (which lots of sites don't even log due to performance reasons. Wow again.

- Without reverse DNS record, my geographical information won't be disclosed.

- Without reverse DNS record, noone can persistently identify me. Just because ISP's never log assigned IP addresses, and noone's using fixed IPs these days.

I suppose Mr. Gibson never used services like this or this that show all the details mentioned above. This will even show your location on the map quite accurately for lots of people. But pheeew, I'm so much more safe without PTR record, noone will spy on me. Good that GRC felt the need to warn me with one page worth of blurb before even sending me to the actual inbound firewall test. Many thanks.

To conclude - I stopped suggesting Shields Up as a firewall test site quite some time ago and won't recommend it again until Mr. Gibson deletes the above nonsense and FUD.

Your alternative suggestions wrt online firewall/security tests are welcome.

 

Here's another one:

your machine responds with "closed" ports, even if only one while the rest are "stealthed", and Shields Up flashes back to the tester a big, red FAILED

This tends to freak out the misinformed, who think that closed ports are vulnerable, when in fact they are perfectly fine.

 

+1. I didn't want to mention this one, because the original post is already quite long... Maybe we could make another thread about stealth vs. closed madness.

I basically consider the whole site Shields Up site to be a FUD. If you want to be invisible on Internet, then pull the cable, or better yet pull the plug for the truly paranoid. But being "invisible" doesn't mean you are actually secure.

 

We had a long thread already about closed/stealth, and there's a bunch of other mentions scattered about. If you're stealthed, they aren't getting in, if you're closed, they aren't getting in

 

This is a good subject to bring up now and again, because Wilders gets a lot of threads from concerned members where their firewall/router "fails" the scan because of the points doktornotor raises or because of ports "only" being closed. Until I figured it out some time ago, I also used to feel panicky if my setup revealed a failed response; I was not satisfied until everything was stealthed and no response on pings (echo reply out). Even when I bought my router several years ago, I was concerned because port 113 showed "closed" so, of course, Shields Up awards me the big red FAILED score, which is nonsense.

 

Hello,

Well, doctor, since I know you're a fellow Linuxer... I guess we think the same.
Nothing wrong with healthy ping, types 0, 3, 8, essential for good networking.

And DNS, I agree, without reverse DNS, apps like ftp, mail, ssh and others might fail to work - or scream about forgery attempts ...

Is true stealth important - no, but it makes people feel good about themselves, so why ruin it ... besides, there are easier ways of trying to change the world. Instead of debunking someone's XYZ, I prefer to draw them into my clutches and show them the beauties of the free, open(-source) world.

And then the worries end on their own.

Mrk

 

Well, the funny thing is... people think that not responding to ping makes them invisible and the "hacker" will think there's no computer connected.

- If there was no computer with given address connected, they'd get ICMP Destination Unreachable (ICMP Type 3) with one of the codes (such as 0 - net unreachable, 1 - host unreachable ... etc).

- Whey they simply drop those packets (full stealth FTW), they get a request time-out instead, so the router is clearly suggesting that there actually is a computer out there with such address, but it's dropping the ICMP packets...

Yeah, that's a much better solution to these security problems...

 

Strong emotions here, it seems like a rant.
Steve Gibson is - presumably - human, and he doesn't know all.

Specific quote:

If the computer is truly stealthed, why wouldn't they get a ICMP Type 3 ? True stealth=seems like nothing is there. It's not as if the internet magically knows if there is a computer on the other end !

What IS full stealth ? It could be that full stealth is poorly implemented, but 'full stealth' should mean that any 'attacker' looking for a target would not be able to see the 'stealthed computer' in question.

You can claim stealth is 'out of spec', fine, but that doesn't mean it's useless.

 

Partial quote: '1/ ICMP echo request/reply

Facts:
RFC-1122


Quote:
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. ... An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.



GRC's FUD: (most nonsensical parts emphasized by myself)


Quote:
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.'

AND

'You have trouble with your internet connection? Guess what, call your ISP and they'll start by pinging your box... Thank you, Mr. Gibson, for "highly recommending" an RFC breach. '

Maybe it can be a problem, but I have never encountered such a problem. And if it becomes an issue, it can be fixed, temporarily or not.

 

Because if there is no such computer, the router which is supposed to route the traffic to that IP will respond to ICMP echo request.

No. The attacker will know that the box there exactly for the reasons stated above. Dropping all inbound packets instead of rejecting them merely tells the attacker that there's a firewall, it doesn't hide the existence of a computer. There's no such thing as "poorly implemented stealth", this is pure marketing blurb. Stealth = packet dropped; closed = packet rejected. Stealthed ports do not increase your security in any way, period.

 

Hello all,

This has been discussed many times, and no doubt will come up many times again.

I and other have put forward there is no thing as "invisible" on the internet, but as I and others have put forward, it does give some that "warm fuzzy feeling" with a result of "stealth" from such very basic scans.

The only good thing for me from the start of this (stealth), was the fact firewall vendors put in place better filtering for ICMP,... now if only it could be done for the rest of the various layers?


- Stem

 

Steve tends to be FUD-ish. In reality, responding to ping and having closed ports wont make you less secure.

 

Some low-level security...

BTW, apparently KIS 2009 finally abandoned this "stealth" hype...

 

While in agreement that closed ports currently pose no threat to security. I do like "warm and fuzzy". I still prefer to not let the bad guy know a house (PC) is even there by allowing the door (port) to be seen if at all possible.

 

But as pointed out already, anyone can tell you're there even with your stealth, so it's pointless....

 

This gets a bit too technical for me.

You speak of 'the router'. What type of router are we speaking of, Cisco, NAT ?

How does the router know if a certain IP exists, or if the IP in question is actually in use (=connected to a working computer) ?

Let's not make an argument of this. I've seen whole threads devoted to 'pro-stealth' and 'stealth is bad'.

My technological knowledge is limited.

I myself am behind a NAT router that has some, but not all, ports stealthed.
I'd prefer stealth above non-stealth, properly implemented of course.

 

One more time:

I understand that, regarding the 'stealth' issue, there are people on both sides of the fence.

Is anyone able to give a definitive answer regarding making your computer truly invisible (and I don't mean turning off your computer ), and whether current implementations are truly effective ?

 

We don't need to talk about specific vendors, and it's not overly complicated really, but it does require some additional explanation. Routers don't simply route layer 3 IP addresses, they -- like all devices with a network stack running on Ethernet -- have to ultimately convert an IP address to a physical Media Access Control (MAC) address for a destination device. The MAC address is often referred to as a layer 2 address.

Routing works sort of like the whole "six degrees of separation" thing. I may not know Kevin Bacon myself, but somebody I know eventually might through a chain of connections. So, as a router if I get a packet coming in destined to 72.14.215.99, I have to do several things. The first thing I do is use the subnet mask against the destination IP. Lets say that my subnet mask is a typical 255.255.255.0. When I do my bitwise logical AND with the destination I get 72.14.215.0. I compare this number to my own IP address that has been bitwise AND'ed with the subnet mask. For example, lets say my IP address is 207.46.192.254, and masked it would 207.46.192.0. Clearly that is different. So, the destination is not on the same layer 2 subnet. What do I do with it now? I have to find someone that is "closer" to the destination, and I do that by looking at my routing table... and either I have a route in place that includes the destination IP with a "gateway" address or a use what's called a "default route" or a "default gateway" (that's the bucket where I throw everything I don't know about). The thing is, these "gateways" -- either default or for specific routes -- are addresses on the same subnet. They have actual MACs that I can send the traffic to, and are "local" to me.

Through a combination of default routes and specific routes through various routers in the path, eventually I will reach a router that has the destination IP address on it's subnet. When that happens, I will use a protocol called Address Resolution Protocol (ARP) to determine what the device's actual MAC address is... because remember every packet on an Ethernet network has to have a MAC addresss in addition to a destination IP address (and other networking topologies have a similar mechanism). When I ARP for an IP address, I will send out a broadcast to the subnet and ask "Who has this IP?" By RFC, and for networking to work, if I do have that IP address... I have to respond and tell the device asking my MAC. So -- YES -- in point of fact the router will know whether that specific IP address is on a live device or not. If he is alive and responds to an ARP, I will forward the packet to him... what he does with it is his problem. If he isn't live, then I will not get an ARP and I will send back a destination/host unreachable message.

So, yes, the whole concept of a stealthed port is entirely a fiction. But it isn't a fiction without some merit. There is one very practical difference between a "stealthed" port and a "closed" port. If I'm scanning ports, I want to do so quickly... because I have 65536 of them per device I'm scanning (for just TCP, maybe another 65536 if I'm interested in UDP)... and a closed response is essentially immediate, whereas a sleathed port requires me to wait some period of time. That's because a stealth port means that a host is actually getting it, they just are dropping it and ignoring you. But it takes some period of time, even if small, for you to decide whether they are ignoring you or whether you just haven't received a response yet due to network/server/application latency.

 

Alec, you explained things very nicely, in detail without all the technobabble. Thank you!

 

Thank you for the explanation ! It was a bit hard to understand, but I think I get the essence.

But I suppose that having your ports stealthed won't cause problems, most of the time. Some (but not all) of the ports on my router are stealthed, and I can't change that.

A note about Steve Gibson and and what he once described as 'evil port monitors' (www.grc.com): hardware/software (?) firewalls that show themselves as stealthed, but were (using certain techniques/software) NOT fully closed, 'giving an attacker the impression that instead of a simple PC a mainframe or server was there to be exploited' (paraphrased).

Unfortunately, for as far as I know, he never identified the 'evil port monitors' (firewalls/routers ?).

 

There are many forms/types of scanning. Even a so called fully stealthed/invisible PC will respond to a TCP~FIN packet with a TCP~ RST/ACK

- Stem