WHY HACKERS WIN !?

Discussion in 'other firewalls' started by Aggressor, Jan 13, 2004.

Thread Status:
Not open for further replies.
  1. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    OK comrades, just read a most disturbing piece of info on the www:

    it concerns so-called firewall "stealth".

    Sorry if it's a newb question, but I bet someone will correct me if I'm wrong, right? :D

    So here goes:

    - firewalls in stealth mode drop ALL unsolicited packets, eg. TCP and UDP scans.
    - a TCP scan on a stealthed port will get no answer, exactly like a non-existent port, so the scanner will "think" that no one is behind the IP being probed. So far, so good. BUT:
    - a UDP scan on a stealthed port gets no answer, exactly like an open port! (on a non-existent system, the scan will get a "non-reachable" msg, or something like that) - so even though UDP is an unreliable protocol, the scanner will "know" that a system is PROBABLY behind the probed IP.

    => therefore, the stealthed system is revealed, and (especially) if the IP is static, then boom, sooner or later the hacker wins! :mad:
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    What's the problem here?
    The meaning of not publishing ports is that no external system can reach your computer and any listening process on your computer behind the port.

    Every ip-address may contain a computer and right now probably will. By closing ports and stealthing them you remove any vulnerability from sight. When a TCP port is nominated as closed, an attacker might guess what vulnerability might be there but it's not reachable. A stealthed port removes any guessing as well: no port, that means that there's not even the remotest way of attacking the system if you don't know what system is there.

    For udp to be stealthed or closed, the case is not very different. UDP is not reliable, but it still needs an open port for any service to be available. No service visible, means no vulnerability visible. A hacker could try a DoS-attack, but what's the use?

    Hackers can't win, because there's no vulnerability. There may be a system, but for all they know it could be an army mainframe. Better not try to DoS that one.

    btw: nice question, I may be totally wrong. Good to have you on board :)
     
  3. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    WHAT THE PROBLEM IS?

    Isn't it obvious? I thought that the sole purpose of stealthing is to make hackers think that there is NO system behind an IP - otherwise, might as well leave all ports closed & not stealthed. I bet there are plenty of unused IPs out there..

    Since a UDP scan on a "stealthed" system, unlike a TCP scan, WILL reveal its presence, "stealth" is compromised, and the scanned system unknowingly sheds its cloaking, therefore the "bad guy" knows that there's a PC behind the address!

    EDIT:
    Why not? the baddies, if they've got guts, can tackle the army for all I care, that way, this'll keep 'em busy 4 a while & they won't bother us private users hehe.. :D
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I know stealth is BS, though not for the reasons you specified, but you can be completely stealth, including UDP.

    When it comes to udp, if the os doesn't get the packet, there is no reason to send out the icmp 3,3 response, and your assumption is completely flawed. You can even block the icmp 3,3 response from being sent, but that also means your configuration was so loose it let the udp packet in anyway.

    If anything, a misconfigured stealth system is more interesting than an unprotected system with all the ports reported back as closed, and yes there are firewalls that allow you to send the normal closed responses instead of dropping the packet with no reply.
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    And if you're running a firewall that blocks inbound unsolicited traffic, it really doesn't matter if someone knows you're there or not. "Compromised" is a term used when a PC has actually been infected. If the firewall is blocking, it's not compromised just because someone might figure out there's a box there. They really aren't going to knock the door down and get in from the outside. (And most port scans are automated, not some guy pushing a button watching for the slightest hint of a box online.)

    I have a W98 box with no services running on the net, ports all closed. Don't need a firewall for inbound since the ports are closed. So, a scan showed my pc is online. So what? The ports are closed. I haven't had any problems when running without a firewall like that.

    The stuff about stealth sells firewalls but it's not as necessary as some people make it out to be.

    Most "compromises" are from the inside....the user has lax browser settings, allowing spyware or malicious code to download and execute on their machine. Or they download crap or open email attachments they're not expecting from someone they know out of curiosity. Or P2P or accept files from strangers on IRC, etc. Or they don't have an AV, or don't keep it up to date, or their AV doesn't always catch the bad guy.

    If you're running a properly configured router or a firewall the greatest danger and risk from compromise comes from the user who thinks because they're stealth they're safe and need not worry about their own practices and activities online.

    JMO ;)
     
  6. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Blitz>

    OK danke schön for the details ;) . But when U say:

    U mean if there is NO machine (therefore no OS) on the receiving end, then there's (still) no need to send the response? Because if there IS an OS, and if the port is stealthed, then (as I read) no response is sent (and this LACK of response reveals the IP), as though it were open. So I gather that what U are saying is that even a UDP scan on a truly non-existent IP can also be WITHOUT an 'icmp 3.3' reply?


    -> I'd also like to know - if (normally) a UDP scan on a non-existent IP gets an icmp reply, since there's no system to scan, who or what sends the reply? o_O

    Which ones?? :D


    sig>

    Yeah I know in fact the closed/stealth debate has been going on for aeons and apparently is not about to be closed..

    Still, it is logical to think that one is safer when in true stealth, for no hacker will try to take on a phantom machine, ie. one that (he thinks) does NOT exist. That's supposed to be the purpose of stealth. But a real machine, even if it's a fortress, is still a viable target, especially if it has a static IP - a well-guarded PC may even attract anyone looking for some practice to hone their skills, or seeking a challenge hehe..

    As for threats from within, like OS/application exploits (cf. open ports) or sh*tty software, you're right, that's an entirely different ball game :doubt:
     
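    The exchange in posts 1, 4 and 6 (TCP vs. UDP probes of a dropping port, whether the probed OS ever emits ICMP 3/3, and who answers for an IP with no machine on it) is easier to follow as a small in-memory model. The block below is an added illustration, not code from any poster or from any firewall product; it sends no packets. The policy names, the two sample addresses and the "router sends unreachables" switch are this example's own assumptions. The switch matters because the thread's two readings hinge on it: a dropping host and an empty IP look identical only when the last-hop router stays quiet.

```python
"""
In-memory model of what a scanner gets back from one probed IP under the
host policies argued about in this thread. Added example, not thread code.

  EMPTY   no machine on the IP; the last-hop router may answer ICMP 3/1
  CLOSED  machine with no firewall, port closed: OS answers RST / ICMP 3/3
  DROP    "stealth" firewall discards the probe; nothing is sent back
  REJECT  firewall itself sends the normal closed replies (RST / ICMP 3/3)
  MIMIC   firewall sends ICMP 3/1 to look like an empty IP
"""
from dataclasses import dataclass
from typing import Dict, Optional

EMPTY, CLOSED, DROP, REJECT, MIMIC = "empty", "closed", "drop", "reject", "mimic"
TARGET, ROUTER = "203.0.113.10", "203.0.113.1"   # constructed sample addresses


@dataclass(frozen=True)
class Reply:
    kind: str            # "none", "tcp-rst" or "icmp"
    icmp_type: int = 0
    icmp_code: int = 0
    src: str = ""        # address that put the reply on the wire ("" = silence)


def wire_reply(policy: str, proto: str, router_unreachables: bool = True) -> Reply:
    """Reply to one TCP SYN or one UDP datagram aimed at a port with no service."""
    if policy == EMPTY:
        # ARP for TARGET fails on the last hop. Many routers then emit ICMP
        # type 3 code 1 (host unreachable), but operators can turn that off.
        return Reply("icmp", 3, 1, ROUTER) if router_unreachables else Reply("none")
    if policy == DROP:
        return Reply("none")          # the OS never saw it, so no ICMP 3/3 exists
    if policy in (CLOSED, REJECT):
        if proto == "tcp":
            return Reply("tcp-rst", src=TARGET)
        return Reply("icmp", 3, 3, TARGET)      # port unreachable
    if policy == MIMIC:
        # Forged "host unreachable": unlike a real one it is sourced from
        # TARGET itself, not from the router's address.
        return Reply("icmp", 3, 1, TARGET)
    raise ValueError(f"unknown policy {policy!r}")


def classify(reply: Reply, proto: str) -> str:
    """Nmap-style port state from a single reply (retransmits not modelled)."""
    if proto == "tcp":
        return "closed" if reply.kind == "tcp-rst" else "filtered"
    if reply.kind == "icmp" and reply.icmp_type == 3:
        return "closed" if reply.icmp_code == 3 else "filtered"
    return "open|filtered"     # silence: a quiet open service, or a dropped probe


def scan(policy: str, router_unreachables: bool = True) -> Dict[str, str]:
    """Port state the scanner reports for TCP and UDP probes of the same port."""
    return {p: classify(wire_reply(policy, p, router_unreachables), p)
            for p in ("tcp", "udp")}


def host_present(policy: str, router_unreachables: bool = True) -> Optional[bool]:
    """What the scanner can conclude: True = a box answered, False = the
    router vouched that nothing is there, None = cannot tell."""
    replies = [wire_reply(policy, p, router_unreachables) for p in ("tcp", "udp")]
    if any(r.src == TARGET for r in replies):
        return True                      # the host itself spoke
    if any(r.kind == "icmp" and r.src == ROUTER for r in replies):
        return False                     # router reports an unreachable host
    # Total silence. It only proves a host exists if silence is abnormal,
    # i.e. if the router would have complained about an empty IP.
    return True if router_unreachables else None


if __name__ == "__main__":
    for ru in (True, False):
        print(f"router sends unreachables: {ru}")
        for pol in (EMPTY, CLOSED, DROP, REJECT, MIMIC):
            print(f"  {pol:7} {scan(pol, ru)}  host? {host_present(pol, ru)}")
```

    Running it shows DROP reported as TCP "filtered" / UDP "open|filtered" in both rows, while EMPTY is "filtered" / "filtered" only when the router answers; with a quiet router the two rows are identical and presence is undecidable. On a Linux box the same three behaviours are `-j DROP`, `-j REJECT --reject-with tcp-reset` (or `icmp-port-unreachable` for UDP) and `-j REJECT --reject-with icmp-host-unreachable` in iptables; the MIMIC row shows why the last one does not fully pass as an empty IP, since the forged unreachable carries the host's own source address rather than the router's.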
  7. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Again, most port scans are automated; i.e., not a hacker eyeballing as hundreds or thousands of IPs are scanned for hours, looking for the slightest glimmer of a stealth cloaking device to indicate the presence of a hidden PC. Most often the port scans are run by infected PC's belonging to people who don't have a clue what their PC is up to. So it's port scanning by proxy or proxies. (It's a dumb hacker indeed that scans from his own box/IP.) The port scans are looking for vulnerable boxes with open ports and services to be exploited. If ports respond that they are closed, there's nothing more to see, nothing more to do but move on looking for a vulnerable system.

    That's it. People have this idea that some scary "hacker" is sitting there scrutinizing each port scan, port by port, IP by IP. It doesn't work that way. MSBlaster doesn't care whether your ports are stealth or closed....all it looks for is an open port and a specific service that if unpatched is vulnerable to exploit. If it finds what it's looking for, the box is infected. If the port is closed, it's safe: there is nothing for msblaster to do since it can't get in.

    And just think, how "invisible" is your PC to every website you visit while you're surfing? Do you know how much info your PC might offer up indiscriminately to each site? People think nothing of going to unknown sites with ActiveX and scripting enabled, not having a clue what they might open themselves up to. But they sure do want to be "stealth" on the net because they "know" they're not safe if they're not. LOL

    The "stealth is best" mantra or the idea that one cannot be secure against port probes without one's PC being "invisible" on the net is primarily marketing hype and myth, not logic or reason.
     
  8. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Well you never know, actually - it's a crazy world these days, U know :D

    Of cos' ! By definition, (true) stealth is supposed to render a PC invisible to unsolicited packets only. For connections the user establishes himself, well that's another matter since no power in the universe can allow a PC to hide its IP "all by itself" - this would call 4 good ole' anonymous proxy method, no other choice - unless the Romulans were willing to share their cloaking device technology lolol :D
    As for activeX, well I have them blocked, along with VBscript. The only time I ever needed ActiveX was for an ADSL speedtest site!

    And don't forget this - stealth slows down port scans considerably, thereby slowing down hacker activity..
     
  9. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I personally believe that "Stealth" will protect you from 95% or more of all hackers, but not from the true "pro". They say that a professional burglar can break into any home, no matter how secure the home is made; the same is true with computing. Does that mean that we stop computing, No! Every time you hop into an automobile there is a chance that you are going to get killed, but that doesn't mean that you stop driving. So all we can do is protect ourselves from everyone except the true pros who are probably looking for more interesting targets than our boring pcs anyway.

    http://www.hansenonline.net/Networking/stealth.html

    Acadia
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hackers don’t normally like to waste time and effort scanning particular machine ports, they mainly use boxes to scan IP ranges, if the port or ports aren’t seen as opened the machine's IP will not be recorded.

    Advantage of a stealthed machine is it blocks unsolicited packets which saves on bandwidth, if the machine is being flooded it can withstand a heck of a lot more than if it wasn’t stealthed.

    As for “anonymous proxy method”, not recommended for those on xDSL, Cable+ and want to have full performance of their Internet habits such as surfing.

    And another thing that needs to be clarified is that if an open port is properly firewalled to block all unsolicited packets to it there is no way for a PRO to break in through it, now a machine with a great Software Firewall configured properly to block ALL Incoming packets regardless if it's over IP & Non-IP or Other Protocols will be IMPOSSIBLE for a PRO to remotely break in to.
     
  11. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Phantom>

    Maybe, but I guess private users stuck with a STATIC IP don't have much choice if they don't want to be sitting ducks, all the more so since, according to Acadia's link, so-called "stealth" is NOT stealth..

    Don't ALL decent software FWs, when set to 'stealth', block ALL incoming packets (IP or not)?
    IF not, which ones do so, and do it best??

    Acadia>

    Thx for this most interesting link! Though it is a most disturbing piece of news, for according to this article, there is no such thing as TRUE stealth - such a firewall would need to "emulate" stealth by sending back an "unreachable"-type response, and I've never heard of a firewall that does this :'(.

    As U said, a pro can rob any home (with time). A burglar would never break into a house that (he thinks) does NOT exist, but then again, since there's apparently no true stealth these days, that means that all homes are visible. Yipes!!
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
     
  13. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    No, no, I am paying attention to the rest, but the topic I started WAS about "invisibility" in the first place! I mean, isn't it obvious that IF you can completely conceal yourself from the outside world (without disconnecting, of cos'), then "no seen, no fear"? After all, the best way to win a battle is to avoid one in the first place, and the best way to avoid one is not to draw attention to oneself, simple as that..

    All of the following (block non-IP)?

    -Kerio
    -LnS
    -OPP
    -ZA
    -TPF
    -NPF
    ?
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
     
  15. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Yeah - I guess that's the way it's done...in MOST cases
     
  16. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    ...i think i heard somewhere that another objective of stealthing is to hide a default response that can indicate what particular software is being run at the address. I imagine different o/s running different software may have recognizable responses in the blocked mode, vs. no reaction which can be indicative of many different configurations...I imagine a hacker would like to be able to know what you are running so he can look you up when a good exploit presents itself. Just a thought.

    HandsOff
     
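    The point HandsOff raises, that a "closed" reply carries information while a dropped probe carries none, can be shown with the simplest field a responder cannot avoid sending: the IP TTL of its RST or ICMP 3/3. This is an added example, not code from the thread. It assumes the usual per-OS starting TTLs (64 on Linux, BSD and macOS, 128 on Windows, 255 on many routers and older Unix); the OS hints are coarse guesses, and the sample TTLs are constructed as a scanner twelve hops away would see them.

```python
"""
What a "blocked" reply leaks that silence does not. Added example.

The responder starts the TTL at an OS default; every router on the way back
decrements it. Rounding the observed TTL up to the next common default
recovers that default (a coarse OS hint) and the gap is the hop count.
"""
from typing import Optional, Tuple

DEFAULT_TTLS = (32, 64, 128, 255)          # common initial values, ascending
TTL_HINT = {32: "legacy Windows", 64: "Linux/BSD/macOS-like",
            128: "Windows-like", 255: "router/Solaris-like"}   # assumed hints


def infer_initial_ttl(observed: int) -> Tuple[int, int]:
    """Return (assumed initial TTL, estimated hop count) for an observed TTL."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be 1..255")
    for start in DEFAULT_TTLS:
        if observed <= start:
            return start, start - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def fingerprint(reply_ttl: Optional[int]) -> str:
    """Describe what one reply gives away; None models a dropped probe."""
    if reply_ttl is None:
        return "no reply: nothing to read"
    start, hops = infer_initial_ttl(reply_ttl)
    return f"initial TTL {start} ({TTL_HINT[start]}), about {hops} hops away"


# Constructed samples: TTLs as seen by a scanner 12 hops from the target.
SAMPLES = {"reject on Windows-like host": 116,
           "reject on Linux-like host": 52,
           "drop (stealth)": None}

if __name__ == "__main__":
    for label, ttl in SAMPLES.items():
        print(f"{label:28} -> {fingerprint(ttl)}")
```

    The inference is deliberately coarse: a RST that arrives with TTL 116 is far more likely to have started at 128 than at 255 and travelled 139 hops, which is all the rounding encodes. Tools that fingerprint passively add window size, IP ID behaviour and option ordering on top of this, but the principle is the same, and a dropped probe gives them nothing to work with.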