[ale] How to test your public internet connection for open ports
On Fri, 2011-02-11 at 02:56 -0500, Ron Frazier wrote:
> Hi David,
>
> As you said, nothing personal meant in anything I say. For the record,
> I don't have any interest in Steve Gibson, other than that I find his
> services, products, and advice useful in securing my computers and my
> network. See comments in line.
>
> On 02/10/2011 08:51 PM, David Tomaschik wrote:
>
> > So, apparently GMail's web interface ate my earlier post. It's a shame.
> >
> > Note: This is not directed towards Ron or anyone else on the list, and I
> > hope it is not taken personally. I'm also not going to call Steve
> > Gibson a hack, even if he might be called that by other audiences. I'm
> > not interested in Steve Gibson, just the (poor) advice he gives.
> >
> > Yes, we need someone who can break down security issues into terms that
> > are useful for the average consumer. That being said, it should be
> > someone who accurately describes security issues, countermeasures, and
> > implications. Steve Gibson has, in my eyes, failed that on several
> > occasions.
> >
> > 1.) The description of "stealthed" vs. "closed" ports, and the security
> > implications of the two. His description of a stealthed port as a "good
> > thing" and a closed port as a "bad" thing is ridiculous. If the port is
> > closed, the most information an attacker will glean from that is that
> > there is a host on that IP address. He'll get that from the lack of a
> > ICMP Host Unreachable response anyway. (See MHW's post about that.)
> >
> >
> There is a possibility that, during a system patch or configuration
> change, ports that were previously closed may become open. If Joe
> Cracker's bot previously logged my address as having an active host,
> then it's logical that it may come back periodically and recheck my
> ports. I'd just rather that it didn't find me at all.
> Now, you guys are telling me, that if the bot randomly scans my public
> IP address, 76.97.???.???, and if my ports are stealthed and I don't
> send ANY response, and if I don't respond to ICMP pings and such, that
> the bot is still going to know I'm there? Come on! I'm not buying that
> for 5 seconds unless someone explains exactly how that will occur.
Real bloody easy. Too bloody easy.
ping IP-1
Result: ICMP UNREACH HOST_UNREACH
ping IP+1
Result: ICMP UNREACH HOST_UNREACH
ping IP
Result: Dropped packet. No response.
Cool! I have a NULL sink I can use as a source for spoofed SYN floods.
Feed that address into my DDoS bots and let's ROCK ON!
Now, if you are on a dynamic address, that address may change. Then
again, I had always-on DSL and broadband addresses which did not change
for years.
> What I think you're saying is that all or most of the other addresses
> that are scanned on the 76.97.???.??? space will have hosts and that
> they will respond with a "closed" port and a host unreachable code or
> something.
NO! It means we get an error back from the router saying the host is
unreachable if there is nothing there. That's the whole point. That's
what you are not getting. ICMP indicates when there are errors. But
you are telling him you are there by NOT sending back the error he
should receive. If you are there and you're dropping packets, we don't
get anything back. Your presence is unmasked by the absence of an
error.
> Therefore, mine will be conspicuous by its absence. There
> are two problems with that theory. A) The address space may not be
> full, and B) Most of the other users are going to be home users just
> like me with routers stealthing their ports too. So, the port
> scanner will see large blocks of non responses.
You're only half right and the half you are right may only be half
right. You're assuming they're all dropping packets. If they are all
dropping all packets, that whole subnet becomes useful as a DDoS bot
null sink. I understand from your statements above that you don't
understand what that is and why it's significant but it is. Don't feel
bad about that. I know IT professionals that have a hard time
understanding that.
> If I were programming the bot, I do NOT think I would set it to pay
> special attention and focus attacks on non responses.
Guess you wouldn't be a good hacker then. Because they do. They find
an address like that, they don't need to attack it but they can abuse it
as part of their other attacks. I work with these things. It does
happen.
> I believed last week, and I still believe this week, that my home
> network is safer by operating with a stealth firewall at the edge, even
> if the benefit is not tremendous over that of a non stealth firewall.
You haven't shown any of us a single benefit and I've mentioned a couple
of benefits to rejecting packets appropriately. Nice try. Thank you
for playing.
> The consumer needs simple, direct advice. So, my advice, derived from
> Steve's is, buy a home router which stealths all the ports, configure it
> according to the directions I've given, check it with ShieldsUp (or some
> more comprehensive tool that's easy to use that I don't know about), and
> that part of your network setup is done. You're as safe as you can be
> within your budget and knowledge level from unsolicited attacks.
The consumer needs simple direct advice that IS NOT INACCURATE.
Everything should be as simple as possible but not TOO SIMPLE.
This is what makes me so frustrated. Making inaccurate, imprecise
statements like "you need a router for security" and "you're secure
because you have a NAT device" has perpetuated this myth that NAT ==
security. Then foolish consumers think "Oh, IPv6 must not be very
secure if it doesn't have NAT" when just the opposite is true!
As a security professional I'll go so far as to say you are more secure
on IPv6 with no firewall at all, than you are on IPv4 with a firewall or
NAT. Why? Because IPv6 is 4 billion times more difficult to
comprehensively brute force scan a single subnet than it is to scan the
IPv4 internet from end to end. Note: I'm being VERY precise in that
terminology. Yes, IPv6 can be scanned, especially when people treat it
like IPv4 and assign sequential addresses, but you have to use
"intelligent" scans and heuristics to choose your targets, you can not
simply start at one end of even a single subnet and scan to the other
end. Now put THAT behind a firewall, or have the addresses changing
periodically (privacy enhanced addresses) and try scanning for that.
Combine that with the deliberate sparse nature of v6 allocations. IPv4
is like shooting fish in a barrel. You hit a broadband or DSL subnet,
you can barely turn around and take a breath without hitting an
opportune target. Now, replace each of those single IPv4 addresses with
an IPv6 /64 subnet. Now you have only 1 chance in 18 billion billion of
guessing a host address (times the number of machines). The opportunity
to score drops real low and your attack yield is low because the
defender's attackable footprint is so much tinier.
Point on the curve. Years ago a particularly nasty worm called the
Witty worm cut loose on the net. Its growth was explosive. Within
minutes it overwhelmed routers and networks. Within a half an hour it
had infected well over 12,000 hosts around the world. It took days to
clean up. I participated in a lot of that. Because of the unique
nature of that worm, I was able to track it in my darknet net-telescope
as did CAIDA, a much larger (/8) net telescope. It was a single packet
spoofed UDP based worm that was spoofed "from" a particular port making
it rather easy to track and easy to tell when it managed to "sneak"
behind a NAT router (I started seeing other ports and multiple ports
from the same address - simple). It wasn't part of a virus or trojan
package, so it only propagated by network traffic alone and it wasn't
something you tripped on browsing a web site. A classical self
propagating worm.
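The telescope heuristic described above (one fixed spoofed source port for the worm, and "other ports" from the same address once a NAT router is rewriting them), as an added Python example that is not part of the original post or the poster's tooling. The log format and addresses are constructed for illustration, and the worm port is a parameter (set to 4000, the UDP source port Witty used).

```python
"""Darknet / network-telescope heuristic from the thread: a single-packet
worm that always spoofs the same UDP source port is easy to recognise, and
the same source IP also showing *other* source ports is the tell that the
infected machine sits behind a port-rewriting NAT router.
Added example; log lines and addresses are constructed."""
from collections import defaultdict

WORM_SRC_PORT = 4000  # parameter: Witty's fixed spoofed UDP source port

# Constructed telescope log: "<epoch> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <len>"
SAMPLE_LOG = """\
1078964401 198.51.100.7:4000 -> 192.0.2.15:1234 UDP 1300
1078964402 198.51.100.7:4000 -> 192.0.2.77:9 UDP 1300
1078964402 203.0.113.9:4000 -> 192.0.2.3:5151 UDP 1300
1078964403 203.0.113.9:61023 -> 192.0.2.44:80 UDP 1300
1078964404 203.0.113.9:61024 -> 192.0.2.45:443 UDP 1300
1078964405 192.0.2.200:53 -> 192.0.2.1:40000 UDP 120
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _, dst, proto, length = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto, "len": int(length)}


def classify_sources(log_text, worm_port=WORM_SRC_PORT):
    """Per source IP: 'direct' (only the worm port seen), 'behind-nat'
    (worm port plus rewritten ports), or 'other' (worm port never seen)."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "UDP":
            ports_by_src[rec["src"]].add(rec["sport"])
    verdicts = {}
    for src, ports in ports_by_src.items():
        if worm_port not in ports:
            verdict = "other"
        elif ports == {worm_port}:
            verdict = "direct"
        else:
            verdict = "behind-nat"
        verdicts[src] = {"verdict": verdict, "ports": sorted(ports)}
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {info['verdict']:10} src ports {info['ports']}")
```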