How to stealth Port 113 in my NAT Router

[Johnny]

Archived from groups: comp.security.firewalls (More info?)

Hi folks,

I have the D-Link DI-604 Router. Nice thing. But grc.com shieldsup
tells me that Port 113 is blocked, blowing its otherwise full-stealth
cover...:-(

I was looking on their description of Port 113 and found the
following:

The good news is . . . it is possible to configure NAT routers to
return them to full stealth. The trick is to use the router's own
"port forwarding" configuration options to forward just port 113 into
the wild blue yonder. Just tell the router to forward port 113 packets
to a completely non-existent IP address, one way up at the end of your
router's internal address range. The router will then NOT return a
port closed status. It will simply forward the port 113 packet
"nowhere" . . . and your network will be returned to full stealth
status.

I'm not an english native speaker: can you translate this to me into
better english:

"The trick is to use the router's own "port forwarding" configuration
options to forward just port 113 into the wild blue yonder. Just tell
the router to forward port 113 packets to a completely non-existent IP
address, one way up at the end of your router's internal address
range."

wild blue yonder.???
one way up at the end of...???

Thank you very much
Jo

 

[Jbob]

Archived from groups: comp.security.firewalls (More info?)

While Wolfgang, Lars and Greg are technically correct I do believe that a
Stealth setting appears to have some usefuleness. I have gathered this
information from many sources for the last year and this is what I can
conclude.

Having a "Stealth" setting can slow down port scanners(the bad guys) looking
for open ports to exploit. A closed port will respond quickly letting a
port scanner know that there is something there which they might come back
later to try and exploit while a Stealth port will delay response hopefully
sending port scanning software on to an easier target. I know these other
guys who have much more technical saavy than I will balk at this but so be
it. I think it might have been Steve Gibson that coined the phrase
"Stealth" over on GRC. What those other guys talk about is that a stealth
response is not a correct response that is supposed to occur in networking.
A true response would be a packet sent out asking "Are you there" and the
responses are either "Yes I am here but not accepting"(a Closed response) or
"No one is here by that name"(a response from a system that does not exist
or is off. A stealth response is no response at all thus letting someone
who is looking that there is something there but it isn't answering or told
not to answer. So you see that stealth is not really stealth at all. I
know the language is not very technical but that is it in a nutshell.

Now how to achieve a stealth response on a router? I don't use D-Link but
the procedures should be very similar. Go to the page on the routers web
management pages for forwarding and forward TCP port 113 to an unused IP
address. Preferably one not in the DHCP range of the LAN side being used.
Be advised that a stealth response on port 113 could break your email
though(as Greg suggested).

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

>Now how to achieve a stealth response on a router? I don't use D-Link but
>the procedures should be very similar. Go to the page on the routers web
>management pages for forwarding and forward TCP port 113 to an unused IP
>address. Preferably one not in the DHCP range of the LAN side being used.

Thank you. While I agree that stealth is silly, some people think it is
important, and the guy deserved an answer, not a philosophy. I don't have a
router, so I couldn't answer the question. With any luck, a D-Link owner will
jump in.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On 26 Jul 2004 12:44:38 -0700, Johnny spoketh

>Hi folks,
>
>I have the D-Link DI-604 Router. Nice thing. But grc.com shieldsup
>tells me that Port 113 is blocked, blowing its otherwise full-stealth
>cover...:-(
>

"Stealth" has nothing to do with security. "Stealth" is over rated and
poorly named. Closed ports are closed, and so are "stealth" ports, so
don't worry about it ...


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On 26 Jul 2004 12:44:38 -0700, jonasxy@web.de (Johnny) wrote:

>Hi folks,
>
>I have the D-Link DI-604 Router. Nice thing. But grc.com shieldsup
>tells me that Port 113 is blocked, blowing its otherwise full-stealth
>cover...:-(

As it should be, I suggest you figure out what the ident service is, what
other internet based services use it and why the router sends back an RST
for connections to it.




greg
--
Konnt ihr mich horen?
Konnt ihr mich sehen?
Konnt ihr mich fuhlen?
Ich versteh euch nicht

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

"Johnny" <jonasxy@web.de>
wrote in news:a7e341f.0407261144.15bea29b@posting.google.com:
> Hi folks,
>
> I have the D-Link DI-604 Router. Nice thing. But grc.com shieldsup
> tells me that Port 113 is blocked, blowing its otherwise full-stealth
> cover...:-(
>
> I was looking on their description of Port 113 and found the
> following:
>
> The good news is . . . it is possible to configure NAT routers to
> return them to full stealth. The trick is to use the router's own
> "port forwarding" configuration options to forward just port 113 into
> the wild blue yonder. Just tell the router to forward port 113 packets
> to a completely non-existent IP address, one way up at the end of your
> router's internal address range. The router will then NOT return a
> port closed status. It will simply forward the port 113 packet
> "nowhere" . . . and your network will be returned to full stealth
> status.
>
> I'm not an english native speaker: can you translate this to me into
> better english:
>
> "The trick is to use the router's own "port forwarding" configuration
> options to forward just port 113 into the wild blue yonder. Just tell
> the router to forward port 113 packets to a completely non-existent IP
> address, one way up at the end of your router's internal address
> range."
>
> wild blue yonder.???
> one way up at the end of...???
>
> Thank you very much
> Jo

Look at the address range that the DHCP server in the D-Link router can
assign. Mine can assign 192.168.0.x where x ranges from 100 to 199
(although it could range from 1 to 254). Notice that the first 3 octets
are fixed (i.e., you cannot change them) which means it cannot assign
many IP addresses, like 192.168.12.89. So select an IP address that
cannot be assigned by the DHCP server in your NAT router. I use
192.168.255.254. Then I use Advanced -> Virtual Server to define one at
this unassignable IP address. It is unimportant what port you specify
for that virtual server host because it doesn't exist, anyway, so I just
reuse 113.

Basically this is used to open a port to a host through the router's
firewall but you are pointing it to a host that can never exist because
the DHCP server in the NAT router will never be able to assign that IP
address. So any ancient mail server that still uses the auth/ident
protocol via port 113 will send it to your router which routes it to a
host that doesn't exist so there will never be a response to it. When
you next run GRC's stealth test you will then see port 113 never gets
responded to (as opposed to immediately returning a status of closed
which also declares that something exists to announce that status).

Not responding to a connection attempt is different than returning a
status of closed. One doesn't reveal that there is anything at the
other end. The other obviously must require something to exist to
report back the closed status. Sure the hacker might go away if they
find all the attempted ports are closed but they'll still know you
exist. No response means the hacker won't know if your network doesn't
exist or if it is powered down. I'd rather leave them in the dark and
possible avoid later intrusion attempts. For those that argue that
stealthing a port (by not responding to a connect attempt) is no better
protection than immediately and actively reporting a closed status on
the port, I argue that if stealthing doesn't hurt and might help then
there's no point not to do it.

--
__________________________________________________
*** Post replies to newsgroup. Share with others.
(E-mail: domain = ".com", add "=NEWS=" to Subject)
__________________________________________________

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On Mon, 26 Jul 2004 19:45:12 -0400, "Crash" Dummy spoketh

>>Now how to achieve a stealth response on a router? I don't use D-Link but
>>the procedures should be very similar. Go to the page on the routers web
>>management pages for forwarding and forward TCP port 113 to an unused IP
>>address. Preferably one not in the DHCP range of the LAN side being used.
>
>Thank you. While I agree that stealth is silly, some people think it is
>important, and the guy deserved an answer, not a philosophy. I don't have a
>router, so I couldn't answer the question. With any luck, a D-Link owner will
>jump in.

One solution could be to forward port 113 to either:
a) A computer with a desktop firewall that "stealths" the port, or
b) to a non-existing IP address on the LAN.

I think the point that some of us are trying to make is that there's
little point in chasing the pie in the sky. Jbob is correct; a "stealth"
device will slow down port scanning, as the scanner will have to wait
for a timeout rather than just getting a quick "we're closed" response
and move on. It does not, however, make the target less visible as
implied by the mo inker...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

 

[Johnny]

Archived from groups: comp.security.firewalls (More info?)

Hhm Hhm. Well, but what does
wild blue yonder and
one way up at the end of...mean (just for my english)

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen (badnews@hansenonline.net) wrote:
: On Mon, 26 Jul 2004 19:45:12 -0400, "Crash" Dummy spoketh

: >>Now how to achieve a stealth response on a router? I don't use D-Link but
: >>the procedures should be very similar. Go to the page on the routers web
: >>management pages for forwarding and forward TCP port 113 to an unused IP
: >>address. Preferably one not in the DHCP range of the LAN side being used.
: >
: >Thank you. While I agree that stealth is silly, some people think it is
: >important, and the guy deserved an answer, not a philosophy. I don't have a
: >router, so I couldn't answer the question. With any luck, a D-Link owner will
: >jump in.

: One solution could be to forward port 113 to either:
: a) A computer with a desktop firewall that "stealths" the port, or
: b) to a non-existing IP address on the LAN.

: I think the point that some of us are trying to make is that there's
: little point in chasing the pie in the sky. Jbob is correct; a "stealth"
: device will slow down port scanning, as the scanner will have to wait
: for a timeout rather than just getting a quick "we're closed" response
: and move on. It does not, however, make the target less visible as
: implied by the mo inker...


And thinking about it also. For the small user in which 'stealth' seems to be
important for some people it really does not add that much. The time cost will
be minimal.

Now, for larger enterprise level systems, the difference between rejection and
drop can be significant. If you simply drop the packet, your do not have to
construct the rejection packet and, when dealing in 100MB to 1GB, this does become
a useful reduction in the code path for new streams. From a security standpoint,
there is *no difference* in the information returned from a 'closed' port vs a
'stealthed' port. Anyone who is really interested knows that a machine does exist
on a particular IP and that port is not open for business even if the port is
stealthed.

The general recommendation for Checkpoint is to use drop in a rejection rule rather
than reject. It is faster. [Even faster is to not log the event]. The recommended
practice now for microsoft-ds and RPC as well as sql is to drop without logging
since there is so much of this traffic it will impact the performance of your enforcement
module.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jonasxy@web.de (Johnny) wrote:

> I have the D-Link DI-604 Router. Nice thing. But grc.com shieldsup
> tells me that Port 113 is blocked, blowing its otherwise full-stealth
> cover...:-(

As the others have told you, "Stealth" doesn't have anything to do with
security, it's only marketing hype (and I've just read one article
where somebody complained that the XP SP2 firewall doesn't block ARP-
requests...).

Port 113 isn't "stealthed" for a simple and good reason: Many servers,
especially FTP, IRC and SMTP-servers, send an IDENT-request to your PCs
port 113 when you try to connect to them. It's the equivalent of you
knocking at a door and them asking "Who's there?".

If you drop that request ("Stealth your machine"), that request gets
lost. So the server will wait for a reply until hitting a timeout, and
will only let you proceed once it has found out that you aren't willing
or able to reply (and normally, timeout can be between 30 seconds and 2
minutes...).

If port 113 is closed instead of "stealthed", your machine will
immediately reply with "Port 113? What's that supposed to do?", so the
server will immediately know that you don't use the IDENT protocoll and
act accordingly.

Juergen Nieveler
--
Never try to understand Einstein's Theory of Relativity.
Relativity is like an erection, the more you think about it, the harder
it gets.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On 27 Jul 2004 07:30:44 GMT, Juergen Nieveler
<juergen.nieveler.nospam@arcor.de> wrote:

>jonasxy@web.de (Johnny) wrote:
>
>> I have the D-Link DI-604 Router. Nice thing. But grc.com shieldsup
>> tells me that Port 113 is blocked, blowing its otherwise full-stealth
>> cover...:-(
>
>As the others have told you, "Stealth" doesn't have anything to do with
>security, it's only marketing hype (and I've just read one article
>where somebody complained that the XP SP2 firewall doesn't block ARP-
>requests...).

Its articles like that which makes one want to deploy an extra large clue
bat.


greg

--
Konnt ihr mich horen?
Konnt ihr mich sehen?
Konnt ihr mich fuhlen?
Ich versteh euch nicht

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

In article <C4udnQ8UlvUTCZjcRVn-pg@comcast.com>, Jbob wrote:
>While Wolfgang, Lars and Greg are technically correct I do believe that a
>Stealth setting appears to have some usefuleness.

The only usefulness I've ever seen is reducing the possibility of
operating system fingerprinting - it's hard to identify a system
that doesn't respond. It's still vulnerable to non-standard
packet attacks (oversize, mangled, etc.), security holes in the
operating system, and configuration blunders.

>Having a "Stealth" setting can slow down port scanners(the bad guys)
>looking for open ports to exploit.

Hate to tell you this, but NO port scanners send a packet and then
wait for the response any more - the better ones may send thousands of
probes IN PARALLEL limited only by the attacker's bandwidth and the
amount of RAM in his computer. Even the common worms run parallel attacks.

>I know these other guys who have much more technical saavy than I
>will balk at this but so be it.

Knowledge is often more useful than assumptions based on misinformation.

>"No one is here by that name"(a response from a system that does not
>exist or is off.

HUH??? Maybe you want to rephrase that. The "host unreachable"
response comes from the router upstream - not out of thin air.

See if you can follow this. (NOTE: IPs munged to protect the lusers.)
First, a trace to a working web server:

21 XXX.XXX.0.142 (XXX.XXX.0.142) 360.166 ms 319.288 ms 429.845 ms
22 yamaha.tpi.XXX (XXX.XXX.121.194) 329.807 ms 309.331 ms 309.864 ms
23 www.tpnet.XXX (XXX.XXX.121.237) 329.744 ms 329.413 ms 299.859 ms
[compton ~]$

The trace ends at the web site, without an error indication. Next,
a trace to a non-existent or dead host:

14 slkcic02.eli.XXX (XXX.XXX.52.53) 360.166 ms 319.288 ms 429.845 ms
15 XXX.XXX.218.10 (XXX.XXX.218.10) 402.974 ms 390.329 ms 440.299 ms
16 XXX.XXX.219.251 (XXX.XXX.219.251) 412.118 ms !h
[compton ~]$

The '!h' indicate that the listed host (some kind of router, maybe a
Cyclades) sent back an ICMP Type 3 Code 1 (Host Unreachable) error.
http://www.iana.org/assignments/icmp-parameters lists most of the other
types/codes, but see also RFC0792.

And the trace to a stealthed web server:

14 r-rm6-vl19.opb.interbusiness.XXX (XXX.XXX.5.14) 309.55 ms 351.245 mx
399.422 ms
15 XXX.XXX.81.42 (XXX.XXX.81.42) 300.842 ms 239.133 ms 239.409 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *

By using a different tool that users don't think about, I know that
host 16 is a Cisco 7000 series router, host 17 is a firewall of some
kind, and the web server is host 18.

Your headers suggest you are using windoze - probably XP, which
means you are using the b0rken version of "tracerout" (a very
crippled version of the original Unix "traceroute"). That only
uses a ping (ICMP echo) that many hosts drop, so if you try this,
you may see even stranger things. Broken tools = poor results.

>So you see that stealth is not really stealth at all.

You got it. "I'm standing right in front of you in plain sight, but
you can't see me because I'm keeping my mouth closed." Yeah, right.

>Go to the page on the routers web management pages for forwarding and
>forward TCP port 113 to an unused IP address.

That _may_ take care of TCP port 113 - but what about the _other_ 65533
valid TCP ports (and the 65534 valid UDP ports, and the other 133
protocols _besides_ TCP and UDP).

>Preferably one not in the DHCP range of the LAN side being used.

But make sure it's one the same network - you don't want the router
trying to send an ICMP Type 5 error.

>Be advised that a stealth response on port 113 could break your email
>though(as Greg suggested).

Among other things. This is in spite of the third paragraph of Section
6 of RFC1413.

Old guy

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Jbob wrote:

> While Wolfgang, Lars and Greg are technically correct

Once you've admitted that, you simply could have saved the time to type the
rest of your posting.

> I do believe [...]

Belief and technical correctness are something different.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On 26 Jul 2004 12:44:38 -0700, jonasxy@web.de (Johnny) wrote:

>
>wild blue yonder.???
wild blue yonder means into the sky. They mean to send to nowhere, or
to not respond to the request by sending it to a non existant machine

>one way up at the end of...???

"packets to a completely non-existent IPaddress,
one way up at the end of your router's internal address
range."

If you have three adrdresse
xxx.xxx.xxx.001
xxx.xxx.xxx.002
xxx.xxx.xxx.003

You sent it to the end of the address range
xxx.xxx.xxx.999

or, really, any nuber greater than 3

>Thank you very much

You are welcome.. I noticed no one actually answered your english
question