Port 113 Stealthing and Belkin 4-port DSL router

Archived from groups: comp.security.firewalls (More info?)

Hi,

I just bought a Belkin 4-port DSL router for our network to share DSL to
several computers. I noticed that after installing it, connecting to
one of my web site's FTP servers (hosted remotely) causes a delay of 10
seconds, then connects and runs fine.

I figured out eventually that the FTP server is sending back an IDENT
packet on port 113, which is stealthed by the router (yeah), but the FTP
server waits (i.e. "times out") until it receives a response of some
sort, thus the delay (boo).

I tried the "workaround" posted in several newsgroups where you use the
router config screen to set up port 113 forwarding and forward it to a
non-existent IP on the internal network (like 192.168.1.254 or something
like that), but it doesn't work. The FTP delay still occurs. BUT, if I
set up port 113 to forward to MY pc's IP address, the FTP connection is
instantaneous. If I set it up this way, the grc.com port scan shows 113
as visible, but "closed".

So, does anyone know of any way I can configure this router to truly
"stealth" port 113 so it won't appear to the outside world at all, but
still respond to the FTP server so it won't wait for a timeout? I'm
guessing this is something Belkin would have to add support for in their
firmware.

Thanks,
-- Vinnie
 
Archived from groups: comp.security.firewalls

On Sat, 08 May 2004 16:41:17 GMT, Vinnie Murdico spoketh


>
>I tried the "workaround" posted in several newsgroups where you use the
>router config screen to set up port 113 forwarding and forward it to a
>non-existent IP on the internal network (like 192.168.1.254 or something
>like that), but it doesn't work. The FTP delay still occurs. BUT, if I
>set up port 113 to forward to MY pc's IP address, the FTP connection is
>instantaneous. If I set it up this way, the grc.com port scan shows 113
>as visible, but "closed".
>
>So, does anyone know of any way I can configure this router to truly
>"stealth" port 113 so it won't appear to the outside world at all, but
>still respond to the FTP server so it won't wait for a timeout? I'm
>guessing this is something Belkin would have to add support for in their
>firmware.
>

No, you cannot eat your cake and have it too. If you want "stealth",
then you'll have to live with the oddities that come with it. "Closed"
is just as secure as "stealth", so there's no security issue here...



Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Archived from groups: comp.security.firewalls

This worked for my BEFSR41 ver 3, firmware 1.05.00:

go to the linksys setup screen, for me http://192.168.1.1

applications & gaming

fill in the top line as follows;
application > leave blank
start > 113
end > 113
protocol > both
ip address blank > 99
enable > check the block

save the settings and close

when I went to www.grc.com, all ports were shown as stealth



On Sat, 08 May 2004 16:41:17 GMT, "Vinnie Murdico"
<invalid@invalid.com> wrote:

>Hi,
>
>I just bought a Belkin 4-port DSL router for our network to share DSL to
>several computers. I noticed that after installing it, connecting to
>one of my web site's FTP servers (hosted remotely) causes a delay of 10
>seconds, then connects and runs fine.
>
>I figured out eventually that the FTP server is sending back an IDENT
>packet on port 113, which is stealthed by the router (yeah), but the FTP
>server waits (i.e. "times out") until it receives a response of some
>sort, thus the delay (boo).
>
>I tried the "workaround" posted in several newsgroups where you use the
>router config screen to set up port 113 forwarding and forward it to a
>non-existent IP on the internal network (like 192.168.1.254 or something
>like that), but it doesn't work. The FTP delay still occurs. BUT, if I
>set up port 113 to forward to MY pc's IP address, the FTP connection is
>instantaneous. If I set it up this way, the grc.com port scan shows 113
>as visible, but "closed".
>
>So, does anyone know of any way I can configure this router to truly
>"stealth" port 113 so it won't appear to the outside world at all, but
>still respond to the FTP server so it won't wait for a timeout? I'm
>guessing this is something Belkin would have to add support for in their
>firmware.
>
>Thanks,
>-- Vinnie
>
 
Archived from groups: comp.security.firewalls

Sorry, I can't read. I was debating between a Belkin and Linksys
router, and forgot I bought a Linksys.


On Sat, 08 May 2004 16:41:17 GMT, "Vinnie Murdico"
<invalid@invalid.com> wrote:

>Hi,
>
>I just bought a Belkin 4-port DSL router for our network to share DSL to
>several computers. I noticed that after installing it, connecting to
>one of my web site's FTP servers (hosted remotely) causes a delay of 10
>seconds, then connects and runs fine.
>
>I figured out eventually that the FTP server is sending back an IDENT
>packet on port 113, which is stealthed by the router (yeah), but the FTP
>server waits (i.e. "times out") until it receives a response of some
>sort, thus the delay (boo).
>
>I tried the "workaround" posted in several newsgroups where you use the
>router config screen to set up port 113 forwarding and forward it to a
>non-existent IP on the internal network (like 192.168.1.254 or something
>like that), but it doesn't work. The FTP delay still occurs. BUT, if I
>set up port 113 to forward to MY pc's IP address, the FTP connection is
>instantaneous. If I set it up this way, the grc.com port scan shows 113
>as visible, but "closed".
>
>So, does anyone know of any way I can configure this router to truly
>"stealth" port 113 so it won't appear to the outside world at all, but
>still respond to the FTP server so it won't wait for a timeout? I'm
>guessing this is something Belkin would have to add support for in their
>firmware.
>
>Thanks,
>-- Vinnie
>
 
Archived from groups: comp.security.firewalls

Hi Vinnie -

On Sat, 08 May 2004 16:41:17 GMT, "Vinnie Murdico"
<invalid@invalid.com> wrote:

>So, does anyone know of any way I can configure this router to truly
>"stealth" port 113 so it won't appear to the outside world at all, but
>still respond to the FTP server so it won't wait for a timeout? I'm
>guessing this is something Belkin would have to add support for in their
>firmware.

I'm not familiar with Belkin routers, but can you configure rules such
that you could forward port 113 just for the IP addresses of the FTP
servers and not for other IP addresses?

If not, just forward it all, it's not that big of a deal.

--
Ken
http://www.ke9nr.net/
 
Archived from groups: comp.security.firewalls


"Vinnie Murdico" <invalid@invalid.com> writes:

>So, does anyone know of any way I can configure this router to truly
>"stealth" port 113 so it won't appear to the outside world at all, but
>still respond to the FTP server so it won't wait for a timeout? I'm
>guessing this is something Belkin would have to add support for in their
>firmware.

Those two requirements are mutually contradictory.

I guess, in principle, one could have the router send a RST for a
port 113 packet when there is an existing connection to the source IP
of that packet, and otherwise drop it. But I don't know of any
system that implements such a strategy.

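The strategy sketched above (answer port 113 with a reset only for a host we are already talking to, stay silent for everyone else) can be expressed on a Linux router with nftables. This is an added example, not code from the thread or from any Belkin or Linksys firmware; the table and set names are my own, and it assumes that LAN clients' FTP control connections (TCP/21) pass through the router's forward hook while the FTP server's IDENT query arrives at the router's own public address on its input hook.

```nft
# Added example: "closed to known FTP servers, stealth to everyone else" for ident (TCP/113).
# Names (ident_policy, ftp_peers) are hypothetical. A host that a LAN client has
# recently opened an FTP control connection to gets a TCP RST on port 113, so the
# FTP server's IDENT lookup fails at once instead of waiting for its timeout.
# Any other source, a port scanner included, gets no reply at all ("stealth").
table inet ident_policy {
    # FTP servers the LAN has talked to recently; entries expire on their own.
    set ftp_peers {
        type ipv4_addr
        flags dynamic, timeout
        timeout 2m
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # New outbound FTP control connection from the LAN: remember the server's IP.
        ct state new tcp dport 21 update @ftp_peers { ip daddr }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # IDENT query from a known FTP server: reply "closed" immediately.
        tcp dport 113 ip saddr @ftp_peers reject with tcp reset
        # IDENT query from anyone else: drop silently.
        tcp dport 113 drop
    }
}
```

Load it with `nft -f`, then open an FTP session from a LAN host: the login delay disappears, while a probe of port 113 from an address that has no FTP connection in progress still shows it as filtered. The rest of the router's input policy is out of scope here; only the port 113 rules are the point.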
 
Archived from groups: comp.security.firewalls

"Vinnie Murdico" <invalid@invalid.com> wrote in news:N48nc.97079$G_.24372@nwrddc02.gnilink.net:

> Hi,
>
> I just bought a Belkin 4-port DSL router for our network to share DSL to
> several computers. I noticed that after installing it, connecting to
> one of my web site's FTP servers (hosted remotely) causes a delay of 10
> seconds, then connects and runs fine.
>
> I figured out eventually that the FTP server is sending back an IDENT
> packet on port 113, which is stealthed by the router (yeah), but the FTP
> server waits (i.e. "times out") until it receives a response of some
> sort, thus the delay (boo).
>
> I tried the "workaround" posted in several newsgroups where you use the
> router config screen to set up port 113 forwarding and forward it to a
> non-existent IP on the internal network (like 192.168.1.254 or something
> like that), but it doesn't work. The FTP delay still occurs. BUT, if I
> set up port 113 to forward to MY pc's IP address, the FTP connection is
> instantaneous. If I set it up this way, the grc.com port scan shows 113
> as visible, but "closed".
>
> So, does anyone know of any way I can configure this router to truly
> "stealth" port 113 so it won't appear to the outside world at all, but
> still respond to the FTP server so it won't wait for a timeout? I'm
> guessing this is something Belkin would have to add support for in their
> firmware.
>
> Thanks,
> -- Vinnie
>
>

The port is *closed* be happy with it.

Duane :)
 
Archived from groups: comp.security.firewalls

Bob wrote:
> This worked for my BEFSR41 ver 3, firmware 1.05.00:
>
> go to the linksys setup screen, for me http://192.168.1.1
>
> applications & gaming
>
> fill in the top line as follows;
> application > leave blank
> start > 113
> end > 113
> protocol > both
> ip address blank > 99
> enable > check the block
>
> save the settings and close
>
> when I went to www.grc.com, all ports were shown as stealth

This is essentially the solution discussed on grc.com that I was
referring to in my original post -- that is, forwarding incoming traffic
on port 113 to a non-existent IP address within your LAN. The problem I
had with this solution wasn't about port 113 being stealthed, the
problem I was asking about was that this solution doesn't resolve the
FTP connection timeout while the FTP server waits for an IDENT response,
which the non-existent PC can't give.

So, my original post was really asking: Can I configure my router to
have the port truly stealthed to outside scans, and yet still have the
FTP server get its response so it can continue quickly. The answer, in
short, is that you can't have both. If the port doesn't appear to the
outside world, the FTP server can't very well get a response from it.
If you make the port visible (but closed), it makes my IP visible to any
port scans (although not necessarily at high risk because the port *is*
closed).

I actually gave up my Linksys router for a new Belkin because the
Linksys was experiencing a repetitive lockup problem that, as it turns
out, has recently been experienced by many Linksys router users as per a
discussion on the dslreports.com forum.
 
Archived from groups: comp.security.firewalls

>
> So, my original post was really asking: Can I configure my router to
> have the port truly stealthed to outside scans, and yet still have the
> FTP server get its response so it can continue quickly. The answer, in
> short, is that you can't have both. If the port doesn't appear to the
> outside world, the FTP server can't very well get a response from it.
> If you make the port visible (but closed), it makes my IP visible to any
> port scans (although not necessarily at high risk because the port *is*
> closed).

What IP are you talking about here? It's the modem that gets the public IP
issued by the ISP. The router doesn't get the IP nor does any machine
behind the router get the public IP.

So how can the public IP that is issued by the ISP and is assigned to the
modem that must be known for any Internet traffic to even reach your
network not be known? How can it not be scanned by anything that is doing
port scans?

If Port 113 is not being port forwarded to a valid private side IP/machine
behind the router which opens port 113 to the public Internet, then how is
port 113 an issue?

If the FTP server is expecting traffic on port 113, then it will instruct
the router to open port 113 to the solicited inbound traffic and
close/block port 113 to all unsolicited inbound traffic.

The router is sitting there blocking all unsolicited inbound traffic to the
router and the network on all ports that are not being port forwarded.

So what's the problem here?

I suggest you try some other scans.

Duane :)