Stealthing ports does not provide "invisibility" protection from hackers

[Guest]

[aweir14150]

because  a hacker would still know the computer was there because no Destination Unreachable message would be sent if the computer was connected to the internet.

I was hoping someone could elaborate on this and tell if it's true.

If someone port scanned a computer that did not exist, or if the IP address was not being allocated, the nearest router would send an ICMP 3 (destination unreachable). But if the address is being used, the packet makes it to the destination, but the firewall drops it and no Destination Unreachable is sent back. Therefore the hacker knows the IP address exists.

But the problem is that not all routers send destination unreachable ICMP resonses back, but it is a good idea to send the ICMP 3 because it prevents a computer from repeatedly attempting to connect to a non-existing computer.

So in essence if the closest router is supposed to send an ICMP 3 response, but none is returned, then stealthing ports would have no benefit to HIDING your presense because a hacker would know you existed. 

I could be completely wrong but this was the general idea that was posed by an "expert" on another forum...these are not my stements. He called most personal firewalls "firewall placebos" and "violating tools".

[pandlouk]

It has some true in it but is not completely correct.

1.the ICMP 3 response in this chase should be send from the ISP of the IP adress and not by the closest router.

2. There exist routers that have stealthing capabilities (mine has for example)

3. A hacker:
A) or should know your IP and that your pc exists there for attacking you and in this chase is true. Stealthing would not help at all.
B) or is trying to find existing IPs with a spybot ping utility. These applications scan multiple IPs at the same time. Do you think that he will try first to attack the stealthed IPs or the unstealthed IPs? I would certainly go first for the unstealthed.

[aweir14150]

But it's a paradox because if the ports appear closed, the hacker obviously knows you're there...and if they're steath, the hacker still knows you're there because he did not recieve an ICMP 3 response. 

[aweir14150]

Rather than create a whole new thread I was wondering if it was possible to make a router or software firewall send an ICMP 3 message instead of just dropping the packet, Would this  be benificial because instead of just dropping the packet, the firewall would send out a destination unreachable to fool the hacker into thinking the IP adress isn't in use?

I'm just brainstorming right now.

[panic]

Good idea, but how would you cater for someone running a server that needs to be contactable from the outside? In your scenario, no-one would ever be able to initiate an inbound connection.

Just playing Devils advocate. This is an interesting idea you've come up with - anti stealth. Please keep going with this train of thought.

Cheers,
Ewen :-)

[aweir14150]

Well of course it wouldn't work if you were running a web/mail server, that's why it should be an option within the firewall.  I would call it  "Cloak" (Send ICMP 3 Destination Unreachable)"

Possible problems:

some people say that stealthing ports creates more traffic on the web because of the repeated attempts to connect to unresponsive ports, but perhaps all those extra ICMP Destination Unreachables would create even MORE traffic.

Also if  a hacker already knows that you exist, the ICMP unreachables won't deter him becauser they would be comming from your computer, not your ISP.

And for the sake of network troubleshooting, the biggest problem, how would someone's ISP know if the ICMP unreachable was the result of a savvy firewall or a real connection problem? This could wreak havoc with the ISP because they would assume your IP address wasn't in use and try to give it to someone else 

I'm sure someone else has way more brains than me and could always come up with a better way. Which is why perhaps the firewall could determine if the port scan was coming from the IANA or your ISP's DNS servers and then just stealth it.

[panic]

Well of course it wouldn't work if you were running a web/mail server, that's why it should be an option within the firewall.  I would call it  "Cloak" (Send ICMP 3 Destination Unreachable)"

Possible problems:

some people say that stealthing ports creates more traffic on the web because of the repeated attempts to connect to unresponsive ports, but perhaps all those extra ICMP Destination Unreachables would create even MORE traffic.

Also if  a hacker already knows that you exist, the ICMP unreachables won't deter him becauser they would be comming from your destination computer, not the ISP.

And for the sake of network troubleshooting, the biggest problem, how would someone's ISP know if the ICMP unreachable was the result of a savvy firewall or a real connection problem? This could wreak havoc with the ISP because they would assume your IP address wasn't in use and try to give it to someone else 

I'm sure someone else has way more brains than me and could always come up with a better way.

The main problem with the concept of a firewall that sends ICMP 3 msgs back is precisely the one you have piointed out - DHCP leases not being renewed and your current IP being relet to someone else on the same subnet.

Also, P2P would fail, as would online gaming if someone was starting an online game on their local PC - BattleNet, COD etc.

Interesting thought though.

Cheers,
Ewen :-)

[Tags:]