Closed Ports Vs Stealth Ports, Drop Rules Vs Reject Rules - Which is better

Picture of LAN, WAN, and DMZ Network layout

So today, we are going to talk about a networking topic. If your a network administrator, or manage a network somewhere, this topic may be of interest to you. You, like myself, can probably relate to some of the frustrations I deal with when concerning this topic we are going to discuss. So lets get started:

Stealth vs Closed or Drop vs Reject 

You will hear many infosec people on the internet, and others talk about how "Stealth Ports" and not replying to ICMP messages is the only way to have network security, and if yours is not set up this way your insecure. This is absolute nonsense for many reasons. I have found the people who say these things simply don't understand how the TCP protocols work. 

The whole "Stealth" port phenomenon started back in the 1990's with Steve Gibson, and his GRC Security Now podcasts and Shields Up service.  To be clear, having Stealth Ports isn't exactly going to hurt, but it makes ZERO sense to have stealth ports on a web server, mail server, etc since everyone will know its online anyways with a simple port scan. 

The primary difference between Stealth and Closed is as follows:

Stealth - This means the router just silently drops traffic on closed ports with no error responses.

Reject/Closed - This setting means the router will return an RST telling the scanning system the port is closed, or an ICMP Destination Unreachable packet back to the sender saying its closed. 

In both cases the port is closed. However, when it comes to network applications, the difference is a program will hang for over 100 seconds with stealth ports while your users wonder why the application is frozen, to eventually give an error message. However, if your ports are closed the user will instantly get back an error messages of some sort instead of waiting 100 seconds for an error message.

Path MTU Discovery(PMTUD) - Using  stealth ports also breaks Path MTU Discovery in IPv4 networks which slows network traffic considerably when it comes to fragmented packets. There are still many networks on the internet today that do NOT support the 1500 MTU ethernet standard. There are valid reasons for this. You should only accept the packet sizes you need for your network application and nothing more. So if you only need a 1400 packet size, allowing the server to accept larger packets is a security risk, instead the firewall in front of it would drop it and send back a message to the sending machine telling it to send a smaller packet, this is how PMTUD is supposed to work. If your stealth, then your forced to fall back on UDP and it will keep sending packets smaller, and smaller, till it works and its much much slower than PMTUD. Ever visit a web site and its always slow and the browser loads for a long time before it finally renders? This is because someone is blocking PMTUD. If PMTUD was was allowed to work like its supposed to, you wouldn't have these long delays.

ICMP Types - This goes hand in hand with Closed vs Stealth. ICMP Echo Request, Echo Reply, Destination Host Unreachable, and Time Exceeded should always be allowed. These allow your network to properly function, and allow Path MTU Discovery to work correctly. 

Stealth offers a false sense of security. For example, If someone ports scans your system, if your system is stealth it silently drops the packets. However, a lack of a response IS A RESPONSE! If there was truly no system online at the address that was scanned, then the upstream router would have responded with an ICMP Destination Host Unreachable Message since the machine in question would not be listed as an active connection in the routers IP Address Table. So the scanner knows a system is online at that address, and programs like NMAP are more than capable of scanning stealth systems.

We had some long discussions about this in the DSLR Reports Forums back in the day which can be found here, and here respectively. The majority of port scans today are automated, with closed ports they quickly scan my system get told to buzz off, and move on. However, with a stealth system you just get hammered with packets until its satisfied. To add further, many people with Stealth Ports were knocked off line for days because of the Code Red and Blaster Worms hammering peoples systems because standard closed port responses were not received. 

Responding to Pings does not make you any less secure than someone who don't. The ping of death vulnerabilities from back in the 90's were patched long ago. Furthermore, any edge router device worth its salt supports rate limiting which allows you to rate limit how many ping requests you will respond to per second. As for DDOS, ping is the least of your worries. Stealth systems can be knocked offline with these attacks too. Disabling ping does very little, more robust solutions like packet scrubbing services from large CDN like Akamai, Cloud Flare type service protection, or simply buying so much bandwidth or IP Address Spaces that most attackers would not be able to overwhelm is a much better solution than breaking RFC network functionality that is not a security risk if used properly. Google is pingable, are they not secure? ICMP is an important tool to allow network administrators to do their jobs, some ICMP codes were depreciated, and shouldn't be used, but others are useful for propert efficent network operation. 
Disclaimer: I am not responsible for anything that may happen to your PC when changing settings or changing registry values. If you choose to make changes, you do so at your own risk.. You are solely responsible for any damage to your computer , data, or other hardware due to user error, inadequate cooling, too high of voltages, incorrect software settings, and any other factors. Please remember to back up your computer before attempting this. If overclocking, Do not Overclock on the stock AMD or Intel CPU Heatsink and fans. Use Aftermarket cooling heat sinks of sufficient TDP or water cooling to ensure best chance of not having premature hardware failure. As always, remember to backup your data before attempting any change. I am not responsible for data loss or damage of any kind.  

Leave a Reply

Total Pageviews