ICMP "host unreachable" message
20 years 5 months ago #4395
by Death
ICMP "host unreachable" message was created by Death
Which software would give the ICMP "host unreachable" message to attackers (hackers)? What would port scans say if the host is unreachable?
I want to really and completely be stealth and make hackers believe I'm really offline or unreachable by all means whatsoever.
So does this software really exist or is there one close to this? (Like your average stealth firewall or stealth software or stealth proxy server)
I use a router.
Maybe an IP Filter Software that blocks PINGS and Traces to computer or something!
List all or most or some possible ones starting with the best.
I just want to be INVISIBLE.....Stealth.....FOR REAL.
www.hansenonline.net/Networking/stealth.html - Take a look at this.....
20 years 5 months ago #4396
by nske
Replied by nske on topic Re: ICMP "host unreachable" message
Hi Death,
Which software would give the ICMP "host unreachable" message to attackers (hackers)?
You can use any packet filtering software, like linux IPtables or openbsd PF set up to drop or reject the specific requests (i.e. all types of icmp requests from every remote host). Still icmp requests are but one basic method for network mapping/diagnosis. It won't really discourage a serious attacker, especially if he happens to target you specifically (you may just escape some mass scans).
What would port scans say if the host is unreachable?
That depends on the tricks the scanner uses (just check the man page of nmap and do some research for each method to see how inventive they can be to draw the wanted information!). It also depends on your packet filtering configuration, i.e. if you choose to DROP packets, your software silently drops the packet so some scanners might keep trying forever till they time out; if you choose to REJECT packets there is an immediate reply "destination port unreachable". The result is the same, the packet is blocked. Of course you can't block everything and you can improve your filtering script/rules forever to fit your configuration needs (I believe Chris has scheduled a decent paper on the subject, particularly iptables!). Thing is that you'll never be 100% stealthy.
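To make the DROP-versus-REJECT choice nske describes concrete, here is an added example (my own code, not from nske's reply or from any firewall project): a POSIX sh function that writes an iptables-restore ruleset for a single host that answers nothing it did not initiate. The first argument picks the treatment of unsolicited TCP/UDP, "drop" (silent, the scanner waits for its own timeout) or "reject" (immediate RST or ICMP port-unreachable); unsolicited ICMP is dropped either way. The log prefix, rate limit, chain layout and file path are choices made for this example, and loading the file (iptables-restore < FILE) is a separate root-only step the function does not perform.

```shell
#!/bin/sh
# Added example, not code from the thread: write an iptables-restore ruleset
# for a host that answers nothing it did not initiate. The first argument
# selects what happens to unsolicited TCP/UDP:
#   drop   - silent; the scanner waits for its own timeout (nmap reports "filtered")
#   reject - immediate TCP RST / ICMP port-unreachable (nmap reports "closed")
# Unsolicited ICMP (echo, timestamp, ...) is dropped in both modes.
# Loading the result is a separate root-only step:  iptables-restore < FILE
# Log prefix, rate limit and layout are choices made for this example.

build_ruleset() {
    mode="$1"   # drop | reject
    out="$2"    # file to write

    if [ -z "$out" ]; then
        echo "usage: build_ruleset drop|reject FILE" >&2
        return 2
    fi

    case "$mode" in
        drop)
            tcp_target="DROP"
            udp_target="DROP"
            ;;
        reject)
            # REJECT looks like a closed port: RST for TCP, ICMP port-unreachable for UDP
            tcp_target="REJECT --reject-with tcp-reset"
            udp_target="REJECT --reject-with icmp-port-unreachable"
            ;;
        *)
            echo "usage: build_ruleset drop|reject FILE" >&2
            return 2
            ;;
    esac

    # Unquoted EOF so $tcp_target / $udp_target expand into the rules.
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host started are always allowed.
# RELATED also admits ICMP errors about our own traffic (path MTU discovery keeps working).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are never answered.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# No answer to echo requests or any other unsolicited ICMP.
-A INPUT -p icmp -j DROP
# Rate-limited log of whatever reaches this point, so scans show up in the kernel log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "STEALTH-IN: "
# Everything else: silent or rejected, depending on mode.
-A INPUT -p tcp -j $tcp_target
-A INPUT -p udp -j $udp_target
COMMIT
EOF
}
```

The order matters: the ESTABLISHED,RELATED rule sits before the ICMP drop, so ICMP errors that belong to your own outbound connections still get in, while echo requests from outside are never answered. Neither mode makes the address vanish: a REJECT shows a host that actively refuses, and a DROP shows a host that swallows packets, which is exactly the "never 100% stealthy" point made above.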
20 years 5 months ago #4399
by sahirh
Replied by sahirh on topic Re: ICMP "host unreachable" message
Well if you return an ICMP host unreachable message, nothing will work.. since it implies that there is no way to get to the remote machine.. however you can't just run around generating these messages..
What you need to do to be 'totally invisible', is to install a personal firewall such as zonealarm or sygate. What they will do will make sure your system does not respond to any probes initiated from the outside... it will not reply to pings, traceroutes (well.. technically unless it's a packet forwarder that won't make much of a difference anyway).. etc etc.
This is the best way to stay totally invisible.
Your other option is to flood the scanner with confusing results.. you can whip up a quick script with nemesis that will send a SYN-ACK to any incoming SYN, regardless of what port.. this will make it look like you have every single port open.. something that is a total information overload.. however the first approach is better.
Bear in mind that there are ways to always identify whether a machine is alive or not.. for example, you can block pings, but if an attacker on your LAN uses ARP to ping you.. there is no way you can block that..
Still, knowing a system is alive doesn't necessarily make life any easier.. just install a personal firewall and you'll be fine.
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
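Both replies agree that a silent host is still a host, and the defender's consolation is that a filter which answers nothing can still record what hit it. As an added example (my own code, not from the thread or any project), here is a POSIX sh/awk function that summarises kernel LOG output per source address: how many echo requests arrived, and how many distinct TCP ports were SYN-probed or UDP ports touched. It assumes a LOG rule with `--log-prefix "STEALTH-IN: "`; the field names (SRC=, PROTO=, DPT=, TYPE=, SYN) are the kernel's standard LOG format. The sample log lines are constructed for this example and use documentation address ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise iptables LOG lines so the
# defender can see who probed a silent host, and how. Assumes a LOG rule with
# --log-prefix "STEALTH-IN: "; field names (SRC=, PROTO=, DPT=, TYPE=, SYN)
# are the kernel's standard LOG output.

write_sample_log() {
    # Constructed sample lines (documentation address ranges, not real hosts):
    # one host pings and SYN-probes three ports (one SYN retransmitted),
    # another pings and sends a single UDP datagram to port 53.
    cat > "$1" <<'EOF'
Jan 12 10:01:02 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=7001 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 10:01:03 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=7002 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:03 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=7003 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:03 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=7004 PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:05 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=7005 PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:02:10 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:44:55:66:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=310 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jan 12 10:02:11 host kernel: STEALTH-IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:44:55:66:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=311 PROTO=UDP SPT=40000 DPT=53 LEN=20
EOF
}

summarize_probes() {
    # Prints one line per source address, sorted:
    #   <src> echo_requests=<n> syn_ports=<distinct n> udp_ports=<distinct n>
    awk '
    /STEALTH-IN:/ {
        src = ""; proto = ""; dpt = ""; itype = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")        src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
            else if (kv[1] == "TYPE")  itype = kv[2]   # ICMP type; 8 = echo request
            else if ($i == "SYN")      syn = 1         # TCP flag word, no "=" in it
        }
        if (src == "") next
        srcs[src] = 1
        if (proto == "ICMP" && itype == "8") echoreq[src]++
        # Count each (source, port) pair once so retransmits do not inflate the scan size.
        if (proto == "TCP" && syn && dpt != "" && !((src, dpt) in tcpseen)) {
            tcpseen[src, dpt] = 1; synports[src]++
        }
        if (proto == "UDP" && dpt != "" && !((src, dpt) in udpseen)) {
            udpseen[src, dpt] = 1; udpports[src]++
        }
    }
    END {
        for (s in srcs)
            printf "%s echo_requests=%d syn_ports=%d udp_ports=%d\n",
                   s, echoreq[s] + 0, synports[s] + 0, udpports[s] + 0
    }' "$1" | sort
}
```

Run it against a real log with `summarize_probes /var/log/kern.log` (path assumed; it varies by distribution). One limit, the same one sahirh points out: ARP requests from a neighbour on the LAN are answered by the kernel before any IP filter sees them, so they neither get blocked nor appear in this log; only IP-level probes are visible here.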