ICMP "host unreachable" message

20 years 5 months ago #4395 by Death
Which software would give the ICMP "host unreachable" message to attackers (hackers)? What would port scans say if the host is unreachable?

I want to really and completely be stealth and make hackers believe I'm really offline or unreachable by all means whatsoever.

So does this software really exist or is there one close to this? (Like your average stealth firewall or stealth software or stealth proxy server)

I use a router.

Maybe an IP filter software that blocks pings and traces to the computer or something!

List all or most or some possible ones starting with the best.

I just want to be INVISIBLE.....Stealth.....FOR REAL.

www.hansenonline.net/Networking/stealth.html - Take a look at this.....
20 years 5 months ago #4396 by nske
Hi Death,

Which software would give the ICMP "host unreachable" message to attackers (hackers)?

You can use any packet filtering software, like Linux iptables or OpenBSD PF, set up to drop or reject the specific requests (i.e. all types of ICMP requests from every remote host). Still, ICMP requests are but one basic method for network mapping/diagnosis. It won't really discourage a serious attacker, especially if he happens to target you specifically (you may just escape some mass scans).

What would port scans say if the host is unreachable?

That depends on the tricks the scanner uses (just check the man page of nmap and do some research for each method to see how inventive they can be to draw the wanted information!). It also depends on your packet filtering configuration, i.e. if you choose to DROP packets, your software silently drops the packet, so some scanners might keep trying forever till they time out; if you choose to REJECT packets there is an immediate reply "destination port unreachable". The result is the same: the packet is blocked. Of course you can't block everything, and you can improve your filtering script/rules forever to fit your configuration needs (I believe Chris has scheduled a decent paper on the subject, particularly iptables!). The thing is that you'll never be 100% stealthy.
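As an added illustration of the DROP-versus-REJECT choice nske describes (this is example code written for this page, not a script from the thread or from Firewall.cx), here are the two iptables rulesets side by side. It assumes a Linux host with iptables and the conntrack match; the interface name "eth0" is a placeholder. Without arguments it only prints the commands (dry run); "apply-drop" or "apply-reject" executes them, which needs root.

```shell
#!/bin/sh
# Added example, not from the original thread: the same inbound policy
# implemented once with DROP (silent) and once with REJECT (explicit reply).
# Assumptions: Linux, iptables with the conntrack match; WAN_IF is a
# placeholder interface name. Dry run by default; "apply-*" runs iptables.

WAN_IF="${WAN_IF:-eth0}"   # placeholder, set to your Internet-facing interface
MODE="dryrun"

# Print a rule (dry run) or hand it to iptables (apply mode).
rule() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Shared baseline: default-deny inbound, keep loopback and replies to our
# own outbound connections working.
baseline() {
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Variant 1: silent DROP. The scanner gets no answer at all, so each probe
# waits for its timeout; nmap reports such ports as "filtered" and the scan
# is slow, but the host still shows up as alive if any reply ever leaks.
ruleset_drop() {
    baseline
    rule -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    rule -A INPUT -i "$WAN_IF" -p tcp --syn -j DROP
    rule -A INPUT -i "$WAN_IF" -p udp -j DROP
}

# Variant 2: REJECT. The kernel answers at once (TCP RST for TCP, ICMP
# "destination port unreachable" for UDP), so the scan finishes quickly and
# nmap reports the ports as "closed". Nothing gets through in either case;
# the only difference is what the remote side learns and how long it waits.
ruleset_reject() {
    baseline
    rule -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    rule -A INPUT -i "$WAN_IF" -p tcp --syn -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$WAN_IF" -p udp -j REJECT --reject-with icmp-port-unreachable
}

case "${1:-}" in
    drop)         ruleset_drop ;;
    reject)       ruleset_reject ;;
    apply-drop)   MODE=apply; ruleset_drop ;;
    apply-reject) MODE=apply; ruleset_reject ;;
    "")           echo "# DROP variant";   ruleset_drop
                  echo "# REJECT variant"; ruleset_reject ;;
    *)            echo "usage: $0 [drop|reject|apply-drop|apply-reject]" >&2; exit 2 ;;
esac
```

The usual trade-off when picking between the two: DROP costs a remote scanner time and tells it less, but it also costs legitimate peers time when they hit a blocked port; REJECT is friendlier to misconfigured clients on your own network. Neither hides the host from an attacker who can already observe replies to other traffic, which is the point nske makes above.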
20 years 5 months ago #4399 by sahirh
Well if you return an ICMP host unreachable message, nothing will work.. since it implies that there is no way to get to the remote machine.. however you can't just run around generating these messages..

What you need to do to be 'totally invisible' is to install a personal firewall such as ZoneAlarm or Sygate. What they will do is make sure your system does not respond to any probes initiated from the outside... it will not reply to pings, traceroutes (well.. technically unless it's a packet forwarder that won't make much of a difference anyway).. etc etc.

This is the best way to stay totally invisible.

Your other option is to flood the scanner with confusing results.. you can whip up a quick script with nemesis that will send a SYN-ACK to any incoming SYN, regardless of what port.. this will make it look like you have every single port open.. something that is a total information overload.. however the first approach is better.

Bear in mind that there are ways to always identify whether a machine is alive or not.. for example, you can block pings, but if an attacker on your LAN uses ARP to ping you.. there is no way you can block that..

Still, knowing a system is alive doesn't necessarily make life any easier.. just install a personal firewall and you'll be fine.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com