# stealth (ports)



## treezii (Jan 20, 2014)

What are "stealth" ports and what difference does it make in the router.
AT&T to be specific, I'm curious as to if this feature is pointless.  (I've disabled it thus far.)

I've searched various engines and the only advice I seem to get is from Gibson Research.

Very confusing as I use pf.   (Gibson failed me for unstealthy ports.)

Thanks,  (apologies in advance)


----------



## kpa (Jan 20, 2014)

*Re: stealth (port)*

Stealth port is a port that does not respond to anything sent to it, the outside world trying to probe it will not learn anything about it no matter what they try. It's debatable if stealthing ports actually increases security because if there's no service on the port listening for incoming connection you could just as well respond that the port is closed. Even if your incoming ports are all stealthed your machine is far from invisible in the net, every time it makes an outbound connection it will yell very loudly, "here I am at this IP address, come probe me".


----------



## treezii (Jan 24, 2014)

Thank you for the reply,
(Nothing against ((GRC)).


----------



## treezii (Jan 24, 2014)

Oh.  I forgot what about the  'stealthed ports' that are open.


----------



## SirDice (Jan 24, 2014)

That's not possible. If a port doesn't respond it's not 'open'. With TCP there are three scenarios:

 Client sends a SYN packet to a port, port responds with SYN/ACK. The port is "open".
 Client sends a SYN packet to a port, port responds with RST. The port is "closed".
 Client sends a SYN packet to a port, port doesn't respond. Client gets time-out. Port is "stealth" or "filtered".

When dealing with firewalls you really should be familiar with the way TCP/IP works. It helps immensely when trying to figure out how to firewall things and why a firewall would be blocking something.

So why do some people insist ports have to be stealth? Imagine the following setup:

```
( @ Internet )------[ Firewall ]-------[web server]
```
Suppose the firewall has all the ports "closed" except port 80, which is forwarded to the web server. Now, when an attacker sends a SYN packet to port 80 and 81, port 80 will respond with a SYN/ACK. Port 81 will respond with RST. Perfect you might think. Except the response from port 80 will have a different TTL than the port 81 response (port 80 is one hop further away). So by looking at the TTL of the responses I can deduce there's a firewall between the internet and the web server. However, if the firewall is "stealth" I do not get a response on any other port besides 80 I can come to the same conclusion. Because that's the only way I'm not getting any response.


----------



## kpa (Jan 24, 2014)

There are some "port knocking" systems that keep the ports stealthed until a correct sequence of probes is received. Such systems are of course not very standard and best avoided in general.

https://en.wikipedia.org/wiki/Port_knocking


----------

