[Wolves] Ok now i'm slightly worried.

Simon Morris mozrat at gmail.com
Fri Sep 23 16:08:22 BST 2005


On 23/09/05, chris procter <chris-procter at talk21.com> wrote:
> > >
> > > Secure
> > > 443 (HTTPS)
> > > This port is completely invisible to the outside
> > > world.
> > >
> >
> > ??? I don't have a definite explanation for this
> > message they are giving you
>
> Some firewalls can be configured so that rather than
> telling you the port is blocked they just drop the
> packets silently. Knowing a port is blocked can tell
> you that it's a valid IP address and you can reach it
> on the network so it may be worth attempting other
> attacks, if you don't get a message back it could be
> because there's nothing there, hence an invisible port.
>

OK - so doing some research with tcpdump :)

How does it know a port is blocked rather than simply not open?

This is a connection attempt to a port that isn't open

16:56:47.229776 IP localhost.localdomain.33274 >
localhost.localdomain.12345: S 2897767433:2897767433(0) win 32767 <mss
16396,sackOK,timestamp 16393760 0,nop,wscale 2>

16:56:47.229805 IP localhost.localdomain.12345 >
localhost.localdomain.33274: R 0:0(0) ack 2897767434 win 0

So SYN answered with RST for non-existent ports

This is a connection attempt to a blocked port (blocked with IPCop)

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:02:36.626902 IP 192.168.1.83.33280 > penguin.telnet: S
3262581874:3262581874(0) win 5840 <mss 1460,sackOK,timestamp 16743209
0,nop,wscale 2>
17:02:39.624555 IP 192.168.1.83.33280 > penguin.telnet: S
3262581874:3262581874(0) win 5840 <mss 1460,sackOK,timestamp 16746209
0,nop,wscale 2>
17:02:45.623640 IP 192.168.1.83.33280 > penguin.telnet: S
3262581874:3262581874(0) win 5840 <mss 1460,sackOK,timestamp 16752209
0,nop,wscale 2>


So SYN followed by nothing.. my earlier explanation was way off :(

I'm sure some firewalls actively reject connections rather than drop them though

~sm
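
Added example, not part of the original message: a small Python classifier that reads old-style tcpdump text like the two captures above and labels each connection attempt as closed (RST came back), dropped (SYN retransmitted with no reply) or open (SYN-ACK). The sample input is constructed from the packets quoted in the message, re-joined onto single lines; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the packets from the two captures above, each re-joined
# onto one line (the mail client wrapped them).
CAPTURE = """\
16:56:47.229776 IP localhost.localdomain.33274 > localhost.localdomain.12345: S 2897767433:2897767433(0) win 32767 <mss 16396,sackOK,timestamp 16393760 0,nop,wscale 2>
16:56:47.229805 IP localhost.localdomain.12345 > localhost.localdomain.33274: R 0:0(0) ack 2897767434 win 0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:02:36.626902 IP 192.168.1.83.33280 > penguin.telnet: S 3262581874:3262581874(0) win 5840 <mss 1460,sackOK,timestamp 16743209 0,nop,wscale 2>
17:02:39.624555 IP 192.168.1.83.33280 > penguin.telnet: S 3262581874:3262581874(0) win 5840 <mss 1460,sackOK,timestamp 16746209 0,nop,wscale 2>
17:02:45.623640 IP 192.168.1.83.33280 > penguin.telnet: S 3262581874:3262581874(0) win 5840 <mss 1460,sackOK,timestamp 16752209 0,nop,wscale 2>
"""

# Old-style tcpdump line: "<time> IP <src> > <dst>: <flags> ..."
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (\S+) ")

def classify(capture):
    """Return {(client, server): (verdict, syn_count)} for each attempted connection."""
    syns = defaultdict(int)  # (client, server) -> bare SYNs sent, retransmits included
    reply = {}               # (client, server) -> flags of the first packet sent back
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue         # e.g. the "listening on eth0" banner
        src, dst, flags = m.groups()
        if flags == "S" and " ack " not in line:
            syns[(src, dst)] += 1
        elif (dst, src) in syns:
            reply.setdefault((dst, src), flags)
    result = {}
    for flow, count in syns.items():
        flags = reply.get(flow)
        if flags is None:
            verdict = "dropped"  # SYN retransmitted, nothing ever came back
        elif "R" in flags:
            verdict = "closed"   # RST came back: the address is live and reachable
        elif "S" in flags:
            verdict = "open"     # SYN-ACK
        else:
            verdict = "unknown"
        result[flow] = (verdict, count)
    return result

if __name__ == "__main__":
    for (client, server), (verdict, count) in classify(CAPTURE).items():
        print(f"{client} -> {server}: {verdict} after {count} SYN(s)")
```

A firewall that rejects with a TCP reset would be labelled closed here, since the trace alone cannot tell that apart from a port with nothing listening.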


