pcAnywhere  Posted: 2021-04-03  Views: ()
Transcript of Episode #43

Open Ports

Description: This week Leo and Steve cover the broad subject of "open ports" on Internet-connected machines. They define ports, and what it means for them to be open, closed, and stealth. They discuss what opens them, what it means to have ports "open" from both a functional and security standpoint, how open ports can be detected, whether stealth ports are really more secure than closed ports, and differences between TCP and UDP port detection.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-043.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-043-lq.mp3

Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 43 for June 8, 2006: Ports. Security Now! is brought to you by Astaro, makers of the Astaro Security Gateway, on the web at www.astaro.com. Steve Gibson is ready to talk about your ports.
Steve Gibson: I'm so excited.

Leo: You really, I mean, I think probably for many people the first kind of introduction to the concept of ports came from ShieldsUP! and Steve Gibson.

Steve: Well, and as far as I know I coined the term "stealth." That was one that I sort of, you know, in the whole ShieldsUP! Star Trek theme thing, I thought, okay, what are we going to call a TCP port which is neither open nor closed? And I thought, oh, stealth, like, you know, the cloaking field and all that stuff from Star Trek.

Leo: And of course, as usual, all of this stuff really was the bailiwick of business and enterprise computing, networking and all that stuff. But as more and more people have multiple computers in their home, suddenly we're all becoming networking experts, and the topic of ports becomes very important. Now, it's a little bit of a confusion because we've always had ports with PCs, but they used to be serial ports and printer ports. And that's not the kind of ports we're talking about.

Steve: You're right. And in fact you mentioned enterprise. And I remember the day, or the era, rather, where – and this was just – it demonstrates such an evolution in what's going on on the Internet, where it used to be, in the early days of the Internet, when there was some mischief going on, then the IT guys would block a certain port that this mischief was coming into the network on. In other words, there was sort of this presumption of everything being benign, but the exceptions were things being bad. So in terms of, like, a firewall methodology, and the way people were thinking, you had a default "allow traffic in," and then your exceptions were denying traffic.

Leo: Boy, that's changed.

Steve: And, I mean, oh my God, talk about getting fired quickly. If you were an IT guy these days who did that, you know, it'd be like, what are you thinking? Because of course today the world is completely inverted, where by default you deny everything, and you only allow traffic into your border that you know you want because, you know, the Internet's just crawling with junk. For example, we've got this legacy of Windows worms still crawling around the 'Net, probing old vulnerabilities that have long since been removed. But, you know, they're still out there trying to infect machines. And as we know, if you did stick a – if you took a computer you had just installed XP on, before doing any Windows update, before installing any service packs, that Windows XP that we were told was going to be the most secure operating system Microsoft ever created, you put one of those on the Internet and start your stopwatch to see how long it takes to just be just taken over by the junk that's crawling around the 'Net. I mean, it's...

Leo: Sasser and MSBlast and all those.

Steve: Oh, yeah. I mean, it's like a matter of minutes, and stuff is crawling in your machine.

Leo: I liken it almost to herpes or – it's an infection that's endemic. It's everywhere on the 'Net and will continue to be there. Nobody's sending it out anymore, it's just there are infected machines who continue to do it and...

Steve: Yup.

Leo: ...probably won't go away until Windows goes away.

Steve: I think we will probably never get rid of those things. You're right, they're old, unmanaged computers that are just sitting on the 'Net in Lord knows where, I mean...

Leo: Right, in corners.

Steve: ...in strange places, like long forgotten, and they've got this junk in them now. And, you know, the whole point of a worm is that it's self-replicating. So once it crawled into this machine and set up shop, it then began scanning for others. And, I mean, they're just always going to be there.
Leo: And what they're scanning for is, in fact, open ports. Maybe we should define what a port is. And I think the terminology's not great. I think a word like "channel" might be better.

Steve: Well, "channel" would be a great term because, I mean, as we've talked about the issue of ports in general, what I wanted to do this week is really just focus on this issue of open ports because a lot of people are concerned about them. We get questions all the time, like I have to have this port open, is that a problem? How do I close this port? What does it mean to have a port open? So, yeah, I really wanted to just focus on this issue of open ports and sort of really cover that well to resolve a lot of these questions. But you're completely right. As we talked about when we were talking about the basic protocols of the Internet – ICMP, UDP, and TCP – we glanced on this before, the idea that, unfortunately, a port, people associate that with a physical thing, you know, like a serial port, a parallel port, a USB port, a Firewire port or whatever. But in fact a port is nothing but a 16-bit number which is carried along at the front in the header of Internet packets which sort of specifies, exactly as you said, Leo, which channel or many channels of 65,535 possible channels this packet is aimed at.

Leo: So there's no physicality to this kind of port. It's not – there's no, like, electronic – 65,000-channel electronic switcher or changer or anything like that. I mean, there's no physical thing.

Steve: Right. Well, the physical manifestation, of course, would be your Ethernet port. And there again we've got that collision of naming. So, you know, your Ethernet connection is the way that this Ethernet traffic, of course, travels into and out of your machine. And it's often doing so through these so-called "open ports."

Leo: But it's not like a part of the cable is port 1024. I mean, it's all coming through the same electrical signal.

Steve: Exactly. Exactly.

Leo: And I guess it helps if you understand that all of the data is sent in little discrete chunks called packets; and that each packet has, as you mentioned, a header. And inside this header is information about where that packet's going, where it came from, and what port, what channel, its surfing number.

Steve: Well, yes. And that, of course, was the great breakthrough of the Internet, was instead of having a switched circuit system where actual physical circuits were being switched, we stepped back from it, and we have a switched packet system, where packet switching is the way machines talk to each other across a network of fixed circuits.

Leo: So the line's always open, and data's always going, but it's routed according to the packeting. Is that Bob Metcalfe's invention? I know he invented Ethernet. Was that kind of the part of that invention, or did that predate that?

Steve: No, that actually predates the actual – the Ethernet is just one of a number of electrical technologies that can be used to carry packets. But, for example, Token Ring was IBM's network.

Leo: And they used packets, too.

Steve: Exactly. So you can...

Leo: I think Vint Cerf might have, I mean, certainly he gets credit for IP. I wonder if – well, maybe not, though.

Steve: Yeah. Well, it was all done, you know...

Leo: A long time ago.

Steve: ...at the beginning of the 'Net, when it was all being put together.

Leo: The beginning of time. I guess Paul Baran is the guy who invented packet switching, or one of the guys who invented packet switching.
Steve: So fundamentally we have sort of like the core for a machine which is on the Internet is the operating system. But the operating system doesn't itself natively have any ports. That is, it supports the protocol and the ability for the OS to communicate by providing services, you know, like the so-called TCP/IP stack and IP services. The operating system will support IP addresses which allow it to accept these packets. But something then after the operating system, something running in the operating system is the actual entity which creates and opens these ports. Now, for example, in the case of Windows, it may not be a separate application. It might be a service, which really is part of the operating system, but it's a separable part. I mean, for example, you can stop the service or remove the service in order to close the ports that that service opened. And then the next level of distance from the operating system are actual applications which are running in the operating system, like you and I are using Skype right now. It's running as a program on top of the operating system, using the operating system's lower level networking facilities to allow it to communicate out on the Internet so that our two Skype clients are able to connect to each other.

Leo: And Skype is kind of independent of what port you're using. In fact, you can in Skype say, no, use this port or use that port. It works exactly the same. It's not tied to the port.

Steve: It doesn't care, exactly. So there are – also as we talked about before there are sort of what's called "well-known port numbers," where, for example, DNS, the domain name system that allows web names to be looked up and matched to their IP addresses, by agreement it uses port 53. And so the DNS server is listening for packets coming into port 53 of any computer that it's running on. And your own clients are sending their data out of port 53, bound for whatever DNS service they've been configured to operate with. And of course we know the web uses port 80, and 443 for SSL-secure connections, and on and on. So there's a large array of well-known ports, the idea being that systems will by default have services running in them, listening for incoming traffic on those ports. So if we remember what we were talking about when we were talking about TCP before, the Transmission Control Protocol, the idea is that the operating system is doing the work for the application of establishing and sort of getting the connection going. And this is where this notion really of an open port comes from because, when a connection wants to be established with a machine, a SYN – which is short for "synchronize" – packet is sent to that IP address that the computer is listening on. If it's a TCP port which is open, which is to say there's something that has said "I want to accept connections that are coming into this port," or as we've said, really sort of a virtual port, more like a channel, then the operating system will send back what's called a SYN/ACK, its own SYN and an acknowledge of the receipt of that incoming SYN. Well, that's sort of this whole key of what makes the port be open is that anybody, literally on the planet, can send one of these SYN packets at someone's machine. And if it responds with a SYN/ACK, then we know that something is there at that IP address, even if it's across the planet, which is ready to accept a connection and have some sort of transaction with us.

Leo: So cool. Every time you describe these things I just am impressed with how they thought this stuff up.

Steve: Well, and that has survived the test of time, I mean, so well. And so that's really what it was that got me thinking about ShieldsUP!. Back then – and we're talking years ago – I was setting up an ISDN connection for my computer.

Leo: There you go. That'll tell you how long it was.

Steve: Exactly.

Leo: Pre-DSL, pre-cable modem, you know, ISDN.

Steve: Exactly. It was an ISDN connection. And I was aware of this whole issue of ports and security. And so I got one of the – I just downloaded one of the free online scanners that were available on the Internet, and still are. And I just – I was curious, like, what was going on in the neighborhood of the IP address that we'd been assigned. So I just set the scanner up to, like, scan, I don't know, you know, the hundred IPs plus or minus where the IP that we'd been assigned was. And there were all these computers that had – and in fact this particular scanner was scanning for Windows file sharing. And, I mean, literally the names of machines and the C and D drives, wide open, exposed on the Internet.

Leo: That must have been a shock. Wow.

Steve: Well, yeah. And it was enough of a shock that it was – I thought, you know, nobody knows about this. This needs to receive attention because people were putting their Windows machines, hooking them directly to the Internet – this was before personal firewalls, before NAT routers – just literally plugging them into the Internet. And by default, Windows machines all had this file sharing port open. Meaning that, even if the user hadn't shared any files, they still – Windows had all these services that were running in the machine by default, accepting incoming connections from anyone on the planet. And so it was finally, I mean, it was that, the recognition that this really needed attention, that caused me to just say, okay, I'm going to do this thing that's going to make it very easy for people to check their systems to see if they're in this kind of danger. So, you know, the very first version of ShieldsUP! primarily checked for Windows file sharing. And then I expanded it in several follow-on generations to do – like, for example, now it does a full 1056 port scan to check from ports actually even including 0, which is not a legal port, but it turns out there are some vulnerabilities in routers that will accept traffic on port 0...

Leo: Oh, wow, interesting.

Steve: ...all the way up through 1056, in order to look at even the low client ports under Windows. But anyway, the idea was that – or is of TCP – that software running in the system will instruct the operating system to open a port. What that means, then, is that that port will affirmatively respond to incoming traffic. Well, now, an open port responds affirmatively. But it turns out that even a closed port, that is, a port for which there is no listening software associated with it, there is no program that has told the operating system, I want you to accept on my behalf traffic coming in and do the low-level housekeeping work for me of setting up a connection. In that case, a packet coming in and hitting a standard TCP/IP stack will generate an affirmative denial of a connection attempt. Normally it'll get back a reset, or sometimes an ICMP message saying there is no service available on this port at this IP. So although you haven't confirmed that you've found something potentially vulnerable, for example, a service that you may be able to exploit by virtue of the fact that it's going to accept a connection from you, and you're able to mess with it, what you have confirmed is there's a computer of some sort listening for incoming traffic on that IP. So those ports are considered to be closed, but they're still known to exist. And of course then the next stage of this is a so-called "stealth port," where incoming traffic hits the machine. If the port is not open and would normally respond in some affirmative fashion, saying no traffic is being accepted on that port, instead the machine is completely mute. It just says nothing. So, and that's, of course, exactly the response that you generally get for a dead connection, where there's just nothing on the IP at all.
Leo: And that's your so-called "stealth mode."

Steve: Which of course has now become, like, the way to be on the Internet. It's interesting, I mean, there are people who argue that stealth is bogus.

Leo: What? Really?

Steve: Oh, yeah. You know, it's the old UNIX guys. And they also dislike the idea that stealthing a machine technically breaks the IP or the TCP...

Leo: Oh, I get it. It's out of spec.

Steve: It's out of spec, exactly, because...

Leo: Well, that's a purist point of view. But frankly, if you think about it, if bad guys come a-knocking, what's the best response? We don't have any money in here, or nothing?

Steve: Yes, or, exactly, there is no "in here."

Leo: There is no "in here." Nothing exists at this address. Move on.

Steve: Right.

Leo: So, I mean, you can be a purist about it, but frankly I think it's pretty obvious what the best choice is.

Steve: Well, yes. And the fact is, since it costs nothing to be stealth, why not be stealth? I mean, since it costs nothing to be invisible, it seems to me it's better, exactly as you said, to be completely invisible on the 'Net than to say, I'm here, but all the ports you've checked so far are closed.
Leo: Now, it does come up from time to time that, well, this happened with the ident port, where a router manufacturer decided it wasn't a good idea to stealth that port because some services were still using it, and an invisible port wouldn't be an appropriate response.

Steve: Well, it's a very good point. The example you cite, the ident port, what happens is, when a user is trying to connect to a server – and this is generally, I mean, just ancient servers. I mean, there are some IRC servers, some really old web servers, sometimes some FTP servers. Part of the connection protocol is when a request comes into the server, it sends back an ident packet to the ident port at that user's IP, because in the old days people would have these things called ident servers where they would list a whole bunch of information about themselves. I mean, who's going to do that today? I mean, nobody, because basically you're sort of saying, here, here's everything you want to know about me.

Leo: Come on in.

Steve: Exactly.

Leo: Yeah, yeah.

Steve: So it had been forever since anyone actually ran an ident service. But what the server that makes the query wants is at least to get an affirm...

Leo: An acknowledgement.

Steve: Yes, some sort of affirmative statement that, yes, there's a machine here, but nobody's home. So what normally happens is the ident uses TCP protocol. So the server will send a SYN packet, trying to establish a connection in the reverse direction, back to the client. Well, as we know, TCP is very patient about getting a connection established. It'll send a SYN packet. If it doesn't hear anything else, it'll send another one. Then it waits twice as long and sends another one. Then it waits twice as long again and sends another one. Some machines will send up to five packets, and you can end up waiting a minute before the thing finally decides, okay, there's nobody here. The problem is that all of that suspends your main connection to the server, that is, the server, everything just stops on the server while it's trying to establish this painfully slow process of getting a TCP connection. If the far end did say no, I have no ident service, by sending back an ICMP or by sending a TCP reset packet, then at least the server would know, oh, okay, no service, but there's somebody here. And it would typically just then – it doesn't really care about the ident, it's just old technology that is still in some servers on the Internet.

Leo: So what is the harm in doing that, then? I mean, now I'm going to play devil's advocate and say, well, in that case, why do we bother stealthing that port?

Steve: It's just that, well, actually I think probably GRC is at fault. I mean...

Leo: It's your fault.

Steve: I'm not kidding. I mean, I was showing everybody that their ident port was not stealthed, and stealth became a cool thing to do, and people began asking their router manufacturers and their personal firewall manufacturers, "Hey, Gibson says my ident port is not stealth. I want to be stealth." And so just really due to popular demand the router manufacturers said, okay, fine, we'll stealth the port. Well, the problem then is that some connections will stall when you are going out through a router or out through a personal firewall which stealths the ident port. So then the next generation of this came along, and that was adaptive stealthing, or adaptive ident stealthing, where the router would be smart, and it would stealth the ident port from any source IP, that is, the remote server trying to open an ident connection back to you. It would stealth it unless it saw that you had an outgoing connection to that IP. Which is a perfect solution.

Leo: There you go.

Steve: So if you've established a connection, and it asks back, well, you got an ident server, you can respond to that. Then you say no, I don't. But at least the far end server is happy that you exist. You acknowledge that immediately, and then you get on with your main connection establishment.

Leo: Ah. But here's the thing. Would you mark that as a stealthed port?

Steve: Yes, in fact, I do it on purpose. ShieldsUP!, it checks the user's machine from an IP different than they are connecting to us from.

Leo: To avoid this thing.

Steve: Exactly. So I do it on purpose in order to give them credit for and to show that their router is stealthing ident for random sources of IP addresses out on the Internet, not the ones that they're actually trying to connect to. So it ends up being a very useful thing. Now...
Leo: We should just mention that the reason that you want it to be stealth is any indicator, even on a completely safe port like the ident port, any indicator that you exist could be a message to a hacker, well, at least there's something here you might want to keep investigating.

Steve: Well, here's a perfect example, Leo, and that is denial-of-service attacks. If you piss off somebody on the Internet who's got control of even a small botnet, and they decide they're just going to DDoS you into oblivion, well, they'll blast you for a while, and then typically stop the attack so that they can see if you're still there. Well, you know, you'd very much like them not to be able to tell that you're still there.

Leo: Yes, yeah.

Steve: Only if you're stealth can you pull that off. If they're able to ping you or to bounce packets off you or try to open a connection and get back an affirmative closed state from you, then they'll know you're still there.

Leo: And it's fairly trivial to actually test each and every of the 65,000 ports. I mean, computers are fast. So even if there's but one open, or not even open, closed but not stealth, they'll know you're there.

Steve: Well, yeah. And in fact, if you're running a system that is not stealthing you, every port will at least say either it's open or it's closed. So in order to be completely off the 'Net in appearance, you really do need the technology which is going to stealth you. And as a matter of fact, I've seen dialogues where hackers know that ident is often not stealthed. So they're specifically trying to open an ident connection because, unless it's adaptively stealthed, as all the latest firmware and personal firewalls are generally now able to do, it will look like it's closed, and they'll know you're still there.

Leo: So thanks to GRC.com and ShieldsUP!, all routers, all consumer-grade routers that ship these days, ship with stealth turned on.

Steve: Yeah. Yeah. It's, I mean, it's the right way to go. There's just no good reason not to be stealth where you can be.

Leo: Now, am I throwing all the value of stealth out, though, by having some open ports?

Steve: Probably not because you don't know what it is that might be looking for you. You might have, you know, a hacker might specifically be scanning for a new vulnerability which has just been found, like in MySQL. And so it might be looking to see whether you have a SQL database server port open, so it would be specifically checking for that port.

Leo: And if you look at the hacker tools, they usually will say, what port do you want to hit, and what range of IP addresses do you want to test?

Steve: Right.

Leo: And you could test a range of ports. But for efficiency's sake they may just be going after that one port.
Steve: Well, now, it's also necessary, since we really want to cover the topic of open ports well in this particular episode, it's necessary to talk about the fact that UDP protocol is every bit as viable as TCP. But because it doesn't have this whole introductory handshaking going on, where you send the SYN and the SYN/ACK comes back, or you send the SYN and a reset comes back, UDP ports will generally operate or may operate differently. That is to say that, as we know, UDP doesn't have this connection establishment handshake, which is really the benefit for very short-term connections. For example, the DNS protocol for domain name services, generally you just send a single packet off to a DNS server, and it sends you a single-packet reply. So it's extremely efficient. Since DNS is going to be transacting such small amounts of information, you wouldn't want to go through all the trouble of having a three-way packet handshake, then send your request, then get the reply, then have to shut down that existing or established connection through another series of packets.

Leo: So DNS uses UDP.

Steve: Exactly. Well, DNS...

Leo: I didn't know that.

Steve: It actually uses both. It'll use UDP. But there's a limit. One of the reasons that UDP actually isn't convenient is if you need to send a lot of data because generally UDP is sort of packet oriented. Now, again, all of these things sort of have caveats. For example, you and I are using UDP right now for streaming substantial amounts of data between each other during this podcast. But what's happened is a protocol on top of it, well, I mean, the typical VoIP protocol is called SIP [Session Initiation Protocol], which is used on top of UDP to sort of give it the ability to do more. But in the case of DNS it is possible to connect with TCP to a DNS server and then make your queries that way if you needed to for some reason. And for example there's something in DNS called a "zone transfer," where you basically say tell me everything there is to know about GRC.com, for example. And if zone transfers are allowed, which for many security purposes nowadays they are not, but in the old days you only could use TCP for one of these so-called "zone transfers," where you're saying I want to know about all the machines within the GRC.com domain, the MX or, you know, the email servers, and everything going on. Give it all to me. And you cannot do that over UDP. So in general, UDP is a much more quick, simple, lightweight protocol. It also means that you might have a UDP server with an open UDP port, as opposed to an open TCP port. And you would not really be able to tell that it was there unless you asked it in its own particular protocol. For example, if you wanted to find out if someone was running a DNS server, you'd have to send a DNS query to port 53 and see if you got a response. Whereas the whole opening connection dance with TCP is generic. You do the same three-way handshake no matter what service, whether it's web or, for example, DNS over TCP or FTP or any other TCP-based protocol.

Leo: So if you're a hacker sniffing TCP ports, you could just send a SYN to every port, one after the other.

Steve: Exactly.

Leo: And say hello. And that'll tell you that port's there. But if you want to sniff UDP ports, you'd actually have to use the appropriate protocol on each port.

Steve: Exactly, in order to satisfy the server that may or may not be listening. Now...

Leo: So it's much more complicated to sniff UDP ports, then.

Steve: It's a lot more complicated. Although, again, the original spec for the UNIX machines, you know, where all this originated, does say that if a UDP packet arrives where there is no service listening and that has told the operating system that it wants it to forward packets that arrive on a certain port to it, then the operating system should send back an ICMP, a specific ICMP message saying there's nothing listening to this port. So UDP ports can, by default, show themselves as being closed, that is, you get back something saying there's nobody here. So again, you'd like to stealth that behavior. And of course that's what personal firewalls and routers do.
Leo: I think this is great. You know, when you – we deal with this all the time. When you go into your router, for instance, to port forward, to make some port work, let's say you've got a router that's, you know, rightly so, blocking all ports, but you want to use a, you know, you want to set up a server for World of Warcraft, you'll see all this. You'll see UDP versus TCP, and which port number, and all sorts of stuff. But now you know what it means. Now you know what you're doing.

Steve: Well, it's interesting, too. You were talking about port forwarding. And I remembered that that also bears on the ident port because there are still some older routers whose firmware does – it will not stealth the ident port. It will respond that there's nobody here. But a really fun workaround is to forward that ident port – which, by the way, is 113 – you forward that to a nonexistent IP address behind the router, that is, on your own network. So, for example, if your IP address was 192.168.0., you know, 1 to 100, you could tell the router, forward that to .0.200, a machine that you know will never exist. And what the router does is dutifully accept that incoming ICMP packet and sticks it on your network, aimed at an IP that doesn't exist. Well, since it doesn't exist, there's nobody there to answer the call, and you end up stealthing your ident port if your router otherwise would not do so for you. So, I mean – and of course that works for anything that you want it to. You could name any ports that you wanted to stealth, if the router wasn't, just off into the twilight zone, to an IP inside your network that doesn't have a machine listening on it, and those packets are just going to go nowhere. They just end up being dropped.
Leo: Well, I think you – have we covered the subject? Do we know everything we need to know about ports?

Steve: The one thing that I think is worth mentioning to people is that all of this problem – which has been lots of history, you know, we talked first about this notion of firewalls by default allowing traffic and then IT guys blocking only the mischief and how that's completely flipped around. Well, the old days of Microsoft Windows, and for that matter other operating systems, generally had lots of things listening because there wasn't a compelling reason not to. And of course in Microsoft's case, Microsoft always wanted to default towards allowing traffic because they just wanted things to work. I mean, and they sure did, boy. You know, you stuck your Windows machine on the Internet, and you could share your files with everybody in the world.

Leo: Worked a little too well.

Steve: Whether that's what you had in mind or not. And they want, you know, they wanted Windows so that, when you click your machines together into a network, they can all see each other, and they can all happily share files. Unfortunately, putting Windows onto the Internet was the same as putting it on your network.

Leo: Right.

Steve: So it's really worth mentioning that this is all changed now, finally. I mean, and it took – I don't know why it took so long, but it did. It's changed with Service Pack 2 of Windows XP, where there is a built-in firewall, and it is on by default. And, you know, there are people who are still downloading my DCOMbobulator and my UnPlug n' Pray utilities. Those are things which I created in a day, immediately after a new vulnerability had come out and well before, in some cases months before, Microsoft did anything to deal with it. And those things I created to, like, kill off those ports or shut down those problems because we still didn't – many people did not have personal firewalls. XP didn't have a personal firewall in the beginning that was turned on all the time. Earlier versions of Windows never did. I mean, back then people were still using, you know, 95 and 98. But it's really the case that these problems have been solved just by, first of all, by people having NAT routers. I mean, if you've got a NAT router in front of your system, it matters to a far lesser degree what ports are open on your machine itself. And you can see that because, if you use ShieldsUP! at GRC, it'll show you everything is stealth, even if you've got open ports on the computers in your own network. The reason being, nothing gets through your NAT router. We're testing your public IP, not those private IPs that no one can access anyway because they're not routable on the Internet. There's no way I can send traffic to 192.168.0.1 in order to test it because that IP won't go anywhere. I can't, you know, tens of thousands of people have that IP on their machines behind their routers.

Leo: Probably millions by now.

Steve: Millions, I'm sure it is, yes. So, you know, many, many tens of thousands. So it really is the case that this problem with computers having open ports has really been mitigated, first by the advent of routers, and secondly, for those who are not behind a router, certainly with a personal firewall which is on and doing its job as, you know, the built-in firewall in Windows XP does. Which really means, then, that the frontier for the concern for open ports is ports opened in routers. And so the last thing worth talking about is the people who are worried that, for whatever reason, they have to have exposed open ports. You know, what does that mean, to have an exposed open port? Something, you know, where they're just not able to be stealth because they need to have services that are available out on the public Internet. And this is interesting because it factors exactly into the discussion we've had about buffer overruns. Because unfortunately the exposure of an open port is that traffic is going to be flowing back in through your router, then to whatever machine you have designated on the router will receive that traffic. And presumably you have something there on that machine, some application which is then going to be accepting the traffic. The problem is, as we know, it is very difficult to write perfect software. You know, the classic boondoggle of an open port was pcAnywhere, which many people were using in the early days of the Internet because it allowed them to connect to their machines at home and do whatever they wanted to. That's why it was called pcAnywhere. The problem was...
Leo: Anything anywhere.

Steve: ...it had, yeah, it had serious security problems that were being found one after another after another. Many people didn't even take the trouble to put a strong password on pcAnywhere. So everyone knew what the default password was. And people, you know, bad guys would scan the 'Net for the standard pcAnywhere port and connect to people's machines who never took the time to change the default password. So the problem is, if you've got ports exposed, if you've got ports open, it is something you need to recognize as a potential problem, and that is that you are then depending upon the security of and the proper functioning of whatever software package it is which is listening to those ports. And in fact, when I fired up Skype just now, Leo, in order to establish our connection, I got a message telling me that there was a new version available because a security problem had been found and fixed in Skype. So it's like, okay, I'm going to update myself right now.

Leo: Right, right, right. Anytime you're running a service of any kind, in order for that service to work you have to open a port. And that opens up your system to trouble if the service has a bug. And as you point out, it's inevitable. There's always bugs.

Steve: Yeah. It's just so difficult not, I mean, this was the huge problem that Microsoft had with all of their services. I mean, virtually every single one of them...

Leo: Something was wrong with them.

Steve: ...had multiple problems that were found and exploited. And, I mean, that's where the worms came from that we were talking about before is specifically from these kinds of problems. So, you know, the good news is, security is on everyone's mind. Certainly security is foremost in the minds of anyone writing applications. I would say the only piece of advice, if you have to have ports open, is try to use robust, well-tested services that you have every reason possible to believe are not going to have problems. And in fact, you know, if you really wanted to go a step further, and you had the ability to, I would say run those machines separately. That is, you know, it may be the case that you've got an old computer. Let it be the one on the front line in the so-called "DMZ," where it's going to be receiving that traffic, and not run those services on your main machine, where you really have much more valuable data, and you want to make sure nothing is able to crawl into it.

Leo: And it's another reason why people should go out and get routers, if they don't already have them, and use them. And the minute you do, in fact every time I install a router, and as soon as I've changed the password and turned off Universal Plug and Play, I'll go to GRC.com and run ShieldsUP! and make sure that I don't have any unstealthed ports. And that's what a great service that is.
Steve:Youalsowanttomakesurewhenyou'resettingupanewrouterthatyouremembertoturnoffanythingthat's,like,WAN-sidestuff.
Manyroutershave,like,WAN-sideadministrationwhere.
.
.
Leo:Unh-unh.
Thatmeanstheotherguycanadministrateyourrouter.
Steve:Exactly.
AnyoneontheInternet.
Leo:Badidea.
Steve:That'snotagoodthingtohave.
Leo:Notagoodthingtohave.
Steve:Imean,again,ifyouhavetouseitforwhateverreason,thenyouwanttotakethetimetodoareallygood–tochooseareallystrongpasswordthatnooneisgoingtobeabletoguessbecause,ifyourrouterisacceptingaconnectiononitsstandardWAN-port,thensomebodyouttherecouldjustsittherepoundingawayonit,doingabrute-forcepasswordattack,tryingtogetcontrolofyourrouter.
It'scertainlybetter,firstofall,nottorunitonthestandardport.
Moveit,alwaysmovethosethingstoadifferentport,ifyouhavetohavethematall,andthenrunareallystrongpassword.
Leo:Yeah.
Andyoucouldbesurethat,ifit'soutthere,somebody'sbangingonit.
That'stheotherthingwe'velearnedonthe'Netisthatyoucan'tjustkindofskateanymore.
Peopleareoutthereallthetime.
Steve: Well, for example, the way I've got my equipment at Level 3 configured for the GRC network, I need to be able, if the worst happened and I needed to reboot a machine, I need to be able to power cycle the machine or get console access remotely. So I've got some equipment which are neat little rack-mounted boxes. But all they have is telnet. They don't have any provision for stronger authentication. I can't do SSH or SSL.

Leo: Ooh, that's not good.

Steve: No, it's horrible. And there's no provision for changing from the default telnet port of 23. So I've got these three boxes sitting there that I have to have access to from the outside. I mean, that's the whole point of them is I'm able to get to them from my home network or when I'm on the road. So the problem is, they will only listen to port 23. They do provide a password, but it's just eight characters.

Leo: Oh, man.

Steve: And, I mean, and it's my network. It's the GRC network.

Leo: That's terrible.

Steve: And if someone accessed it, you know, they could turn off the equipment at GRC.

Leo: Yeah, yeah.

Steve: So obviously the only reason I'm saying this on a podcast is I've solved the problem.

Leo: I was going to say, you're asking for trouble here. What did you do?

Steve: What I did was, I found a really nice managed switch. I have a Dell managed switch, which is surprisingly inexpensive, which allows me to filter those ports and only allow specific IP ranges to see them at all. So only...

Leo: So only somebody from your IP address can log in at port 23.

Steve: Exactly. And in fact that equipment, it doesn't exist for anyone outside of specific networks which I have pre-designated as being allowed to send traffic in.

Leo: That's a good way to do it. That's super stealth.

Steve: Well, and, I mean, you have to. Because you just can't have a service exposed on the Internet, especially a well-known service, especially from a well-known company. It's just going to get attacked. Someone's going to write something that sits there and starts with A and then B and then C...

Leo: It's not going to take long. Eight letters?

Steve: Exactly, and does a brute-force attack.
Leo: Well, I just want to circle back and say that we can thank in particular two different people for packets, the notion of packets. I did say Paul Baran. He did this research in the early '60s at Rand Corporation and wrote a paper on the idea of a packet-switch network. And a Brit named Donald Watts-Davis who simultaneously, but independent of Baran, wrote some papers on – in fact, he's the one who coined the term "packet switching" and describing that idea. And it really does go back to one of the great pioneers of the Internet, Len Kleinrock, who wrote some papers theorizing that the best way to do this would be with packets and, in fact, created the idea of a notion of data blocks to solve that issue of data flow. So it's been around for a long time. And I have a poem I want to read.

Steve: Okay.

Leo: Do you mind?

Steve: No.

Leo: This is – I'm going to tell you the story about this poem in a little bit. But it's been going around the Internet for years. I'm just going to read one of the verses: "If a packet hits a pocket on a socket on a port, and the bus is interrupted as a very last resort, and the address of the memory makes your floppy disk abort, then the socket packet pocket has an error to report." Just thought I'd pass that along to you.

Steve: That's pretty good. I like that.

Leo: Actually it's quite a bit longer. It's written by a guy named Gene Ziegler, who is at Cornell. Wrote it in '64, and it's been going – or '94, I should say. But it's been going around the Internet as written by Anonymous. But it's a long parody of Dr. Seuss that is really quite funny. And I'll put a link in the show notes.

Steve: I was just going to say, put a link in the show notes, yeah.

Leo: Maybe what I'll do is I'll read it, giving credit to Gene Ziegler, and put a copy of the recording up. I read it years ago on "The Site" as Dev Null, the virtual character. And it goes on, I mean, I'll just read the last verse. "When a copy of your floppy's getting sloppy on the disk, and the microcode instructions cause unnecessary risk, then you'll have to flash your memory, and you'll want to RAM your ROM. Quickly, turn off your computer and be sure to tell your mom." And the page is "A Grandchild's Guide to Using Grandpa's Computer." He wrote it after his grandkids messed up his Mac.

Steve: That's very cool.

Leo: And we also, of course, want to remind people that GRC.com is available 24 hours a day to check your ports, baby. ShieldsUP! is one of the many resources, valuable security resources, Steve makes available for free. But it's all supported by his great program, SpinRite, the ultimate disk recovery and maintenance utility, which everyone should have a copy of in this entire world. And if you don't, go to GRC.com and get yourself one. And also, if you want 16KB versions of the show, thanks to our transcriptionist, Elaine, those are also available at GRC.com/ – I'm going to do this – securitynow.

Steve: Yup.

Leo: They're waiting for the htm. No htm necessary.

Steve: Yup. No www, no http, anything.
Leo: Hey, I want to – we got a note from Alex Neihaus who is at Astaro, our great sponsor. And you remember that last episode we were talking about NAT traversal, maybe two episodes – no, I guess it was last episode.

Steve: Yeah, it was last episode. We talked about how NAT traversal works and then the notion of friendly versus non-friendly routers.

Leo: Right.

Steve: That would behave or not, depending upon how they mapped the ports through the router.

Leo: And of course Astaro makes, you know, the Security Gateway software. So he actually sent a note to his engineers saying do we do this, and they actually do it, it sounds like quite right. Now, I didn't fully understand that. But...

Steve: Actually they do it so right that, I mean, it's like the best way you could. What they do is – and this is the Astaro Security Gateway. When it's running in a NAT mode, they will leave the source port unchanged as it moves across the NAT.

Leo: Most routers do not do that; right? They change the port.

Steve: Correct. Most routers just make up a random port and assign it in a table, so they're always changing the source port. And what you're hoping for is that the source port will be the same, even if the destination IP is different. That's the critical feature that you need for peer-to-peer-friendly NAT. Well, the Astaro NAT is, like, the best it can be because it will leave the source port alone as it crosses through the NAT translation, only changing the source IP from the machine behind the NAT to the NAT address itself, so that the packet is able to come back. And what's very cool is that the only time when it will change the source port is if you happen to have two different machines, both communicating on the same source port, both to the same remote IP, because there it's very clear you would need...

Leo: You could have a collision.

Steve: ...you would have to change the source port in order to disambiguate those two machines from the outside. But unless that's necessary, the source port is not changed, which means that the Astaro NAT is like, I mean, it's going to be the friendliest NAT you could ever have.

Leo: That's slick. That's real – and by the way...

Steve: And it's free.

Leo: ...I'm using one. Yeah, it's free. You can get the software for free. I'm using one right now, and I'm really happy with it. I feel kind of powerful. I do want to mention Astaro is, of course, our sponsor. And we've mentioned before that you can get the Astaro Security Gateway software for home users absolutely free. For a little bit more you can upgrade it to spam, antivirus protection, and it really is powerful stuff. But I also want to mention that there is a new managed system, the Astaro Command Center. I've been looking at the screenshots of this. It is so slick-looking. ACC v1. It is free for users of Astaro Security Gateway, so I'm going to download it. And it's really designed for network administrators who have multiple gateways. It allows you to manage and control those gateways from a single slick-looking dashboard. I mean, this thing is gorgeous, really looks good. Includes a world map so you can see where your gateways are all over the world. You can, you know, it has this monitoring so you can see what the threat levels are, I mean, I don't know about threat levels, but resource usage. You can't see the threat levels, but let's hope you don't have any threat levels. But the resource usage for all the gateways in the network, and you can coordinate them and manage them, you know, startup, shutdown, and maintenance and all of that stuff.
Steve: Well, you know, I've got some friends that manage the security for, like, a bunch of small networks. And this sounds like it'd be just the thing for them.

Leo: Exactly. Exactly. So if you're already using ASG, just go to Astaro.com, and you can download the Astaro Command Center v1 from the Products section. Which, you know, I mean, I think it's one of the nice things about using software like this, open source software like this, is it gets better all the time. And it's just wonderful. I mean, you really get a real benefit from it.

Steve: It's the future.

Leo: I almost wish I had a big managed network. It wouldn't be any good for me. I just use the home version. Astaro.com. And we thank them for their support. And of course we thank the folks at AOL for supporting the show with bandwidth, which is always an issue with a show like this, with hundreds of thousands of listeners. That bill can add up, but AOL's been very generous. And we encourage you to find out more about podcasting at AOL on the AOL Radio Channel by going to AOL.com/podcasting. Steve, I'm so glad you did this. I think ports are, you know, probably the single most confusing and interesting topic, and certainly the thing that we all have to deal with all the time.

Steve: Well, yes. And I think it's that they're so visible. I mean, it's the thing people can see, and it causes concern. So I just really wanted to cover that really well.

Leo: And it's one of those things in the computer world that really I don't think anybody ever intended end-users would have to deal with. It wasn't designed for end-users. But we do.

Steve: Oh, I mean, neither was http://.

Leo: Exactly. Exactly. Tim Berners-Lee is embarrassed that anybody has to see that. But that's how things evolve, and that's the way it is. Great, Steve, we'll see you next week. You have any idea what we'll be talking about, or...

Steve: Absolutely. It's Episode 44.

Leo: I was going to say, it must be a Mod 4.

Steve: Yup. So we'll do Q&A. Anybody who's got any questions, they can go to GRC.com/securitynow. Down at the bottom of the page is a form. Send your questions to us. I'll read them, and we'll pick from them and answer 12.

Leo: All right. And of course that's also a good place to go to the discussion groups, the security discussion groups at GRC.com. And you can get your questions answered by Steve and other experts. It's really a really wonderful resource: GRC.com. Thanks, Steve.

Steve: Always a pleasure, Leo. Talk to you next week.

Copyright (c) 2006 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED

This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/
