Transcript of Episode #43: Open Ports

Description: This week Leo and Steve cover the broad subject of "open ports" on Internet-connected machines. They define ports, and what it means for them to be open, closed, and stealth. They discuss what opens them, what it means to have ports "open" from both a functional and security standpoint, how open ports can be detected, whether stealth ports are really more secure than closed ports, and differences between TCP and UDP port detection.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-043.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-043-lq.mp3

Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 43 for June 8, 2006: Ports. Security Now! is brought to you by Astaro, makers of the Astaro Security Gateway, on the web at www.astaro.com. Steve Gibson is ready to talk about your ports.
Steve Gibson: I'm so excited.

Leo: You really, I mean, I think probably for many people the first kind of introduction to the concept of ports came from ShieldsUP! and Steve Gibson.

Steve: Well, and as far as I know I coined the term "stealth." That was one that I sort of, you know, in the whole ShieldsUP! Star Trek theme thing, I thought, okay, what are we going to call a TCP port which is neither open nor closed? And I thought, oh, stealth, like, you know, the cloaking field and all that stuff from Star Trek.

Leo: And of course, as usual, all of this stuff really was the bailiwick of business and enterprise computing, networking and all that stuff. But as more and more people have multiple computers in their home, suddenly we're all becoming networking experts, and the topic of ports becomes very important. Now, it's a little bit of a confusion because we've always had ports with PCs, but they used to be serial ports and printer ports. And that's not the kind of ports we're talking about.

Steve: You're right. And in fact you mentioned enterprise. And I remember the day, or the era, rather, where – and this was just – it demonstrates such an evolution in what's going on on the Internet, where it used to be, in the early days of the Internet, when there was some mischief going on, then the IT guys would block a certain port that this mischief was coming into the network on. In other words, there was sort of this presumption of everything being benign, but the exceptions were things being bad. So in terms of, like, a firewall methodology, and the way people were thinking, you had a default "allow traffic in," and then your exceptions were denying traffic.

Leo: Boy, that's changed.

Steve: And, I mean, oh my God, talk about getting fired quickly. If you were an IT guy these days who did that, you know, it'd be like, what are you thinking? Because of course today the world is completely inverted, where by default you deny everything, and you only allow traffic into your border that you know you want because, you know, the Internet's just crawling with junk. For example, we've got this legacy of Windows worms still crawling around the 'Net, probing old vulnerabilities that have long since been removed. But, you know, they're still out there trying to infect machines. And as we know, if you did stick a – if you took a computer you had just installed XP on, before doing any Windows update, before installing any service packs, that Windows XP that we were told was going to be the most secure operating system Microsoft ever created, you put one of those on the Internet and start your stopwatch to see how long it takes to just be just taken over by the junk that's crawling around the 'Net. I mean, it's...

Leo: Sasser and MSBlast and all those.

Steve: Oh, yeah. I mean, it's like a matter of minutes, and stuff is crawling in your machine.

Leo: I liken it almost to herpes or – it's an infection that's endemic. It's everywhere on the 'Net and will continue to be there. Nobody's sending it out anymore, it's just there are infected machines who continue to do it and...

Steve: Yup.

Leo: ...probably won't go away until Windows goes away.

Steve: I think we will probably never get rid of those things. You're right, they're old, unmanaged computers that are just sitting on the 'Net in Lord knows where, I mean...

Leo: Right, in corners.

Steve: ...in strange places, like long forgotten, and they've got this junk in them now. And, you know, the whole point of a worm is that it's self-replicating. So once it crawled into this machine and set up shop, it then began scanning for others. And, I mean, they're just always going to be there.

Leo: And what they're scanning for is, in fact, open ports. Maybe we should define what a port is. And I think the terminology's not great. I think a word like "channel" might be better.

Steve: Well, "channel" would be a great term because, I mean, as we've talked about what we've talked about about the issue of ports in general, what I wanted to do this week is really just focus on this issue of open ports because a lot of people are concerned about them. We get questions all the time, like I have to have this port open, is that a problem? How do I close this port? What does it mean to have a port open? So, yeah, I really wanted to just focus on this issue of open ports and sort of really cover that well to resolve a lot of these questions. But you're completely right. As we talked about when we were talking about the basic protocols of the Internet – ICMP, UDP, and TCP – we glanced on this before, the idea that, unfortunately, a port, people associate that with a physical thing, you know, like a serial port, a parallel port, a USB port, a Firewire port or whatever. But in fact a port is nothing but a 16-bit number which is carried along at the front in the header of Internet packets which sort of specifies, exactly as you said, Leo, which channel or many channels of 65,535 possible channels this packet is aimed at.
Leo: So there's no physicality to this kind of port. It's not – there's no, like, electronic – 65,000-channel electronic switcher or changer or anything like that. I mean, there's no physical thing.

Steve: Right. Well, the physical manifestation, of course, would be your Ethernet port. And there again we've got that collision of naming. So, you know, your Ethernet connection is the way that this Ethernet traffic, of course, travels into and out of your machine. And it's often doing so through these so-called "open ports."

Leo: But it's not like a part of the cable is port 1024. I mean, it's all coming through the same electrical signal.

Steve: Exactly. Exactly.

Leo: And I guess it helps if you understand that all of the data is sent in little discrete chunks called packets; and that each packet has, as you mentioned, a header. And inside this header is information about where that packet's going, where it came from, and what port, what channel, its surfing number.

Steve: Well, yes. And that, of course, was the great breakthrough of the Internet, was instead of having a switched circuit system where actual physical circuits were being switched, we stepped back from it, and we have a switched packet system, where packet switching is the way machines talk to each other across a network of fixed circuits.

Leo: So the line's always open, and data's always going, but it's routed according to the packeting. Is that Bob Metcalfe's invention? I know he invented Ethernet. Was that kind of the part of that invention, or did that predate that?

Steve: No, that actually predates the actual – the Ethernet is just one of a number of electrical technologies that can be used to carry packets. But, for example, Token Ring was IBM's network.

Leo: And they used packets, too.

Steve: Exactly. So you can...

Leo: I think Vint Cerf might have, I mean, certainly he gets credit for IP. I wonder if – well, maybe not, though.

Steve: Yeah. Well, it was all done, you know...

Leo: A long time ago.

Steve: ...at the beginning of the 'Net, when it was all being put together.

Leo: The beginning of time. I guess Paul Baran is the guy who invented packet switching, or one of the guys who invented packet switching.

Steve: So fundamentally we have sort of like the core for a machine which is on the Internet is the operating system. But the operating system doesn't itself natively have any ports. That is, it supports the protocol and the ability for the OS to communicate by providing services, you know, like the so-called TCP/IP stack and IP services. The operating system will support IP addresses which allow it to accept these packets. But something then after the operating system, something running in the operating system is the actual entity which creates and opens these ports. Now, for example, in the case of Windows, it may not be a separate application. It might be a service, which really is part of the operating system, but it's a separable part. I mean, for example, you can stop the service or remove the service in order to close the ports that that service opened. And then the next level of distance from the operating system are actual applications which are running in the operating system, like you and I are using Skype right now. It's running as a program on top of the operating system, using the operating system's lower level networking facilities to allow it to communicate out on the Internet so that our two Skype clients are able to connect to each other.

Leo: And Skype is kind of independent of what port you're using. In fact, you can in Skype say, no, use this port or use that port. It works exactly the same. It's not tied to the port.

Steve: It doesn't care, exactly. So there are – also as we talked about before there are sort of what's called "well-known port numbers," where, for example, DNS, the domain name system that allows web names to be looked up and matched to their IP addresses, by agreement it uses port 53. And so the DNS server is listening for packets coming into port 53 of any computer that it's running on. And your own clients are sending their data out of port 53, bound for whatever DNS service they've been configured to operate with. And of course we know the web uses port 80, and 443 for SSL-secure connections, and on and on. So there's a large array of well-known ports, the idea being that systems will by default have services running in them, listening for incoming traffic on those ports. So if we remember what we were talking about when we were talking about TCP before, the Transmission Control Protocol, the idea is that the operating system is doing the work for the application of establishing and sort of getting the connection going. And this is where this notion really of an open port comes from because, when a connection wants to be established with a machine, a SYN – which is short for "synchronize" – packet is sent to that IP address that the computer is listening on. If it's a TCP port which is open, which is to say there's something that has said "I want to accept connections that are coming into this port," or as we've said, really sort of a virtual port, more like a channel, then the operating system will send back what's called a SYN/ACK, its own SYN and an acknowledge of the receipt of that incoming SYN. Well, that's sort of this whole key of what makes the port be open is that anybody, literally on the planet, can send one of these SYN packets at someone's machine. And if it responds with a SYN/ACK, then we know that something is there at that IP address, even if it's across the planet, which is ready to accept a connection and have some sort of transaction with us.
Leo: So cool. Every time you describe these things I just am impressed with how they thought this stuff up.

Steve: Well, and that has survived the test of time, I mean, so well. And so that's really what it was that got me thinking about ShieldsUP!. Back then – and we're talking years ago – I was setting up an ISDN connection for my computer.

Leo: There you go. That'll tell you how long it was.

Steve: Exactly.

Leo: Pre-DSL, pre-cable modem, you know, ISDN.

Steve: Exactly. It was an ISDN connection. And I was aware of this whole issue of ports and security. And so I got one of the – I just downloaded one of the free online scanners that were available on the Internet, and still are. And I just – I was curious, like, what was going on in the neighborhood of the IP address that we'd been assigned. So I just set the scanner up to, like, scan, I don't know, you know, the hundred IPs plus or minus where the IP that we'd been assigned was. And there were all these computers that had – and in fact this particular scanner was scanning for Windows file sharing. And, I mean, literally the names of machines and the C and D drives, wide open, exposed on the Internet.

Leo: That must have been a shock. Wow.

Steve: Well, yeah. And it was enough of a shock that it was – I thought, you know, nobody knows about this. This needs to receive attention because people were putting their Windows machines, hooking them directly to the Internet – this was before personal firewalls, before NAT routers – just literally plugging them into the Internet. And by default, Windows machines all had this file sharing port open. Meaning that, even if the user hadn't shared any files, they still – Windows had all these services that were running in the machine by default, accepting incoming connections from anyone on the planet. And so it was finally, I mean, it was that, the recognition that this really needed attention, that caused me to just say, okay, I'm going to do this thing that's going to make it very easy for people to check their systems to see if they're in this kind of danger. So, you know, the very first version of ShieldsUP! primarily checked for Windows file sharing. And then I expanded it in several follow-on generations to do – like, for example, now it does a full 1056 port scan to check from ports actually even including 0, which is not a legal port, but it turns out there are some vulnerabilities in routers that will accept traffic on port 0...

Leo: Oh, wow, interesting.

Steve: ...all the way up through 1056, in order to look at even the low client ports under Windows. But anyway, the idea was that – or is of TCP – that software running in the system will instruct the operating system to open a port. What that means, then, is that that port will affirmatively respond to incoming traffic. Well, now, an open port responds affirmatively. But it turns out that even a closed port, that is, a port for which there is no listening software associated with it, there is no program that has told the operating system, I want you to accept on my behalf traffic coming in and do the low-level housekeeping work for me of setting up a connection. In that case, a packet coming in and hitting a standard TCP/IP stack will generate an affirmative denial of a connection attempt. Normally it'll get back a reset, or sometimes an ICMP message saying there is no service available on this port at this IP. So although you haven't confirmed that you've found something potentially vulnerable, for example, a service that you may be able to exploit by virtue of the fact that it's going to accept a connection from you, and you're able to mess with it, what you have confirmed is there's a computer of some sort listening for incoming traffic on that IP. So those ports are considered to be closed, but they're still known to exist. And of course then the next stage of this is a so-called "stealth port," where incoming traffic hits the machine. If the port is not open and would normally respond in some affirmative fashion, saying no traffic is being accepted on that port, instead the machine is completely mute. It just says nothing. So, and that's, of course, exactly the response that you generally get for a dead connection, where there's just nothing on the IP at all.
Leo: And that's your so-called "stealth mode."

Steve: Which of course has now become, like, the way to be on the Internet. It's interesting, I mean, there are people who argue that stealth is bogus.

Leo: What? Really?

Steve: Oh, yeah. You know, it's the old UNIX guys. And they also dislike the idea that stealthing a machine technically breaks the IP or the TCP...

Leo: Oh, I get it. It's out of spec.

Steve: It's out of spec, exactly, because...

Leo: Well, that's a purist point of view. But frankly, if you think about it, if bad guys come a-knocking, what's the best response? We don't have any money in here, or nothing?

Steve: Yes, or, exactly, there is no "in here."

Leo: There is no "in here." Nothing exists at this address. Move on.

Steve: Right.

Leo: So, I mean, you can be a purist about it, but frankly I think it's pretty obvious what the best choice is.

Steve: Well, yes. And the fact is, since it costs nothing to be stealth, why not be stealth? I mean, since it costs nothing to be invisible, it seems to me it's better, exactly as you said, to be completely invisible on the 'Net than to say, I'm here, but all the ports you've checked so far are closed.

Leo: Now, it does come up from time to time that, well, this happened with the ident port, where a router manufacturer decided it wasn't a good idea to stealth that port because some services were still using it, and an invisible port wouldn't be an appropriate response.

Steve: Well, it's a very good point. The example you cite, the ident port, what happens is, when a user is trying to connect to a server – and this is generally, I mean, just ancient servers. I mean, there are some IRC servers, some really old web servers, sometimes some FTP servers. Part of the connection protocol is when a request comes into the server, it sends back an ident packet to the ident port at that user's IP, because in the old days people would have these things called ident servers where they would list a whole bunch of information about themselves. I mean, who's going to do that today? I mean, nobody, because basically you're sort of saying, here, here's everything you want to know about me.

Leo: Come on in.

Steve: Exactly.

Leo: Yeah, yeah.

Steve: So it had been forever since anyone actually ran an ident service. But what the server that makes the query wants is at least to get an affirm...

Leo: An acknowledgement.

Steve: Yes, some sort of affirmative statement that, yes, there's a machine here, but nobody's home. So what normally happens is the ident uses TCP protocol. So the server will send a SYN packet, trying to establish a connection in the reverse direction, back to the client. Well, as we know, TCP is very patient about getting a connection established. It'll send a SYN packet. If it doesn't hear anything else, it'll send another one. Then it waits twice as long and sends another one. Then it waits twice as long again and sends another one. Some machines will send up to five packets, and you can end up waiting a minute before the thing finally decides, okay, there's nobody here. The problem is that all of that suspends your main connection to the server, that is, the server, everything just stops on the server while it's trying to establish this painfully slow process of getting a TCP connection. If the far end did say no, I have no ident service, by sending back an ICMP or by sending a TCP reset packet, then at least the server would know, oh, okay, no service, but there's somebody here. And it would typically just then – it doesn't really care about the ident, it's just old technology that is still in some servers on the Internet.

Leo: So what is the harm in doing that, then? I mean, now I'm going to play devil's advocate and say, well, in that case, why do we bother stealthing that port?

Steve: It's just that, well, actually I think probably GRC is at fault. I mean...

Leo: It's your fault.

Steve: I'm not kidding. I mean, I was showing everybody that their ident port was not stealthed, and stealth became a cool thing to do, and people began asking their router manufacturers and their personal firewall manufacturers, "Hey, Gibson says my ident port is not stealth. I want to be stealth." And so just really due to popular demand the router manufacturers said, okay, fine, we'll stealth the port. Well, the problem then is that some connections will stall when you are going out through a router or out through a personal firewall which stealths the ident port. So then the next generation of this came along, and that was adaptive stealthing, or adaptive ident stealthing, where the router would be smart, and it would stealth the ident port from any source IP, that is, the remote server trying to open an ident connection back to you. It would stealth it unless it saw that you had an outgoing connection to that IP. Which is a perfect solution.

Leo: There you go.

Steve: So if you've established a connection, and it asks back, well, you got an ident server, you can respond to that. Then you say no, I don't. But at least the far end server is happy that you exist. You acknowledge that immediately, and then you get on with your main connection establishment.

Leo: Ah. But here's the thing. Would you mark that as a stealthed port?

Steve: Yes, in fact, I do it on purpose. ShieldsUP!, it checks the user's machine from an IP different than they are connecting to us from.

Leo: To avoid this thing.

Steve: Exactly. So I do it on purpose in order to give them credit for and to show that their router is stealthing ident for random sources of IP addresses out on the Internet, not the ones that they're actually trying to connect to. So it ends up being a very useful thing. Now...
Leo: We should just mention that the reason that you want it to be stealth is any indicator, even on a completely safe port like the ident port, any indicator that you exist could be a message to a hacker, well, at least there's something here you might want to keep investigating.

Steve: Well, here's a perfect example, Leo, and that is denial-of-service attacks. If you piss off somebody on the Internet who's got control of even a small botnet, and they decide they're just going to DDoS you into oblivion, well, they'll blast you for a while, and then typically stop the attack so that they can see if you're still there. Well, you know, you'd very much like them not to be able to tell that you're still there.

Leo: Yes, yeah.

Steve: Only if you're stealth can you pull that off. If they're able to ping you or to bounce packets off you or try to open a connection and get back an affirmative closed state from you, then they'll know you're still there.

Leo: And it's fairly trivial to actually test each and every of the 65,000 ports. I mean, computers are fast. So even if there's but one open, or not even open, closed but not stealth, they'll know you're there.

Steve: Well, yeah. And in fact, if you're running a system that is not stealthing you, every port will at least say either it's open or it's closed. So in order to be completely off the 'Net in appearance, you really do need the technology which is going to stealth you. And as a matter of fact, I've seen dialogues where hackers know that ident is often not stealthed. So they're specifically trying to open an ident connection because, unless it's adaptively stealthed, as all the latest firmware and personal firewalls are generally now able to do, it will look like it's closed, and they'll know you're still there.

Leo: So thanks to GRC.com and ShieldsUP!, all routers, all consumer-grade routers that ship these days, ship with stealth turned on.

Steve: Yeah. Yeah. It's, I mean, it's the right way to go. There's just no good reason not to be stealth where you can be.

Leo: Now, am I throwing all the value of stealth out, though, by having some open ports?

Steve: Probably not because you don't know what it is that might be looking for you. You might have, you know, a hacker might specifically be scanning for a new vulnerability which has just been found, like in MySQL. And so it might be looking to see whether you have a SQL database server port open, so it would be specifically checking for that port.

Leo: And if you look at the hacker tools, they usually will say, what port do you want to hit, and what range of IP addresses do you want to test?

Steve: Right.

Leo: And you could test a range of ports. But for efficiency's sake they may just be going after that one port.

Steve: Well, now, it's also necessary, since we really want to cover the topic of open ports well in this particular episode, it's necessary to talk about the fact that UDP protocol is every bit as viable as TCP. But because it doesn't have this whole introductory handshaking going on, where you send the SYN and the SYN/ACK comes back, or you send the SYN and a reset comes back, UDP ports will generally operate or may operate differently. That is to say that, as we know, UDP doesn't have this connection establishment handshake, which is really the benefit for very short-term connections. For example, the DNS protocol for domain name services, generally you just send a single packet off to a DNS server, and it sends you a single-packet reply. So it's extremely efficient. Since DNS is going to be transacting such small amounts of information, you wouldn't want to go through all the trouble of having a three-way packet handshake, then send your request, then get the reply, then have to shut down that existing or established connection through another series of packets.

Leo: So DNS uses UDP.

Steve: Exactly. Well, DNS...

Leo: I didn't know that.

Steve: It actually uses both. It'll use UDP. But there's a limit. One of the reasons that UDP actually isn't convenient is if you need to send a lot of data because generally UDP is sort of packet oriented. Now, again, all of these things sort of have caveats. For example, you and I are using UDP right now for streaming substantial amounts of data between each other during this podcast. But what's happened is a protocol on top of it, well, I mean, the typical VoIP protocol is called SIP [Session Initiation Protocol], which is used on top of UDP to sort of give it the ability to do more. But in the case of DNS it is possible to connect with TCP to a DNS server and then make your queries that way if you needed to for some reason. And for example there's something in DNS called a "zone transfer," where you basically say tell me everything there is to know about GRC.com, for example. And if zone transfers are allowed, which for many security purposes nowadays they are not, but in the old days you only could use TCP for one of these so-called "zone transfers," where you're saying I want to know about all the machines within the GRC.com domain, the MX or, you know, the email servers, and everything going on. Give it all to me. And you cannot do that over UDP. So in general, UDP is a much more quick, simple, lightweight protocol. It also means that you might have a UDP server with an open UDP port, as opposed to an open TCP port. And you would not really be able to tell that it was there unless you asked it in its own particular protocol. For example, if you wanted to find out if someone was running a DNS server, you'd have to send a DNS query to port 53 and see if you got a response. Whereas the whole opening connection dance with TCP is generic. You do the same three-way handshake no matter what service, whether it's web or, for example, DNS over TCP or FTP or any other TCP-based protocol.

Leo: So if you're a hacker sniffing TCP ports, you could just send a SYN to every port, one after the other.

Steve: Exactly.

Leo: And say hello. And that'll tell you that port's there. But if you want to sniff UDP ports, you'd actually have to use the appropriate protocol on each port.

Steve: Exactly, in order to satisfy the server that may or may not be listening. Now...

Leo: So it's much more complicated to sniff UDP ports, then.

Steve: It's a lot more complicated. Although, again, the original spec for the UNIX machines, you know, where all this originated, does say that if a UDP packet arrives where there is no service listening and that has told the operating system that it wants it to forward packets that arrive on a certain port to it, then the operating system should send back an ICMP, a specific ICMP message saying there's nothing listening to this port. So UDP ports can, by default, show themselves as being closed, that is, you get back something saying there's nobody here. So again, you'd like to stealth that behavior. And of course that's what personal firewalls and routers do.
Leo: I think this is great. You know, when you – we deal with this all the time. When you go into your router, for instance, to port forward, to make some port work, let's say you've got a router that's, you know, rightly so, blocking all ports, but you want to use a, you know, you want to set up a server for World of Warcraft, you'll see all this. You'll see UDP versus TCP, and which port number, and all sorts of stuff. But now you know what it means. Now you know what you're doing.

Steve: Well, it's interesting, too. You were talking about port forwarding. And I remembered that that also bears on the ident port because there are still some older routers whose firmware does – it will not stealth the ident port. It will respond that there's nobody here. But a really fun workaround is to forward that ident port – which, by the way, is 113 – you forward that to a nonexistent IP address behind the router, that is, on your own network. So, for example, if your IP address was 192.168.0., you know, 1 to 100, you could tell the router, forward that to .0.200, a machine that you know will never exist. And what the router does is dutifully accept that incoming ICMP packet and sticks it on your network, aimed at an IP that doesn't exist. Well, since it doesn't exist, there's nobody there to answer the call, and you end up stealthing your ident port if your router otherwise would not do so for you. So, I mean – and of course that works for anything that you want it to. You could name any ports that you wanted to stealth, if the router wasn't, just off into the twilight zone, to an IP inside your network that doesn't have a machine listening on it, and those packets are just going to go nowhere. They just end up being dropped.
Leo: Well, I think you – have we covered the subject? Do we know everything we need to know about ports?

Steve: The one thing that I think is worth mentioning to people is that all of this problem – which has been lots of history, you know, we talked first about this notion of firewalls by default allowing traffic and then IT guys blocking only the mischief and how that's completely flipped around. Well, the old days of Microsoft Windows, and for that matter other operating systems, generally had lots of things listening because there wasn't a compelling reason not to. And of course in Microsoft's case, Microsoft always wanted to default towards allowing traffic because they just wanted things to work. I mean, and they sure did, boy. You know, you stuck your Windows machine on the Internet, and you could share your files with everybody in the world.

Leo: Worked a little too well.

Steve: Whether that's what you had in mind or not. And they want, you know, they wanted Windows so that, when you click your machines together into a network, they can all see each other, and they can all happily share files. Unfortunately, putting Windows onto the Internet was the same as putting it on your network.

Leo: Right.

Steve: So it's really worth mentioning that this is all changed now, finally. I mean, and it took – I don't know why it took so long, but it did. It's changed with Service Pack 2 of Windows XP, where there is a built-in firewall, and it is on by default. And, you know, there are people who are still downloading my DCOMbobulator and my UnPlug n' Pray utilities. Those are things which I created in a day, immediately after a new vulnerability had come out and well before, in some cases months before, Microsoft did anything to deal with it. And those things I created to, like, kill off those ports or shut down those problems because we still didn't – many people did not have personal firewalls. XP didn't have a personal firewall in the beginning that was turned on all the time. Earlier versions of Windows never did. I mean, back then people were still using, you know, 95 and 98. But it's really the case that these problems have been solved just by, first of all, by people having NAT routers. I mean, if you've got a NAT router in front of your system, it matters to a far lesser degree what ports are open on your machine itself. And you can see that because, if you use ShieldsUP! at GRC, it'll show you everything is stealth, even if you've got open ports on the computers in your own network. The reason being, nothing gets through your NAT router. We're testing your public IP, not those private IPs that no one can access anyway because they're not routable on the Internet. There's no way I can send traffic to 192.168.0.1 in order to test it because that IP won't go anywhere. I can't, you know, tens of thousands of people have that IP on their machines behind their routers.

Leo: Probably millions by now.

Steve: Millions, I'm sure it is, yes. So, you know, many, many tens of thousands. So it really is the case that this problem with computers having open ports has really been mitigated, first by the advent of routers, and secondly, for those who are not behind a router, certainly with a personal firewall which is on and doing its job as, you know, the built-in firewall in Windows XP does. Which really means, then, that the frontier for the concern for open ports is ports opened in routers. And so the last thing worth talking about is the people who are worried that, for whatever reason, they have to have exposed open ports. You know, what does that mean, to have an exposed open port? Something, you know, where they're just not able to be stealth because they need to have services that are available out on the public Internet. And this is interesting because it factors exactly into the discussion we've had about buffer overruns. Because unfortunately the exposure of an open port is that traffic is going to be flowing back in through your router, then to whatever machine you have designated on the router will receive that traffic. And presumably you have something there on that machine, some application which is then going to be accepting the traffic. The problem is, as we know, it is very difficult to write perfect software. You know, the classic boondoggle of an open port was pcAnywhere, which many people were using in the early days of the Internet because it allowed them to connect to their machines at home and do whatever they wanted to. That's why it was called pcAnywhere. The problem was...

Leo: Anything anywhere.

Steve: ...it had, yeah, it had serious security problems that were being found one after another after another. Many people didn't even take the trouble to put a strong password on pcAnywhere. So everyone knew what the default password was. And people, you know, bad guys would scan the 'Net for the standard pcAnywhere port and connect to people's machines who never took the time to change the default password. So the problem is, if you've got ports exposed, if you've got ports open, it is something you need to recognize as a potential problem, and that is that you are then depending upon the security of and the proper functioning of whatever software package it is which is listening to those ports. And in fact, when I fired up Skype just now, Leo, in order to establish our connection, I got a message telling me that there was a new version available because a security problem had been found and fixed in Skype. So it's like, okay, I'm going to update myself right now.

Leo: Right, right, right. Anytime you're running a service of any kind, in order for that service to work you have to open a port. And that opens up your system to trouble if the service has a bug. And as you point out, it's inevitable. There's always bugs.

Steve: Yeah. It's just so difficult not, I mean, this was the huge problem that Microsoft had with all of their services. I mean, virtually every single one of them...

Leo: Something was wrong with them.

Steve: ...had multiple problems that were found and exploited. And, I mean, that's where the worms came from that we were talking about before is specifically from these kinds of problems. So, you know, the good news is, security is on everyone's mind. Certainly security is foremost in the minds of anyone writing applications. I would say the only piece of advice, if you have to have ports open, is try to use robust, well-tested services that you have every reason possible to believe are not going to have problems. And in fact, you know, if you really wanted to go a step further, and you had the ability to, I would say run those machines separately. That is, you know, it may be the case that you've got an old computer. Let it be the one on the front line in the so-called "DMZ," where it's going to be receiving that traffic, and not run those services on your main machine, where you really have much more valuable data, and you want to make sure nothing is able to crawl into it.

Leo: And it's another reason why people should go out and get routers, if they don't already have them, and use them. And the minute you do, in fact every time I install a router, and as soon as I've changed the password and turned off Universal Plug and Play, I'll go to GRC.com and run ShieldsUP! and make sure that I don't have any unstealthed ports. And that's what a great service that is.
Steve: You also want to make sure when you're setting up a new router that you remember to turn off anything that's, like, WAN-side stuff. Many routers have, like, WAN-side administration where...

Leo: Unh-unh. That means the other guy can administrate your router.

Steve: Exactly. Anyone on the Internet.

Leo: Bad idea.

Steve: That's not a good thing to have.

Leo: Not a good thing to have.

Steve: I mean, again, if you have to use it for whatever reason, then you want to take the time to do a really good – to choose a really strong password that no one is going to be able to guess because, if your router is accepting a connection on its standard WAN port, then somebody out there could just sit there pounding away on it, doing a brute-force password attack, trying to get control of your router. It's certainly better, first of all, not to run it on the standard port. Move it, always move those things to a different port, if you have to have them at all, and then run a really strong password.

Leo: Yeah. And you could be sure that, if it's out there, somebody's banging on it. That's the other thing we've learned on the 'Net is that you can't just kind of skate anymore. People are out there all the time.

Steve: Well, for example, the way I've got my equipment at Level 3 configured for the GRC network, I need to be able, if the worst happened and I needed to reboot a machine, I need to be able to power cycle the machine or get console access remotely. So I've got some equipment which are neat little rack-mounted boxes. But all they have is telnet. They don't have any provision for stronger authentication. I can't do SSH or SSL.

Leo: Ooh, that's not good.

Steve: No, it's horrible. And there's no provision for changing from the default telnet port of 23. So I've got these three boxes sitting there that I have to have access to from the outside. I mean, that's the whole point of them is I'm able to get to them from my home network or when I'm on the road. So the problem is, they will only listen to port 23. They do provide a password, but it's just eight characters.

Leo: Oh, man.

Steve: And, I mean, and it's my network. It's the GRC network.

Leo: That's terrible.

Steve: And if someone accessed it, you know, they could turn off the equipment at GRC.

Leo: Yeah, yeah.

Steve: So obviously the only reason I'm saying this on a podcast is I've solved the problem.

Leo: I was going to say, you're asking for trouble here. What did you do?

Steve: What I did was, I found a really nice managed switch. I have a Dell managed switch, which is surprisingly inexpensive, which allows me to filter those ports and only allow specific IP ranges to see them at all. So only...

Leo: So only somebody from your IP address can log in at port 23.

Steve: Exactly. And in fact that equipment, it doesn't exist for anyone outside of specific networks which I have pre-designated as being allowed to send traffic in.

Leo: That's a good way to do it. That's super stealth.

Steve: Well, and, I mean, you have to. Because you just can't have a service exposed on the Internet, especially a well-known service, especially from a well-known company. It's just going to get attacked. Someone's going to write something that sits there and starts with A and then B and then C.
.
.
Leo:It'snotgoingtotakelong.
EightlettersSteve:Exactly,anddoesabrute-forceattack.
Leo: Well, I just want to circle back and say that we can thank in particular two different people for packets, the notion of packets. I did say Paul Baran. He did this research in the early '60s at Rand Corporation and wrote a paper on the idea of a packet-switch network. And a Brit named Donald Watts-Davis who simultaneously, but independent of Baran, wrote some papers on – in fact, he's the one who coined the term "packet switching" and describing that idea. And it really does go back to one of the great pioneers of the Internet, Len Kleinrock, who wrote some papers theorizing that the best way to do this would be with packets and, in fact, created the idea of a notion of data blocks to solve that issue of data flow. So it's been around for a long time. And I have a poem I want to read.

Steve: Okay.

Leo: Do you mind?

Steve: No.

Leo: This is – I'm going to tell you the story about this poem in a little bit. But it's been going around the Internet for years. I'm just going to read one of the verses: "If a packet hits a pocket on a socket on a port, and the bus is interrupted as a very last resort, and the address of the memory makes your floppy disk abort, then the socket packet pocket has an error to report." Just thought I'd pass that along to you.

Steve: That's pretty good. I like that.

Leo: Actually it's quite a bit longer. It's written by a guy named Gene Ziegler, who is at Cornell. Wrote it in '64, and it's been going – or '94, I should say. But it's been going around the Internet as written by Anonymous. But it's a long parody of Dr. Seuss that is really quite funny. And I'll put a link in the show notes.

Steve: I was just going to say, put a link in the show notes, yeah.

Leo: Maybe what I'll do is I'll read it, giving credit to Gene Ziegler, and put a copy of the recording up. I read it years ago on "The Site" as Dev Null, the virtual character. And it goes on, I mean, I'll just read the last verse. "When a copy of your floppy's getting sloppy on the disk, and the microcode instructions cause unnecessary risk, then you'll have to flash your memory, and you'll want to RAM your ROM. Quickly, turn off your computer and be sure to tell your mom." And the page is "A Grandchild's Guide to Using Grandpa's Computer." He wrote it after his grandkids messed up his Mac.

Steve: That's very cool.

Leo: And we also, of course, want to remind people that GRC.com is available 24 hours a day to check your ports, baby. ShieldsUP! is one of the many resources, valuable security resources, Steve makes available for free. But it's all supported by his great program, SpinRite, the ultimate disk recovery and maintenance utility, which everyone should have a copy of in this entire world. And if you don't, go to GRC.com and get yourself one. And also, if you want 16KB versions of the show, thanks to our transcriptionist, Elaine, those are also available at GRC.com/ – I'm going to do this – securitynow.

Steve: Yup.

Leo: They're waiting for the htm. No htm necessary.

Steve: Yup. No www, no http, anything.
Leo: Hey, I want to – we got a note from Alex Neihaus who is at Astaro, our great sponsor. And you remember that last episode we were talking about NAT traversal, maybe two episodes – no, I guess it was last episode.

Steve: Yeah, it was last episode. We talked about how NAT traversal works and then the notion of friendly versus non-friendly routers.

Leo: Right.

Steve: That would behave or not, depending upon how they mapped the ports through the router.

Leo: And of course Astaro makes, you know, the Security Gateway software. So he actually sent a note to his engineers saying do we do this, and they actually do it, it sounds like quite right. Now, I didn't fully understand that. But...

Steve: Actually they do it so right that, I mean, it's like the best way you could. What they do is – and this is the Astaro Security Gateway. When it's running in a NAT mode, they will leave the source port unchanged as it moves across the NAT.

Leo: Most routers do not do that; right? They change the port.

Steve: Correct. Most routers just make up a random port and assign it in a table, so they're always changing the source port. And what you're hoping for is that the source port will be the same, even if the destination IP is different. That's the critical feature that you need for peer-to-peer-friendly NAT. Well, the Astaro NAT is, like, the best it can be because it will leave the source port alone as it crosses through the NAT translation, only changing the source IP from the machine behind the NAT to the NAT address itself, so that the packet is able to come back. And what's very cool is that the only time when it will change the source port is if you happen to have two different machines, both communicating on the same source port, both to the same remote IP, because there it's very clear you would need...

Leo: You could have a collision.

Steve: ...you would have to change the source port in order to disambiguate those two machines from the outside. But unless that's necessary, the source port is not changed, which means that the Astaro NAT is like, I mean, it's going to be the friendliest NAT you could ever have.

Leo: That's slick. That's real – and by the way...

Steve: And it's free.

Leo: ...I'm using one. Yeah, it's free. You can get the software for free. I'm using one right now, and I'm really happy with it. I feel kind of powerful. I do want to mention Astaro is, of course, our sponsor. And we've mentioned before that you can get the Astaro Security Gateway software for home users absolutely free. For a little bit more you can upgrade it to spam, antivirus protection, and it really is powerful stuff. But I also want to mention that there is a new managed system, the Astaro Command Center. I've been looking at the screenshots of this. It is so slick-looking. ACC v1. It is free for users of Astaro Security Gateway, so I'm going to download it. And it's really designed for network administrators who have multiple gateways. It allows you to manage and control those gateways from a single slick-looking dashboard. I mean, this thing is gorgeous, really looks good. Includes a world map so you can see where your gateways are all over the world. You can, you know, it has this monitoring so you can see what the threat levels are, I mean, I don't know about threat levels, but resource usage. You can't see the threat levels, but let's hope you don't have any threat levels. But the resource usage for all the gateways in the network, and you can coordinate them and manage them, you know, startup, shutdown, and maintenance and all of that stuff.

Steve: Well, you know, I've got some friends that manage the security for, like, a bunch of small networks. And this sounds like it'd be just the thing for them.

Leo: Exactly. Exactly. So if you're already using ASG, just go to Astaro.com, and you can download the Astaro Command Center v1 from the Products section. Which, you know, I mean, I think it's one of the nice things about using software like this, open source software like this, is it gets better all the time. And it's just wonderful. I mean, you really get a real benefit from it.

Steve: It's the future.

Leo: I almost wish I had a big managed network. It wouldn't be any good for me. I just use the home version. Astaro.com. And we thank them for their support. And of course we thank the folks at AOL for supporting the show with bandwidth, which is always an issue with a show like this, with hundreds of thousands of listeners. That bill can add up, but AOL's been very generous. And we encourage you to find out more about podcasting at AOL on the AOL Radio Channel by going to AOL.com/podcasting. Steve, I'm so glad you did this. I think ports are, you know, probably the single most confusing and interesting topic, and certainly the thing that we all have to deal with all the time.

Steve: Well, yes. And I think it's that they're so visible. I mean, it's the thing people can see, and it causes concern. So I just really wanted to cover that really well.

Leo: And it's one of those things in the computer world that really I don't think anybody ever intended end-users would have to deal with. It wasn't designed for end-users. But we do.

Steve: Oh, I mean, neither was http://.

Leo: Exactly. Exactly. Tim Berners-Lee is embarrassed that anybody has to see that. But that's how things evolve, and that's the way it is. Great, Steve, we'll see you next week. You have any idea what we'll be talking about, or...

Steve: Absolutely. It's Episode 44.

Leo: I was going to say, it must be a Mod 4.

Steve: Yup. So we'll do Q&A. Anybody who's got any questions, they can go to GRC.com/securitynow. Down at the bottom of the page is a form. Send your questions to us. I'll read them, and we'll pick from them and answer 12.

Leo: All right. And of course that's also a good place to go to the discussion groups, the security discussion groups at GRC.com. And you can get your questions answered by Steve and other experts. It's really a really wonderful resource: GRC.com. Thanks, Steve.

Steve: Always a pleasure, Leo. Talk to you next week.
Copyright (c) 2006 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/
