[ale] How to test your public internet connection for open ports

Ron Frazier atllinuxenthinfo at c3energy.com
Sat Feb 12 12:28:50 EST 2011


Hi Michael W.,

Just have a few replies here.  Not going to beat the dead horse too much 
more.

On 02/11/2011 10:42 AM, Michael H. Warfield wrote:

> Guess you wouldn't be a good hacker then.  Because they do.  They find
> an address like that, they don't need to attack it but they can abuse it
> as part of their other attacks.  I work with these things.  It does
> happen.
>

You mean I wouldn't make a good CRacker, right?  I could learn.  Just 
kidding.  8-)

I use the wrong term sometimes myself.  Unfortunately, the public 
usually equates the two terms.

> You haven't shown any of us a single benefit and I've mentioned a couple
> of benefits to rejecting packets appropriately.  Nice try.  Thank you
> for playing.
>

Even assuming that's true, I have no control over what packets my 
consumer router drops.  I'm pretty sure it drops them all.  I'm going to 
forward some further testing on that.  It does whatever it's designed to 
do.  The only thing I can control is whether it responds to pings or not.

> This is what makes me so frustrated.  Making inaccurate, imprecise
> statements like "you need a router for security" and "you're secure
> because you have a NAT device" has perpetuated this myth that NAT ==
> security.  Then foolish consumers think "Oh, IPv6 must not be very
> secure if it doesn't have NAT" when just the opposite is true!
>

> And then, because of this inaccurate reasoning, they think that IPv6 is
> less secure than IPv4 because it has no NAT.  That is just incredibly
> wrong on so many levels it's mind boggling.
>

Probably true.  However, there's not a lot we can do about it since 
marketers, and not engineers, control the way the products are 
presented.  We're going to have to reeducate consumers, and maybe 
management and marketers too, about how IPv6 works.

> As a security professional I'll go so far as to say you are more secure
> on IPv6 with no firewall at all, than you are on IPv4 with a firewall or
> NAT.  Why?  Because IPv6 is 4 billion times more difficult to
> comprehensively brute force scan a single subnet than it is to scan the
> IPv4 internet from end to end.  Note:  I'm being VERY precise in that
> terminology.  Yes, IPv6 can be scanned, especially when people treat it
> like IPv4 and assign sequential addresses, but you have to use
> "intelligent" scans and heuristics to choose your targets, you can not
> simply start at one end of even a single subnet and scan to the other
> end.  Now put THAT behind a firewall, or have the addresses changing
> periodically (privacy enhanced addresses) and try scanning for that.
> Combine that with the deliberate sparse nature of v6 allocations.  IPv4
> is like shooting fish in a barrel.  You hit a broadband or DSL subnet,
> you can barely turn around and take a breath without hitting an
> opportune target.  Now, replace each of those single IPv4 addresses with
> an IPv6 /64 subnet.  Now you have only 1 chance in 18 billion billion of
> guessing a host address (times the number of machines).  The opportunity
> to score drops real low and your attack yield is low because the
> defenders' attackable footprint is so much tinier.
>

I understand what you're saying.  You may be right.  You're into the 
realm of statistics and probabilities, which is not my specialty.  I'm 
intrigued by IPv6, and I like to keep up with new technology, and I'd 
like to try it.  As you all have discussed, I could get it now by 
tunneling.  Comcast has recently rolled out native dual stack IPv6 in 
Colorado for testing.  But, it's not available here yet.  I want to try 
it, but I am very leery of the security.  I would still want a 
firewall.  I don't know if those have been created and debugged yet.  
Also, I don't know if the IPv6 stacks in Windows and Linux randomize the 
IP addresses chosen for the hosts, or maybe DHCP does that, or maybe 
nobody does that.  I certainly wouldn't want to reduce my security by 
opening up a direct IPv6 pathway into my network.  I actually disabled 
the IPv6 networking components in Windows because I had reason to think 
they were destabilizing my IPv4 network.

> Point on the curve.  Years ago a particularly nasty worm called the
> Witty worm cut loose on the net.  Its growth was explosive.  Within
> minutes it overwhelmed routers and networks.  Within half an hour it
> had infected well over 12,000 hosts around the world.  It took days to
> clean up.  I participated in a lot of that.  Because of the unique
> nature of that worm, I was able to track it in my darknet net-telescope
> as did CAIDA, a much larger (/8) net telescope.  It was a single packet
> spoofed UDP based worm that was spoofed "from" a particular port making
> it rather easy to track and easy to tell when it managed to "sneak"
> behind a NAT router (I started seeing other ports and multiple ports
> from the same address - simple).  It wasn't part of a virus or trojan
> package, so it only propagated by network traffic alone and it wasn't
> something you tripped on browsing a web site.  A classical self
> propagating worm.
>
> From the time I saw the first Witty worm packets in the aperture of my
> net-telescope to the time I saw the first indications that it had wormed
> its way past a NAT and infected a NAT based network was under 1 minute.
> We never did determine how it was that it managed to make it past NAT
> devices, which should have been acting like firewalls, but it did and by
> the end of the day there were hundreds of NAT based networks that were
> infected.  I can't say if it snuck past stateful firewalls or not, since
> I couldn't discriminate that, but I strongly suspect that it would have
> as well.  Witty would have never gotten off the ground on an IPv6
> network.
>

Those routers may have had a bug in the firmware.  Steve periodically 
points out various consumer routers that are behaving badly and which 
need a firmware upgrade or which have a flaw and no patch is available.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
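The net-telescope heuristic Michael describes above (a single-packet UDP worm spoofed from one fixed source port, where the same address suddenly showing other or multiple source ports marks a NAT gateway with infected hosts behind it), written out as an added example over constructed log lines. This is not code from the thread; the signature port, the packet size and the log format are assumptions, since the message names none of them.

```python
import re
from collections import defaultdict

# Assumed signature values, constructed for this example; the message does not
# give the worm's spoofed source port or its UDP packet size.
WORM_SRC_PORT = 4000
WORM_UDP_LEN = 680

# Constructed darknet log lines: "<time> <src>:<sport> -> <dst>:<dport> <proto> <len>"
SAMPLE_LOG = """\
12:00:01 198.51.100.7:4000 -> 203.0.113.5:61234 UDP 680
12:00:02 198.51.100.7:4000 -> 203.0.113.9:2112 UDP 680
12:00:03 192.0.2.33:4000 -> 203.0.113.44:5050 UDP 680
12:00:04 192.0.2.33:1025 -> 203.0.113.45:5051 UDP 680
12:00:05 192.0.2.33:1026 -> 203.0.113.46:5052 UDP 680
12:00:06 203.0.113.200:53 -> 203.0.113.47:33000 UDP 120
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\d+)$")


def parse_line(line):
    """Return (src_ip, src_port, proto, length), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, src, sport, _, _, proto, length = m.groups()
    return src, int(sport), proto, int(length)


def classify_sources(log_text, worm_port=WORM_SRC_PORT, worm_len=WORM_UDP_LEN):
    """Group worm-sized UDP packets by source address and label each address.

    infected_host: only the fixed spoofed source port is ever seen from the address
    nat_suspect:   worm packets arrive with a different or several source ports, which
                   is what a NAT gateway rewriting the spoofed port for the hosts
                   behind it looks like from the telescope
    """
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, proto, length = rec
        if proto == "UDP" and length == worm_len:  # only worm-shaped packets count
            ports_by_src[src].add(sport)
    return {src: ("infected_host" if ports == {worm_port} else "nat_suspect")
            for src, ports in ports_by_src.items()}


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

Addresses whose packets never match the worm size (the DNS reply from 203.0.113.200 in the sample) are left out of the result entirely.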
