[SATLUG] Why are my ports 135,139,and 445 open?

Henry Pugsley henry.pugsley at gmail.com
Sat Dec 26 11:44:24 CST 2009


On Sat, Dec 26, 2009 at 9:25 AM, Don Davis <dondavis at reglue.org> wrote:
>
> There are two hops above me: 'foo' and an inconclusive * * * *.
> Scanning 'foo' shows a few filtered ports, but none of the ports in
> question.
> Is it acceptable to scan my subnet neighbors from the ISP to check?

I'm not sure what you would hope to learn from doing this, but I
always recommend against scanning systems that do not belong to you or
you do not control. "foo" is probably your own router (what's the IP?)
There are normally vague terms in the AUP that allow an ISP to cancel
your account for general mischief (should someone complain or notice).
All you'll find is that everyone else is running a
linksys/belkin/dlink/netgear router with a bunch of filtered and
closed ports ;)

> Any thoughts on a free or close to free shell account that offers IPv6? Or
> are there recommendations on how to set up an IPv6 tunnel using a shell
> account? (I'd like to check the IPv6 from the outside as well, but my
> exterior shell account doesn't have IPv6.)

Why scan IPv6 if there is no way to access your system with IPv6
without setting up a specialized tunnel?  If you're setting up a
tunnel then you should definitely know what is going over the tunnel,
thus making scanning pointless.

> It is a good point - why did the ISP decide on REJECT instead of DROP?

If you DROP packets, the sender does not know their packets are not
getting through and will keep sending more packets which results in
added network traffic.  A REJECT sends an ICMP unreachable or a TCP
reset, which tells the sender "nothing here, move along".  Yeah, it
sounds cool to appear stealthy but if you're an ISP with tens of
thousands of subscribers, 3x more traffic from port scans can crush
your network.  The ARP traffic alone on a cable node from constant
port scans is enough to kill some low-end consumer routers.  Connect
your PC directly to your cable modem and do a tcpdump for ARP traffic
at 3am and you'll see what I mean.

The only time I use DROPs on my system is during a DoS attack, because
it makes the attacker think that the system is offline, giving the
appearance of a successful attack :)

-Henry

>
>
> Ernest De Leon wrote:
>>
>> Ah, so I didn't pay good attention to the first post from Don so I missed
>> that he has a router with OpenWRT. With that caveat, remember that it
>> doesn't matter what you have set on the laptop firewall, if you are using an
>> external scanner such as ShieldsUp from GRC, it will report back what the
>> router is REJECTing or DROPping.
>>
>> Also, most ISPs do not block ports other than 25 [and maybe 80 inbound (to
>> block web servers.)] If they did block these ports Don is talking about, I
>> doubt they would REJECT the packets. They would most likely DROP the packets
>> (see below.)
>>
>> In general, you want to be as stealthy as possible when connected to the
>> internet. This is why you DROP packets instead of REJECTing them. By
>> REJECTing them, you give a response and thus prove that there is a machine
>> at that particular IP. ISPs know this very well and if they filter ports at
>> all, they usually DROP packets so as to avoid a possible DoS/DDoS against a
>> particular subscriber IP.
>>
>> I'm willing to bet that Don is trying to figure out why those port numbers
>> are giving off responses at all rather than silently DROPping packets.
>>
>> E
>>
> --
> _______________________________________________
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug to manage/unsubscribe
> Powered by Rackspace (www.rackspace.com)
>



-- 
"The best way to predict the future is to invent it" - Alan Kay
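The REJECT-versus-DROP discussion in this thread turns on two things an outside scanner can observe: what reply (if any) comes back for a SYN, and how many probes the scanner sends before it gives up. The script below is an added example, not code from this thread or from any of its authors. It models one SYN probe against a host whose firewall applies one of the policies discussed (DROP, REJECT with the default ICMP port-unreachable, REJECT with tcp-reset, or no filter at all), builds the reply as raw IPv4/TCP/ICMP bytes, and classifies it the way nmap-style SYN scanners do. The addresses, ports, policy names, retry limit and the firewall model itself are constructed for the example; the state mapping (SYN/ACK = open, RST = closed, ICMP type 3 with code 1, 2, 3, 9, 10 or 13 or no answer at all = filtered) is the one nmap documents.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
# ICMP destination-unreachable codes that a SYN scanner (nmap's convention) reports as "filtered"
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}

# Constructed addresses for the example (TEST-NET ranges, never routed)
SCANNER, TARGET = bytes([198, 51, 100, 9]), bytes([203, 0, 113, 7])


def build_ipv4(proto, payload, src, dst):
    # 20-byte IPv4 header; checksum left at 0 because these bytes never touch a wire
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, flags):
    # Minimal 20-byte TCP header: seq/ack 0, data offset 5, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def build_icmp_unreach(code, offending):
    # Type 3 + code, checksum 0, 4 unused bytes, then the original IP header + 8 bytes
    return struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]


def target_reply(policy, probe):
    """Reply the scanned host sends for one SYN under a given policy (assumed model, not real kernel code)."""
    sport, dport = struct.unpack("!HH", probe[20:24])
    if policy == "drop":                               # iptables -j DROP: silence
        return None
    if policy == "reject-icmp":                        # iptables -j REJECT (default icmp-port-unreachable)
        return build_ipv4(1, build_icmp_unreach(3, probe), TARGET, SCANNER)
    if policy in ("reject-tcp-reset", "closed"):       # REJECT --reject-with tcp-reset, or simply no listener
        return build_ipv4(6, build_tcp(dport, sport, RST | ACK), TARGET, SCANNER)
    if policy == "open":                               # a listener accepted the SYN
        return build_ipv4(6, build_tcp(dport, sport, SYN | ACK), TARGET, SCANNER)
    raise ValueError(policy)


def classify_response(pkt, dport):
    """Map one reply (or none) to a SYN probe onto an nmap-style port state."""
    if pkt is None:
        return "filtered"                  # silence: DROP, or a lost packet; the scanner will retransmit
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 6:
        sport, _, _, _, _, flags = struct.unpack("!HHIIBB", body[:14])
        if sport != dport:
            return "unrelated"
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
        return "unrelated"
    if proto == 1 and body[0] == 3 and body[1] in FILTERED_UNREACH_CODES:
        return "filtered"
    return "unrelated"


def syn_scan(policy, dport=445, max_retries=2):
    """Probe one port; retransmit on silence up to max_retries. Returns (state, probes_sent)."""
    sent = 0
    while True:
        probe = build_ipv4(6, build_tcp(40000, dport, SYN), SCANNER, TARGET)
        sent += 1
        reply = target_reply(policy, probe)
        if reply is not None or sent > max_retries:
            return classify_response(reply, dport), sent


if __name__ == "__main__":
    for policy in ("drop", "reject-icmp", "reject-tcp-reset", "closed", "open"):
        state, sent = syn_scan(policy)
        print(f"{policy:18s} -> {state:9s} after {sent} probe(s)")
```

With the default retry limit the DROP policy costs the scanner three probes for every one that a REJECT policy costs, which is the traffic multiplier Henry describes, while the scanner still learns nothing beyond "filtered". Note also that REJECT with tcp-reset and a genuinely unfiltered closed port produce byte-identical replies, so from outside a "closed" port does not tell you whether a firewall is involved at all.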