* How to make a computer invisible
@ 2003-11-30 18:12 Thomas Preissler
2003-11-30 18:31 ` Chris Brenton
2003-11-30 19:32 ` Leonardo Rodrigues Magalhães
0 siblings, 2 replies; 14+ messages in thread
From: Thomas Preissler @ 2003-11-30 18:12 UTC (permalink / raw)
To: netfilter-user Mailinglist
Hello folks,
how do I really make a computer totally invisible, as it would be
if it did not exist?
It is clear that the simplest solution is to DROP all incoming
packets, but what about (R)ARP packets? Can they be blocked at all?
TIA,
Tom
* Re: How to make a computer invisible
From: Chris Brenton @ 2003-11-30 18:31 UTC (permalink / raw)
To: Thomas Preissler; +Cc: netfilter-user Mailinglist
On Sun, 2003-11-30 at 13:12, Thomas Preissler wrote:
>
> how do I really make a computer totally invisibly as it would be
> when it does not exist?
Leave the power switch in the "off" position. ;-)
> It is clear, that the simplest solution is to DROP all incoming
> packets,
Actually, dropping packets is a clear indication that you do in fact
have a firewall protecting one or more systems. It's the only condition
which will cause ICMP error packets to not be returned consistently.
You would be better off rejecting with host unreachables. Then your
firewall looks like a simple router, and the host in question looks like
it is powered down.
HTH,
C
* Re: How to make a computer invisible
From: Leonardo Rodrigues Magalhães @ 2003-11-30 19:32 UTC (permalink / raw)
To: Thomas Preissler, netfilter-user Mailinglist
AFAIK, iptables can use some 'layer 2' information such as MAC address
for doing some filtering in some tables, but it CAN'T be used for filtering
those 'layer 2' packets. That means iptables CANNOT modify ARP/RARP
behavior.
Sincerely,
Leonardo Rodrigues
* Re: How to make a computer invisible
From: Chris Brenton @ 2003-11-30 18:53 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter-user Mailinglist
On Sun, 2003-11-30 at 14:32, Leonardo Rodrigues Magalhães wrote:
> AFAIK, iptables can use some 'layer 2' information such as MAC Address
> for doing some filtering in some tables, but it CANT be used for filtering
> those 'layer 2' packets. That means iptables CANNOT modify ARP/RARP
> behavior.
You can choose to ignore them, by initializing the interface with a
'ifconfig -arp', but this will disable all ARP functionality forcing you
to use manual entries. That's sort of like filtering. ;-)
C
* Re: How to make a computer invisible
From: Leonardo Rodrigues Magalhães @ 2003-11-30 19:49 UTC (permalink / raw)
To: netfilter-user Mailinglist
Some new information...
iptables really cannot do that. But you should take a look at:
http://sourceforge.net/projects/ebtables/
Go to the Files link and you'll see 'arptables'... guess what it does???
:)
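The two ARP-side approaches mentioned in this thread, Chris's "ifconfig -arp" with manual entries and Leonardo's arptables pointer, written out as an added example. This is not code from the thread or from the ebtables/arptables project; the interface name, the IPs and the MACs are assumptions, and "ip link ... arp off" / "ip neigh" are the iproute2 equivalents of "ifconfig -arp" / "arp -s". By default the script only prints the commands it would run, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Two ways to keep a Linux host from
# answering ARP for an address, so that ARP replies are no longer the one thing
# a LAN-side sniffer still sees. Interface, IPs and MACs below are assumed.
# DRYRUN=1 (the default) only prints the commands; DRYRUN=0 runs them as root.

DRYRUN="${DRYRUN:-1}"

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# arp_off_static IFACE GATEWAY_IP GATEWAY_MAC
#   Chris's approach with iproute2: switch ARP off on the interface entirely
#   and pin the one neighbour we still need to talk to. Nothing on the LAN can
#   resolve us any more, so the gateway needs a static entry for us as well.
arp_off_static() {
    iface="$1"; gw_ip="$2"; gw_mac="$3"
    run ip link set dev "$iface" arp off
    run ip neigh replace "$gw_ip" lladdr "$gw_mac" dev "$iface" nud permanent
}

# hide_arp IFACE HIDDEN_IP [GATEWAY_MAC]
#   Leonardo's approach: filter the ARP frames themselves with arptables, which
#   iptables never sees. Only requests for HIDDEN_IP are dropped, so the other
#   addresses on the interface keep working. If GATEWAY_MAC is given, the
#   router alone may still resolve the hidden address.
hide_arp() {
    iface="$1"; hidden="$2"; gw_mac="$3"
    if [ -n "$gw_mac" ]; then
        run arptables -A INPUT -i "$iface" --opcode Request -d "$hidden" \
            --source-mac "$gw_mac" -j ACCEPT
    fi
    # Drop incoming who-has for the hidden address and any reply we would send.
    run arptables -A INPUT -i "$iface" --opcode Request -d "$hidden" -j DROP
    run arptables -A OUTPUT -o "$iface" --opcode Reply -s "$hidden" -j DROP
}

# Print (or, with DRYRUN=0, apply) the arptables rules when invoked directly:
#   sh hide_arp.sh eth0 192.0.2.10 00:11:22:33:44:55
if [ $# -ge 2 ]; then
    hide_arp "$@"
fi
```

Caveat for either variant: a host that does not answer ARP is unreachable from the LAN, not just hidden, unless the one peer that should reach it (usually the gateway) carries a static entry for it. And if the hidden host originates traffic itself, its own ARP requests still carry HIDDEN_IP in the sender field; pair hide_arp with a permanent neighbour entry for the gateway so it never has to ask.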
* Re: How to make a computer invisible
@ 2003-12-01 9:59 ph4ke
From: ph4ke @ 2003-12-01 9:59 UTC (permalink / raw)
To: netfilter
Hi,
maybe I should add my two cents as well.
I would say that if you want to make a node invisible, then just get iptables
to reject everything that tries to initiate a connection.
If the host is going to be a firewall, I like to make a bridge, put my
iptables rules on it, then take off the IP address of the bridge.
This will make the host invisible, in the sense that no-one will be able to
connect, but some clever people might figure out that something sits between
them and other hosts.
Maybe this can help you.
--
ph4ke
* Re: How to make a computer invisible
@ 2003-12-02 4:40 Babar Kazmi
From: Babar Kazmi @ 2003-12-02 4:40 UTC (permalink / raw)
To: netfilter-user Mailinglist
Hello ..
As far as I know, iptables uses MAC address information for filtering.
It can't be used for filtering packets, and I assume iptables cannot edit /
modify ARP / RARP stuff.
If you find an alternate way, Do Share :)
Regards
Babar Kazmi.
* Re: How to make a computer invisible
From: Michael Gale @ 2003-12-02 15:14 UTC (permalink / raw)
To: netfilter
Hello,
You can make a machine almost invisible with iptables. I have a firewall box with multiple IPs on one interface. One IP address does not have any servers listening on it. So if I do an nmap for all TCP and UDP ports and watch the traffic through tcpdump, the only responses I see are ARP replies.
So besides the response to ARP traffic no packets were sent out, so if I could disable the ARP reply, nothing would be known.
The nmap scan could only tell me that all ports are filtered :)
If you have a service on the IP, like a web server, I can not see you being able to hide it.
Also, iptables by default is an IP-based filter, so a rule like:
iptables -A INPUT -j DROP
will not drop layer-two stuff.
You could try:
iptables -I INPUT -m mac -j DROP
but I am not sure what this would cause and what else it will break :)
Michael.
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: How to make a computer invisible
From: Chris Brenton @ 2003-12-02 15:48 UTC (permalink / raw)
To: Michael Gale; +Cc: netfilter
On Tue, 2003-12-02 at 10:14, Michael Gale wrote:
> Hello,
>
> You can make a machine almost invisible with iptables.
<snip>
> So if I do a nmap for all TCP and UDP ports and watch the traffic through a TCP dump the only responses I see are ARP replies.
I guess this depends on what you mean by "invisible". When you ran your
scan nmap reported back "filtered". This is because nmap is smart enough
to know that no response back means there is a firewall controlling
traffic between the source and the target.
So while an attacker can't tell if the IP is up or down, they can tell
there is a firewall in the way and if the host is up, no accessible
services are being offered.
> If you have a service on the IP -- like a web server I can not see you being able to hide it.
I've had pretty good luck using:
-j REJECT --reject-with icmp-host-unreachable
If the open service ports are not the first ones hit, many vulnerability
scanners read this as the host being off-line and never bother to
complete the scan. So while people going directly to port 80 will access
your Web server without a problem, people doing a vertical port scan
many times get a response saying the host is off-line and never get to
see that TCP/80 is open.
HTH,
C
* Re: How to make a computer invisible
From: Michael Gale @ 2003-12-02 16:01 UTC (permalink / raw)
To: netfilter
Do you have a rate limit on this rule? If not, could someone simply hammer a non-open port, causing your machine to send out a large number of REJECT packets?
Michael.
--
Michael Gale
Network Administrator
Utilitran Corporation
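The INPUT chain Chris describes (REJECT with icmp-host-unreachable instead of DROP, one service still reachable), with the rate limit Michael asks about, as an added example that is not code from the thread. The interface name, the served port and the limit values are assumptions. By default the script prints the iptables commands for review; DRYRUN=0 applies them as root.

```shell
#!/bin/sh
# Added example, not code from the thread. An INPUT chain that answers probes
# with ICMP host-unreachable (Chris's suggestion) instead of silently dropping
# them, keeps one TCP service reachable, and rate-limits the ICMP so a flood
# of probes cannot turn the box into an ICMP generator (Michael's concern).
# Interface name and port are assumptions. DRYRUN=1 (default) prints the
# iptables commands; DRYRUN=0 applies them as root.

DRYRUN="${DRYRUN:-1}"
IPT="${IPT:-iptables}"

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# play_dead IFACE SERVED_TCP_PORT
play_dead() {
    iface="$1"; port="$2"

    # Local traffic and replies to connections we (or an accepted client)
    # started. INVALID is dropped, never rejected: a stray packet must not
    # provoke an ICMP out of a host that is pretending to be off.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one service we really offer (assumed: a web server on TCP/80).
    run -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT

    # Everything else gets "host unreachable", which is what a router sends
    # for an address nobody answers ARP for. -m limit caps the ICMP rate;
    # whatever exceeds the burst falls through to the DROP and looks
    # "filtered" to the scanner instead.
    run -A INPUT -i "$iface" -m limit --limit 10/second --limit-burst 20 \
        -j REJECT --reject-with icmp-host-unreachable
    run -A INPUT -i "$iface" -j DROP
    run -P INPUT DROP
}

# Usage: sh play_dead.sh eth0 80  (review), DRYRUN=0 sh play_dead.sh eth0 80
if [ $# -eq 2 ]; then
    play_dead "$1" "$2"
fi
```

To check the effect, scan the box from another host with nmap --reason while running tcpdump -ni <iface> icmp on the target: probes to closed ports should now be answered with ICMP host-unreachable instead of nothing, and once the limit is exceeded the remaining probes go unanswered and show as filtered, which is the trade-off the rate limit buys.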
* Re: How to make a computer invisible
From: Thomas Preissler @ 2003-12-02 16:26 UTC (permalink / raw)
To: netfilter
Hello,
* Chris wrote on 12/02/03:
> On Tue, 2003-12-02 at 10:14, Michael Gale wrote:
> > Hello,
> >
> > You can make a machine almost invisible with iptables.
>
> <snip>
>
> > So if I do a nmap for all TCP and UDP ports and watch the traffic through a TCP dump the only responses I see are ARP replies.
>
> I guess this depends on what you mean by "invisible". When you ran your
I mean that it looks as if the computer with IP x is not reachable, the
same as when you address an IP that belongs to no computer, i.e. an
unused IP.
I think REJECTing with "Destination Host Unreachable" is OK and
produces nice results.
But I must have a look at the ARP requests; I think I must read the
ebtables documentation, it looks good ;-))
[...]
Background: I am just experimenting and this was an interesting
issue for me. I want to setup a whole net with UML boxes and hide
the physical computer... Just testing, just playing... nothing else.
Just testing about some very crazy networking issues ;-)))
Thx,
Tom
* Re: How to make a computer invisible
From: Chris Brenton @ 2003-12-02 18:19 UTC (permalink / raw)
To: netfilter
Greetings!
On Tue, 2003-12-02 at 11:26, Thomas Preissler wrote:
>
> I mean, that it looks like that the computer with the ip x is not
> reachable as the same as it is, when you address an ip that
> addresses no computer, i.e. is an unused ip.
Then using a "drop" is not quite the same. Let's say you have no
firewall and someone sends a packet to an unused IP:
packet is received by your edge router
router realizes the target IP is local off of one interface
router sends 3 ARP requests for the IP
When no ARP reply is received, router gives up and returns a host
unreachable to the source IP
Again, nmap expects the above which is why it reports "filtered" when it
hits your drop rule. This is why you can mess up its results by
returning host unreachables.
> Background: I am just experimenting and this was an interesting
> issue for me. I want to setup a whole net with UML boxes and hide
> the physical computer.
UML does this quite nicely. I was part of the crew that started
Dartmouth's security institute, as well as one of the original members
of the honeynet. In both groups we used UML extensively in the setup you
mention above. check:
http://www.ists.dartmouth.edu
They probably still have some papers up there written by Bill Stearns
and myself on the subject.
HTH,
C
* Re: How to make a computer invisible
From: Arnt Karlsen @ 2003-12-02 19:48 UTC (permalink / raw)
To: netfilter
On Tue, 02 Dec 2003 13:19:14 -0500,
Chris Brenton <cbrenton@chrisbrenton.org> wrote in message
<1070389153.2057.34.camel@grendel>:
> Then using a "drop" is not quite the same. Let's say you have no
> firewall and someone sends a packet to an unused IP:
>
> packet is received by your edge router
> router realizes the target IP is local off of one interface
> router sends 3 ARP requests for the IP
> When no ARP reply is received, router gives up and returns a host
> unreachable to the source IP
>
> Again, nmap expects the above which is why it reports "filtered" when
> it hits your drop rule. This is why you can mess up its results by
> returning host unreachables.
..so, to play dead, we really ought to wait for the 3rd "ping"
before firing off the "Destination Host Unreachable"?
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.