
02/22/2004 Archived Entry: "Ports and probes"

Wendy has suggested that, if I'm going to natter on about ports and probes and vulnerabilities, then perhaps I should take a moment to explain what I'm talking about. Those of you who are familiar with IP addressing can skip the rest of this post.

When your computer is connected to the Internet, it is given a unique identifying number: its "IP address" (IP stands for Internet Protocol). This number is used by other computers to route the data that is destined for your computer over the network. You can think of this as the Internet equivalent of a telephone number, although it has nothing to do with the phone number you dial to connect your modem to your ISP (Internet Service Provider). An IP address is a 32-bit binary number, usually written as four decimal numbers from 0 to 255, like this: 192.168.19.34.

If you connect through dial-up, an IP address will be assigned to you when you connect; and when you disconnect, that IP address will be made available to someone else ("dynamic IP"). If you have a permanent Internet connection, you will probably have a permanent IP address assigned to you ("static IP").

Data is sent over the Internet in small chunks called "packets." Large amounts of data will be broken into many packets for transmission. Each packet independently contains all the information needed to route that packet over the network, including its destination IP address and its source IP address. (Yes, every packet has a "return address" identifying its sender.)

Your computer may be talking to several other computers at the same time. (Maybe you're browsing web pages while collecting your email and downloading a file.) Since all this data arrives at your computer at your single IP address, how does it know where to go? This is what "ports" are for. Your computer can have up to 65,536 ports on its single IP address. You can think of these like telephone extension numbers at a large company. When your computer needs to talk to another computer, it tells that other computer what "extension number" to use when the other computer replies.

So how do computers that are talking for the first time find out each other's port numbers? Well, when you telephone a strange company and get an automated switchboard, you can be pretty sure that "0" will get you the operator, and the operator can give you anyone else's extension number. Computers work in a similar fashion. Certain port numbers have been universally agreed to provide certain services. For example, port 80 is always used for the web server, so when your computer wants a web page from another computer, that's where it sends the request.

If someone sends your computer a request on port 80, your computer can do one of three things. If you have a web server running on your machine (many Linux computers do), it can honor the request and send a reply. If you don't have a web server, it can send a reply saying "no". Or your computer can simply ignore the request and not even acknowledge it. Your port 80 would be called "open," "closed," or "stealthed," respectively.

An "open" port means that a program running on your computer is willing to accept packets received for that port. Usually this program will be part of the operating system. For example, port 139 is used by Microsoft computers to share files on the hard disk. When you enable file sharing on your local area network, you instruct the operating system to honor requests sent to port 139 (and also 138 and 137).

This is an example of a major vulnerability. Many Windows machines (and even some Linux systems) do not distinguish between the local network (your Ethernet) and the outside world (your modem). So if you have enabled file sharing carelessly, and you are dialed into your ISP, any computer in the world can read and write files on your hard disk. It's been estimated that 1 to 3% of Windows computers -- millions! -- are "wide open" in this way. To be safe,

1. Don't enable file sharing unless you need it.
2. Don't ever enable sharing for drive C:. Instead, enable just selected folders (and never any of the system folders).
3. Enable file sharing "read only," so that even if strangers can read your files, at least they can't change them or write new ones.
4. Establish passwords for your shared folders.
5. Put a firewall between you and the outside world. A firewall can distinguish between requests on your local area network, and requests from the modem; and it can block the latter.

So now you have enough knowledge to understand one of the "rules" we previously used in our firewall:

ipchains -A input -i ppp0 --dport 139 -j DENY

...which, amidst the usual cryptic Unixish punctuation, says: tell Ipchains (the firewall program), for received packets (input) from the modem (ppp0), destined for port 139, to "deny" those packets (ignore them and don't reply).

I say "previously used" because we now have a simpler rule: we deny all packets from the outside world, unless they're replies to a request made by our computers. This is because so many ports are now being opened by viruses.

It's possible for a virus, like any other program on your computer, to tell the operating system that it will accept requests sent to some arbitrary port number... thus "opening" that port. Viruses may do this to accept new programming from the outside world; for example, the MyDoom virus opens port 3127 on an infected computer. To find those vulnerable computers, "hostile" outside computers will send requests to random computers using that port number, to see if they're honored, refused, or ignored. If such a request is honored, an infected computer has been found.

So even though we're not infected, we get constantly bombarded with these "probes" on our port 3127 (and many other ports), looking for an opening. We used to send a reply saying the port is "closed," but that consumes bandwidth, and also lets the hostile computer know that there is a computer at this IP address... and even if it's not infected with MyDoom, it might be vulnerable to some other attack. Now we simply ignore all such requests and don't reply, denying invaders knowledge of our very existence. A good firewall program will do that.
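To make the difference between the old per-port rule and the newer "replies only" rule concrete, here is a small model of both filters, added here as an illustration rather than code from the post or from ipchains itself. The packets, the interface names, and the outside addresses (203.0.113.10 and 198.51.100.7) are constructed for the example; only 192.168.19.34 comes from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # "ppp0" is the modem, "eth0" the local network (assumed names)
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


def port_only_filter(pkt, outside="ppp0", blocked=(137, 138, 139)):
    """The older rule: deny inbound packets on the modem only for listed ports."""
    if pkt.direction == "in" and pkt.iface == outside and pkt.dport in blocked:
        return "DENY"
    return "ACCEPT"


class ReplyOnlyFilter:
    """The newer rule: drop everything arriving on the modem unless it answers
    a request one of our machines sent out first. Unsolicited probes get no
    reply at all, so every port looks "stealthed" from outside."""

    def __init__(self, outside="ppp0"):
        self.outside = outside
        self.requests = set()  # (our ip, our port, remote ip, remote port)

    def handle(self, pkt):
        if pkt.direction == "out":
            if pkt.iface == self.outside:
                self.requests.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.iface != self.outside:
            return "ACCEPT"  # LAN traffic, e.g. file sharing from a neighbour
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.requests:
            return "ACCEPT"  # a reply to something we asked for
        return "DENY"        # ignored silently, no "closed" reply sent


def demo():
    """Run constructed packets through both filters; returns (port, old, new)."""
    us, site, prober = "192.168.19.34", "203.0.113.10", "198.51.100.7"
    f = ReplyOnlyFilter()
    pkts = [
        Packet("ppp0", "out", us, 40001, site, 80),          # we request a web page
        Packet("ppp0", "in", site, 80, us, 40001),           # the page comes back
        Packet("ppp0", "in", prober, 55555, us, 3127),       # MyDoom-style probe
        Packet("ppp0", "in", prober, 55556, us, 139),        # file-sharing probe
        Packet("eth0", "in", "192.168.19.2", 1025, us, 139),  # LAN neighbour
    ]
    return [(p.dport, port_only_filter(p), f.handle(p)) for p in pkts]
```

The port 3127 probe is the telling case: the old rule lets it through to whatever is (or is not) listening, while the reply-only rule drops it because no machine of ours asked 198.51.100.7 for anything.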

brad
