Stealth Ports even while communicating?

I was using a port probing site/program called ShieldsUp! to scan my ports. It reported back that all of my ports were "stealth", and in their words

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

Then I ran the same port scan when I knew that I had a program that was using certain ports and the test came back stealth again.

Is that to be expected? I was under the impression that using the ports made them visible. I was expecting it to find that many of my ports were simply closed based on their Internet Port Status Definition because I was running these tests on a fresh installation of Ubuntu with no third party firewall installed.

But even if Ubuntu had a built in firewall, I had to tell it to specifically open the ports I wanted to use. Would Ubuntu automatically close those ports when it didn't get any traffic coming or going?

Additional information (wasn't sure it would matter at first)

I left out part of the explanation because I wasn't sure it would be relevant, but now I think it might be. I had set it up so that two computers on my network were communicating using a simple communication client. And while the two computers were communicating, I ran the port probe on one of the computers. I only mention this because it seems like their would be ports open because each computer would be expecting traffic on a given port.

Ryan

Posted 2010-10-22T16:38:52.677

Reputation: 1 488

1Do you have a firewall/router between the internet and your computer? If so, then the site is actually probing your router rather than your computer, unless you have the router configured to pass incoming connections to the computer (e.g. port forwarding or DMZ) – Eric Petroelje – 2010-10-22T18:19:11.607

Answers

There is a difference between a port at your side and a port on the server, and between a listening port and a connection.

ShieldsUp! only looks for TCP ports that have a service listening on your computer for connections from elsewhere. For example, if you had a web server running, you would have TCP/80/incoming "open".

(If A tries to establish a connection to B port X, and there's no service listening on that port, A usually receives a "reset" packet. AFAIK, Stealth mode means A won't even receive a negative reply -- as if the host did not exist.)

However, "using" the same port -- browsing the web using HTTP, for example -- doesn't open that port at your side. A HTTP connection you make is to port 80 on the web server, but from a randomly chosen port at your side. And even that local port cannot be described as "open", for there is nothing listening for connections on it; the OS only accepts packets belonging to a specific already-active connection.

Each TCP connection is identified by four things: local address:port and remote address:port pairs. Two packets must have identical address:port pairs to be considered as belonging to the same connection (although replies obviously have local and remote reversed).

For example, if you are 1.0.0.1 and open a TCP connection from 1.0.0.1:13579 to 2.2.2.2:80. When a packet is received, it will be considered as belonging to the same connection only if it came from 2.2.2.2:80 to 1.0.0.1:13579.

This means you can:

open multiple connections to different servers;
to different ports of the same server;
and even to the same port of the same server

as long as at least one number (usually the randomly-chosen local port) is different.

user1686

Posted 2010-10-22T16:38:52.677

Reputation: 283 655

Okay, I left out part of the explanation because I wasn't sure it would be relevant, but now I think it might be. I had set it up so that two computers on my network were communicating using a simple communication client. And while the two computers were communicating, I ran the port probe on one of the computers. Would your explanation still be accurate if this was how the ports were being used? I only ask because it seems like their would be ports open because each computer would be expecting traffic on a given port. – Ryan – 2010-10-24T20:22:45.103

@Ryan: Updated the answer... [I'm quite bad at explaining things though.] – user1686 – 2010-10-26T18:41:42.253

Thanks for the update! You did a great job explaining it! – Ryan – 2010-10-27T04:30:54.520

Ports are only open when a process is listening, expecting remote devices to connect to it. As such the results you've received are to be expected.

Cry Havok

Posted 2010-10-22T16:38:52.677

Reputation: 3 486

As I understand it, your firewall sits between any application on your PC (that has permission from the automated firewall rules or from you) and the internet. If the programme is listening for data on a port, then the firewall is listening too. Any unexpected attempt at communication from the internet will be detected by the firewall and ignored/dropped, the application won't even see it.

Tog

Posted 2010-10-22T16:38:52.677

Reputation: 4 747