Totally Stealthy Router

In response to the post detailing router response to port scans, one of my readers asked an interesting question:

“I was wondering if there was a way to prevent the router from sending those TCP RST packets administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets period without replying back in any way, shape, form, or fashion.”
Here's how you do it:
  • No TCP RST packets should be sent as responses to port scans. Inbound access list dropping all IP packets achieves that.
  • Outbound traffic, both from the protected LAN as well as from the router itself (ping, telnet, DNS, NTP ...) should be allowed. Configure ip inspect with router-traffic option.
  • Disable generation of ICMP unreachables with the no ip unreachables interface configuration command.
The relevant parts of router configuration are included below:
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
!
interface FastEthernet0/0
ip address a.b.c.d x.y.z.w
ip access-group Internet in
no ip unreachables
ip inspect Internet out
!
ip access-list extended Internet
deny ip any any
Notes:
  • The sample router configuration is taken from a SOHO router doing PAT on the public interface. You might have to adjust the Internet access-list to your needs.
  • This article is part of You've asked for it series.

1 comment:

  1. First off, I'd like to say your blog rocks!!! I love it, thank you so much.

    =)

    I'd like to point out that I've been messing with the inspect rules -- and instead of useing tcp, udp and icmp statements, the 'ip' does all three. Just thought you could use that tidbit here. I also played with allowing specific ports before the inspect, it keeps those from being generated on the other side. (I have explicit allows in for a port both udp and tcp that I thought would be redundant in the inspect espeecially since there's tons of connections on those ports.)

    The way you implemented it gives me a great idea on keeping things simple too. I had three lists set up where you have one and I think it'll trim down my fw. Thanks again!!!

    -tommy.becker@gmail.com

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.