How to secure your TCP/IP ports
12th Sep 2009 | 09:00
Understanding ports is the key to shoring up your defences
The TCP/IP protocol, which underlies everything that we do on the internet, was designed when robustness rather than security was the priority.
But while it means that traffic always arrives at the right destination, assumptions and bugs in the way TCP/IP has been implemented and in the application software to which it delivers data mean that we all have to be prepared for attack when going online.
Hackers are constantly trying to discover new ways to connect to machines so that they can install backdoors for later re-entry, trojans to collect financial details and the inevitable botnet clients. Whatever their goal, the starting point is the same: the port.
This guide will help you to understand how they work, how they can be used maliciously and how to close unwanted ports to keep you safer.
In the beginning
What we now think of as the internet began in the late 1960s with the US Defense Advanced Research Agency's ARPANET. Central to its design was the idea of 'packets' of data that could be sent at will between networked computers.
These packets were sent by being passed (or 'switched') from machine to machine along a network of connections, gradually getting nearer their destination. Computers known as Interface Message Processors (IMPs) decided how to switch the packets at each network junction. Today, we call these devices routers.
Unlike telephone systems, which at the time used a single physical line to host a single conversation at a time, packet switching networks sent multiple packets of information destined for different destinations down the same line, one after the other, making them vastly more efficient.
If one part of the network was unreachable, the IMPs could decide to route a packet around the damage so that it could still reach its proper destination.
As the benefits of networking computers became apparent in the early 1970s, the number of different networking protocols in use started to become a serious bottleneck.
The big breakthrough for the internet as we now know it came in 1973, when researchers Vint Cerf and Robert E Kahn realised that by having each host computer use a common protocol, any machine could send and receive packets of data to and from any other, regardless of the physical network used.
Suddenly, any network using Cerf and Kahn's TCP/IP (which stands for Transmission Control Protocol/Internet Protocol) system could talk to any other network easily and reliably. All each manufacturer needed to do was program the protocol into its operating system.
How TCP/IP works
Depending on the data being carried, packets are sent not only to a destination computer, but also to a specific software 'port'. Each port handles different application traffic.
Port 80, for example, handles normal HTTP web traffic, while port 443 handles HTTPS encrypted web traffic. Sending email is always done over port 25, while receiving it is completed over port 110.
CLOSE THEM OFF: Closing the ports you don't need is a good place to start on the road to a secure PC
The TCP/IP system running on the internet today uses a series of handshakes to ensure that data always gets through to the correct machine, and that when it doesn't, the loss can be easily rectified. When your computer sends a packet, the following happens.
First, your computer sends the destination computer a packet containing its address, the address of the machine that it's connecting to and the number of the port to which it wants to connect. This is called a SYN packet, which is short for synchronisation. The packet also contains a random number that's known as the sequence number.
If the software on the receiving port accepts the connection, it sends back a packet called a SYN-ACK packet, short for synchronisation acknowledgement. This packet also contains a random sequence number. Your PC then sends an ACK (which is short for acknowledgement) packet back to the server. This technique is called the 'handshake'.
Once a connection is established, data transmission can begin. The packets sent by your computer are tagged with the sequence number it used when it began contacting the destination machine. Your computer includes and increments this number in each packet sent.
The combination of the source and destination IP address, the port number and the incrementing sequence ensures that all packets are uniquely identifiable.
For each packet you send, the destination computer returns a receipt (an ACK packet) to say that it got there safely. If a receipt doesn't arrive within a timeout, that's the cue to resend.
Unfortunately, TCP/IP was conceived to send and receive data reliably, not to secure it. That's the job of the applications listening and sending on specific ports.
If they don't make an effort to negotiate some form of data encryption, anyone can intercept the 'clear text' data as it flows past, which can include usernames and passwords. This is the basis for a 'man-in-the-middle' attack.
In this form of attack, data is routed through an attacker's computer, which retransmits it as if nothing had happened.
Meanwhile, the attacker copies every packet for later analysis. It's also possible to sniff this clear text traffic as it goes past on the network using a utility such as Wireshark.
LISTEN IN: Be careful when using Wireshark. If you accidentally listen in to someone else's PC, it could land you in a lot of bother with the law
In web jargon, HTTP is a plain text protocol. When you log into a site, the username and password you use are sent in plain text. This is why you should always ensure that the site is using an encrypted HTTPS connection before entering your credentials.
This goes for your ISP, too. It may be convenient to read your email on the web when you're on the move, but unless your ISP redirects to an HTTPS connection before asking for your username and password, your details could be vulnerable.
It's better to have your ISP forward your mail to a more secure online account, such as Gmail, which logs you in using an HTTPS web page.
From the earliest days of the internet, hackers quickly realised that bugs in different TCP/IP implementations meant that they could knock a computer offline by sending carefully crafted packets. They could, in other words, deny people its services.
There are two basic types of denial of service (DoS) attacks. Bandwidth consumption attacks are far more popular these days thanks to the rise of the botnet. In this type of attack, infected 'zombie' computers are directed to flood a target with data.
This usually takes the form of massive numbers of SYN packets. The target believes that someone is trying to connect, so it blindly makes a note of each request and sends a SYN-ACK packet back. Because it has to use a small amount of memory to remember all the connection requests, the target quickly gets overwhelmed and is knocked off the internet until the botnet ceases its attack.
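The handshake described in the previous section and the half-open table that a SYN flood fills up can be modelled in a few dozen lines. The following is an added example, not code from the article: it keeps a listener's backlog of unacknowledged connection requests in a dictionary, shows what happens when spoofed SYNs exhaust it, and contrasts that with a simplified SYN-cookie reply that keeps no state until the ACK arrives (the HMAC-based cookie and the sample addresses are assumptions of this example; real implementations also encode a timestamp and MSS). No packets leave the process.

```python
"""Toy model of a TCP listener's three-way handshake, its half-open table
and a SYN-cookie style defence.  Constructed example: no real sockets."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    src: str      # a string stands in for the source IP address
    sport: int
    dport: int
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Listener:
    """A listening port with a bounded half-open table (the 'backlog')."""

    def __init__(self, port, backlog=5, syn_cookies=False):
        self.port = port
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}     # (src, sport) -> our initial sequence number
        self.established = set()
        self.dropped = 0        # SYNs refused because the table was full
        self.secret = os.urandom(16)

    def _cookie(self, src, sport, client_isn):
        # Simplified SYN cookie (assumption of this example): derive our ISN
        # from the connection tuple so the final ACK can be verified without
        # remembering anything about the SYN.
        msg = f"{src}:{sport}:{self.port}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def receive(self, seg):
        """Handle one inbound segment; return the reply segment, or None."""
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if self.syn_cookies:
                isn = self._cookie(seg.src, seg.sport, seg.seq)
            else:
                if len(self.half_open) >= self.backlog:
                    self.dropped += 1   # table full: this is the DoS effect
                    return None
                isn = int.from_bytes(os.urandom(4), "big")
                self.half_open[key] = isn   # memory spent per unacknowledged SYN
            return Segment("server", self.port, seg.sport, "SYN-ACK",
                           isn, (seg.seq + 1) & MASK)
        if seg.flags == "ACK":
            if self.syn_cookies:
                # Recompute the cookie from the client's ISN (its seq - 1).
                isn = self._cookie(seg.src, seg.sport, (seg.seq - 1) & MASK)
            else:
                isn = self.half_open.pop(key, None)
            if isn is not None and seg.ack == (isn + 1) & MASK:
                self.established.add(key)
        return None


def handshake(listener, src, sport):
    """Well-behaved client: SYN, SYN-ACK, ACK. True if the connection is established."""
    client_isn = int.from_bytes(os.urandom(4), "big")
    synack = listener.receive(Segment(src, sport, listener.port, "SYN", client_isn))
    if synack is None or synack.ack != (client_isn + 1) & MASK:
        return False
    listener.receive(Segment(src, sport, listener.port, "ACK",
                             (client_isn + 1) & MASK, (synack.seq + 1) & MASK))
    return (src, sport) in listener.established


def simulate_syn_flood(listener, count):
    """The article's bandwidth-consumption attack in miniature: many SYNs from
    spoofed (documentation-range) sources that never complete the handshake."""
    for i in range(count):
        listener.receive(Segment(f"203.0.113.{i % 250}", 1024 + i,
                                 listener.port, "SYN", (i * 7919) & MASK))


if __name__ == "__main__":
    plain = Listener(80, backlog=5)
    simulate_syn_flood(plain, 20)
    print("no cookies: half-open", len(plain.half_open), "dropped", plain.dropped,
          "legit client connects:", handshake(plain, "10.0.0.9", 40000))
    cookies = Listener(80, backlog=5, syn_cookies=True)
    simulate_syn_flood(cookies, 20)
    print("cookies:    half-open", len(cookies.half_open),
          "legit client connects:", handshake(cookies, "10.0.0.9", 40000))
```

With a backlog of five, twenty unanswered SYNs leave the table full and a genuine client's SYN is dropped; with the cookie variant the table stays empty and the genuine client still connects, which is exactly the trade real stacks make when SYN cookies kick in under load.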
The second type of DoS attack is designed to crash the TCP/IP software itself. Attackers send a data packet that's either far too big or is broken into overlapping fragments. These packets confuse the target and lock it up.
One frightening element to this second form of attack is that with a single, carefully crafted packet you could take out a whole server until it is rebooted, possibly causing massive data loss for the affected website.
However, this type of attack is losing popularity with hackers because operating system producers have spent a lot of time and effort hardening their TCP/IP code to make it more reliable and less vulnerable.
Hackers exploit bugs in networking software for far more than simply disrupting services, however. It's possible in some instances to inject code into the running system. This can open a backdoor, allowing a trojan to be uploaded and installed to your machine, ready to steal your credentials, make your PC part of a botnet or even force your system to serve illegal images. Such attacks are automated and can infect thousands of computers a day.
The bug that let malicious code install the Conficker botnet's client software in just this way caused a global panic in late 2008.
Unprotected = infected
While it's necessary for some ports to be open to internet traffic, it's also necessary to ensure that only the bare minimum are exposed and that the software connected to them is as up to date as possible.
This is why it's essential to turn on automatic updates, both for your operating system, whether Windows or Linux, and for your antivirus software.
If a computer starts acting up and its patches aren't up to date, security professionals will treat it as infected. As the saying goes, 'the unprotected become infected'.
Beyond staying up to date, the key to keeping your PC secure is to ensure that your firewall is closed to all traffic other than to the ports you know should be open. Because some malicious software can silently open ports, it pays to check them yourself and close any that you don't need open.
In Windows XP, the firewall settings can be found by opening the Control Panel and double clicking Windows Firewall. If you're in an insecure place such as a public Wi-Fi hotspot, make sure that the checkbox to prevent exceptions on the first tab of the resulting window is ticked.
The second tab lists all the programs allowed through your firewall. Uncheck all those you don't actively use and press 'OK'. Also tick the checkbox that makes Windows pop up a message when it has blocked a program. By default, Windows also creates a log of firewall activity, storing it in 'C:\WINDOWS\pfirewall.log'.
The procedure is similar in Vista. On the Control Panel, select 'Allow a program through Windows Firewall' under the Security section. This brings up the same window as in XP. Inspect all the open ports and close those you don't need.
If your broadband router contains a firewall, it's a good idea to update your firmware regularly and to block traffic on all ports other than email in and out (ports 25 and 110), DNS (port 53), HTTP (port 80) and HTTPS (port 443).
On no account should you allow Microsoft's NetBIOS services through (ports 137 to 139), as these are vulnerable to attack. Finally, see the 'Test your exposure' section below for details of an online service that will show you which of your PC's ports can be seen from the internet.
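The checks above (only the expected ports open, NetBIOS never exposed) can be turned into a repeatable audit rather than a manual look through a dialog. The following is an added example, not from the article: it parses the text that `netstat -an` prints on Windows, keeps only sockets that accept inbound traffic, ignores loopback-only listeners, and classifies each remaining port against the article's allowed set. The netstat sample embedded below is constructed, and the allowed-port set mirrors the router rules in the article rather than any one PC's real needs.

```python
"""Audit listening ports against an allow-list.  Added example, not from
the article; SAMPLE_NETSTAT is constructed, not captured from a real PC."""
import re

# Ports the article's router rules let through: mail in/out, DNS, HTTP, HTTPS.
ALLOWED_PORTS = {25, 53, 80, 110, 443}
# NetBIOS ports the article says must never be exposed.
NETBIOS_PORTS = {137, 138, 139}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3421       203.0.113.7:443        ESTABLISHED
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:53             *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return (proto, local_ip, port) for every socket that accepts inbound traffic."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # banner, header and blank lines
        proto, ip, port, _foreign, state = m.groups()
        # A TCP socket is only reachable while LISTENING; UDP has no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, ip, int(port)))
    return listeners


def audit(text, allowed=ALLOWED_PORTS):
    """Classify each network-reachable listener as 'ok', 'netbios' or 'unexpected'."""
    findings = []
    for proto, ip, port in parse_listeners(text):
        if ip.startswith("127."):
            continue            # bound to loopback only: not visible from the network
        if port in NETBIOS_PORTS:
            verdict = "netbios"       # must be blocked at the firewall
        elif port in allowed:
            verdict = "ok"
        else:
            verdict = "unexpected"    # investigate: which program opened it?
        findings.append((proto, port, verdict))
    return findings


if __name__ == "__main__":
    for proto, port, verdict in audit(SAMPLE_NETSTAT):
        print(f"{proto:<4} {port:>5}  {verdict}")
```

On a real machine, pipe the output of `netstat -an` into `audit()` (or save it to a file first); anything reported as `unexpected` is a port the article tells you to close unless you can name the program behind it, and `netbios` findings are the ones to block at the firewall regardless.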
Test your exposure
When trying to assess the state of your online security, it pays to be able to see how others see your network. There are various online services that can help you. One is by T1shopper, at www.t1shopper.com/tools/port-scanner.
On this page, you'll see your IP address displayed. You can enter a single port to see if it's reachable, as well as a range of port numbers to scan.
You can also tick any of the more commonly used ports from the two-column list. Each port that's closed (meaning that it has no software attached and listening to it and is therefore not vulnerable to attack) will return a line telling you that it isn't responding.
GET TESTED: Using free online tools such as Nmap and T1Shopper will show you which ports are open on your network
If your firewall is working and configured correctly, all of these tests should fail. For a more comprehensive test – one that will find out whether there's a botnet or other piece of malware listening on a specific port on your computer – enter a start and end port number and the service will scan these individually looking for open ones.
Don't abuse this service by entering '1' and '65,535' (the highest port number). Instead, play nicely, and enter only blocks of a maximum of 500.
Scanning will take some time, so be patient. At the end you should have a comprehensive view of how exposed your system is.
First published in PC Plus Issue 285