Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Evil Port Monitors?
Yes. Evil Port Monitors. I can't think of a better label for the large assortment of junk that's masquerading as something that will protect and notify you of dangerous intrusion attempts . . . when in reality they ACTIVELY ATTRACT the attention of passing scanners and invite much closer inspection of "protected" personal computers by malicious intruders.

Evil is what they are. A well-meaning friend suggested that perhaps I was being too harsh. She suggested that I should refer to them as "technologically challenged port monitors." I thanked her for the suggestion. She was right that they are indeed technologically challenged . . . but this is not the time for political correctness. These things are deliberately deceptive which makes them ethically challenged in my book. I think that's evil!

High-quality, low-level packet-filtering personal firewalls — which I discuss and review in detail on the next page — provide tremendous security benefits for the price. But many companies are leveraging customer ignorance and trading on hype. With much less investment in technology and much more in marketing, they are taking advantage of Internet security hysteria to score a fast buck.

During my successful quest for high-quality Internet security solutions, I encountered more than ten pieces of software that make outrageous claims, deliver little, and are much worse for the security of your computer than using nothing at all! I won't name them here, because any of these products might get their acts together in the future. Instead, I'll show you how you can easily determine whether any program you're using or considering to use is a worthwhile and safe monitor of Internet activity . . . or a piece of junk that's actively attracting attention to you and your computer.

The whole truth is, so much junk is being pushed with exaggerated claims, that unless you know otherwise I would stick with one of the tools I've reviewed and recommended on the next page. But if you're already using one of the many Evil Port Monitors, you should at least understand how it's compromising your security rather than enhancing it.

How can using a port monitoring program be worse than using nothing at all?

Before we go any further we'd better develop a sound understanding of what exactly a "TCP/IP Port" is. Please take a moment to click the TechZone link below so we'll have a common vocabulary:

TechZoneWhat's a Port?

When your computer is scanned by the typical Internet port scanner, connection attempts are made across a range of potential connection ports on your system. Some scanners target specific ports. For example, NetBIOS (Windows shares) scanners send message packets to port number 137 to solicit a response and to collect Windows' "name" information (That's what the first page of this Shields UP! site does in order to retrieve your name information.) Or a NetBIOS scanner might attempt to connect on port 139 (the so-called NetBIOS session port) in order to directly access the system's shared resources. Trojan horse scanners typically attempt connections on high-numbered ports where their "Trojan" servers may have crawled into your system and be waiting for a passing intruder to come calling. (This is how the well-known Back Orifice Trojan horse program operates. Here's a list of the ports used by known Trojan programs.) Or if a known vulnerability exists inside a particular application (most applications seem to have many) — like Windows Personal Web Server, for example, where several exploits are known — then the scanner may try to connect on the system's HTTP (web) port number 80.

"Ports" are just what they sound like: PORTALS into your computer. Entry points to give intruders a foothold. Entry points whose mere existence provides intruders with valuable information. The wily cracker knows that the ports which accept connections imply the existence of server software that's listening and waiting to communicate. That's a place to mount an attack.

So here's the whole problem: Low-technology "Internet monitors" function by pretending to be Internet servers. They deliberately open connection ports that weren't open before and wait for passing scanners to test those connection points. The problem is that when they sense an intruder through a port, that intruder achieves a successful connection to your machine and is led to believe that a complex and probably insecure server is available to be compromised.

An Evil Port Monitor gives your computer the external
appearance of a huge server farm ready for harvesting!

When viewed from across the Internet, computers running Evil Port Monitors give the appearance of being the Grand Central Station of servers with a wide array of exploitable resources. These technologically challenged port monitors typically listen (and allow connections) to ports 21, 23, 25, 80, 110, 443 among others. This gives any passing scanner the seductive impression that they've just encountered a server farm ripe for harvesting. Any cracker examining his scanner's report would be led to believe that they've discovered servers for file transfer protocol (ftp on port 21), remote command prompt execution (Telnet on 23), sending and receiving email (SMTP on 25 and pop on 110), and insecure and secure web services (on ports 80 and 443) among others. Needless to say, this is not the way to maintain a low profile on the net!

Using one of these so-called monitors is like leaving your front door unlocked and slightly ajar in the hopes of catching a burglar: You might well lure someone into your home, but then you have an entirely different problem!

But it doesn't have to be that way! By comparison, high-quality port monitors — which do exist but are not free — can sense connection and intrusion attempts without opening or exposing any ports. If you want to watch for connection attempts to your machine, you should use a good port monitor, not an evil one!

Spotting an Evil Port Monitor . . .

The rule of thumb is simple: Internet monitors should JUST monitor. They should NOT alter the exterior "open port profile" of your computer as seen from the Internet. Yet monitoring without opening ports is MUCH more difficult and requires system-level programming expertise. The products I mention on the next page are able to do it, and my forthcoming freeware firewall will too, but I'm unaware of any other free software that can.

Spotting an evil port monitor is simple: We just need to know whether it has altered your computer's open port profile as seen from the Internet. To know this, we need to perform our own "port scan" of your computer once while the suspected evil port monitor is running and then again when it's not. It just so happens that I have a nifty little port scanner built into this web site. (You knew that didn't you?) If your port monitor is opening ports that aren't open when it's not running, you should give serious thought to whether you wish to continue using it at the cost of attracting the attention of passing port scanners.

Performing your own Port Probe . . .

Any time you would like to check the "open port profile" of your computer — or test any "intrusion detection" program you're experimenting with and getting to know — you can revisit this site's first page where you'll find the option to probe the "top ten" of your computer's TCP/IP ports. This page checks the ten most "popular" Internet service ports, showing you what a port scanner would see.

Having Fun with the Port Probe . . .

So what can you do with the port probe? How can you use it to help tighten your system's security?

Probing your ports with and without your favorite Internet port monitor running will allow you to independently verify whether or not you have been using an evil port monitor. I'm sorry if you determine that it's evil, but wouldn't you rather know? Some of the true personal firewall products I've found are completely capable of not only sensing external probings without completing connections, but can even place your computer into "stealth mode" so that no one from the outside can even sense the presence of the machine! I think that's way cool!
 If you don't need any file sharing functionality and you choose to follow my advice to discipline Windows Networking you can use the Port Probe beforehand to verify that port 139 is dangerously open and accepting connections. And use it again afterward to verify that your machine has gone silent and looks as boring and uninteresting to any passing intruders as it can (without purchasing a personal firewall).
 And, of course, you can tell your Internet connected friends about the Port Probe (and ShieldsUP!) and have them test their own systems to determine how their machines look from across the Internet.

In any event, I hope you'll find that probing your computer's ports gives you some valuable information you've never had before.

To continue, please see: Personal Firewalls

You are invited to browse these pages for additional information:

1  Shields UP! Home 
5  Network Bondage 
9  Public Forum 
2  Explain this to Me! 
6  Evil Port Monitors 
10  Be Notified 
3  Am I in Danger? 
7  Personal Firewalls 
11  FAQ 
4  What Can I Do? 
8  Further Reading 
12  Site Evolution 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Sep 21, 2004 at 12:02 (4,414.80 days ago)Viewed 26 times per day