Why is it bad to have open ports?


Solution 1

A port isn't open if something isn't listening for a connection on it.

The reason it is bad form to have all ports open to everywhere is that it exposes those services that are listening on those ports to exploits. That is why firewalls exist, to limit what is allowed to connect to certain ports, to reduce the surface area exposed by services.


EDIT

To address your question about why people can't just write software that isn't exploitable:

This is fairly easy for simple programs, but many programs that require a socket are complex. As such, they have many components, many of which most likely aren't even written by the developer (included libraries). You cannot rely on other people to keep your network secure when there are hardening methods you can use yourself, such as firewalls.

Arbitrary/remote code execution is a huge risk, as you have pointed out. Unfortunately buffer overflows and other security flaws that allow it are common. Look at any Microsoft security update and I'll bet it patches either remote code execution or elevation of privileges, and MS is a huge company with hundreds of developers and billions of dollars.

Solution 2

Regarding the update you wrote:

Thanks for the replies so far. I understand now, that a port being open actually means there is a program that can be exploited listening on that port. But why is it so hard to write software that can't be exploited? To do any real harm to a computer wouldn't a program have to allow one or more files to be uploaded, and then one of those files would need to be executed. It seems like that would be incredibly hard to allow accidentally.

It's very difficult to write software that can't be exploited!

I have read the book Building Secure Software and one thing it discussed was exploiting stack overflows. There were two very scary facts in there:

  • For a program to have an exploitable stack overflow bug is very easy to do, especially when the program is written in C. In the C programming language, many functions are not safe by default and the programmer either needs to know to avoid the vulnerable functions, or has to take special actions to be safe.
  • The exploit a hacker needs to use is short - very short. It was less than half a page of assembly language, which translates to 100 or so (guess) bytes of machine code. This exploit code is sufficient to give the hacker shell (command prompt) access to your machine. No big file upload and execution required - just a tiny piece of code that can be inserted into the middle of legitimate data.

So if a hacker can find a program that (a) has a stack overflow bug that is (b) exploitable over a network and (c) has a couple of hundred bytes spare in its buffer, then your computer is pwned. Fortunately knowledge about stack overflow bugs is fairly common knowledge now, but they do still pop up. 5 years ago and longer this was a much more frequent problem.

Going back to your original question, you should avoid open ports to avoid any accident with an exploitable bug in a program. You now have a second reason: the remote shell that a hacker would then use is another open port. If you have a firewall that is blocking everything except that you have specifically allowed, you would also block that remote shell (although a hacker would still be able to do other nasty things to your computer, so don't be complacent!)
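The contrast this answer draws, as an added example that is not the book's code or the answer's own: one request handler written the way the answer warns about (an unbounded C string copy into a stack buffer) and the same handler with the bound checked before anything is copied. The protocol limit NAME_MAX and the 'A'-filled request are assumptions constructed here to stand in for data read from a socket.

```c
/* Added example, not the book's or the answer's code: the same request handler
 * written first the way the answer warns about and then with a bound check.
 * The "request" bytes below are constructed here to stand in for data read
 * from a socket. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32           /* assumed protocol limit for a client name */

/* VULNERABLE: strcpy() stops only at the NUL the *peer* supplies, so a request
 * of 40, 100 or 1000 bytes runs straight past `name` into the rest of the
 * stack frame, including the saved return address.  A payload of roughly a
 * hundred bytes sitting in that overrun is the "tiny piece of code inserted
 * into the middle of legitimate data" the answer describes.  Kept as written
 * to show the pattern; it is never called with an oversized request here. */
static int greet_unsafe(const char *request) {
    char name[NAME_MAX];
    strcpy(name, request);                 /* no length anywhere in sight */
    printf("hello, %s\n", name);
    return 0;
}

/* HARDENED: the length comes from the handler's own limit, is checked before
 * a single byte is copied, and anything too long is refused outright. */
static int greet_safe(const char *request, size_t request_len) {
    char name[NAME_MAX];
    if (request_len >= sizeof name)        /* leave room for the terminator */
        return -1;                         /* reject: log it and drop the peer */
    memcpy(name, request, request_len);
    name[request_len] = '\0';
    printf("hello, %s\n", name);
    return 0;
}

/* Constructed input: n bytes of 'A' followed by NUL, the shape of a classic
 * overflow probe (a real exploit would replace the A's with its payload). */
static char *make_request(size_t n) {
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void) {
    const char *benign = "alice";
    greet_unsafe(benign);                  /* fine for benign input: that is the trap */
    greet_safe(benign, strlen(benign));

    char *attack = make_request(200);      /* far longer than NAME_MAX */
    int rc = attack ? greet_safe(attack, strlen(attack)) : -1;
    printf("200-byte request: %s\n", rc == 0 ? "accepted" : "rejected");
    /* greet_unsafe(attack) would smash the stack; deliberately not called. */
    free(attack);
    return 0;
}
```

The point of keeping both handlers side by side is that they behave identically on every input a developer is likely to test with; only the attacker-chosen oversized request separates them, and in the unsafe version nothing in the code ever looks at a length at all.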

Solution 3

  • Open port: When anyone asks, the computer responds that there is a service listening on this port. This means anything coming to this port will get processed by a program (a service) running on that computer.
  • Closed port: When anyone asks, the computer responds that there are no services listening on that port. The asker will know there is a computer responding at the address.
  • Stealth port: When anyone asks, they get no reply. The point is to hide if there is a computer at the address at all. It might not be very effective, though, as joschi points out in the comments.

If you have an open port, you are safe provided the program processing the incoming stuff has no available exploits. But exploits are found all the time, and it's good to know that there are a lot of port scans travelling around the net, looking for targets.

Closed ports still respond to the asker, so a possible attacker knows to proceed checking other ports. Then again, this is how the internet is specified to work. While stealth ports attempt to not give the potential attacker any information, in theory they break the specification.

From a security point of view, any open port is a huge gaping hole, since code is being used to process foreign data. What a firewall (or a NAT router) does is make sure no incoming traffic gets to your computer, even if the system has some open ports. This way, they effectively close all ports.
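The open/closed/stealth distinction in this answer, and the "a port isn't open if nothing is listening" point from Solution 1, as an added example that is not code from any of the answers: a small TCP probe that classifies a port the way a scanner does, then shows the same loopback port reading "open" while a listener exists and "closed" the moment it is shut. The labels and the 1-second timeout are assumptions made here; "filtered" is this code's name for the answer's "stealth" case (no reply at all).

```c
/* Added example (not code from the original answers): classify a TCP port the
 * way a scanner does, then show that the same loopback port flips from "open"
 * to "closed" the moment the listening program goes away.  The three labels
 * follow the answer above; "filtered" is its "stealth" case (no reply at all). */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

typedef enum { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_ERROR } port_state;

static const char *port_state_name(port_state s) {
    switch (s) {
    case PORT_OPEN:     return "open";      /* SYN-ACK: a program is listening */
    case PORT_CLOSED:   return "closed";    /* RST: host is there, nothing listens */
    case PORT_FILTERED: return "filtered";  /* silence: dropped by a firewall ("stealth") */
    default:            return "error";
    }
}

/* Map the errno a connect() attempt ends with onto the scanner's vocabulary. */
static port_state classify_connect_errno(int err) {
    if (err == 0) return PORT_OPEN;
    if (err == ECONNREFUSED) return PORT_CLOSED;
    if (err == ETIMEDOUT || err == EHOSTUNREACH || err == ENETUNREACH) return PORT_FILTERED;
    return PORT_ERROR;
}

/* Non-blocking connect with a timeout: a dropped SYN never produces an error,
 * so without the timeout the probe would simply hang on a "stealth" port. */
static port_state probe_tcp_port(const char *ip, uint16_t port, int timeout_ms) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return PORT_ERROR;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PORT_ERROR;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);

    port_state result;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        result = PORT_OPEN;
    } else if (errno != EINPROGRESS) {
        result = classify_connect_errno(errno);   /* answered (or failed) at once */
    } else {
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        int n = select(fd + 1, NULL, &wfds, NULL, &tv);
        if (n == 0) {
            result = PORT_FILTERED;               /* no SYN-ACK, no RST: dropped */
        } else if (n < 0) {
            result = PORT_ERROR;
        } else {
            int err = 0;
            socklen_t len = sizeof err;
            getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len);
            result = classify_connect_errno(err);
        }
    }
    close(fd);
    return result;
}

/* Stand-in for "a program listening": bind an ephemeral loopback port. */
static int listen_loopback(uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                              /* kernel picks a free port */
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Returns 0 when the port reads "open" while the listener exists and "closed"
 * right after it is shut: a port is only a door if a program stands behind it. */
static int demo_port_states(void) {
    uint16_t port;
    int lfd = listen_loopback(&port);
    if (lfd < 0) return -1;
    port_state with_listener = probe_tcp_port("127.0.0.1", port, 1000);
    close(lfd);                                   /* the service "stops" */
    port_state without_listener = probe_tcp_port("127.0.0.1", port, 1000);
    printf("127.0.0.1:%u while listening: %s; after close: %s\n", (unsigned)port,
           port_state_name(with_listener), port_state_name(without_listener));
    return (with_listener == PORT_OPEN && without_listener == PORT_CLOSED) ? 0 : 1;
}

int main(void) {
    return demo_port_states() == 0 ? 0 : 1;
}
```

Run against a remote host, probe_tcp_port() reports "filtered" for exactly the case joschi describes in the comments: no SYN-ACK and no RST ever arrive, which is itself a tell that something is deliberately dropping the packet rather than that no host exists.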

Solution 4

Actually as far as I know, an open port means that a program is listening to it. So there is some kind of service processing the data.

Solution 5

Assuming you don't have a virus on your computer or some other program listening to a port that may actually do something why does it matter if a port is open? If some malicious person starts sending packets to a port, but nothing is there to receive the data and do something with it why does it matter?

Assumption is the mother of all eff-ups :)

Rather safe than sorry ... here's a nice read for you at makeuseof.com:

Technology Explained: Open Router Ports & Their Security Implications



Author: aireq

Updated on September 17, 2022

Comments

  • aireq
    aireq over 1 year

    Here's something that has always baffled me. Why is it bad to have open ports on your computer? Assuming you don't have a virus on your computer or some other program listening to a port that may actually do something why does it matter if a port is open? If some malicious person starts sending packets to a port, but nothing is there to receive the data and do something with it why does it matter? A computer doesn't just arbitrarily execute any data it receives. I understand flooding a computer with packets could cause it to crash because it just can't deal with the amount of data, but I'm only considering security issues that actually change the files on the computer.

    Update

    Thanks for the replies so far. I understand now, that a port being open actually means there is a program that can be exploited listening on that port. But why is it so hard to write software that can't be exploited? To do any real harm to a computer wouldn't a program have to allow one or more files to be uploaded, and then one of those files would need to be executed. It seems like that would be incredibly hard to allow accidentally.

  • Felix
    Felix over 14 years
    Just adding: If you for example know that a service has a bug which can be used to infiltrate code or whatever and you actually see that this service is running, this is an open invitation ;)
  • MDMarra
    MDMarra over 14 years
    Your definition of what a port is, is incorrect. A port isn't limited to TCP by any means.
  • Shoeless
    Shoeless over 14 years
    I suppose one should not believe EVERYTHING they read on the 'net :) 5 of the top 6 Google results explicitly state "TCP" in their definition. google.com/…
  • mrdenny
    mrdenny over 14 years
    as well as ICMP
  • MDMarra
    MDMarra over 14 years
    ICMP doesn't use a port, it is a layer 3 protocol that is included in the IP suite of protocols.
  • quack quixote
    quack quixote over 14 years
    i lock my doors & windows 'cause it's cold outside. what does this question have to do with insulation?
  • DaveParillo
    DaveParillo over 14 years
    a good, short read.
  • Shoeless
    Shoeless over 14 years
    lol... I almost included mention of UDP in my initial post. Point taken. I guess I should have just left "TCP" out in the first place. The intended main gist of my post was the final paragraph.
  • MDMarra
    MDMarra over 14 years
    The only reason that I say it is that it is very important in reference to firewalls (which this is indirectly about). TCP is stateful, and thus connections are remembered, where UDP is not. Many times this means ports must be open for return UDP traffic which is initiated internally where this does not need to happen for TCP connections that are established internally.
  • joschi
    joschi over 14 years
    Your definition of a "stealth port" is wishful thinking. Actually an attacker knows that there is a computer if he doesn't receive any answer. If there was no computer on that particular IP address, the preceding router would send a message about that. With "stealth ports" that does not happen...
  • Ilari Kajaste
    Ilari Kajaste over 14 years
    @joschi: Well, it's a concept that I've seen around the internet, so I think it's good to define it. You make a good point, though. I edited the answer to reflect your comment. At least it makes the target IP look like it's behind a NAT router, I guess. I've never been a fan of the concept myself: If you have open ports, you should make sure they're running a secure service. And if you have no open ports, there's no problem telling the net that you exist. Stealth smells like security hype to me.
  • Dentrasi
    Dentrasi over 14 years
    Do your doors and windows not insulate if they are only closed? Does the extra bolt really provide that much more insulation.
  • Ilari Kajaste
    Ilari Kajaste over 14 years
    Good point, but it's worth noting that not everyone locks their doors and windows at home. This could be "Not everyone wants to protect their property" or "Not everyone likes to live in a culture of fear", depending on your viewpoint.
  • MT.
    MT. over 14 years
    IIRC, Donald Knuth(?) just finished mathematically proving that one of the smaller programs he wrote was bug-free, and it took man-years
  • Arjan
    Arjan over 7 years
    Open ports are required to offer services. Just one out of a zillion possible examples: Gmail uses an open port (443 for their website using HTTPS). But it asks you to log in before showing anything.
  • Sebi2020
    Sebi2020 over 2 years
    "[...] you would also block that remote shell (although a hacker would still be able to do other nasty things to your computer, so don't be complacent!)" If the hacker already has root access to the computer, no firewall in the world will protect you from a remote shell. The hacker can simply turn it off if it is running on the same computer.