Which software would give the ICMP "host unreachable" message to attackers (hackers)?
You can use any packet filtering software, like Linux iptables or OpenBSD PF, set up to drop or reject the specific requests (i.e. all types of ICMP requests from every remote host). Still, ICMP requests are but one basic method for network mapping/diagnosis. It won't really discourage a serious attacker, especially if he happens to target you specifically (you may just escape some mass scans).
What would port scans say if the host is unreachable?
That depends on the tricks the scanner uses (just check the man page of nmap and do some research on each method to see how inventive they can be to draw out the wanted information!). It also depends on your packet filtering configuration, i.e. if you choose to DROP packets, your software silently drops the packet, so some scanners might keep trying forever till they time out; if you choose to REJECT packets there is an immediate reply "destination port unreachable". The result is the same: the packet is blocked. Of course you can't block everything, and you can improve your filtering script/rules forever to fit your configuration needs (I believe Chris has scheduled a decent paper on the subject, particularly iptables!). The thing is that you'll never be 100% stealthy.
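To make the DROP vs. REJECT trade-off from the answer above concrete, here is an added example (not code from the thread or from any of the tools mentioned) that models, entirely offline, what a SYN scanner concludes about one port under each filter policy and how long it has to wait. The per-probe timeout and retry count are assumptions, not values from any real scanner.

```python
"""Offline model of a scanner's view of a port under ACCEPT, DROP and REJECT.
Nothing is sent on the network; replies are simulated (constructed values)."""

# Simulated firewall policies for a port (labels only, not real rule syntax)
ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"

# Assumed scanner parameters: how long it waits per probe and how often it retries
PROBE_TIMEOUT = 1.0
RETRIES = 3


def firewall_response(policy: str, port_open: bool):
    """Reply to a single SYN probe under a policy.
    Returns (reply, seconds_elapsed); reply is None when the packet is silently dropped."""
    if policy == DROP:
        return None, PROBE_TIMEOUT            # scanner burns the whole timeout
    if policy == REJECT:
        return "ICMP port-unreachable", 0.01  # immediate ICMP error from the filter
    # ACCEPT: the packet reaches the TCP stack, which answers on its own
    return ("SYN-ACK" if port_open else "RST"), 0.01


def scan_port(policy: str, port_open: bool):
    """Classify a port the way a SYN scanner would and account for elapsed time."""
    elapsed = 0.0
    for _ in range(RETRIES):
        reply, delay = firewall_response(policy, port_open)
        elapsed += delay
        if reply == "SYN-ACK":
            return "open", elapsed
        if reply == "RST":
            return "closed", elapsed
        if reply and reply.startswith("ICMP"):
            return "filtered", elapsed        # REJECT: verdict known at once
    return "filtered", elapsed                # DROP: verdict only after every retry times out


def compare_policies(port_open: bool = True):
    """Run the same port through all three policies -> {policy: (state, seconds)}."""
    return {p: scan_port(p, port_open) for p in (ACCEPT, DROP, REJECT)}


if __name__ == "__main__":
    for policy, (state, seconds) in compare_policies(True).items():
        print(f"{policy:7s} -> {state:8s} after {seconds:.2f}s")
```

Both DROP and REJECT leave the port "filtered", so neither hides the machine; DROP only makes the scanner pay with time, which is the practical difference the answer describes.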
Re: ICMP "host unreachable" message
14 years 6 months ago #4399
Well, if you return an ICMP host unreachable message, nothing will work, since it implies that there is no way to get to the remote machine. However, you can't just run around generating these messages.
What you need to do to be 'totally invisible' is to install a personal firewall such as ZoneAlarm or Sygate. What they will do is make sure your system does not respond to any probes initiated from the outside: it will not reply to pings, traceroutes (well, technically unless it's a packet forwarder, but that won't make much of a difference anyway), etc.
This is the best way to stay totally invisible.
Your other option is to flood the scanner with confusing results: you can whip up a quick script with nemesis that will send a SYN-ACK to any incoming SYN, regardless of what port. This will make it look like you have every single port open, something that is a total information overload. However, the first approach is better.
Bear in mind that there are ways to always identify whether a machine is alive or not. For example, you can block pings, but if an attacker on your LAN uses ARP to ping you, there is no way you can block that.
Still, knowing a system is alive doesn't necessarily make life any easier. Just install a personal firewall and you'll be fine.