

thisiskav
Aspirant
Sep 26, 2025

Protection Engine and Stealth ports

Hello,

Recently, I purchased a Nighthawk RS100 Router. After configuring it, I tested my setup using Shields Up. All my ports reported as Stealth and the router log was clean of anything serious.

This week I repeated the test and noticed many of my ports are no longer Stealth, but Closed! What's strange is that which ports are Closed or Stealth seems to change randomly every time I rerun the Shields Up test:

[Image: Shields Up results. Green = Port is Stealth. Blue = Port is Closed.]


At the same time, my router's log now shows many entries of ports being scanned. I looked up the IPs scanning my ports and they're from around the world:

[DoS Attack: RST Scan] from source: 160.30.156.213, port 3389, Thursday, September 25, 2025 08:57:14
[DoS Attack: SYN/ACK Scan] from source: 160.30.156.213, port 3389, Thursday, September 25, 2025 08:57:02


Thanks to this forum, I've learned that disabling the Protection Engine will return my ports from Closed to Stealth. Side note, I suspect the Protection Engine is adaptive based on the changing test results over time.


Anyway, I'd really prefer to return my ports to Stealth without disabling the Protection Engine.  Has anybody discovered a method for keeping the ports Stealth while simultaneously keeping the Protection Engine enabled?


Model: Nighthawk RS100

FW: V1.1.5.12.


Thank you!
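An added example, not from the post or from NETGEAR: a small Python parser for router log entries in the format quoted above. It groups the "[DoS Attack: ... Scan]" events by source address, records which ports and scan types each source touched, and flags sources that either repeat or sweep several ports, which is the kind of triage a log reader would do before deciding whether an entry matters. The two lines for 160.30.156.213 are copied from the post; the remaining sample lines are constructed and use documentation address ranges (198.51.100.0/24, 192.0.2.0/24).

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry format as it appears in the router log quoted in the post:
# [DoS Attack: RST Scan] from source: 160.30.156.213, port 3389, Thursday, September 25, 2025 08:57:14
LOG_RE = re.compile(
    r"^\[DoS Attack: (?P<scan>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>.+)$"
)
TIME_FMT = "%A, %B %d, %Y %H:%M:%S"

# Constructed sample log. First two lines are from the post; the rest are
# made up for this example (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    "[DoS Attack: RST Scan] from source: 160.30.156.213, port 3389, Thursday, September 25, 2025 08:57:14",
    "[DoS Attack: SYN/ACK Scan] from source: 160.30.156.213, port 3389, Thursday, September 25, 2025 08:57:02",
    "[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 22, Thursday, September 25, 2025 09:12:40",
    "[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 23, Thursday, September 25, 2025 09:12:41",
    "[DoS Attack: RST Scan] from source: 198.51.100.7, port 445, Thursday, September 25, 2025 09:12:43",
    "[DoS Attack: ACK Scan] from source: 192.0.2.9, port 443, Thursday, September 25, 2025 10:03:05",
    # A non-scan entry (constructed) that the parser should skip.
    "[admin login] from source 192.168.1.5, Thursday, September 25, 2025 10:05:00",
]


def parse_line(line):
    """Return a dict for a scan entry, or None for lines of any other kind."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "scan": m.group("scan"),
        "src": m.group("src"),
        "port": int(m.group("port")),
        "when": datetime.strptime(m.group("when"), TIME_FMT),
    }


def summarize(lines):
    """Group scan entries by source IP; the log lists newest first, so track min/max time."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set(), "scans": set(),
                                  "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_src[rec["src"]]
        s["count"] += 1
        s["ports"].add(rec["port"])
        s["scans"].add(rec["scan"])
        s["first"] = rec["when"] if s["first"] is None else min(s["first"], rec["when"])
        s["last"] = rec["when"] if s["last"] is None else max(s["last"], rec["when"])
    return dict(by_src)


def flag_sources(summary, min_events=3, min_ports=2):
    """Sources worth a second look: repeated probes, or a sweep across several ports."""
    return sorted(src for src, s in summary.items()
                  if s["count"] >= min_events or len(s["ports"]) >= min_ports)


def report(summary):
    """Human-readable summary lines, one per source, sorted by event count."""
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        span = (s["last"] - s["first"]).total_seconds()
        lines.append(f"{src}: {s['count']} events, ports {sorted(s['ports'])}, "
                     f"types {sorted(s['scans'])}, over {span:.0f}s")
    return lines


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for line in report(summary):
        print(line)
    print("flagged:", flag_sources(summary))
```

The thresholds in `flag_sources` are illustrative; a single RST/SYN-ACK pair against one port, like the 160.30.156.213 entries, is ordinary internet background noise and is not flagged, while a source walking several ports within a few seconds is.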

4 Replies

    CrimpOn
    Guru - Experienced User

    My sense is that these are incompatible goals:

    • Not responding to connection requests (stealth) is a method to prevent attacks.  However,
    • Netgear's Protection Engine cannot analyze internet activities unless it acknowledges connection requests.

    Your choice as to which offers a better environment.


    Personally, stealth is the "way to go".  i.e. "nothing to see here.  go look somewhere else."

      StephenB
      Guru - Experienced User
      CrimpOn wrote:


      Netgear's Protection Engine cannot analyze internet activities unless it acknowledges connection requests.

      Personally, stealth is the "way to go".  i.e. "nothing to see here.  go look somewhere else."


      I'm not convinced your premise is correct.  


      Assuming it is, I believe that a scan can still distinguish a stealth ipv4 address from an unused ipv4 address.  The ISP router should return a destination host unreachable response to a ping if the address isn't used, which is different from a response timeout.  Additionally, many ISPs will also create a DNS entry for your router, which can be found with reverse DNS. So going stealth doesn't guarantee that your system can't be found (and is perhaps overrated).


      If any ports are forwarded (or opened via upnp), it'd be better to keep the protection engine on. So maybe Netgear could engage the PE only on open ports by default.


      If something is in the DMZ, then I think the router needs to assume all ports are open, and keep the PE on for all ports.


    FURRYe38
    Guru - Experienced User

    You'll need to either keep PE disabled if you want all stealth ports to be seen, or otherwise leave it as is. Something we've already passed on to NG for review. No idea IF or when they will make adjustments. All up to them. Nothing else we can do.


  • Thank you kindly for your replies!


    I agree with you, CrimpOn, Stealth is the way to go!

    My plan is to disable the PE for the time being and repeat the test after each release of the router firmware.