Bugtraq mailing list archives
Re: sleath port scanning fix
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 8 Sep 1997 22:11:10 +1000
In some mail from Superuser, sie said:
Hi, as I said in a previous message, Linux 2.1.53, and probably all other versions, allows port scanning by sending FIN-only (no ACK) packets and seeing if one gets an RST packet. If one does not, then the port is listening. Here is a patch to linux/net/ipv4/tcp_input.c that stops that working and gives you a message in the log telling you the port number and source IP address. When you see all the open ports from one IP address you have grounds for writing to the ISP and watch the cracker's account disappearing (in a puff of greasy green smoke, perhaps).
Page 65, RFC 793:

  SEGMENT ARRIVES

    If the state is CLOSED (i.e., TCB does not exist) then

      all data in the incoming segment is discarded.  An incoming
      segment containing a RST is discarded.  An incoming segment not
      containing a RST causes a RST to be sent in response.  The
      acknowledgment and sequence field values are selected to make the
      reset sequence acceptable to the TCP that sent the offending
      segment.
...
    If the state is LISTEN then
...
[Page 66]
      fourth other text or control

        Any other control or text-bearing segment (not containing SYN)
        must have an ACK and thus would be discarded by the ACK
        processing.  An incoming RST segment could not be valid, since
        it could not have been sent in response to anything sent by this
        incarnation of the connection.  So you are unlikely to get here,
        but if you do, drop the segment, and return.

Cheers,
Darren