Bugtraq mailing list archives
Re: sleath port scanning fix
From: shadows () whitefang com (Thamer Al-Herbish)
Date: Mon, 8 Sep 1997 17:35:44 +0000
On Sun, 7 Sep 1997, Superuser (Duncan Simpson) wrote:
- goto discard; + /* SECURITY FIX: stop port scanning with packets that do not + * set either ACK or SYN (e.g. just FIN). + */ + printk("Warning: possible attempt at \"sleath\" port scaning: port %d, source IP %s\n", noths(skb->h.th->dest), in_ntoa(skb->nh.iph->saddr)); + return 1; break;
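Review bot: the added printk fires on every packet that sets neither SYN nor ACK, with no rate limit and no per-source threshold, so whoever sends such packets controls how fast the kernel log grows; count per source and log only past a threshold, or rate-limit the message. In the same call, `noths(skb->h.th->dest)` looks like a typo for `ntohs` and would not build as written. The printk also carries no log level prefix, its message misspells "stealth" and "scanning" (which makes the line harder to grep for), and the `break;` that follows `return 1;` becomes unreachable.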
There's a problem here: this means every stray non (SYN|ACK) packet gets logged as being a possible "sleath" scan. From my previous experience at attempting to write scan loggers, you'd really want to make sure this happens on more than one port before logging it. Or be prepared to have some huge log files on a busy network.

For what it's worth, you can pick up synlog, a tool that attempts to detect synscans/synfloods on a network, at http://www.whitefang.com/synlog.html (please don't all rush out at once). It does more than just keep track of syn packets: it watches each individual handshake and makes sure they finish, or it logs it. Even then, the log files can grow immensely on a busy network.

For people who have seen the earlier version 0.1 (ancient and was barely functional), the newer 0.4 version is both enhanced and completely functional on a moderately busy network. Currently only supports 10mbit ethernet, and has been tested on Solaris, FreeBSD-2.2.1 and Linux.

Thamer Al-Herbish
shadows () whitefang com
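Added example, not part of the original post, the quoted patch or synlog: a userspace C sketch of the "more than one port before logging" idea raised in the reply above. The function name `stray_should_log`, the table size, the 3-port threshold and the 10-second window are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS     64  /* tracked sources (assumed) */
#define MAX_PORTS 8   /* distinct ports remembered per source (assumed) */
#define THRESHOLD 3   /* distinct ports before logging (assumed) */
#define WINDOW    10  /* seconds a record stays live (assumed) */

struct src_rec {
    uint32_t saddr, first_seen;   /* source address; start of its window */
    uint16_t ports[MAX_PORTS];    /* distinct destination ports seen */
    int nports, reported;
};
static struct src_rec table[SLOTS];

/* Call for each packet with neither SYN nor ACK set. Returns 1 only when the
 * source reaches THRESHOLD distinct ports inside WINDOW seconds. */
int stray_should_log(uint32_t saddr, uint16_t dport, uint32_t now)
{
    /* A colliding source evicts the old record: bounded memory, some misses. */
    struct src_rec *r = &table[(saddr * 2654435761u) % SLOTS];
    int i;

    if (r->nports == 0 || r->saddr != saddr || now - r->first_seen > WINDOW) {
        memset(r, 0, sizeof(*r));
        r->saddr = saddr;
        r->first_seen = now;
    }
    for (i = 0; i < r->nports; i++)
        if (r->ports[i] == dport)
            return 0;             /* same port again: no new evidence */
    if (r->nports < MAX_PORTS)
        r->ports[r->nports++] = dport;
    if (r->nports >= THRESHOLD && !r->reported) {
        r->reported = 1;          /* one log line per source per window */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: one source sends FIN-only packets to ports 21..25. */
    uint16_t p;
    for (p = 21; p <= 25; p++)
        if (stray_should_log(0x0A000002u, p, 0))
            printf("possible stealth scan, threshold hit at port %u\n", (unsigned)p);
    return 0;
}
```

A source that repeats a stray packet to one port never reaches the threshold, and a source that sweeps ports produces one log line per window instead of one per packet.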