Bugtraq mailing list archives
Re: usual iploggers miss some variable stealth scans
From: thegnome () NMRC ORG (Simple Nomad)
Date: Mon, 17 Jan 2000 23:22:27 -0600
On Mon, 17 Jan 2000, vecna wrote:
in November`99 more or less... i've discovered 5 type of new stealth scan, with the modification of flags used normally on XMAS stealth scan. the five type of packets that can be used for stealth scanning, and isn't logged from the normal tcplogd/scanlogger have this flag: URG PUSH URG+FIN PUSH+FIN URG+PUSH this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one flag set) cause the reply RST+ACK if port is closed, and no reply if port is open. this is efective only against *nix system
This and all other TCP stealth scans can be eliminated by modification to most open source kernels. By adding code to the parts of the kernel that handle TCP input, you can look to see if a packet is a part of an existing conversation. If not, drop it (and perhaps log it). Allow the regular SYN packets to be handled by other methods, such as TCP wrappers, firewall code (ipfwadm, ipchains), etc. This is basically taking advantage of a kernel's state table. Any open source kernel that supports firewalling software should be capable of handling this mod. The only real negative side effect I've noticed is "push" technology gets blocked, so you get fewer web ads ;-) - Simple Nomad - - - thegnome () nmrc org - No rest for the Wicca'd - - www.nmrc.org - -
Current thread:
- Re: IIS still revealing paths for web directories, (continued)
- Re: IIS still revealing paths for web directories Henrik Nordstrom (Jan 15)
- Re: IIS still revealing paths for web directories Antonio Ropero (Jan 15)
- Re: IIS still revealing paths for web directories Chris Tobkin (Jan 18)
- SRS Addendum Matt Conover (Jan 12)
- Re: IIS still revealing paths for web directories Georgi Guninski (Jan 13)
- Re: IIS still revealing paths for web directories Scott Buchanan (Jan 13)
- Re: IIS still revealing paths for web directories Taneli Huuskonen (Jan 15)
- Fwd: Crash identified in Notes, Domino, and MTA with Date Conversio ns Xander Teunissen (Jan 14)
- Re: IIS still revealing paths for web directories Norbert Luckhardt (Jan 15)
- usual iploggers miss some variable stealth scans vecna (Jan 17)
- Re: usual iploggers miss some variable stealth scans Simple Nomad (Jan 17)
- AW: usual iploggers miss some variable stealth scans Tobi (Jan 18)
- AW: usual iploggers miss some variable stealth scans Tobi (Jan 19)
- Warning: VCasel security hole. bob mare (Jan 18)
- Re: usual iploggers miss some variable stealth scans Alec Kosky (Jan 18)
- Re: usual iploggers miss some variable stealth scans Andrea Gho (Jan 20)
- Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x root (Jan 21)
- *BSD procfs vulnerability FEAR Advisories (Jan 21)
- Re: *BSD procfs vulnerability Theo de Raadt (Jan 23)
- stream.c/raped.c tests (just for stats) Vanja Hrustic (Jan 21)
- Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Jan 21)