RE: Detected NMAP scan

["David G. Andersen" <danderse () cs utah edu>]

Would it perhaps be impolite to suggest that if you detect a SYN port
scan, and start refusing all connections from that IP, that your tool
opens up a beautiful DOS attack against the host system?  Since
there's no three-way handshake to verify that the remote computer
really is who they say they are, you can shut down connectivity to
just about anyone with a few forged SYNs.

I think there are a few other problems with your patch.  The
relatively small number of IP addresses, means that I could still scan 
your host if it started exhibiting this behavior - I'd simply need to
scan it with 64 other addresses as well.  Nmap already has this mode
to disguise itself.  The logging would be nice, but you'd still have
to track down 65 source addresses.

The former problem, obviously, is a bit more pertinent.

   -Dave

Lo and Behold, joff () newmonics com said:
> I've written a small (~30) line patch to the linux 2.0 kernel that
> detects and masq's all scans, (stealth, half-open, etc) and blocks them
> in mid scan so the attacker does not see any ports open.  Take a look:
> http://www.geek-girl.com/bugtraq/1998_3/0008.html.
>
> //Jesse Off
>
> On Wed, 6 Jan 1999, Frank W. Keeney wrote:
>
> > I get scanned at least ten times a week!
> >
> > With the 1.x versions of nmap, Linux ipfwadm successfully logged all
> > stealth scans in my lab.
> >
> >     ----------
> >     From:  Lamont Granquist
> > [SMTP:lamontg () raven genome washington edu]
> >     Sent:  Wednesday, January 06, 1999 12:40 PM
> >     To:  nmap-hackers () insecure org
> >     Subject:  Detected NMAP scan
> >
> >
> >     So, on Jan 3rd a machine that I admin got scanned, and with the
> > ipfw.c
> >     hack that I posted previously, I recorded the following packets,
> >     suggesting that it was someone with nmap2.  I thought I'd post
> > it here as
> >     a sighting of nmap "in the wild":
> >
> >     Jan  3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> > 148.81.145.199:62233 192.168.0.1:80
> >     Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> > 148.81.145.199 192.168.0.1
> >     Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> > 148.81.145.199 192.168.0.1
> >     Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> > 148.81.145.199 192.168.0.1
> >     Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> > 148.81.145.199:62234 192.168.0.1:80
> >     Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> > 148.81.145.199:62235 192.168.0.1:80
> >
> >     I've also identified people doing SYN scans of port 635 which is
> > where
> >     mountd often/normally resides on a linux system.
> >     

-- 
Dave Andersen
work: danderse () cs utah edu                     me:  angio () pobox com
      University of Utah                            http://www.angio.net/
      Computer Science - Flux Research Group