Nmap Announce mailing list archives

Re: how to know scan is correct?


From: Justin <jguyett () andrew cmu edu>
Date: Fri, 11 Feb 2000 04:48:20 -0500 (EST)

On Thu, 10 Feb 2000, Bennett Todd wrote:

> 2000-02-10-01:09:22 Justin:
> > That's why you have an iptables/whatever module that listens for
> > syns to non-open ports, logs once, then filters the offending
> > ip/netmask for 30 minutes or a few days if you're particularly
> > fascist.
>
> If you're going to do any such reactive firewall stuff as this, make
> very sure nobody knows you're doing it; if they know you're doing
> that, it's amazingly easy for them to cut you off from any or all of
> the internet. Lessee, how long would it take to send SYN packets to
> closed ports with source addrs forged from all the root nameservers.

The people who need to block portscans because they're worried about being
rooted need to upgrade their daemons.  The people who think they need to
block them are either people who are doing it for their personal systems,
or people like the government who have this bizarre idea that having 50
gigs of logs each day somehow makes their systems more secure.

spoofed scan:
 first check to make sure no current connection exists from source IP
[03:21:05.27] syn->300 (ignore next 2 packets)
[03:21:06.27] syn->599 (reset timeout set to 2 seconds)
[03:21:07.27] syn->22 (dropped)
[03:21:08.28] syn->914 (reset timeout set to 2.02 seconds)
[now Joe Employee tries to connect from home, and his IP is being used]
[03:21:09.82] syn->23 (dropped)
[03:21:10.49] syn->23 (is logged and gets fired for trying to telnet in)

Now this degenerates into trying to 1) anticipate people connecting and
then flooding or 2) flooding all the time.

These are problems.  If someone is that motivated to screw over your
business or network, perhaps you should upgrade your daemons and just log
"scans".  With a short timeout, I can't think how someone would guess this
scheme was being used.  The target network could just have heavy packet
loss.

On the bright side, if someone wants to DoS your network, this provides a
method (provided they know what's going on) for them to do it without a
flood, which means at least for all open connections and connections to
addresses that aren't being spoofed, you have good connectivity.

There is no good "security through obscurity" approach.  Filtering with
temporary firewall rules is not a security measure.  It's a proof of
concept kind of thing.  You can generate fake replies on closed ports, but
the people you don't want scanning you are just looking for specific
daemons, and it doesn't matter to them that you have honeypots on all
privileged closed ports.  As was pointed out, syn scans leave a log trail,
but spoofed syn floods are a good way to cover up real syn scans.  Still,
you could probably detect them.  The NSA probably does a statistical
analysis on source addresses every time they get flooded.


Justin
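The reactive-filter scheme and the spoofing problem discussed in this message, as an added example that is not part of the original post or of any nmap code. It simulates the "listens for syns to non-open ports, logs once, then filters the offending ip" rule and feeds it a constructed spoofed scan whose forged source is Joe Employee's home address, so that his own later SSH attempt is dropped. It also adds the "first check to make sure no current connection exists from source IP" check from the message, to show that it protects hosts with an open connection but not new connections. The addresses, ports, timestamps and the 30-minute block time are all assumptions for the simulation.

```python
"""Simulate a reactive 'block the port scanner' firewall and the forged-source
DoS against it.  Added example; not code from the thread.  All addresses,
ports and timings below are constructed for the simulation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Syn:
    t: float      # arrival time in seconds
    src: str      # source address as written in the packet (forgeable)
    dport: int    # destination port


@dataclass
class ReactiveFilter:
    """'Log once, then filter the offending IP for a while' rule."""
    open_ports: frozenset
    block_seconds: float = 1800.0            # assumed: 30 minutes
    exempt_established: bool = False         # skip hosts with a live connection
    established: set = field(default_factory=set)   # hosts with an open session
    blocked_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def handle(self, syn: Syn) -> str:
        """Return what the firewall does with one SYN."""
        until = self.blocked_until.get(syn.src)
        if until is not None:
            if syn.t < until:
                return "dropped"          # still in the penalty box, not logged
            del self.blocked_until[syn.src]   # block expired
        if syn.dport in self.open_ports:
            return "accepted"
        if self.exempt_established and syn.src in self.established:
            return "rst"                  # ordinary closed-port reply, no reaction
        # SYN to a closed port from an unknown source: log once, then filter
        self.log.append((syn.t, syn.src, syn.dport))
        self.blocked_until[syn.src] = syn.t + self.block_seconds
        return "dropped"


EMPLOYEE = "192.0.2.10"            # constructed: Joe Employee's home address
SERVER_PORTS = frozenset({22, 25, 80})


def spoofed_scan(victim_src: str) -> list:
    """Constructed: attacker SYNs to closed ports with the victim's address forged."""
    return [Syn(float(i), victim_src, p) for i, p in enumerate((300, 599, 914))]


def run_scenario(exempt_established: bool, employee_connected: bool) -> dict:
    """Run the forged scan, then Joe's own SSH attempt, and report the outcome."""
    fw = ReactiveFilter(SERVER_PORTS, exempt_established=exempt_established)
    if employee_connected:
        fw.established.add(EMPLOYEE)    # Joe already has a session open
    for pkt in spoofed_scan(EMPLOYEE):
        fw.handle(pkt)                  # attacker's packets, source forged
    results = {}
    # five seconds later Joe really does try to ssh in from home
    results["ssh_attempt"] = fw.handle(Syn(5.0, EMPLOYEE, 22))
    # an hour later the temporary rule has expired
    results["ssh_after_expiry"] = fw.handle(Syn(3605.0, EMPLOYEE, 22))
    results["logged_src"] = [src for _, src, _ in fw.log]
    return results


if __name__ == "__main__":
    print("naive rule:              ", run_scenario(False, False))
    print("exempt, Joe connected:   ", run_scenario(True, True))
    print("exempt, Joe not connected:", run_scenario(True, False))
```

The naive rule blocks Joe outright on the strength of three packets he never sent, and the log shows his address as the scanner. Exempting sources with a current connection keeps his existing session alive but does nothing for a fresh connection, which is the point made above: only open connections and unspoofed addresses keep good connectivity.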

