Vulnerability Development mailing list archives

Re: Bigger bug than expected?


From: Maciej Soltysiak <solt () dns toxicfilms tv>
Date: Wed, 27 Mar 2002 17:18:19 +0100 (CET)

Hello,

To understand why nmap shows these results, I have been tcpdumping the scans
and looking at what is going on. I found that if you simply DROP the Xmas,
Null, etc. scans (not Syn scans) you are going to get a 'filtered' answer.

Unfortunately all my rules went to hell while toying with lvm; I have
just set up this computer.

But in my opinion the best way to handle scanning is to apply rules in
this order:
1. check if it is URG,PSH,FIN; if so, REJECT with a TCP reset
2. the same goes for Null and FIN scans
3. some other rules for invalid combinations go here :)
4. use the PSD module (REJECT/DROP your choice),
   but at this step, this rule applies only to Syn scans and UDP scans
   and everything you are not checking in previous steps.
5. use Unclean to DROP the packets

This way, nmap will show closed for all ports using Xmas scans.
It will react to Syn scans later on.
It will react to other sorts of invalid traffic.

E.g. using only unclean can give the sort of results you are getting,
which are the result of improper handling of the scans.

Note that hping2 has its own interpretation of Xmas and Ymas; it uses
reserved bits AFAIK.

I hope this answer clears your doubts.

Remember, the scanning tool sends some stuff and then looks for
everything that would suggest that someone is trying to defend himself.

One last note. I remember that nmap acts strangely. Before nmap issues its
scans, it ALWAYS pings, and then sends an ACK to port 80.

I think that if you could use the recent module to check for an ACK to dport
80 after a ping, you could easily catch all nmap scans.
But I say catch; the way you should answer may depend on the type of
scan.

Have a nice day,
Maciej Soltysiak
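The rule ordering in the message above, as an added example that is not code from the original post: a Python model that classifies a segment by its TCP flag bits in the same order the post recommends, and emits the equivalent iptables rules. It assumes the psd and unclean match extensions the post names are installed on the firewall host, and takes DROP as the REJECT/DROP choice for the psd step.

```python
# Added example, not from the original post: models the rule ordering the
# message describes. classify() checks a segment's TCP flags in the same
# sequence an iptables INPUT chain would; iptables_rules() lists the
# equivalent commands. Assumes the psd and unclean match extensions exist.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG
TCP_RESET = "REJECT --reject-with tcp-reset"


def classify(flags):
    """Return the action the ordered ruleset takes on a TCP segment whose
    6-bit flag field has the given value."""
    flags &= ALL
    # 1. Xmas scan: URG, PSH and FIN set. Answering with a RST makes nmap
    #    report the port as 'closed' instead of 'filtered'.
    if flags == URG | PSH | FIN:
        return TCP_RESET
    # 2. Null scan (no flags) and FIN scan (FIN only) get the same answer.
    if flags == 0 or flags == FIN:
        return TCP_RESET
    # 3. Other combinations that never occur legitimately, e.g. SYN+FIN.
    if flags & SYN and flags & FIN:
        return "DROP"
    # 4. Everything left (plain SYN, normal traffic) goes to the psd match,
    #    which decides by probe pattern rather than by flags.
    return "psd"


def iptables_rules(chain="INPUT"):
    """Equivalent iptables commands, in the order the post recommends."""
    rst = "-j " + TCP_RESET
    return [
        f"iptables -A {chain} -p tcp --tcp-flags ALL URG,PSH,FIN {rst}",
        f"iptables -A {chain} -p tcp --tcp-flags ALL NONE {rst}",
        f"iptables -A {chain} -p tcp --tcp-flags ALL FIN {rst}",
        f"iptables -A {chain} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
        f"iptables -A {chain} -p tcp -m psd -j DROP",
        f"iptables -A {chain} -p udp -m psd -j DROP",
        f"iptables -A {chain} -m unclean -j DROP",
    ]


if __name__ == "__main__":
    samples = [("xmas", URG | PSH | FIN), ("null", 0), ("fin", FIN),
               ("syn", SYN), ("syn+fin", SYN | FIN)]
    for name, bits in samples:
        print(f"{name:8s} -> {classify(bits)}")
    print("\n".join(iptables_rules()))
```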
