Re: usual iploggers miss some variable stealth scans
Subject: Re: usual iploggers miss some variable stealth scans
From: Simple Nomad (thegnome NMRC.ORG)
Date: Mon Jan 17 2000 - 23:22:27 CST
- Next message: John Comeau: "Re: tcpdump under RedHat 6.1"
- Previous message: Noncon Inc: "Updated PalmCrack 1.1 Distribution"
- In reply to: vecna: "usual iploggers miss some variable stealth scans"
- Next in thread: Tobi: "AW: usual iploggers miss some variable stealth scans"
- Reply: Simple Nomad: "Re: usual iploggers miss some variable stealth scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 17 Jan 2000, vecna wrote:
> In November '99, more or less, I discovered 5 types of new stealth scan,
> made by modifying the flags normally used in the XMAS stealth scan.
>
> The five types of packets that can be used for stealth scanning, and aren't
> logged by the normal tcplogd/scanlogger, have these flags:
> URG
> PUSH
> URG+FIN
> PUSH+FIN
> URG+PUSH
>
> These flags on a packet, like FIN, XMAS (fin+urg+psh), and NULL scan (no
> flag set), cause the reply RST+ACK if the port is closed, and no reply if
> the port is open. This is effective only against *nix systems.
This and all other TCP stealth scans can be eliminated by modification to
most open source kernels. By adding code to the parts of the kernel that
handle TCP input, you can look to see if a packet is a part of an existing
conversation. If not, drop it (and perhaps log it). Allow the regular SYN
packets to be handled by other methods, such as TCP wrappers, firewall
code (ipfwadm, ipchains), etc.
This is basically taking advantage of a kernel's state table. Any open
source kernel that supports firewalling software should be capable of
handling this mod. The only real negative side effect I've noticed is
"push" technology gets blocked, so you get fewer web ads ;-)
- Simple Nomad -
- thegnome nmrc.org - No rest for the Wicca'd -
- www.nmrc.org -
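The state-table check described in the reply above, as an added user-space model (not code from the thread, from any kernel, or from tcplogd/scanlogger). It assumes packets arrive as constructed (src, sport, dst, dport, flags) tuples and labels out-of-state packets with the flag combinations named in this thread; a real implementation would sit in the kernel's TCP input path.

```python
# Added example: a minimal model of "drop anything that is not a SYN and not
# part of a known conversation". Packets are constructed tuples, not live traffic.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations from vecna's post plus the classic FIN / XMAS / NULL scans.
SCAN_SIGNATURES = {
    0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS",
    URG: "URG", PSH: "PUSH", URG | FIN: "URG+FIN",
    PSH | FIN: "PUSH+FIN", URG | PSH: "URG+PUSH",
}


class StateTable:
    """Tracks conversations by 4-tuple; both directions of a flow are known."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of the initiating SYN
        self.log = []        # (src, dst, dport, label) for dropped packets

    def handle(self, src, sport, dst, dport, flags):
        """Return 'pass' (new SYN, left to wrappers/firewall), 'accept'
        (packet belongs to a known flow) or 'drop' (out of state; logged)."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags & (SYN | ACK) == SYN:        # pure SYN opens a conversation
            self.flows.add(fwd)
            return "pass"
        if fwd in self.flows or rev in self.flows:
            if flags & RST:                   # reset tears the flow down
                self.flows.discard(fwd)       # (full FIN teardown omitted)
                self.flows.discard(rev)
            return "accept"
        # Unknown flow: label by flag combination so the log names the scan type.
        self.log.append((src, dst, dport, SCAN_SIGNATURES.get(flags, "out-of-state")))
        return "drop"


def run_sample():
    """Constructed packet sequence: one legitimate flow, then scan probes."""
    table = StateTable()
    packets = [
        ("10.0.0.1", 40000, "10.0.0.2", 80, SYN),
        ("10.0.0.2", 80, "10.0.0.1", 40000, SYN | ACK),
        ("10.0.0.1", 40000, "10.0.0.2", 80, ACK | PSH),
        ("10.0.0.9", 5555, "10.0.0.2", 22, URG | PSH),   # vecna's URG+PUSH probe
        ("10.0.0.9", 5555, "10.0.0.2", 23, 0),           # NULL scan probe
    ]
    return [table.handle(*p) for p in packets], table.log


if __name__ == "__main__":
    print(run_sample())
```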
This archive was generated by hypermail 2b27 : Tue Jan 18 2000 - 12:18:13 CST