[1681] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: New Program: Abacus Sentry - Port Scan Detector
daemon@ATHENA.MIT.EDU (Craig H. Rowland)
Wed Dec 10 14:38:41 1997
Date: Wed, 10 Dec 1997 08:57:26 -0600 (CST)
From: "Craig H. Rowland" <crowland@psionic.com>
To: linux-security@redhat.com
In-Reply-To: <199712091429.JAA04583@alcove.wittsend.com>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 9 Dec 1997, Michael H. Warfield wrote:
> ther enscribed thusly:
> > On Fri, 5 Dec 1997, Craig H. Rowland wrote:
> >
> > > - Add the target host to the local Linux filter list using
> > > ipfwadm.
> > >
> > > - Drop the route to the target host via the route command.
> > abacus (as described) would kill all connections to a host which
> > portscans him. so an attacker would be able to kill any connection to
> > any host by spoofed UDP packages.
>
> Interesting point. Triggering any sort of defensive action based
> on UDP would open up a new class of denial of service attacks...
This unfortunately is true and is a known issue with the program. Version
0.09 (on the website now) has an option called DO_IGNORE_UDP that will
disable all actions (except reporting the connection) for all UDP sweeps.
> Then you can set up the kill by route action to be triggered
> only on TCP port scanning, which would then require fully connected
> sessions. Since Linux is NOT sequence number predictable, an attacker
> would play hell spoofing a port scan via TCP.
Also the program has two modes: -tcp and -udp. The program was split into
these two functions to provide for failures and to allow the end user to
only monitor for one type of port probing activity.
>
> However...
>
> Because accept behaves differently on Linux than on many other
> flavors of UNIX, you would have to be extremely careful not to let failed
> connections trigger the kill behavior though. On Linux, if someone does
> a "stealth scan" of the TCP ports by issuing a raw "SYN" packet but then
> resets the connection before a session is fully connected, the accept
> still returns a socket. You subsequently get a SIGPIPE when you try and
> access the socket. This caused some entertaining headaches with inetd
> crashing if the internal services such as "time" got stealth scanned.
> If this problem also exists in abacus, this would allow a knowledgable
> attacker to spoof a TCP steath scan and cause the same sort of denial
> of service as spoofing a UDP scan.
I should be catching SIGPIPE, if I'm not please let me know.
Stealth scanning brings in some other issues for a port scan detector.
This is one of the reasons I don't include this feature. Here are a few
points:
1) False alarm rates increase due to normal anomalies in network traffic
that may result in connections that appear to be "half-open" but really
resulted from some type of transient failure during initial negotiation.
2) A properly designed stealth port scan monitor should contain a state
engine to monitor when connections go into a fully-established state. For
a busy server this adds a resource expense that I think is not really
warranted compared to the relative rarity of a port sweep versus normal
network activity.
3) The inclusion of stealth scan detection will mostly likely require
non-portable code and this was counter to one of the design goals.
>
> This is worth checking out and specifically avoiding if the
> avoidance code does not already exist.
>
> I've downloaded abacus but have not had the time to look at the
> code as yet. The possibilities of creating denial of service attacks
> like this, open up some new interest though...
>
I have changed the documentation to state that UDP scan detection should
have automatic actions disabled if it is an Internet connected site.
Internal hosts should probably keep it enabled; if they have a host
spoofing packets internally you have a bigger problem to worry about.
This is very early release code and I am looking for code reviews. If
anyone would like to participate in this I would be happy to have you.
I've received a large number of comments to date and have acted/responded
to each. If anyone has any comments I'm happy to answer them.
> > bye,
> > therapy
> >
> > --
> > ----------------------------------------------------------------------
> > Please refere to the information about this list as well as general
> > information about Linux security at http://www.aoy.com/Linux/Security.
> > ----------------------------------------------------------------------
> >
> > To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
> (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
>
> --
>
- -- Craig
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQCVAwUBNI6t0K5kS8WYq/59AQHV3wP9HDPHmiMVWEUdKwBVeFpVd/sZtbpZNgfp
VG251lJAMxpnQa1BAoDTpdZDCGGBFYmh18ZSIBa5tSJaZiihhxq7b0G/aYz3GKGY
fSb5HuoIBss7+7bEWKNKJP7Y45SNbiiZ5T/ucUyDFep94+hIiEp/MApohONa4JaY
BwGHEtaBhuE=
=jNnt
-----END PGP SIGNATURE-----
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null