[1681] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Re: New Program: Abacus Sentry - Port Scan Detector

daemon@ATHENA.MIT.EDU (Craig H. Rowland)
Wed Dec 10 14:38:41 1997

Date: Wed, 10 Dec 1997 08:57:26 -0600 (CST)
From: "Craig H. Rowland" <crowland@psionic.com>
To: linux-security@redhat.com
In-Reply-To: <199712091429.JAA04583@alcove.wittsend.com>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 9 Dec 1997, Michael H. Warfield wrote:

> ther enscribed thusly:
> > On Fri, 5 Dec 1997, Craig H. Rowland wrote:
> > 
> > > 	- Add the target host to the local Linux filter list using
> > > 	  ipfwadm.
> > > 
> > > 	- Drop the route to the target host via the route command.
> > abacus (as described) would kill all connections to a host which
> > portscans him. so an attacker would be able to kill any connection to
> > any host by spoofed UDP packages. 
> 
> 	Interesting point.  Triggering any sort of defensive action based
> on UDP would open up a new class of denial of service attacks...

This unfortunately is true and is a known issue with the program. Version
0.09 (on the website now) has an option called DO_IGNORE_UDP that will
disable all actions (except reporting the connection) for all UDP sweeps.

 
> 	Then you can set up the kill by route action to be triggered
> only on TCP port scanning, which would then require fully connected
> sessions.  Since Linux is NOT sequence number predictable, an attacker
> would play hell spoofing a port scan via TCP.

Also the program has two modes: -tcp and -udp. The program was split into
these two functions to provide for failures and to allow the end user to
only monitor for one type of port probing activity.

> 
> 	However...
> 
> 	Because accept behaves differently on Linux than on many other
> flavors of UNIX, you would have to be extremely careful not to let failed
> connections trigger the kill behavior though.  On Linux, if someone does
> a "stealth scan" of the TCP ports by issuing a raw "SYN" packet but then
> resets the connection before a session is fully connected, the accept
> still returns a socket.  You subsequently get a SIGPIPE when you try and
> access the socket.  This caused some entertaining headaches with inetd
> crashing if the internal services such as "time" got stealth scanned.
> If this problem also exists in abacus, this would allow a knowledgable
> attacker to spoof a TCP steath scan and cause the same sort of denial
> of service as spoofing a UDP scan.

I should be catching SIGPIPE, if I'm not please let me know.

Stealth scanning brings in some other issues for a port scan detector.
This is one of the reasons I don't include this feature. Here are a few
points:

1) False alarm rates increase due to normal anomalies in network traffic
that may result in connections that appear to be "half-open" but really
resulted from some type of transient failure during initial negotiation.

2) A properly designed stealth port scan monitor should contain a state
engine to monitor when connections go into a fully-established state. For
a busy server this adds a resource expense that I think is not really
warranted compared to the relative rarity of a port sweep versus normal
network activity. 

3) The inclusion of stealth scan detection will mostly likely require
non-portable code and this was counter to one of the design goals. 

> 
> 	This is worth checking out and specifically avoiding if the
> avoidance code does not already exist.
> 
> 	I've downloaded abacus but have not had the time to look at the
> code as yet.  The possibilities of creating denial of service attacks
> like this, open up some new interest though...
> 

I have changed the documentation to state that UDP scan detection should
have automatic actions disabled if it is an Internet connected site.
Internal hosts should probably keep it enabled; if they have a host
spoofing packets internally you have a bigger problem to worry about. 

This is very early release code and I am looking for code reviews. If
anyone would like to participate in this I would be happy to have you.
I've received a large number of comments to date and have acted/responded
to each. If anyone has any comments I'm happy to answer them. 


> > bye,
> > 	therapy
> > 
> > -- 
> > ----------------------------------------------------------------------
> > Please refere to the information about this list as well as general
> > information about Linux security at http://www.aoy.com/Linux/Security.
> > ----------------------------------------------------------------------
> > 
> > To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
> 
> 	Mike
> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
>   (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
> 
> -- 
> 

- -- Craig

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBNI6t0K5kS8WYq/59AQHV3wP9HDPHmiMVWEUdKwBVeFpVd/sZtbpZNgfp
VG251lJAMxpnQa1BAoDTpdZDCGGBFYmh18ZSIBa5tSJaZiihhxq7b0G/aYz3GKGY
fSb5HuoIBss7+7bEWKNKJP7Y45SNbiiZ5T/ucUyDFep94+hIiEp/MApohONa4JaY
BwGHEtaBhuE=
=jNnt
-----END PGP SIGNATURE-----

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post