[13424] in bugtraq
Re: usual iploggers miss some variable stealth scans
daemon@ATHENA.MIT.EDU (David LeBlanc)
Wed Jan 19 12:59:25 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.3.32.20000118095732.04390100@mail.mindspring.com>
Date: Tue, 18 Jan 2000 09:57:32 -0800
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: Simple Nomad <thegnome@NMRC.ORG>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10001172310060.1084-100000@blackhole.nmrc.org>
At 11:22 PM 1/17/00 -0600, Simple Nomad wrote:
>This and all other TCP stealth scans can be eliminated by modification to
>most open source kernels. By adding code to the parts of the kernel that
>handle TCP input, you can look to see if a packet is a part of an existing
>conversation. If not, drop it (and perhaps log it). Allow the regular SYN
>packets to be handled by other methods, such as TCP wrappers, firewall
>code (ipfwadm, ipchains), etc.
Win2k has an interesting couple of new APIs listed in the DDK under
networking that enable one to construct packet filters that do arbitrary
things. It wouldn't be much trouble to build something that would maintain
state and deal with this sort of thing appropriately. The only gotcha is
that it is above the reassembly layer - but you can inspect or drop
everything that passes through that point.
Another fun thing to do to an attacker is to send them back host or network
unreachables instead of RST - some stacks will drop all connections to a
host if it sends them one of those, which is why you're supposed to send
the RSTs in the first place. Standard warnings about allowing denial of
service attacks due to spoofed packets assumed, so YMMV, and play at your
own risk.
I keep meaning to write myself one just for fun, but haven't had time.
You'd need the Win2k release DDK to play with it - it didn't show up in
public until just before RTM, so if you've got beta DDKs, it won't be there.
David LeBlanc
dleblanc@mindspring.com
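The check Simple Nomad describes above (pass SYNs on to the usual access controls, pass segments that belong to a conversation already known to the stack, drop and log everything else) is easier to follow as a small state machine than as kernel patch text. The following is an added example written for this archive page, not code from either poster or from any kernel; it models the decision in Python so it can be read and run without a kernel, and the Segment objects, addresses (RFC 5737 documentation ranges) and ports are constructed, not captured traffic.

```python
"""
Added example: a stateful filter for inbound TCP segments, modelling the
in-kernel check described in the thread. Not code from the thread or from
any kernel. Segments are constructed objects, not parsed wire data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# TCP flag bits as laid out in the header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    src: str     # remote address
    sport: int   # remote port
    dport: int   # local port the segment is aimed at
    flags: int


# Seen from the local host, a conversation is (peer, peer port, local port).
Key = Tuple[str, int, int]


def probe_name(flags: int) -> str:
    """Label the flag pattern of a segment that matched no conversation.
    These are the classic stealth-scan shapes; anything else is 'other'."""
    if flags == 0:
        return "NULL probe"
    if flags == FIN:
        return "FIN probe"
    if flags == FIN | PSH | URG:
        return "XMAS probe"
    if flags == ACK:
        return "ACK probe"
    if flags == SYN | ACK:
        return "SYN/ACK probe"
    return "other"


@dataclass
class StatefulFilter:
    states: Dict[Key, str] = field(default_factory=dict)  # key -> SYN_RCVD | ESTABLISHED
    log: List[str] = field(default_factory=list)

    def inbound(self, seg: Segment) -> str:
        """Decide what happens to one inbound segment.

        'accept': a bare SYN; hand it to wrappers / firewall rules and start
                  tracking the half-open conversation (a real implementation
                  would create state only after those layers let it through)
        'pass'  : part of a conversation we already track
        'drop'  : neither; logged as a probe
        """
        k = (seg.src, seg.sport, seg.dport)
        state = self.states.get(k)

        if state is not None:
            if seg.flags & (RST | FIN):
                # Peer is tearing the conversation down; stop tracking it.
                # (The full FIN/ACK close exchange is not modelled here.)
                del self.states[k]
            elif state == "SYN_RCVD" and seg.flags & ACK and not seg.flags & SYN:
                self.states[k] = "ESTABLISHED"  # third step of the handshake
            return "pass"

        if seg.flags & SYN and not seg.flags & ACK:
            self.states[k] = "SYN_RCVD"
            return "accept"

        self.log.append(
            f"drop {probe_name(seg.flags)} from {seg.src}:{seg.sport} "
            f"to port {seg.dport} flags=0x{seg.flags:02x}"
        )
        return "drop"


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed traffic: one legitimate connection to port 22 from
    192.0.2.10 and four stealth probes against port 80 from 198.51.100.7."""
    f = StatefulFilter()
    traffic = [
        Segment("192.0.2.10", 40000, 22, SYN),
        Segment("192.0.2.10", 40000, 22, ACK),
        Segment("192.0.2.10", 40000, 22, PSH | ACK),
        Segment("198.51.100.7", 31337, 80, FIN),
        Segment("198.51.100.7", 31337, 80, FIN | PSH | URG),
        Segment("198.51.100.7", 31337, 80, 0),
        Segment("198.51.100.7", 31337, 80, ACK),
        Segment("192.0.2.10", 40000, 22, FIN | ACK),
    ]
    decisions = [f.inbound(s) for s in traffic]
    return decisions, f.log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The `drop` branch is where the response policy lives: silent drop as modelled here, the RST a normal stack would send, or the host/network unreachable that LeBlanc suggests, which carries the spoofed-packet denial-of-service caveat he gives. The half-open state created on a bare SYN is the other point to watch in a real implementation: it needs a timeout, or a SYN flood becomes a memory exhaustion problem for the filter itself.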