[2636] in bugtraq


Re: TCP SYN probe detection tool available

daemon@ATHENA.MIT.EDU (Darren Reed)
Mon May 27 11:00:13 1996

Date:         Mon, 27 May 1996 15:14:30 +1000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Darren Reed <avalon@coombs.anu.edu.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.LNX.3.91.960516124545.514C-100000@devnull.saturn.net> from
              "Brian Mitchell" at May 16, 96 12:49:50 pm

In some mail from Brian Mitchell, sie said:
>
> On Thu, 16 May 1996, Henri Karrenbeld wrote:
>
> > I am afraid I do not read other security lists besides this one (I glance at
> > Linux-alert and Linux-security occasionally when linux.dev.* mentions something)
> > And of course stuff like cert-advisory, but in none of these have I seen
> > what actually can be done with SYN packets... Could someone explain this?
>
> Services can be probed for. Let's take 2 short examples:
[...]
> The bad guy now knows there is something on the port, but because the
> three way handshake has not been completed it is not logged, the bad guy
> can then send a rst tearing down the connection, since he has the
> information he is after.
>
> I think some time ago a detailed post was made to this list describing
> the various ways a stealth scanner could be implemented, although i'm not
> 100% sure.

There was, from myself and Chris Klaus.

A point to remember was that done right, you could use other packets and
not just SYN.

Because of this, I wrote a tool which captured all TCP traffic via BPF, noted
what ports were trying to be accessed, and analysed the results in a very
weak way to determine if any sort of attack was being launched.

darren
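The detection idea in this thread (capture TCP traffic, note which ports are being touched, and do a deliberately simple analysis) can be shown in miniature. The following is an added example for this archive page, not Darren's tool or any code posted to the list. It replays a constructed packet list in the shape a BPF-based capture would produce, tracks each flow by (client, server, server port), and reports sources that touch several ports without ever completing the three-way handshake, covering the SYN/SYN-ACK/RST half-open case Brian describes as well as the "other packets, not just SYN" case Darren raises. Host addresses, port numbers and the threshold of 3 are all assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple

# One captured TCP packet, as a BPF-based capture tool might record it.
# flags uses the usual letters: S = SYN, A = ACK, F = FIN, R = RST.
Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Constructed sample capture (not real traffic). 10.0.0.1 is the monitored
# host, 10.0.0.5 a normal client, 192.0.2.9 a source sending probes.
SAMPLE_CAPTURE = [
    # normal client: complete three-way handshake to port 80
    Packet(1.0, "10.0.0.5", 40001, "10.0.0.1", 80, "S"),
    Packet(1.1, "10.0.0.1", 80, "10.0.0.5", 40001, "SA"),
    Packet(1.2, "10.0.0.5", 40001, "10.0.0.1", 80, "A"),
    # half-open probe of port 22: SYN, SYN-ACK comes back, client resets
    Packet(2.0, "192.0.2.9", 51000, "10.0.0.1", 22, "S"),
    Packet(2.1, "10.0.0.1", 22, "192.0.2.9", 51000, "SA"),
    Packet(2.2, "192.0.2.9", 51000, "10.0.0.1", 22, "R"),
    # the same against port 25
    Packet(2.3, "192.0.2.9", 51001, "10.0.0.1", 25, "S"),
    Packet(2.4, "10.0.0.1", 25, "192.0.2.9", 51001, "SA"),
    Packet(2.5, "192.0.2.9", 51001, "10.0.0.1", 25, "R"),
    # closed port 23: the server answers the SYN with RST
    Packet(2.6, "192.0.2.9", 51002, "10.0.0.1", 23, "S"),
    Packet(2.7, "10.0.0.1", 23, "192.0.2.9", 51002, "R"),
    # a lone FIN to port 143 with no connection behind it (non-SYN probe)
    Packet(3.0, "192.0.2.9", 51003, "10.0.0.1", 143, "F"),
]


def track_flows(packets):
    """Replay packets and return {(client, server, port): state}.

    States: syn (no reply yet), synack (server answered), established
    (client ACKed), half_open (client RST after SYN-ACK), refused (server
    RST to the SYN), stateless_probe (packet to a port with no flow open).
    """
    flows = {}
    for p in packets:
        fwd = (p.src, p.dst, p.dport)   # packet travelling client -> server
        rev = (p.dst, p.src, p.sport)   # packet travelling server -> client
        if "S" in p.flags and "A" not in p.flags:
            # pure SYN: a handshake starts, completed or not
            flows.setdefault(fwd, "syn")
        elif rev in flows:
            # server-side reply to a flow we saw being opened
            if "S" in p.flags and "A" in p.flags and flows[rev] == "syn":
                flows[rev] = "synack"
            elif "R" in p.flags and flows[rev] == "syn":
                flows[rev] = "refused"
        elif fwd in flows:
            state = flows[fwd]
            if "R" in p.flags and state == "synack":
                flows[fwd] = "half_open"      # the probe tore it down itself
            elif "A" in p.flags and state == "synack":
                flows[fwd] = "established"    # what the service would log
        else:
            # no SYN ever opened this flow: FIN/ACK/etc. straight at a port
            flows.setdefault(fwd, "stateless_probe")
    return flows


def probe_report(packets, threshold=3):
    """Per source, list distinct (server, port) pairs that never reached
    'established'; a source touching >= threshold of them is flagged.
    Deliberately crude: counts only, no timing or rate (assumed threshold)."""
    flows = track_flows(packets)
    per_src = defaultdict(set)
    for (client, server, port), state in flows.items():
        if state != "established":
            per_src[client].add((server, port))
    return {src: {"ports": sorted(ports), "flagged": len(ports) >= threshold}
            for src, ports in per_src.items()}


if __name__ == "__main__":
    for src, info in probe_report(SAMPLE_CAPTURE).items():
        print(src, "FLAGGED" if info["flagged"] else "ok", info["ports"])
```

The point of keying flows by (client, server, server port) rather than by the full four-tuple is that a probe uses a fresh source port for every target port, so the half-open and refused flows from one source accumulate into a single per-source count; a normal client shows up only as established flows and never enters the report at all.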
