Re: statefull inspection FW and hackers

["Andrea Gatta" <andrea.gatta () gmail com>]

David,
depending on the target OS, a FIN scan can reveal open ports.
Basically an unsolliceted FIN packet will be:

- ignored on an open port (RFC 793)

- while on a closed port that will trigger a RST/ACK back

In turn that will give to the attacker a way to understand what ports
are actually available on the target.

Things is, a FIN scan is not likelly to be seen and logged by a
firewall which si not stateful.

Andrea

On Wed, Aug 20, 2008 at 6:15 PM, David Gillett <gillettdavid () fhda edu> wrote:
>  Statefulness doesn't help with SYN port scans -- that much is correct.
>
>  However, some attacks may depend on violating the normal state transitions
> or sequencing of TCP traffic, or on scanning with other sorts of packets --
> I see unsolicited SYN-ACK packets all the time.  (Those are probably just
> responses to spoofed SYNs, but I can't know that for certain.  I'm not sure
> what a scan with RST or FIN packets would reveal.)
>
>  Most of the stateful firewalls I've seen also do inspection of FTP control
>
> traffic, so that FTP data sessions on negotiated ports can be allowed
> without
> leaving masses of high-numbered ports open all the time. An awful lot of
> junk/noise can be filtered out by that.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com] On Behalf Of Juan B
> > Sent: Tuesday, August 19, 2008 10:05 PM
> > To: security basics
> > Subject: statefull inspection FW and hackers
> >
> >
> >
> > Hi,
> >
> > Can someone please explain why statefull  inspection Fw helps
> > against hackers? I know that those FW keep track of the
> > sessions but I dont understand how the feature might help
> > against a port scan from the internet or other ways to
> > mitigate hackers attacks.
> >
> > Thanks
> >
> > Juan