Bugtraq mailing list archives
Re: usual iploggers miss some variable stealth scans
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 18 Jan 2000 09:57:32 -0800
At 11:22 PM 1/17/00 -0600, Simple Nomad wrote:

> This and all other TCP stealth scans can be eliminated by modification to most open source kernels. By adding code to the parts of the kernel that handle TCP input, you can look to see if a packet is a part of an existing conversation. If not, drop it (and perhaps log it). Allow the regular SYN packets to be handled by other methods, such as TCP wrappers, firewall code (ipfwadm, ipchains), etc.

Win2k has an interesting couple of new APIs listed in the DDK under networking that enable one to construct packet filters that do arbitrary things. It wouldn't be much trouble to build something that would maintain state and deal with this sort of thing appropriately. The only gotcha is that it is above the reassembly layer - but you can inspect or drop everything that passes through that point.

Another fun thing to do to an attacker is to send them back host or network unreachables instead of RST - some stacks will drop all connections to a host if it sends them one of those, which is why you're supposed to send the RSTs in the first place. Standard warnings about allowing denial of service attacks due to spoofed packets assumed, so YMMV, and play at your own risk.

I keep meaning to write myself one just for fun, but haven't had time. You'd need the Win2k release DDK to play with it - it didn't show up in public until just before RTM, so if you've got beta DDKs, it won't be there.

David LeBlanc
dleblanc () mindspring com
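The stateful check that Simple Nomad describes (is this segment part of a conversation we already know about? if not, drop and log it; let plain SYNs fall through to the usual wrapper/firewall policy) is small enough to sketch in user space. The following is an added illustration written for this archive page, not code from either poster and not kernel code: it models the TCP input path as a flow table keyed on the normalized 4-tuple, with a constructed packet record and a simplified teardown rule (a RST forgets the flow immediately; a full FIN/FIN-ACK exchange is not modelled). The scan names in the log lines are the conventional labels for the flag combinations and are an addition here.

```python
"""Stateful filter for stray TCP segments, as a user-space model.

Added example for this mailing-list page; it is not kernel code and not
either poster's implementation.  Packets and addresses are constructed.
"""
from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """Minimal view of one TCP segment after IP reassembly (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def describe(flags: int) -> str:
    """Label the well-known probe flag patterns so log lines are readable."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == ACK:
        return "ACK"
    return "other"


@dataclass
class StatefulFilter:
    # Normalized 4-tuples of conversations that began with a SYN we passed on.
    flows: set = field(default_factory=set)
    # Log of dropped segments; a kernel would hand these to syslog/klog.
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        # Order the endpoints so both directions map to the same flow entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p: Packet) -> str:
        """Return the decision for one segment: ACCEPT, PASS_TO_FIREWALL or DROP."""
        key = self._key(p)
        if key in self.flows:
            # Part of an existing conversation: let the stack process it.
            if p.flags & RST:
                self.flows.discard(key)  # simplified teardown (see lead-in)
            return "ACCEPT"
        if p.flags & SYN and not p.flags & ACK:
            # A plain SYN is a connection attempt: defer to TCP wrappers /
            # ipchains-style policy.  We record the flow so the reply and
            # handshake completion are recognised as part of it.
            self.flows.add(key)
            return "PASS_TO_FIREWALL"
        # Anything else with no matching flow is a stray segment: a probe
        # such as a FIN/NULL/XMAS/ACK scan, or a late packet.  Drop and log.
        self.log.append(
            f"DROP stray TCP {p.src}:{p.sport} -> {p.dst}:{p.dport} "
            f"flags=0x{p.flags:02x} ({describe(p.flags)})"
        )
        return "DROP"


def run_demo():
    """Feed a constructed sequence through the filter; return decisions and log."""
    f = StatefulFilter()
    traffic = [
        Packet("10.0.0.5", 40000, "10.0.0.1", 22, SYN),        # real connect
        Packet("10.0.0.1", 22, "10.0.0.5", 40000, SYN | ACK),  # reply
        Packet("10.0.0.5", 40000, "10.0.0.1", 22, ACK),        # handshake done
        Packet("10.0.0.9", 40001, "10.0.0.1", 80, 0),          # NULL probe
        Packet("10.0.0.9", 40002, "10.0.0.1", 80, FIN | PSH | URG),  # XMAS probe
        Packet("10.0.0.9", 40003, "10.0.0.1", 80, ACK),        # ACK probe
    ]
    decisions = [f.handle(p) for p in traffic]
    return decisions, f.log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    print("\n".join(log))
```

The point of the model is the ordering of the checks: flow membership first, then the SYN exception, then a default drop. The same ordering is what a kernel-level filter in the TCP input path would apply, with the difference that the real one would also have to age out flows and follow the full FIN handshake before forgetting a conversation.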