Bugtraq mailing list archives
Re: usual iploggers miss some variable stealth scans
From: hlein () PROGRESSIVE-COMP COM (Hank Leininger)
Date: Tue, 18 Jan 2000 14:10:02 -0500
On 2000-01-18, Simple Nomad <thegnome () NMRC ORG> said on bugtraq:
On Mon, 17 Jan 2000, vecna wrote: the five type of packets that can be used for stealth scanning, and isn't logged from the normal tcplogd/scanlogger have this flag:
This and all other TCP stealth scans can be eliminated by modification to most open source kernels. By adding code to the parts of the kernel that handle TCP input, you can look to see if a packet is a part of an existing conversation. If not, drop it (and perhaps log it).
[ snip - note that it is often exactly bugs in the is-this-an-existing- connection lookup that os detection code exploits. ]
This is basically taking advantage of a kernel's state table.
Hm, that sounds mighty familiar ;) I've been maintaing a set of Linux kernel patches for a while now that do exactly this, among other things: http://www.progressive-comp.com/~hlein/hap-linux/ Documentation is guaranteed to be out of date; the curious should read the code. Basically: before incoming packets are checked against the kernel's state table looking for an active connection or a listening socket, the flagset is sanity-checked and the packet is dropped & logged on failure. Then, if the state-table-lookup fails, where normally an RST would be silently sent, a rate-limited log message is generated along with the RST. Something similar is done for unsolicited UDP traffic. The patches need Solar Designer's Openwall patches to be applied first; they rely on and add to some of his code as well. They do things besides breaking the TCP stack, like enable some other additional logging, enforce some protections from chroot(2)'ed processes, etc. I'd be interested in comments on the ideas and/or code quality (which is guaranteed to be lacking -- I'm a shitty coder). Various flavors of this patch have been in use on a number of high-volume sites for some time but of course YMMV. I've wanted to port this (or the appropriate parts) to a couple of the BSDs as well but lack sufficient (time|clue|motivation). Hank Leininger <hlein () progressive-comp com>
Current thread:
- Re: usual iploggers miss some variable stealth scans David LeBlanc (Jan 18)
- <Possible follow-ups>
- Re: usual iploggers miss some variable stealth scans Hank Leininger (Jan 18)
- Re: usual iploggers miss some variable stealth scans Oliver Friedrichs (Jan 19)
- Re: usual iploggers miss some variable stealth scans Ralf Laue (Jan 21)
- Re: usual iploggers miss some variable stealth scans antirez (Jan 22)
- Re: usual iploggers miss some variable stealth scans Theo de Raadt (Jan 23)
- Security Bulletins Digest Aleph One (Jan 24)
- majordomo 1.94.5 does not fix all vulnerabilities Brock Sides (Jan 24)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Chan Wilson (Jan 25)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Dave Barr (Jan 25)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Olaf Kirch (Jan 25)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Martin Mares (Jan 25)