Nmap Announce mailing list archives

RE: Detected NMAP scan


From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 6 Jan 1999 17:42:54 -0600 (CST)

I've had Jesse's patch in my kernels for quite a while, so I don't know if
there is a different or newer version from the one I picked up off of
BigMama a while back. I have a couple of comments.

Several of the NMAP scanning options still detected ports, so I added
stuff in to look for the specific scans, and then threw in a check for an
ftp bounce attack. This is mainly for logging, although it does stop the
scan from "working". This way you can say "fin scan from x.x.x.x" or
"possible ftp bounce via x.x.x.x" in your logs and be aware of it.

At the top of Jesse's routine I altered the code to look at all packets
that are not SYNs, addressed to my machine, are not a part of an existing 
connection, and then do the Jesse thing with the extra port detection
stuff added, for logging. Then simply drop everything else. This gives you
the ability to see what types of scans you get hit with.

I also have code in there to log successful and unsuccessful tcp
connections. Jesse's patch keeps your logs from being filled with 65K
lines of connection rejected messages, and you still get the odd onetime
attempts logged, like the scans for a particular service.

This of course does NOT prevent fingerprinting ;-) as the port unreachable
part clearly identifies you as Linux, although the kernel version is
unknown. I also didn't look at udp. This is also intended as host
security, _not_ firewall security. It isn't perfect - I can think of a
half dozen concept flaws - but it is better than nothing. I mean shit, is
anything perfect?

I've been doing this on 2.0.36, and I'll post a link to a patch when I'm
done with the other stuff (added in Solar Designer's secure-linux, a few
other tidbits like the connection successful/rejected logging) if anyone
is interested.

    Simple Nomad    //  "When viewed as a metaphor for the human
 thegnome () nmrc org  //    condition, the humble GNU C compiler
    www.nmrc.org    //         becomes an endless enigma."

On Wed, 6 Jan 1999, Lamont Granquist wrote:

> On Wed, 6 Jan 1999, David G. Andersen wrote:
> > Would it perhaps be impolite to suggest that if you detect a SYN port
> > scan, and start refusing all connections from that IP, that your tool
> > opens up a beautiful DOS attack against the host system?
> [...snip...]
>
> Also, I've been noticing that while the script kiddies tend to use
> something like mscan and really pound on your machine that there are some
> more sophisticated people out there who are portscanning for specific
> services and are not scanning over a range. Therefore any of these
> detection methods that rely on X number of hits to closed ports in Y time
> units is going to fail to stop them.
>
> --
> Lamont Granquist                       lamontg () raven genome washington edu
> Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
> Box 352145 / University of Washington / Seattle, WA 98195
> PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
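
An added example, not code from this thread (neither Jesse's patch nor Simple Nomad's 2.0.36 additions appear on the page): a user-space C model of the two mechanisms the messages argue about. `classify` is the "not a SYN, not part of an existing connection, so name the scan type for the log and drop it" decision Simple Nomad describes, `ftp_bounce_suspect` is one plausible shape for his FTP bounce check (a PORT command advertising a host other than the control connection's peer), and `threshold_trips` is a counter of the "X hits to closed ports in Y time units" kind that Lamont says a targeted single-service probe slips past. The connection table, the threshold values, the sample addresses and the PORT line are all constructed for illustration, and the kernel's own socket lookup and RST/port-unreachable behaviour are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, RFC 793 values (the 2.0.x struct tcphdr exposes the same bits). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ALL (TH_FIN | TH_SYN | TH_RST | TH_PSH | TH_ACK | TH_URG)

enum verdict {
    V_NORMAL,      /* existing connection or plain SYN: hand to the normal stack */
    V_FIN_SCAN,    /* FIN alone, no connection: log "fin scan from x.x.x.x", drop */
    V_NULL_SCAN,   /* no flags at all */
    V_XMAS_SCAN,   /* FIN+PSH+URG */
    V_UNSOLICITED  /* any other flag mix with no connection (stray ACK, RST): drop */
};
struct segment { uint32_t src; uint16_t sport, dport; uint8_t flags; };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{ return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d; }

/* Hypothetical connection table standing in for the kernel's socket lookup. */
#define MAX_ENTRIES 16
static struct segment conns[MAX_ENTRIES];
static int nconns;

void conn_add(uint32_t src, uint16_t sport, uint16_t dport)
{
    if (nconns < MAX_ENTRIES)
        conns[nconns++] = (struct segment){ src, sport, dport, 0 };
}

static int conn_exists(const struct segment *s)
{
    for (int i = 0; i < nconns; i++)
        if (conns[i].src == s->src && conns[i].sport == s->sport && conns[i].dport == s->dport)
            return 1;
    return 0;
}

/* Per-segment decision as described in the message: not a SYN and not part of an
 * existing connection means classify the flag combination for the log, then drop. */
enum verdict classify(const struct segment *s)
{
    if (conn_exists(s) || (s->flags & (TH_SYN | TH_ACK)) == TH_SYN)
        return V_NORMAL;
    switch (s->flags & TH_ALL) {
    case TH_FIN:                   return V_FIN_SCAN;
    case 0:                        return V_NULL_SCAN;
    case TH_FIN | TH_PSH | TH_URG: return V_XMAS_SCAN;
    default:                       return V_UNSOLICITED;
    }
}

/* Counter detector of the "X hits to closed ports in Y time units" kind Lamont describes
 * (threshold values are assumptions): trips on a range sweep, never on one targeted probe. */
#define THRESH_HITS   5
#define THRESH_WINDOW 10UL
struct hitcount { uint32_t src; unsigned long first; int hits; };
static struct hitcount hc[MAX_ENTRIES];
static int nhc;

int threshold_trips(uint32_t src, unsigned long now)
{
    int i = 0;
    while (i < nhc && hc[i].src != src)
        i++;
    if (i == nhc) {
        if (nhc == MAX_ENTRIES) return 0;
        hc[nhc++] = (struct hitcount){ src, now, 0 };
    }
    if (now - hc[i].first > THRESH_WINDOW)   /* window expired: start counting again */
        hc[i].first = now, hc[i].hits = 0;
    return ++hc[i].hits >= THRESH_HITS;
}

/* FTP bounce check on a PORT command: the advertised host must be the control
 * connection's peer. Returns 1 for a mismatch or malformed PORT, 0 otherwise. */
int ftp_bounce_suspect(const char *payload, uint32_t peer)
{
    unsigned h1, h2, h3, h4, p1, p2;
    if (sscanf(payload, "PORT %u,%u,%u,%u,%u,%u", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
        return 0;
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255)
        return 1;
    return ip4(h1, h2, h3, h4) != peer;
}

int main(void)
{
    uint32_t peer = ip4(10, 0, 0, 5);              /* constructed sample traffic */
    conn_add(peer, 40000, 22);
    struct segment fin = { peer, 40001, 79, TH_FIN };
    printf("fin probe=%d threshold=%d bounce=%d\n", classify(&fin),
           threshold_trips(peer, 100), ftp_bounce_suspect("PORT 192,168,1,9,0,22\r\n", peer));
    return 0;
}
```

The single FIN probe to port 79 is named as a FIN scan by the flag classifier while the counter, having seen one hit, stays well below its threshold; that is the gap between the two messages in one run. As Simple Nomad notes, classifying and dropping does nothing for fingerprinting: the host's replies to the probes the stack still answers remain visible to the scanner.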



