Nmap Announce mailing list archives
RE: Detected NMAP scan
From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 6 Jan 1999 17:42:54 -0600 (CST)
I've had Jesse's patch in my kernels for quite a while, so I don't know if there is a different or newer version from the one I picked up off of BigMama a while back. I have a couple of comments.

Several of the NMAP scanning options still detected ports, so I added stuff in to look for the specific scans, and then threw in a check for an ftp bounce attack. This is mainly for logging, although it does stop the scan from "working". This way you can say "fin scan from x.x.x.x" or "possible ftp bounce via x.x.x.x" in your logs and be aware of it.

At the top of Jesse's routine I altered the code to look at all packets that are not SYNs, addressed to my machine, are not a part of an existing connection, and then do the Jesse thing with the extra port detection stuff added, for logging. Then simply drop everything else. This gives you the ability to see what types of scans you get hit with.

I also have code in there to log successful and unsuccessful tcp connections. Jesse's patch keeps your logs from being filled with 65K lines of connection rejected messages, and you still get the odd one-time attempts logged, like the scans for a particular service.

This of course does NOT prevent fingerprinting ;-) as the port unreachable part clearly identifies you as Linux, although the kernel version is unknown. I also didn't look at udp.

This is also intended as host security, _not_ firewall security. It isn't perfect - I can think of a half dozen concept flaws - but it is better than nothing. I mean shit, is anything perfect?

I've been doing this on 2.0.36, and I'll post a link to a patch when I'm done with the other stuff (added in Solar Designer's secure-linux, a few other tidbits like the connection successful/rejected logging) if anyone is interested.

Simple Nomad          // "When viewed as a metaphor for the human
thegnome () nmrc org  // condition, the humble GNU C compiler
www.nmrc.org          // becomes an endless enigma."

On Wed, 6 Jan 1999, Lamont Granquist wrote:
> On Wed, 6 Jan 1999, David G. Andersen wrote:
>
> > Would it perhaps be impolite to suggest that if you detect a SYN port scan, and start refusing all connections from that IP, that your tool opens up a beautiful DOS attack against the host system?
>
> [...snip...]
>
> Also, I've been noticing that while the script kiddies tend to use something like mscan and really pound on your machine that there are some more sophisticated people out there who are portscanning for specific services and are not scanning over a range. Therefore any of these detection methods that rely on X number of hits to closed ports in Y time units is going to fail to stop them.
>
> --
> Lamont Granquist   lamontg () raven genome washington edu
> Dept. of Molecular Biotechnology   (206)616-5735   fax: (206)685-7344
> Box 352145 / University of Washington / Seattle, WA 98195
> PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
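Added example, not Simple Nomad's patch or anything from this thread: a user-space Python sketch of the per-packet classification he describes (non-SYN packets to the host that belong to no existing connection get labelled by flag combination and logged individually, so the single-port probes Lamont mentions still show up without any hits-per-interval threshold). The `Packet` record, the `established` set standing in for the kernel socket table, and the ftp-bounce heuristic (a SYN from source port 20 at a port where no ftp-data transfer was negotiated) are my assumptions.

```python
from dataclasses import dataclass

# TCP flag bits, low byte of the TCP header flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FTP_DATA = 20  # source port an FTP server uses for active-mode data connections

@dataclass(frozen=True)
class Packet:            # assumed minimal view of an inbound TCP segment
    src: str
    sport: int
    dport: int
    flags: int

def classify(pkt, established, expected_ftp_data=frozenset()):
    """Return a log label for one inbound packet, or None for ordinary traffic.

    established:       (src, sport, dport) tuples of live connections (stand-in
                       for the kernel socket table).
    expected_ftp_data: local ports on which an ftp-data connection is expected.
    """
    if (pkt.src, pkt.sport, pkt.dport) in established:
        return None                      # part of a live connection: not a scan
    if pkt.flags & SYN and not pkt.flags & ACK:
        # A plain SYN is a normal connect, except when it comes from ftp-data
        # at a port where nothing was negotiated (assumed bounce heuristic).
        if pkt.sport == FTP_DATA and pkt.dport not in expected_ftp_data:
            return f"possible ftp bounce via {pkt.src}"
        return None
    if pkt.flags & RST:
        return None                      # stray RSTs are noise, not probes
    if pkt.flags == 0:
        return f"null scan from {pkt.src}"
    if (pkt.flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return f"xmas scan from {pkt.src}"
    if pkt.flags == FIN:
        return f"fin scan from {pkt.src}"
    return f"unexpected tcp flags 0x{pkt.flags:02x} from {pkt.src}"

def scan_log(packets, established, expected_ftp_data=frozenset()):
    """Run classify over a packet stream; return the log lines it would emit."""
    lines = []
    for p in packets:
        label = classify(p, established, expected_ftp_data)
        if label:
            lines.append(f"{label} (port {p.dport})")
    return lines

# Constructed sample traffic: a live session, a lone FIN probe at one port,
# an Xmas probe, a SYN from ftp-data to an unexpected port, a normal connect.
SAMPLE = [
    Packet("10.0.0.5", 40001, 22, ACK),
    Packet("192.0.2.7", 51234, 25, FIN),
    Packet("192.0.2.7", 51235, 80, FIN | PSH | URG),
    Packet("198.51.100.9", FTP_DATA, 6000, SYN),
    Packet("10.0.0.8", 40002, 22, SYN),
]
ESTABLISHED = {("10.0.0.5", 40001, 22)}
```

The FIN at port 25 is logged on its own, which is exactly the case a threshold-based detector misses; `scan_log(SAMPLE, ESTABLISHED)` yields the three labelled lines and nothing for the two ordinary packets.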