
List:       ipfilter
Subject:    RE: ipf and nmap
From:       Sean Mathias <SeanM () prosolve ! com>
Date:       2000-06-30 23:27:50

Also please note that many of the newer OS IP stacks are beginning to
implement Rate Limiting as described in subsection 4.3.2.8 of RFC1812,
which reads, in part:

'A router which sends ICMP Source Quench messages MUST be able to limit
the rate at which the messages can be generated.  A router SHOULD also
be able to limit the rate at which it sends other sorts of ICMP error
messages (Destination Unreachable, Redirect, Time Exceeded, Parameter
Problems).'

This is mentioned in the source code for NMAP as well.  In the RFC, the
term router is used but this technique is applicable to an IP
implementation at the discretion of its author.  This is intended to
mitigate resource (CPU) consumption on busy routers by relatively
unimportant traffic.  It also has the side benefit of causing problems
for UDP scanners...

Thus far I have found the following operating systems to implement this
functionality: RedHat Linux 6.1, FreeBSD 4.0 (kernel option; previous
versions do not) and Solaris 2.6.  Some Bay VPN switches simply drop the
packets on the floor, and no Windows system seems to implement this
functionality at all.

Sean Mathias
Prosolve

-----Original Message-----
From: Brandin L Claar [mailto:claar@arl.psu.edu]
Sent: Friday, June 30, 2000 4:08 PM
To: ipfilter@coombs.anu.edu.au
Subject: Re: ipf and nmap


> I use the below ipf.conf/ipnat.conf file and 
> to me everything should be blocked coming in 
> but if i let nmap take a shot at the firewall 
> (nmap -P0 -sU -v firewall) it comes back with 
> a lot of open udp ports.....(1 - 47557)
> 
> so i guess i did something wrong
> 

I believe, technically, the only mistake you have made is in
misinterpreting your nmap output.  The UDP scan on nmap actually
reports an open port if it DOES NOT receive a response.  The only
condition that will cause nmap to report a closed UDP port is when
it receives an icmp port unreachable message back from
the target.  I assume this is because open UDP ports don't
have to respond to connection attempts like TCP ports (with a
syn/ack packet).  They are, however, supposed to respond if the 
port isn't open.  So the scan ends up working counter to your 
intuitions.  

I originally noticed this behavior while scanning some
DEC networking hardware which just dropped UDP packets to unused
ports instead of responding properly.  Of course, nmap reported
every port open.


-- 
Brandin Claar
Network Coordinator
Penn State Applied Research Lab
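The two messages above make one combined point: nmap's UDP scan can only prove a port closed by receiving an ICMP port unreachable, so a target that rate-limits (or never sends) those errors makes nearly every port look open. The following is an added example, not code from either poster or from nmap; it models that interaction offline. The port numbers, the one-error-per-second token bucket, and the "DNS answers, SNMP stays silent" choice of open ports are assumptions for illustration, not measurements of any real stack. The "open|filtered" label is what later nmap releases print where the nmap of this thread simply said "open".

```python
"""
Added example (not from the original thread): a model of how ICMP
rate limiting on the target turns a UDP port scan into a wall of
"open" ports. Port numbers, rates and the token-bucket shape are
assumptions for illustration, not measurements of any real stack.
"""
from collections import Counter


class TokenBucket:
    """Token bucket: at most `burst` errors at once, refilling at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Target:
    """A UDP host. Ports in `replying` answer with application data; other open
    ports stay silent. Closed ports produce ICMP port unreachable, subject to
    `icmp_limit`, or never if `silent_closed` is set (the DEC-hardware case)."""

    def __init__(self, open_ports, replying, icmp_limit=None, silent_closed=False):
        self.open_ports = set(open_ports)
        self.replying = set(replying)
        self.icmp_limit = icmp_limit
        self.silent_closed = silent_closed

    def probe(self, port, now):
        """Return 'reply', 'unreachable', or None for silence."""
        if port in self.open_ports:
            return "reply" if port in self.replying else None
        if self.silent_closed:
            return None
        if self.icmp_limit is None or self.icmp_limit.allow(now):
            return "unreachable"
        return None  # the error was suppressed by rate limiting


def classify(response):
    """nmap -sU logic: only an ICMP port unreachable proves 'closed'."""
    if response == "reply":
        return "open"
    if response == "unreachable":
        return "closed"
    return "open|filtered"  # the nmap of this thread printed this simply as 'open'


def scan(target, ports, interval):
    """Probe each port `interval` seconds apart and classify the answer."""
    now = 0.0
    results = {}
    for port in ports:
        results[port] = classify(target.probe(port, now))
        now += interval
    return results


def summarize(results):
    return Counter(results.values())


PORTS = range(1, 1001)
OPEN = {53, 161}   # assumed: a DNS server that answers junk and an SNMP agent that ignores it
REPLYING = {53}


def demo():
    """Four scenarios; the limiter allows one ICMP error per second (assumed value)."""
    scenarios = {
        "fast, rate-limited": scan(Target(OPEN, REPLYING, TokenBucket(1.0, 1)), PORTS, 0.001),
        "paced, rate-limited": scan(Target(OPEN, REPLYING, TokenBucket(1.0, 1)), PORTS, 1.0),
        "fast, no limit": scan(Target(OPEN, REPLYING), PORTS, 0.001),
        "fast, drops silently": scan(Target(OPEN, REPLYING, silent_closed=True), PORTS, 0.001),
    }
    return {name: summarize(r) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:22s} {dict(counts)}")
```

Against the rate-limited target, a 1 ms-per-port scan gets exactly one port unreachable back and reports 998 of 1000 ports as open|filtered; the same target probed one port per second yields the true 998 closed ports, which is why pacing the probes (or retrying the "open" ones slowly) is the practical fix when scanning a stack like the ones listed above.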
