
List:       netfilter
Subject:    Stealth Scan Detection
From:       Simon Edwards <simon () simonzone ! com>
Date:       2001-09-28 16:11:32


Hi all,

First, I read from the book of nmap:

"
-sS
TCP SYN scan: This technique is often referred to as "half-open" scanning, 
because you don't open a full TCP connection. You send a SYN packet, as if 
you are going to open a real connection and you wait for a response. A 
SYN|ACK indicates the port is listening. A RST is indicative of a 
non-listener. If a SYN|ACK is received, a RST is immediately sent to tear 
down the connection (actually our OS kernel does this for us). 
"

Anyone here know anything about detecting this kind of scan using iptables?

The best I've come up with is:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j LOG --log-prefix "ABORTED "

which, I think, basically logs TCP connections that are aborted using a RST 
packet (which should not be often). Can anyone do better? I'm no TCP expert. 
Are there any drawbacks with detecting half-open scans like this?

TIA,

-- 
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands       "ZooTV? You made the right choice."
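As an added example (not part of Simon's post or the netfilter project), a shell function that reads the kernel log lines the LOG rule above would produce and reports sources that reset connections to several distinct local ports, which is how a half-open scan against listening ports shows up in that log. The log lines are constructed sample data in the standard LOG target field layout; the threshold and the "ABORTED" prefix are the only assumptions.

```shell
#!/bin/sh
# Constructed sample of kernel log lines as "-j LOG --log-prefix 'ABORTED '"
# emits them. 192.0.2.10 resets connections to four distinct ports (scan-like),
# 192.0.2.20 resets one connection (an ordinary abort), and one line is unrelated.
SAMPLE_LOG='Sep 28 16:11:32 host kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40123 DPT=22 WINDOW=1024 RES=0x00 RST URGP=0
Sep 28 16:11:32 host kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40124 DPT=80 WINDOW=1024 RES=0x00 RST URGP=0
Sep 28 16:11:32 host kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40125 DPT=443 WINDOW=1024 RES=0x00 RST URGP=0
Sep 28 16:11:33 host kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40126 DPT=22 WINDOW=1024 RES=0x00 RST URGP=0
Sep 28 16:11:33 host kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40127 DPT=8080 WINDOW=1024 RES=0x00 RST URGP=0
Sep 28 16:12:01 host kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 RST URGP=0
Sep 28 16:12:05 host kernel: eth0: link up'

# Read log lines on stdin and print "count source" for every source that
# reset connections to at least $1 distinct local ports (DPT), highest first.
# A repeated port from the same source is counted once, so a flaky client
# retrying one service does not look like a scanner.
aborted_by_source() {
    threshold="$1"
    awk -v thr="$threshold" '
        /ABORTED/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print ports[s], s }
    ' | sort -rn
}

# Stand-alone run: flag any source that reset connections to 3 or more ports.
printf '%s\n' "$SAMPLE_LOG" | aborted_by_source 3
```

Only sources whose SYNs reached listening ports appear here at all, since a SYN to a closed port is answered with a RST by the kernel before conntrack ever sees an ESTABLISHED connection.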
