From owner-freebsd-security  Wed Sep 16 23:44:27 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id XAA02044
          for freebsd-security-outgoing; Wed, 16 Sep 1998 23:44:27 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA02012
          for <freebsd-security@FreeBSD.ORG>; Wed, 16 Sep 1998 23:44:22 -0700 (PDT)
          (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost)
	by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id XAA06109;
	Wed, 16 Sep 1998 23:43:57 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Wed, 16 Sep 1998 23:43:55 -0700 (PDT)
From: "Jan B. Koum " <jkb@best.com>
X-Sender: jkb@shell6.ba.best.com
To: john <john@unt.edu>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Are we vulnerable to "stealth" port scans?
In-Reply-To: <199809170319.WAA18072@leonardo.cascss.unt.edu>
Message-ID: <Pine.BSF.4.02A.9809162329390.28001-100000@shell6.ba.best.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


	I wouldn't use the word "vulnerable", but yes, most TCP stacks
will in one way or another respond to Steal scans. On my system I modifed
kernel to log via net.inet.tcp.log_in_vain sysctl variable not only SYN
packets but all other packets. If someone would be to do this stealth scan
on you, you could still notice:

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
199.51.61.23:1 from 199.51.61.22:1<6>RST<6>

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>

	Also, one can setup something like NFR to watch for port scans on
the network.

-- Yan

I don't have the password .... + Jan Koum 
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

On Wed, 16 Sep 1998, john wrote:

>See http://www.2600.com/phrack/p49-15.html
>for a description of two "stealth" port
>scan methods.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message