From owner-freebsd-security  Thu Sep 17 00:44:18 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id AAA13907
          for freebsd-security-outgoing; Thu, 17 Sep 1998 00:44:18 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA13844
          for <freebsd-security@FreeBSD.ORG>; Thu, 17 Sep 1998 00:43:53 -0700 (PDT)
          (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id JAA08633;
	Thu, 17 Sep 1998 09:38:06 +0200 (CEST)
To: "Jan B. Koum " <jkb@best.com>
cc: john <john@unt.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: Are we vulnerable to "stealth" port scans? 
In-reply-to: Your message of "Wed, 16 Sep 1998 23:43:55 PDT."
             <Pine.BSF.4.02A.9809162329390.28001-100000@shell6.ba.best.com> 
Date: Thu, 17 Sep 1998 09:38:05 +0200
Message-ID: <8631.906017885@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


patches ?

In message <Pine.BSF.4.02A.9809162329390.28001-100000@shell6.ba.best.com>, "Jan
 B. Koum " writes:
>
>	I wouldn't use the word "vulnerable", but yes, most TCP stacks
>will in one way or another respond to Steal scans. On my system I modifed
>kernel to log via net.inet.tcp.log_in_vain sysctl variable not only SYN
>packets but all other packets. If someone would be to do this stealth scan
>on you, you could still notice:
>
>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>
>
>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>199.51.61.23:1 from 199.51.61.22:1<6>RST<6>
>
>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>
>
>	Also, one can setup something like NFR to watch for port scans on
>the network.
>
>-- Yan
>
>I don't have the password .... + Jan Koum 
>But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
>So if you've got the time .... | Web: http://www.best.com/~jkb
>Set the tone to sync ......... + OS: http://www.FreeBSD.org
>
>On Wed, 16 Sep 1998, john wrote:
>
>>See http://www.2600.com/phrack/p49-15.html
>>for a description of two "stealth" port
>>scan methods.
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-security" in the body of the message
>>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message