From owner-freebsd-security Thu Sep 17 00:44:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA13907 for freebsd-security-outgoing; Thu, 17 Sep 1998 00:44:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA13844 for ; Thu, 17 Sep 1998 00:43:53 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id JAA08633; Thu, 17 Sep 1998 09:38:06 +0200 (CEST) To: "Jan B. Koum " cc: john , freebsd-security@FreeBSD.ORG Subject: Re: Are we vulnerable to "stealth" port scans? In-reply-to: Your message of "Wed, 16 Sep 1998 23:43:55 PDT." Date: Thu, 17 Sep 1998 09:38:05 +0200 Message-ID: <8631.906017885@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org patches ? In message , "Jan B. Koum " writes: > > I wouldn't use the word "vulnerable", but yes, most TCP stacks >will in one way or another respond to Steal scans. On my system I modifed >kernel to log via net.inet.tcp.log_in_vain sysctl variable not only SYN >packets but all other packets. If someone would be to do this stealth scan >on you, you could still notice: > >Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP >199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6> > >Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP >199.51.61.23:1 from 199.51.61.22:1<6>RST<6> > >Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP >199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6> > > Also, one can setup something like NFR to watch for port scans on >the network. > >-- Yan > >I don't have the password .... + Jan Koum >But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. >So if you've got the time .... | Web: http://www.best.com/~jkb >Set the tone to sync ......... + OS: http://www.FreeBSD.org > >On Wed, 16 Sep 1998, john wrote: > >>See http://www.2600.com/phrack/p49-15.html >>for a description of two "stealth" port >>scan methods. >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-security" in the body of the message >> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message