Date: Thu, 7 Jan 1999 14:16:23 +1100 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: aussie-isp@aussie.net
Cc: freebsd-isp@FreeBSD.ORG
Subject: drop first SYN packet of a TCP connection to help prevent port scans
Message-ID: <Pine.BSF.4.01.9901071405210.2996-100000@velvet.sensation.net.au>
Hi all,

Crazy idea time - but it's a crazy time of year.

I've just been emailed a portion of YAPS (Yet Another Port Scan) by my
firewall, which was caught because I run a closed firewall on my home
network. An interesting idea occurred to me.

All of the portscans I've seen seem to send only a single packet per IP
or port scanned, rather than trying for several seconds and sending a few
packets before giving up.

Solution(?): drop the first inbound SYN packet, which will effectively
null all "single packet per port or IP" style scans. More "legitimate"
connections will continue to send SYN packets and thus the second packet
received will initiate the connection normally.

What sort of performance hit would the first packet being dropped/lost on
a new connection initiation have?

[freebsd specific] could ipfw be hacked to do this so it could be done on
a rule basis and 'trusted hosts' could bypass this first packet drop, plus
common ports could also be bypassed? eg...

  100 allow tcp from <trusted_host_ip> to <mail_server_ip> 25 in via ppp*
  200 allow tcp from any to <www_server_ip> 80 in via ppp*
  ...
  4000 allow tcp from any to <customer_network>/24 in via ppp*
       # customer who doesn't want this 'service', so let's bypass it.
  ...
  5000 dropfirst tcp from any to any in via ppp*
       # catch-all, anything which gets here gets the first SYN packet dropped.

Cheers.

(At home for a couple of hours then back to a lovely place in the country
with a running stream on the property, and NO computers!)

--
Rowan Crowe                    Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728             +61-3-9388-9260
http://www.rowan.sensation.net.au/         http://www.sensation.net.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
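The "dropfirst" behaviour the post asks for, modelled in user space as an added example (this is not code from the original message, and ipfw has no such action; the rule order, the per-flow state table and the packet trace are all constructed here). Rules are matched first-hit like ipfw, the hypothetical "dropfirst" action remembers the (src, dst, dport) of the first SYN it sees and only admits a second SYN for the same flow that arrives within a configurable window, and the trace mixes a single-probe scanner, a normal client that retransmits its SYN after roughly one RTO, the trusted mail host, the web server and the opted-out customer /24 from the post's rule list. The "in via ppp*" interface qualifier is ignored because the simulation has no interfaces.

```python
"""Simulate 'drop the first SYN of every new flow' with ipfw-style rules.

Added example, not the post's code nor any ipfw feature. Addresses are
RFC 5737 documentation ranges; the packet trace is constructed by hand.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str
    dst: str
    dport: int
    syn: bool = True


@dataclass
class Rule:
    action: str                 # "allow", "deny" or the hypothetical "dropfirst"
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None   # exact host, or "a.b.c.0/24"
    dport: Optional[int] = None


def _match_addr(pattern: Optional[str], addr: str) -> bool:
    """Match an exact host or a /24 prefix; None matches anything."""
    if pattern is None:
        return True
    if pattern.endswith("/24"):
        return addr.rsplit(".", 1)[0] == pattern[:-3].rsplit(".", 1)[0]
    return pattern == addr


class DropFirstFilter:
    def __init__(self, rules: List[Rule], window: float = 10.0) -> None:
        self.rules = rules
        self.window = window                    # how long a first SYN is remembered
        self.seen: Dict[Tuple[str, str, int], float] = {}

    def _lookup(self, pkt: Packet) -> Rule:
        for r in self.rules:                    # first matching rule wins, as in ipfw
            if (_match_addr(r.src, pkt.src) and _match_addr(r.dst, pkt.dst)
                    and (r.dport is None or r.dport == pkt.dport)):
                return r
        return Rule("deny")                     # implicit default deny

    def _expire(self, now: float) -> None:
        # Bound the state table: without this, spoofed SYNs fill it forever.
        for key in [k for k, t in self.seen.items() if now - t > self.window]:
            del self.seen[key]

    def handle(self, pkt: Packet) -> str:
        rule = self._lookup(pkt)
        if rule.action != "dropfirst" or not pkt.syn:
            return rule.action
        key = (pkt.src, pkt.dst, pkt.dport)
        first = self.seen.get(key)
        if first is not None and pkt.ts - first <= self.window:
            del self.seen[key]                  # retransmitted SYN: admit the flow
            return "allow"
        self.seen[key] = pkt.ts                 # first (or stale) SYN: drop it
        self._expire(pkt.ts)
        return "drop"


# Rule list from the post, with concrete placeholder addresses.
RULES = [
    Rule("allow", src="192.0.2.10", dst="203.0.113.5", dport=25),   # 100: trusted -> mail
    Rule("allow", dst="203.0.113.6", dport=80),                     # 200: any -> www
    Rule("allow", dst="198.51.100.0/24"),                           # 4000: opted-out customer
    Rule("dropfirst"),                                              # 5000: catch-all
]

# Constructed trace: scanner probes once per port, the client retransmits after ~3 s.
TRACE = [
    Packet(0.0, "192.0.2.66", "203.0.113.5", 22),     # scanner, single probe
    Packet(0.1, "192.0.2.66", "203.0.113.5", 23),     # scanner, single probe
    Packet(1.0, "192.0.2.20", "203.0.113.5", 22),     # real client, first SYN
    Packet(4.0, "192.0.2.20", "203.0.113.5", 22),     # real client, SYN retransmit
    Packet(5.0, "192.0.2.10", "203.0.113.5", 25),     # trusted host -> mail, rule 100
    Packet(5.0, "192.0.2.77", "203.0.113.6", 80),     # anyone -> www, rule 200
    Packet(6.0, "192.0.2.77", "198.51.100.7", 22),    # customer /24, rule 4000
    Packet(20.0, "192.0.2.20", "203.0.113.5", 22),    # new flow from client, dropped again
    Packet(40.0, "192.0.2.66", "203.0.113.5", 22),    # scanner retry, state long expired
]


def run_trace() -> List[Tuple[str, int, str]]:
    """Return (src, dport, verdict) for every packet in TRACE."""
    f = DropFirstFilter(RULES, window=10.0)
    return [(p.src, p.dport, f.handle(p)) for p in TRACE]


if __name__ == "__main__":
    for src, dport, verdict in run_trace():
        print(f"{src:>12} -> :{dport:<3} {verdict}")
```

Two things the trace makes visible that the post's question about "performance hit" points at: every new flow that falls through to the catch-all pays one SYN retransmission timeout of latency (the client at t=1.0 is not admitted until t=4.0, and it pays again for its next connection at t=20.0, because the filter only remembers a flow until its second SYN), and the filter needs a state table keyed on the source address, which an attacker with spoofed SYNs can fill unless entries expire, which is why `_expire` is there. A scanner that simply sends each probe twice inside the window is admitted like any other client, so the scheme only defeats the single-probe scans the post describes.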