From: Rowan Crowe
To: aussie-isp@aussie.net
cc: freebsd-isp@FreeBSD.ORG
Date: Thu, 7 Jan 1999 14:16:23 +1100 (EST)
Subject: drop first SYN packet of a TCP connection to help prevent port scans

Hi all,

Crazy idea time - but it's a crazy time of year.

I've just been emailed a portion of YAPS (Yet Another Port Scan) by my firewall, which was caught because I run a closed firewall on my home network.

An interesting idea occurred to me. All of the portscans I've seen seem to send only a single packet per IP or port scanned, rather than trying for several seconds and sending a few packets before giving up.

Solution(?): drop the first inbound SYN packet, which will effectively null all "single packet per port or IP" style scans. More "legitimate" connections will continue to send SYN packets and thus the second packet received will initiate the connection normally.

What sort of performance hit would the first packet being dropped/lost on a new connection initiation have?
[freebsd specific] Could ipfw be hacked to do this so it could be done on a rule basis, and 'trusted hosts' could bypass this first packet drop, plus common ports could also be bypassed? e.g.

    100 allow tcp from to 25 in via ppp*
    200 allow tcp from any to 80 in via ppp*
    ...
    4000 allow tcp from any to /24 in via ppp*   # customer who doesn't want this 'service', so let's bypass it.
    ...
    5000 dropfirst tcp from any to any in via ppp* # catch-all, anything which gets here gets the first SYN packet dropped.

Cheers.

(At home for a couple of hours then back to a lovely place in the country with a running stream on the property, and NO computers!)

--
Rowan Crowe
Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728  +61-3-9388-9260
http://www.rowan.sensation.net.au/  http://www.sensation.net.au/
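The rule logic sketched in the mail, simulated in Python as an added example (this is not ipfw code, and "dropfirst" is not a real ipfw action): trusted sources and common ports bypass the check, every other first SYN for a (src, dst, dport) triple is dropped, and a retransmitted SYN within an assumed retry window is allowed. The retry window, the address ranges and the traffic below are all constructed for the demonstration.

```python
"""Simulation of a 'drop the first SYN' filter, as proposed in the mail above.
A packet is a dict with src, dst, dport, syn and a timestamp t (seconds).
Rule order mirrors the mail: bypass trusted hosts and common ports first,
then apply drop-first to everything else."""
import ipaddress

RETRY_WINDOW = 30.0  # seconds a dropped first SYN stays remembered (assumption)


class DropFirstSynFilter:
    def __init__(self, trusted_nets, bypass_ports):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.bypass_ports = set(bypass_ports)
        self.pending = {}  # (src, dst, dport) -> time of the first SYN we dropped

    def decide(self, pkt):
        """Return 'allow' or 'drop' for one inbound packet."""
        if not pkt["syn"]:
            return "allow"  # only connection setup is subject to the rule
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in self.trusted) or pkt["dport"] in self.bypass_ports:
            return "allow"  # rules 100..4000 in the sketch: explicit bypass
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        first, now = self.pending.get(key), pkt["t"]
        if first is not None and now - first <= RETRY_WINDOW:
            del self.pending[key]
            return "allow"  # second SYN from a client that keeps trying
        self.pending[key] = now
        return "drop"  # first SYN (or a stale retry): rule 5000, dropfirst


def syn(src, dst, dport, t):
    return {"src": src, "dst": dst, "dport": dport, "syn": True, "t": t}


def run_scenario():
    """Constructed traffic: a one-packet-per-port scan versus a real client."""
    f = DropFirstSynFilter(trusted_nets=["192.0.2.0/24"], bypass_ports=[25, 80])
    target = "203.0.113.5"
    # scanner sends exactly one SYN per port and never retries
    scan = [f.decide(syn("198.51.100.9", target, p, 1.0 + i))
            for i, p in enumerate([21, 22, 23, 110])]
    # real client: first SYN lost, TCP retransmits it a few seconds later
    client_ssh = [f.decide(syn("198.51.100.20", target, 22, 10.0)),
                  f.decide(syn("198.51.100.20", target, 22, 13.0))]
    client_web = f.decide(syn("198.51.100.20", target, 80, 10.0))  # bypassed port
    trusted = f.decide(syn("192.0.2.7", target, 22, 10.0))  # bypassed source
    return {"scan": scan, "client_ssh": client_ssh,
            "client_web": client_web, "trusted": trusted}
```

Note that the pending table grows by one entry for every dropped first SYN, so a real implementation needs to bound it (expire entries past the window) or the state itself becomes the resource that scans exhaust.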