Date: Sun, 20 Sep 1998 12:23:41 -0700 (PDT)
From: "Jan B. Koum " <jkb@best.com>
To: freebsd-security@FreeBSD.ORG
Cc: john <john@unt.edu>
Subject: Re: Are we vulnerable to "stealth" port scans?
Message-ID: <Pine.BSF.4.02A.9809201216330.1204-100000@shell6.ba.best.com>
In-Reply-To: <8631.906017885@critter.freebsd.dk>
On Thu, 17 Sep 1998, Poul-Henning Kamp wrote:
>
>patches ?
>
>In message <Pine.BSF.4.02A.9809162329390.28001-100000@shell6.ba.best.com>, "Jan
> B. Koum " writes:
>>
>> I wouldn't use the word "vulnerable", but yes, most TCP stacks
>>will in one way or another respond to stealth scans. On my system I modified
>>the kernel to log via the net.inet.tcp.log_in_vain sysctl variable not only SYN
>>packets but all other packets. If someone were to do this stealth scan
>>on you, you could still notice:
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>RST<6>
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>
>>
>> Also, one can set up something like NFR to watch for port scans on
>>the network.
>>
>>-- Yan
>>
Had to modify the hack. Here is what the log looks like now:
Connection attempt to TCP 199.51.61.23:138 from 0.255.0.255:31337
flags=0xc<RST,PUSH>
Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0
flags=0x32<SYN,ACK,URG>
Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0
flags=0xa<SYN,PUSH>
Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0
flags=0x3f<FIN,SYN,RST,PUSH,ACK,URG>
And here is a diff -p against -CURRENT from a few days ago:
twentythree# diff -p tcp_input.c.orig tcp_input.c
*** tcp_input.c.orig Sat Sep 19 23:13:02 1998
--- tcp_input.c Sat Sep 19 23:16:17 1998
*************** findpcb:
*** 388,401 ****
* but should either do a listen or a connect soon.
*/
if (inp == NULL) {
! if (log_in_vain && tiflags & TH_SYN) {
char buf[4*sizeof "123"];
strcpy(buf, inet_ntoa(ti->ti_dst));
log(LOG_INFO,
! "Connection attempt to TCP %s:%d from %s:%d\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
}
goto dropwithreset;
}
--- 388,417 ----
* but should either do a listen or a connect soon.
*/
if (inp == NULL) {
! if (log_in_vain && tiflags & (TH_FLAGS)) {
char buf[4*sizeof "123"];
strcpy(buf, inet_ntoa(ti->ti_dst));
log(LOG_INFO,
! "Connection attempt to TCP %s:%d from %s:%d ",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
+
+ /*
+ * Code below added by Jan Koum <jkb@freebsd.org> to log flags
+ * of tcp packets via net.inet.tcp.log_in_vain - "man sysctl"
+ */
+
+ printf("flags=0x%b\n", ti->ti_flags,
+ "\020"
+ "\001FIN"
+ "\002SYN"
+ "\003RST"
+ "\004PUSH"
+ "\005ACK"
+ "\006URG"
+ );
+
}
goto dropwithreset;
}
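Review bot: the new condition `tiflags & (TH_FLAGS)` is still false for a segment that has no flag bits set at all, so such a segment to an unused port is dropped with no log line even though the stated goal is to log "not only SYN packets but all other packets"; since the enclosing `inp == NULL` test already selects the unmatched segments, the flag test can simply be dropped (leaving `if (log_in_vain)`). Second, the flags are emitted with a separate `printf` after a `log(LOG_INFO, ...)` whose format no longer ends in a newline, so the two halves travel through different paths and can be interleaved with other kernel output, which is presumably why the sample output shows the address part and the `flags=` part on separate lines; folding the `%b` conversion into the single call, `log(LOG_INFO, "Connection attempt to TCP %s:%d from %s:%d flags=0x%b\n", ...)` with `ti->ti_flags` and the bit-format string appended to the argument list, keeps each event on one line with one priority tag (the repeated `<6>` markers between flag names in the earlier sample are what per-call `log()` output looks like). Minor: `tiflags` is the local copy of `ti->ti_flags`, so either works as the `%b` argument, but using the same one as the test reads better.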
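As an added example (not code from the mail or from FreeBSD), here is a Python decoder for the kernel `%b` bit-format output the patch emits, followed by a small triage pass over log_in_vain lines in the patched format that picks out sources sending anything other than a bare SYN, or sweeping several closed ports; the sample lines and the 10.0.0.x hosts are constructed.

```python
import re
from collections import defaultdict

# %b format string from the patch: byte \020 (16) is the output base, then each
# \NNN byte is a 1-based bit number followed by that bit's name.
TCP_FLAG_FMT = "\020\001FIN\002SYN\003RST\004PUSH\005ACK\006URG"

def decode_b(value, fmt):
    """Kernel %b rendering of value, e.g. 'c<RST,PUSH>' (the '0x' is in the
    patch's format string, not in %b), plus the list of set-bit names."""
    names = [name for bit, name in re.findall(r"([\x01-\x1f])([!-~]+)", fmt[1:])
             if value & (1 << (ord(bit) - 1))]
    digits = {16: "{:x}", 8: "{:o}"}.get(ord(fmt[0]), "{:d}").format(value)
    return digits + ("<" + ",".join(names) + ">" if names else ""), names

LINE_RE = re.compile(r"Connection attempt to TCP \S+:(\d+) from (\S+):\d+ "
                     r"flags=0x([0-9a-fA-F]+)")

def parse_line(line):
    """(dport, src, flags, flag names) for a line in the patched format, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = int(m.group(3), 16)
    return int(m.group(1)), m.group(2), flags, decode_b(flags, TCP_FLAG_FMT)[1]

def suspicious_sources(lines, port_threshold=3):
    """src -> reason: any unmatched segment that is not a bare SYN (an ordinary
    failed connect is SYN only), or bare SYNs to port_threshold+ closed ports."""
    ports, odd = defaultdict(set), defaultdict(set)
    for dport, src, flags, names in filter(None, map(parse_line, lines)):
        ports[src].add(dport)
        if flags != 0x02:  # anything but a bare SYN
            odd[src].add(",".join(names) or "none")
    out = {}
    for src in ports:
        if odd[src]:
            out[src] = "non-SYN flags: " + "; ".join(sorted(odd[src]))
        elif len(ports[src]) >= port_threshold:
            out[src] = f"SYN to {len(ports[src])} closed ports"
    return out

# Constructed sample: three lines from the mail (one line each, as the kernel emits
# them), one ordinary failed connect from 10.0.0.7 and a SYN sweep from 10.0.0.9.
SAMPLE = [
    "Connection attempt to TCP 199.51.61.23:138 from 0.255.0.255:31337 flags=0xc<RST,PUSH>",
    "Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0x32<SYN,ACK,URG>",
    "Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0x3f<FIN,SYN,RST,PUSH,ACK,URG>",
    "Connection attempt to TCP 199.51.61.23:25 from 10.0.0.7:4000 flags=0x2<SYN>",
] + [f"Connection attempt to TCP 199.51.61.23:{p} from 10.0.0.9:5000 flags=0x2<SYN>" for p in (21, 22, 23)]
```

Running `suspicious_sources(SAMPLE)` reports the two hosts from the mail for their flag combinations and 10.0.0.9 for its sweep, while the single failed connect from 10.0.0.7 is left alone.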
