From owner-freebsd-security Sun Sep 20 12:24:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA19829 for freebsd-security-outgoing; Sun, 20 Sep 1998 12:24:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA19812 for ; Sun, 20 Sep 1998 12:24:08 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id MAA01841; Sun, 20 Sep 1998 12:23:41 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Sun, 20 Sep 1998 12:23:41 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: freebsd-security@FreeBSD.ORG
cc: john
Subject: Re: Are we vulnerable to "stealth" port scans?
In-Reply-To: <8631.906017885@critter.freebsd.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Sep 1998, Poul-Henning Kamp wrote:

>
>patches ?
>
>In message , "Jan
> B. Koum " writes:
>>
>> I wouldn't use the word "vulnerable", but yes, most TCP stacks
>>will in one way or another respond to stealth scans. On my system I modified
>>the kernel to log via the net.inet.tcp.log_in_vain sysctl variable not only SYN
>>packets but all other packets. If someone were to do this stealth scan
>>on you, you could still notice:
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>RST<6>
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>
>>
>> Also, one can set up something like NFR to watch for port scans on
>>the network.
>> >>-- Yan >> Had to modify the hack.. Here is what the log looks like now: Connection attempt to TCP 199.51.61.23:138 from 0.255.0.255:31337 flags=0xc onnection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0x32 Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0xa Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0x3f And here is diff -p against -CURRENT of a few days ago: twentythree# diff -p tcp_input.c.orig tcp_input.c *** tcp_input.c.orig Sat Sep 19 23:13:02 1998 --- tcp_input.c Sat Sep 19 23:16:17 1998 *************** findpcb: *** 388,401 **** * but should either do a listen or a connect soon. */ if (inp == NULL) { ! if (log_in_vain && tiflags & TH_SYN) { char buf[4*sizeof "123"]; strcpy(buf, inet_ntoa(ti->ti_dst)); log(LOG_INFO, ! "Connection attempt to TCP %s:%d from %s:%d\n", buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src), ntohs(ti->ti_sport)); } goto dropwithreset; } --- 388,417 ---- * but should either do a listen or a connect soon. */ if (inp == NULL) { ! if (log_in_vain && tiflags & (TH_FLAGS)) { char buf[4*sizeof "123"]; strcpy(buf, inet_ntoa(ti->ti_dst)); log(LOG_INFO, ! "Connection attempt to TCP %s:%d from %s:%d ", buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src), ntohs(ti->ti_sport)); + + /* + * Code below added by Jan Koum to log flags + * of tcp packets via net.inet.tcp.log_in_vain - "man sysctl" + */ + + printf("flags=0x%b\n", ti->ti_flags, + "\020" + "\001FIN" + "\002SYN" + "\003RST" + "\004PUSH" + "\005ACK" + "\006URG" + ); + } goto dropwithreset; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
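Review bot: the new test `tiflags & (TH_FLAGS)` in the `if (inp == NULL)` block still lets one case through unlogged: a segment with no flag bits set at all makes the mask expression zero, so it falls straight to `goto dropwithreset` without a log entry, which is at odds with the stated goal of logging "not only SYN packets but all other packets". If the intent is to record every segment that arrives for a port nobody is listening on, drop the flag test and keep just `if (log_in_vain)`. Second, the entry is now produced by two different output paths: `log(LOG_INFO, ...)` emits the first half (with its trailing newline removed) and a separate `printf()` emits `flags=0x%b\n`, so the two halves can come apart and the flags half reaches the console without the LOG_INFO priority; the sample output above already shows this happening ("flags=0xc onnection attempt"). The kernel's `log()` runs through the same formatter as `printf()`, so folding `%b` into the single `log()` call keeps each entry on one line with one priority: `log(LOG_INFO, "Connection attempt to TCP %s:%d from %s:%d flags=0x%b\n", buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src), ntohs(ti->ti_sport), ti->ti_flags, "\020\001FIN\002SYN\003RST\004PUSH\005ACK\006URG");`. Minor: the hunk tests `tiflags` but prints `ti->ti_flags`; using one name in both places avoids the two ever disagreeing, and the parentheses around `TH_FLAGS` are unnecessary.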