Date:      Wed, 16 Sep 1998 23:43:55 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        john <john@unt.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Are we vulnerable to "stealth" port scans?
Message-ID:  <Pine.BSF.4.02A.9809162329390.28001-100000@shell6.ba.best.com>
In-Reply-To: <199809170319.WAA18072@leonardo.cascss.unt.edu>


	I wouldn't use the word "vulnerable", but yes, most TCP stacks
will in one way or another respond to stealth scans. On my system I modified
the kernel to log via the net.inet.tcp.log_in_vain sysctl variable not only SYN
packets but all other packets. If someone were to do this stealth scan
on you, you could still notice:

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
199.51.61.23:1 from 199.51.61.22:1<6>RST<6>

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>

	Also, one can set up something like NFR to watch for port scans on
the network.

-- Yan

I don't have the password .... + Jan Koum 
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

On Wed, 16 Sep 1998, john wrote:

>See http://www.2600.com/phrack/p49-15.html
>for a description of two "stealth" port
>scan methods.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>
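Added example, not part of the original message or of FreeBSD: a small parser that reads log lines in the format shown above and reports sources sending packets to closed ports with flag sets other than a plain SYN. It assumes the `<6>` markers separate the flag names exactly as in the sample lines; the function names and the threshold are hypothetical.

```python
import re
from collections import defaultdict

# First three lines are from the message above (e-mail line wrap rejoined);
# the last line is constructed to show an ordinary SYN for contrast.
SAMPLE_LOG = """\
Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP 199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>
Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP 199.51.61.23:1 from 199.51.61.22:1<6>RST<6>
Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP 199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>
Sep 11 22:59:02 twentythree /kernel: Connection attempt to TCP 199.51.61.23:25 from 199.51.61.40:1042<6>SYN<6>
"""

# Assumption: "<6>" separates the flag names, as in the sample lines.
LINE_RE = re.compile(
    r"Connection attempt to TCP ([\d.]+):(\d+) from ([\d.]+):(\d+)((?:<6>[A-Z]*)*)"
)

def parse_line(line):
    """Return addresses, ports and flags for one log line, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dst, dport, src, sport, raw = m.groups()
    flags = [f for f in raw.split("<6>") if f]
    return {"dst": dst, "dport": int(dport), "src": src,
            "sport": int(sport), "flags": flags}

def classify(flags):
    """Label a flag set; a SYN without FIN or RST is a normal connection attempt."""
    s = set(flags)
    if not s:
        return "null"
    if "SYN" in s:
        return "syn-with-fin-or-rst" if s & {"FIN", "RST"} else "syn"
    return "non-syn"

def suspicious_sources(log_text, threshold=2):
    """Map source IP -> logged non-SYN packets, for sources at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec["flags"]) != "syn":
            hits[rec["src"]].append((rec["dport"], tuple(rec["flags"])))
    return {src: pkts for src, pkts in hits.items() if len(pkts) >= threshold}

if __name__ == "__main__":
    for src, pkts in suspicious_sources(SAMPLE_LOG).items():
        print(src, len(pkts), "non-SYN packets:", pkts)
```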

