Saturday, October 10, 2009

IPTables "Stealth" Scan Detection

Many of you probably know about port scanning. It's a very simple process, where essentially you attempt to make a connection on several ports of several machines. If the port is closed, a reset is returned. If the port is open, a SYN+ACK is returned.

Now, there are some other types of scans, such as a FIN scan, Xmas Tree scan, and a NULL scan. These basically work on the same principles as a SYN (normal) scan, but use different TCP flags (ones that should never be seen in valid TCP connections).

If you'd like, read up on the different types of scans here, which is also a good site to determine what type of reply you want to give the scanning host. It also shows how to perform the scans using NMap.

So, most of the time, you want to just drop invalid packets, since the easiest way to deal with them is not to. However, you may wish to use REJECT here, since what the host does and does not return is part of the data collected. Being able to decide what to return could give you an edge over an attacker. If you return tcp-resets, then you can make an attacker (or more likely a bot) think that all the ports on the host are closed. Different operating systems also respond differently to the various stealth scans, so be mindful of that as well.


I wrote some simple firewall rules to detect, log, and block (either with a tcp-reset or by just dropping the packet entirely). This script was made to run on top of an existing firewall.

## IPTables rules for detecting and blocking several different scans
## By Drew Tingen GlimpseIntoEntropy.Blogspot.com
## NOTE: Please understand the use of REJECT/DROP
## NOTE2: You may want to mirror the FORWARD rules to INPUT

## Note on Rule Order - since these are Inserts (designed to be easily plugged into
## an existing iptables config), the packet actions are above the logging action.
## If you put these at the top of a config, and change the -I to -A, reverse the order
## of the rules for logging to work properly

## TCP Null Scan
### Action for packets
### use REJECT option to make port look closed. Use drop for open/stealth
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset
#iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
### Detect and log
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "TCP Null Scan"


## TCP Fin Scan
### Action for packets
iptables -I FORWARD -p tcp --tcp-flags FIN,SYN FIN -m state --state NEW,INVALID -j REJECT --reject-with tcp-reset
#iptables -I FORWARD -p tcp --tcp-flags FIN,SYN FIN -m state --state NEW,INVALID -j DROP
### Detect and Log
iptables -I FORWARD -p tcp --tcp-flags FIN,SYN FIN -m state --state NEW,INVALID -j LOG --log-prefix "TCP FIN Scan"


## TCP Xmas Tree Scan
### Action for packets
iptables -I FORWARD -p tcp --tcp-flags ALL URG,PSH,FIN -j REJECT --reject-with tcp-reset
#iptables -I FORWARD -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
### Detect and Log
iptables -I FORWARD -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "Xmas Tree Scan"
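As an added example (not part of the original post), here is a small Python script that reads kernel log lines of the kind the LOG rules above write and summarizes them per source address. The log lines are constructed samples using documentation-range addresses; one caveat worth knowing is that iptables prints the prefix immediately before the IN= field, so without a trailing space in --log-prefix the two run together, which the parser below tolerates.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines, shaped like the output of the LOG rules
# above (addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges).
# Because the rules' prefixes have no trailing space, the prefix is glued to "IN=".
SAMPLE_LOG = """\
Oct 10 21:03:11 fw kernel: TCP Null ScanIN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=55123 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Oct 10 21:03:11 fw kernel: TCP Null ScanIN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=55123 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Oct 10 21:03:12 fw kernel: TCP FIN ScanIN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=55124 DPT=443 WINDOW=1024 RES=0x00 FIN URGP=0
Oct 10 21:04:02 fw kernel: Xmas Tree Scan IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Oct 10 21:04:03 fw kernel: OtherRuleIN=eth0 OUT=eth1 SRC=192.0.2.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1 DPT=22 SYN URGP=0
"""

# The prefixes used by the three LOG rules on this page.
SCAN_PREFIXES = ("TCP Null Scan", "TCP FIN Scan", "Xmas Tree Scan")

# Lazy prefix match followed by an optional space, so both "PrefixIN=" and
# "Prefix IN=" parse; then pull the source, destination and destination port.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>.*?)\s?IN=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_scan_events(log_text):
    """Return (scan_type, src, dst, dport) tuples for lines tagged by our scan rules."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("prefix") in SCAN_PREFIXES:
            events.append((m.group("prefix"), m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def summarize(events):
    """Per source address: sorted scan types seen and count of distinct ports probed."""
    by_src = defaultdict(lambda: {"types": set(), "ports": set()})
    for kind, src, _dst, dport in events:
        by_src[src]["types"].add(kind)
        by_src[src]["ports"].add(dport)
    return {src: {"types": sorted(v["types"]), "ports": len(v["ports"])}
            for src, v in by_src.items()}


if __name__ == "__main__":
    for src, info in summarize(parse_scan_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['ports']} port(s) via {', '.join(info['types'])}")
```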


Also - if someone wants these rules for OpenBSD's pf, those can be easily created.

1 comment:

  1. hum, interesting, thanks!


    > Please prove you're not a robot

    (robotic voice) im-not a-ro-bot
