* port scan identification
@ 2004-06-08 21:55 Rakotomandimby Mihamina
  2004-06-10 10:37 ` Antony Stone
  0 siblings, 1 reply; 11+ messages in thread
From: Rakotomandimby Mihamina @ 2004-06-08 21:55 UTC (permalink / raw)
  To: netfilter

Hello

I am trying to set up my firewall correctly and would need your help on one
thing:

I have this rule :
[...]
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-j LOG --log-level debug --log-prefix 'p_scan_: '
[...]

and I see this when I tail the output file:

[...]
Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC= 
SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54 
ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
[...]

Well. According to me, a port scan is the action of scanning _all_ the
ports... why is the port scan identified as only scanning port 80?
I mean, a port scan should not be on one port only... should it?

-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina



* Re: port scan identification
  2004-06-09  9:33 port scan identification Rakotomandimby Mihamina
@ 2004-06-09  9:30 ` Patrick Leslie Polzer
  2004-06-09 10:31 ` Raileanu Grigore
  2004-06-09 11:43 ` John A. Sullivan III
  2 siblings, 0 replies; 11+ messages in thread
From: Patrick Leslie Polzer @ 2004-06-09  9:30 UTC (permalink / raw)
  To: netfilter

On Wed, 09 Jun 2004 11:33:59 +0200
Rakotomandimby Mihamina <rktmb.list@wanadoo.fr> wrote:

> Well. According to me, a port scan is the action of scanning _all_ the
> ports... why is the port scan identified as only scanning port 80?
> I mean, a port scan should not be on one port only... should it?
Well, if the attacker is only interested in web servers he might as well
scan only port 80. 

Leslie



* port scan identification
@ 2004-06-09  9:33 Rakotomandimby Mihamina
  2004-06-09  9:30 ` Patrick Leslie Polzer
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Rakotomandimby Mihamina @ 2004-06-09  9:33 UTC (permalink / raw)
  To: netfilter

Hello

I am trying to set up my firewall correctly and would need your help on one
thing:

I have this rule :
[...]
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-j LOG --log-level debug --log-prefix 'p_scan_: '
[...]

and I see this when I tail the output file:

[...]
Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
[...]

Well. According to me, a port scan is the action of scanning _all_ the
ports... why is the port scan identified as only scanning port 80?
I mean, a port scan should not be on one port only... should it?

-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina



* Re: port scan identification
  2004-06-09  9:33 port scan identification Rakotomandimby Mihamina
  2004-06-09  9:30 ` Patrick Leslie Polzer
@ 2004-06-09 10:31 ` Raileanu Grigore
  2004-06-09 11:43 ` John A. Sullivan III
  2 siblings, 0 replies; 11+ messages in thread
From: Raileanu Grigore @ 2004-06-09 10:31 UTC (permalink / raw)
  To: netfilter

On Wed, 09 Jun 2004 11:33:59 +0200
Rakotomandimby Mihamina <rktmb.list@wanadoo.fr> wrote:

> Hello
> 
> I am trying to set up my firewall correctly and would need your help on one
> thing:
> 
> I have this rule :
> [...]
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> -j LOG --log-level debug --log-prefix 'p_scan_: '
> [...]
> 
> and I see this when I tail the output file:
> 
> [...]
> Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
> SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
> ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> [...]
> 
> Well. According to me, a port scan is the action of scanning _all_ the
> ports... why is the port scan identified as only scanning port 80?
> I mean, a port scan should not be on one port only... should it?
> 
> -- 
> Rakotomandimby Mihamina Andrianifaharana
> Tel : +33 2 38 76 43 65
> http://stko.dyndns.info/site_principal/Members/mihamina
> 
> 

Try to use psd, from the patch-o-matic patches.

http://www.iptables.org/downloads.html#pomng-20040302

You can create a rule like this: 

iptables -A INPUT -p ALL -m psd -j LOG --log-level DEBUG --log-prefix "PORTSCAN:"

-- 
Best regards,
Raileanu Grigore
mail: grisha at unixro dot net
phone: +40 742759147



* Re: port scan identification
  2004-06-09  9:33 port scan identification Rakotomandimby Mihamina
  2004-06-09  9:30 ` Patrick Leslie Polzer
  2004-06-09 10:31 ` Raileanu Grigore
@ 2004-06-09 11:43 ` John A. Sullivan III
  2004-06-09 16:37   ` Rakotomandimby Mihamina
  2 siblings, 1 reply; 11+ messages in thread
From: John A. Sullivan III @ 2004-06-09 11:43 UTC (permalink / raw)
  To: netfilter

On Wed, 2004-06-09 at 05:33, Rakotomandimby Mihamina wrote:
> Hello
> 
> I am trying to set up my firewall correctly and would need your help on one
> thing:
> 
> I have this rule :
> [...]
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> -j LOG --log-level debug --log-prefix 'p_scan_: '
> [...]
> 
> and I see this when I tail the output file:
> 
> [...]
> Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
> SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
> ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> [...]
> 
> Well. According to me, a port scan is the action of scanning _all_ the
> ports... why is the port scan identified as only scanning port 80?
> I mean, a port scan should not be on one port only... should it?

It could be, as someone else has already pointed out, that they are only
interested in finding a web server.  But I believe there may be other
reasons.  I am not an expert in this but I believe some crackers will
use port 80 as a discovery technique if they feel ping may be blocked.  
In other words, before wasting their time finding all the ports on a
device, they want to know if the device is alive.  They could try a ping
but ping may be blocked so they will attempt to elicit some kind of
response on port 80.

Another reason may be that they are trying to use you to attack someone
else.  I believe the idle scan attempts to bounce a packet from a
predictable device to the real target and then examine the id numbers in
the next packet from you.  This is frequently done on port 80.

Some day I'll fire up NMAP and trace all the possible packet patterns
it uses to port scan, but not today.  Hope this helps - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* RE: port scan identification
@ 2004-06-09 15:43 Hudson Delbert J Contr 61 CS/SCBN
  2004-06-09 16:22 ` Raileanu Grigore
  0 siblings, 1 reply; 11+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-06-09 15:43 UTC (permalink / raw)
  To: 'Raileanu Grigore', netfilter

Why would one care about how many ports get scanned, as long as your rulesets
cover the ones you care about + other ports discovered as you go?
As long as you CYA, it won't get sunburned.

~piranha

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Raileanu
Grigore
Sent: Wednesday, June 09, 2004 3:32 AM
To: netfilter@lists.netfilter.org
Subject: Re: port scan identification


On Wed, 09 Jun 2004 11:33:59 +0200
Rakotomandimby Mihamina <rktmb.list@wanadoo.fr> wrote:

> Hello
> 
> I am trying to set up my firewall correctly and would need your help on one
> thing:
> 
> I have this rule :
> [...]
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> -j LOG --log-level debug --log-prefix 'p_scan_: '
> [...]
> 
> and I see this when I tail the output file:
> 
> [...]
> Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
> SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
> ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> [...]
> 
> Well. According to me, a port scan is the action of scanning _all_ the
> ports... why is the port scan identified as only scanning port 80?
> I mean, a port scan should not be on one port only... should it?
> 
> -- 
> Rakotomandimby Mihamina Andrianifaharana
> Tel : +33 2 38 76 43 65
> http://stko.dyndns.info/site_principal/Members/mihamina
> 
> 

Try to use psd , from patch-o-matic patches.

http://www.iptables.org/downloads.html#pomng-20040302

You can create a rule like this: 

iptables -A INPUT -p ALL -m psd -j LOG --log-level DEBUG --log-prefix "PORTSCAN:"

-- 
Best regards,
Raileanu Grigore
mail: grisha at unixro dot net
phone: +40 742759147



* Re: port scan identification
  2004-06-09 15:43 Hudson Delbert J Contr 61 CS/SCBN
@ 2004-06-09 16:22 ` Raileanu Grigore
  0 siblings, 0 replies; 11+ messages in thread
From: Raileanu Grigore @ 2004-06-09 16:22 UTC (permalink / raw)
  To: netfilter

On Wed, 9 Jun 2004 08:43:08 -0700 
Hudson Delbert J Contr 61 CS/SCBN <Delbert.Hudson@LOSANGELES.AF.MIL> wrote:

> Why would one care about how many ports get scanned, as long as your rulesets
> cover the ones you care about + other ports discovered as you go?
> As long as you CYA, it won't get sunburned.
> 
> ~piranha
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Raileanu
> Grigore
> Sent: Wednesday, June 09, 2004 3:32 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: port scan identification
> 
> 
> On Wed, 09 Jun 2004 11:33:59 +0200
> Rakotomandimby Mihamina <rktmb.list@wanadoo.fr> wrote:
> 
> > Hello
> > 
> > I am trying to set up my firewall correctly and would need your help on one
> > thing:
> > 
> > I have this rule :
> > [...]
> > iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> > -j LOG --log-level debug --log-prefix 'p_scan_: '
> > [...]
> > 
> > and I see this when I tail the output file:
> > 
> > [...]
> > Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
> > SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
> > ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> > [...]
> > 
> > Well. According to me, a port scan is the action of scanning _all_ the
> > ports... why is the port scan identified as only scanning port 80?
> > I mean, a port scan should not be on one port only... should it?
> > 
> > -- 
> > Rakotomandimby Mihamina Andrianifaharana
> > Tel : +33 2 38 76 43 65
> > http://stko.dyndns.info/site_principal/Members/mihamina
> > 
> > 
> 
> Try to use psd , from patch-o-matic patches.
> 
> http://www.iptables.org/downloads.html#pomng-20040302
> 
> You can create a rule like this: 
> 
> iptables -A INPUT -p ALL -m psd -j LOG --log-level DEBUG --log-prefix "PORTSCAN:"
> 



You can tune PSD accuracy, and other parameters.
Look at this: http://www.iptables.org/patch-o-matic/pom-base.html#pom-base-psd

-- 
Best regards,
Raileanu Grigore
mail: grisha at unixro dot net
phone: +40 742759147



* Re: port scan identification
  2004-06-09 11:43 ` John A. Sullivan III
@ 2004-06-09 16:37   ` Rakotomandimby Mihamina
  2004-06-09 16:51     ` John A. Sullivan III
  0 siblings, 1 reply; 11+ messages in thread
From: Rakotomandimby Mihamina @ 2004-06-09 16:37 UTC (permalink / raw)
  To: netfilter

John A. Sullivan III wrote:
> Hope this helps - John

It does!
But:

If I 'tail -f' my web server access log and the iptables log, I notice
those "port_scan" entries happen when visitors are visiting my site: same
time, same IP. I don't think each visitor would want to hack me.

My conclusion is that my rule is not very good: as the logged packet is
dropped as well, it would decrease the accuracy of the website. What should I do
to make it better? I still want to keep port scan prevention, but want
to avoid dropping non-offending packets... but if you think the website
accuracy wouldn't be down for that reason, I will keep it as it is...
-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina



* Re: port scan identification
  2004-06-09 16:37   ` Rakotomandimby Mihamina
@ 2004-06-09 16:51     ` John A. Sullivan III
  2004-06-09 17:04       ` Antony Stone
  0 siblings, 1 reply; 11+ messages in thread
From: John A. Sullivan III @ 2004-06-09 16:51 UTC (permalink / raw)
  To: netfilter

On Wed, 2004-06-09 at 12:37, Rakotomandimby Mihamina wrote:
> John A. Sullivan III wrote:
> > Hope this helps - John
> 
> It does!
> But:
> 
> If I 'tail -f' my web server access log and the iptables log, I notice
> those "port_scan" entries happen when visitors are visiting my site: same
> time, same IP. I don't think each visitor would want to hack me.
> 
> My conclusion is that my rule is not very good: as the logged packet is
> dropped as well, it would decrease the accuracy of the website. What should I do
> to make it better? I still want to keep port scan prevention, but want
> to avoid dropping non-offending packets... but if you think the website
> accuracy wouldn't be down for that reason, I will keep it as it is...
Hmmm . . . I assume what you are trying to do is pick up all packets
with the RST flag on that are not part of a current session, such as
those used to probe a site.

I'm a little rusty on when RSTs are sent.  If they are part of the
packet stream, then I would think conntrack will pick it up and the
legitimate RSTs would never hit your rule.  I assume you are using
conntrack.  However, are RSTs sent when a stream is broken and thus sent
as a separate data stream? I'd have to pull out an IP book to review the
RST flag and why it would not be matched in conntrack.  Does anyone else
know off the top of their head?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com




* Re: port scan identification
  2004-06-09 16:51     ` John A. Sullivan III
@ 2004-06-09 17:04       ` Antony Stone
  0 siblings, 0 replies; 11+ messages in thread
From: Antony Stone @ 2004-06-09 17:04 UTC (permalink / raw)
  To: netfilter

On Wednesday 09 June 2004 5:51 pm, John A. Sullivan III wrote:

> Hmmm . . . I assume what you are trying to do is pick up all packets
> with the RST flag on that are not part of a current session, such as
> those used to probe a site.
>
> I'm a little rusty on when RSTs are sent.  If they are part of the
> packet stream, then I would think conntrack will pick it up and the
> legitimate RSTs would never hit your rule.  I assume you are using
> conntrack.  However, are RSTs sent when a stream is broken and thus sent
> as a separate data stream? I'd have to pull out an IP book to review the
> RST flag and why it would not be matched in conntrack.  Does anyone else
> know off the top of their head?

A RST packet *is* part of a data stream, in the sense that it contains a 
correct acknowledgement number in response to a previously-seen sequence 
number (otherwise anybody could send a RST with a spoofed source address and 
cut off your connections).

RST packets can be sent by either end of the connection (or for that matter by 
any router in between, which has access to the sequence numbers) at any time, 
and are intended to cut off the data flow abruptly, without going through the 
"FIN/ACK - ACK - FIN/ACK - ACK" which is defined for the normal end of a TCP 
connection.

Netfilter understands RST packets and will remove an entry from the connection 
tracking table as soon as it sees one, therefore any further packets which 
are seen between that client and server will no longer be regarded as part of 
an ESTABLISHED connection.

The reason it is common to see RST packets in logfile output from port scan 
detectors etc (or anything else which logs packets not part of established 
connections) is because many systems send three RST packets in a row, just to 
make sure at least one gets through to the other end.   The first one seen by 
netfilter will remove the conntrack table entry, so either of the other two, 
if seen, will be recorded as invalid packets.

Regards,

Antony.

-- 
The lottery is a tax for people who can't do maths.

                                                     Please reply to the list;
                                                           please don't CC me.
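Antony's explanation can be checked with a small model. What follows is an added example, not code from the thread or from netfilter: a toy tracker that implements only the behaviour described above (a SYN creates an entry, packets of a tracked flow are ESTABLISHED, the first RST deletes the entry, an untracked non-SYN packet is INVALID), run over a constructed client/server exchange between the two addresses in the original log line. `original_rule_matches` reproduces the flag test of the posted `--tcp-flags SYN,ACK,FIN,RST RST` rule, so the output shows that the rule fires on all three RSTs on flags alone, while only the second and third fall outside any tracked connection. That is why a visitor's ordinary teardown lands under the `p_scan_:` prefix, and why a rule like this belongs after an ESTABLISHED/RELATED accept rule rather than in front of it.

```python
"""Toy connection tracker reproducing the RST behaviour described above.
Added example, not code from the thread: the class below is a deliberate
simplification of netfilter conntrack (SYN creates an entry, tracked
packets are ESTABLISHED, the first RST removes the entry, untracked non-SYN
packets are INVALID) and the packet sequence is constructed."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The posted rule: --tcp-flags SYN,ACK,FIN,RST RST
RULE_MASK = frozenset({"SYN", "ACK", "FIN", "RST"})  # flags examined
RULE_COMP = frozenset({"RST"})                       # flags that must be set


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def flow_key(p: Packet) -> Tuple[str, int, str, int]:
    """Direction-independent key so both sides of a connection share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


class ToyConntrack:
    """Just enough state to show why RSTs 2 and 3 are not ESTABLISHED."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def classify(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.table:
            if "RST" in p.flags:
                del self.table[key]  # entry dropped as soon as an RST is seen
            return "ESTABLISHED"
        if p.flags == frozenset({"SYN"}):
            self.table[key] = "SYN_SENT"
            return "NEW"
        return "INVALID"


def original_rule_matches(p: Packet) -> bool:
    """True when, of the four examined flags, only RST is set."""
    return (p.flags & RULE_MASK) == RULE_COMP


def client_server_teardown() -> List[Packet]:
    """Constructed exchange: handshake, one data segment, then three RSTs."""
    c, s = ("81.220.171.201", 4391), ("81.248.95.56", 80)
    f = frozenset
    return [
        Packet(*c, *s, f({"SYN"})),
        Packet(*s, *c, f({"SYN", "ACK"})),
        Packet(*c, *s, f({"ACK"})),
        Packet(*c, *s, f({"ACK"})),   # data segment
        Packet(*c, *s, f({"RST"})),   # first RST: still a tracked flow
        Packet(*c, *s, f({"RST"})),   # second and third: entry already gone
        Packet(*c, *s, f({"RST"})),
    ]


def simulate(packets: List[Packet]) -> List[Tuple[str, bool]]:
    """For each packet: (conntrack state, whether the posted LOG rule fires)."""
    ct = ToyConntrack()
    return [(ct.classify(p), original_rule_matches(p)) for p in packets]


if __name__ == "__main__":
    for i, (state, fired) in enumerate(simulate(client_server_teardown()), 1):
        print(f"packet {i}: {state:11s} logged_by_rule={fired}")
```

Running the block prints one line per packet; the three RSTs all satisfy the flag test, but only the last two are classified INVALID, which is the population a state-aware ruleset would still see after accepting ESTABLISHED traffic.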




* Re: port scan identification
  2004-06-08 21:55 Rakotomandimby Mihamina
@ 2004-06-10 10:37 ` Antony Stone
  0 siblings, 0 replies; 11+ messages in thread
From: Antony Stone @ 2004-06-10 10:37 UTC (permalink / raw)
  To: netfilter

On Tuesday 08 June 2004 10:55 pm, Rakotomandimby Mihamina wrote:

> I have this rule :
>
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> -j LOG --log-level debug --log-prefix 'p_scan_: '
>
> and i see this when i tail the output file :
>
> Jun  8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
> SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
> ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>
> Well. According to me, a port scan is the action of scanning _all_ the
> ports... why is the port scan identified as only scanning port 80?
> I mean, a port scan should not be on one port only... should it?

A packet can only be sent to one address and one port.   You cannot send a 
single packet to multiple ports.   Therefore what is commonly called a "port 
scan" is a series of packets, each addressed to a different port, which 
between them result in lots of ports being scanned.

You are seeing someone sending a packet to port 80.   Maybe they'll send one 
to port 110 tomorrow, or next week, or five seconds later, or whenever they 
feel like it....

Regards,

Antony.

-- 
Microsoft may sell more software than any other company, but McDonald's sell 
more burgers than any other company, and I think the other similarities are 
obvious...

                                                     Please reply to the list;
                                                           please don't CC me.
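Antony's point that a scan is a series of packets, each to one port, suggests the check a defender actually wants: count distinct destination ports per source over a short window instead of reacting to a single packet. The following is an added example, not code from the thread. It parses the LOG target's KEY=VALUE line format from the original post, assumes the year 2004 for the year-less syslog timestamps, and runs over constructed lines: the visitor's three RSTs to port 80 from the post, a constructed source that touches six ports in five seconds, and a constructed source that touches two ports seventy-five minutes apart (the two constructed sources use documentation address ranges). Only the six-port source crosses the default threshold of five distinct ports within 60 seconds.

```python
"""Group netfilter LOG lines by source and count distinct destination ports.
Added example, not code from the thread.  Assumes the LOG target's default
KEY=VALUE line format shown in the original post and a syslog timestamp
without a year (2004, the year of the thread, is assumed).  The sample lines
are constructed; only the first visitor line reproduces the posted one."""

import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$"
)


def _line(ts: str, src: str, dport: int, ident: int) -> str:
    """Build a constructed LOG line in the format seen in the post."""
    return (f"{ts} milina kernel: p_scan_: IN=ppp0 OUT= MAC= SRC={src} "
            f"DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID={ident} "
            f"PROTO=TCP SPT=4391 DPT={dport} WINDOW=0 RES=0x00 RST URGP=0")


SAMPLE_LOG = [
    _line("Jun  8 22:52:32", "81.220.171.201", 80, 45424),  # visitor from the post
    _line("Jun  8 22:52:32", "81.220.171.201", 80, 45425),  # three RSTs in a row
    _line("Jun  8 22:52:33", "81.220.171.201", 80, 45426),
    _line("Jun  8 23:10:01", "198.51.100.7", 21, 1),   # constructed: six ports in 5 s
    _line("Jun  8 23:10:02", "198.51.100.7", 22, 2),
    _line("Jun  8 23:10:03", "198.51.100.7", 23, 3),
    _line("Jun  8 23:10:04", "198.51.100.7", 25, 4),
    _line("Jun  8 23:10:05", "198.51.100.7", 80, 5),
    _line("Jun  8 23:10:06", "198.51.100.7", 110, 6),
    _line("Jun  8 23:30:00", "203.0.113.9", 22, 7),    # constructed: two ports, 75 min apart
    _line("Jun  9 00:45:00", "203.0.113.9", 80, 8),
    "Jun  9 00:45:01 milina kernel: unrelated message",  # ignored by the parser
]


def parse_line(line: str, year: int = 2004) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, SRC, DPT) for a netfilter LOG line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:                      # bare flag words such as RST carry no '='
            key, value = tok.split("=", 1)
            fields[key] = value
    if "SRC" not in fields or "DPT" not in fields:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, fields["SRC"], int(fields["DPT"])


def max_distinct_ports(events: List[Tuple[datetime, int]], window_s: int) -> int:
    """Largest number of distinct ports one source hit within any window_s span."""
    events = sorted(events)
    best, lo = 0, 0
    for hi in range(len(events)):
        while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
            lo += 1
        best = max(best, len({port for _, port in events[lo:hi + 1]}))
    return best


def find_scanners(lines: List[str], window_s: int = 60, threshold: int = 5) -> Dict[str, int]:
    """Sources that touched at least `threshold` distinct ports inside `window_s`."""
    per_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, dport = parsed
            per_src[src].append((ts, dport))
    result = {}
    for src, events in per_src.items():
        n = max_distinct_ports(events, window_s)
        if n >= threshold:
            result[src] = n
    return result


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct ports within 60 s")
```

`window_s` and `threshold` are the two knobs: widening the window catches slower scans, such as the two-port source above, at the cost of more false positives, which is the same accuracy trade-off Raileanu mentions for psd's parameters. A source that only ever hits port 80, however many RSTs it sends, never scores above 1.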



