From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: Defeating NMAP Null scans (and Nessus scans).
Date: Thu, 07 Jul 2005 09:13:35 +0200 [thread overview]
Message-ID: <42CCD61F.4000701@mnemon.de> (raw)
In-Reply-To: <5d2f37910507061254293f83de@mail.gmail.com>
curby . wrote:
[SNIP]
> Here are some rules I've used when testing out ways to catch nmap
> scans. If anyone knows what the SYN,RST SYN,RST match is for, please
> let me know.
>
[SNIP]
> # Misc scan - everyone tests for this, but what scan does it match?
> $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP || die 05 87
>
"--tcp-flags SYN,RST SYN,RST" means "watch TCP flags SYN and RST and
match if out of the watched flags SYN and RST are set". Ok you knew that
already :)
According to RFC793 sending a SYN means "hey guy, I wanna talk to
you, let's SYNchronize our sequence numbers". The only flag that is
allowed to be sent along with a SYN is ACK, and this only in the 2nd
packet of the 3-way-handshake.
Sending RST means "oohps, there's something wrong, ReSeT the connection".
So, sending SYN in conjunction with RST means that a connection shall
be opened and aborted at the same time. This is
1.) A violation of RFC793
2.) Absolutely senseless in terms of a real connection
Thus, chances are good that someone is scanning you. Hum, cold coffee too.
nmap doesn't generate this scan, and in fact I don't know which scanner
does. But it is possible to generate these packets with packet injection
tools like nemesis. So it is possible that these packets come to your
firewall (although they shouldn't) and you don't want them to pass.
That's why I probe for this.
Have a nice time,
Joerg
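To make the mask/comparison semantics of `--tcp-flags MASK COMP` concrete, here is an added example (not from the thread, and not iptables code) in Python that evaluates the quoted rule against constructed TCP headers; the helper names and sample headers are my own.

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def parse_flags(spec):
    """Turn an iptables-style list such as "SYN,RST" into a bitmask.
    "ALL" and "NONE" follow the iptables keywords."""
    if spec == "ALL":
        return sum(FLAG_NAMES.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_NAMES[name]
    return mask


def tcp_flags_match(flags, mask_spec, comp_spec):
    """Mirror --tcp-flags MASK COMP: look only at the bits named in MASK
    and match when exactly the COMP bits among them are set. Bits outside
    MASK (e.g. ACK for the SYN,RST rule) do not influence the result."""
    mask, comp = parse_flags(mask_spec), parse_flags(comp_spec)
    return (flags & mask) == comp


def build_tcp_header(flags):
    """Construct a minimal 20-byte TCP header with the given flag bits
    (constructed sample data: ports, seq/ack, window are arbitrary)."""
    data_offset = 5 << 4  # 5 words, no options
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, flags, 65535, 0, 0)


def flags_from_tcp_header(header):
    """Extract the six classic flag bits from a raw TCP header."""
    return header[13] & 0x3F


def syn_rst_rule_hits(header):
    """Would the quoted "--tcp-flags SYN,RST SYN,RST -j DROP" rule fire?"""
    return tcp_flags_match(flags_from_tcp_header(header), "SYN,RST", "SYN,RST")


if __name__ == "__main__":
    for label, f in [("SYN", SYN), ("SYN+ACK", SYN | ACK),
                     ("SYN+RST", SYN | RST), ("SYN+RST+ACK", SYN | RST | ACK)]:
        print(label, "-> DROP" if syn_rst_rule_hits(build_tcp_header(f)) else "-> pass")
```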