From: "curby ." <curby.public@gmail.com>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: Defeating NMAP Null scans (and Nessus scans).
Date: Wed, 6 Jul 2005 13:54:55 -0600
Message-ID: <5d2f37910507061254293f83de@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.61.0506231301530.26133@yvahk01.tjqt.qr>
On 6/23/05, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> Read closely. It uses -m random to switch between REJECT/DROP.
> Try that ruleset and then nmap yourself with "nmap -r localhost -p 1-2500".
> Count the time, and compare to a pure DROP based approach.
> (iptables -F; iptables -P INPUT DROP; nothing more)
There's a good chance that TARPIT and not REJECT is the thing slowing
down scans. You might want to check replacing TARPIT with
DROP/REJECT; I think you'll see non-TARPIT scans take the same amount
of time regardless of whether the firewall uses DROP or REJECT. I
didn't test this though.
Here are some rules I've used when testing out ways to catch nmap
scans. If anyone knows what the SYN,RST SYN,RST match is for, please
let me know.
# --tcp-flags MASK COMP: only the flags named in MASK are examined, and the
# rule matches when exactly the flags named in COMP are set among them.
# Xmas scan, caught nmap v3.00
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP || die 05 81
# Generic Xmas scan, haven't checked if nmap triggers this
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP || die 05 83
# Null scan, nmap v3.00 Null scan is caught by INVALID match above, so
# this is commented out
#$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP || die 05 85
# Misc scan - everyone tests for this, but what scan does it match?
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP || die 05 87
# FIN scan, nmap v3.0 sends ACK,FIN FIN
# SYN,FIN SYN,FIN does not match nmap
# FIN FIN gets false positives when using SSH TARPIT
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state --state NEW -j DROP || die 05 89
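To see which TCP flag combinations the rules above would actually catch, here is an added example (not part of the post) that models the iptables `--tcp-flags MASK COMP` semantics in Python and runs the five matches from the message over constructed flag bytes; the `-m state --state NEW` qualifier on the FIN rule and the `-t nat` placement are not modelled, and the function and label names are my own.

```python
# Added example (not from the post): a pure-Python model of the iptables
# "--tcp-flags MASK COMP" match, used to see which TCP flag bytes the rules
# quoted in the message would catch. Constructed data only; nothing is sent.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # iptables "ALL" = FIN,SYN,RST,PSH,ACK,URG

def parse_flags(spec):
    """Turn 'FIN,URG,PSH', 'ALL' or 'NONE' into a flag bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(mask_spec, comp_spec, flags):
    """iptables semantics: look only at the bits named in MASK and match
    when, among those bits, exactly the ones named in COMP are set."""
    return (flags & parse_flags(mask_spec)) == parse_flags(comp_spec)

# The matches from the message, in rule order. The Null rule is included even
# though the post has it commented out; "-m state --state NEW" is not modelled.
RULES = [
    ("ALL", "FIN,URG,PSH", "xmas"),
    ("ALL", "ALL", "generic xmas"),
    ("ALL", "NONE", "null"),
    ("SYN,RST", "SYN,RST", "syn+rst"),   # any packet with both SYN and RST set
    ("ACK,FIN", "FIN", "fin"),           # FIN set, ACK clear, other flags ignored
]

def classify(flags):
    """Label of the first rule a packet's flag byte matches, or None."""
    for mask, comp, label in RULES:
        if tcp_flags_match(mask, comp, flags):
            return label
    return None

if __name__ == "__main__":
    samples = {                       # constructed flag bytes, not captures
        "xmas probe": "FIN,PSH,URG",
        "null probe": "NONE",
        "fin probe": "FIN",
        "syn+rst": "SYN,RST,ACK",
        "normal syn": "SYN",
        "normal fin,ack": "FIN,ACK",
    }
    for name, spec in samples.items():
        print(f"{name:15} -> {classify(parse_flags(spec))}")
```

Note that a legitimate FIN,ACK segment falls through all five rules because the FIN match masks in ACK and requires it clear, which is the false-positive point the post makes about a bare `FIN FIN` match.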