Stealth Scan Detection
Thu, 4 Oct 2001 10:09:31 +0200
You could use the psd match (patch-o-matic), it detects such kind of
Dennis Koslowski <firstname.lastname@example.org> | Product Development
Astaro AG | http://www.astaro.de | +49-721-490069-0 | Fax -55
> -----Original Message-----
> From: Simon Edwards [mailto:email@example.com]
> Sent: Friday, September 28, 2001 6:12 PM
> To: firstname.lastname@example.org
> Subject: Stealth Scan Detection
> Hi all,
> First, I read from the book of nmap:
> -sS
> TCP SYN scan: This technique is often referred to as "half-open" scanning,
> because you don't open a full TCP connection. You send a SYN packet, as if
> you are going to open a real connection and you wait for a response. A
> SYN|ACK indicates the port is listening. A RST is indicative of a
> non-listener. If a SYN|ACK is received, a RST is immediately sent to tear
> down the connection (actually our OS kernel does this for us).
> Anyone here know anything about detecting this kind of scan using iptables?
> The best I've come up with is:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j LOG --log-prefix "ABORTED "
> which, I think, basically logs TCP connections that are aborted using a RST
> packet (which should not be often). Can anyone do better? I'm no TCP expert.
> Are there any drawbacks with detecting half-open scans like this?
> --
> Simon Edwards
> Nijmegen, The Netherlands "ZooTV? You made the right choice."
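The rule above only writes one log line per RST; it does not by itself tell a scanner (many ports, one source, short interval) apart from an ordinary client that resets a single connection, which is the counting the psd match does in the kernel. As an added example (not code from either poster), here is a small Python parser for iptables LOG lines carrying the "ABORTED " prefix that flags a source touching more than a threshold of distinct destination ports inside a sliding time window. The log lines are constructed, and the threshold, window and the port-count heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from an iptables LOG line: syslog timestamp, the "ABORTED "
# prefix from the rule, SRC= and DPT=. Field names follow the real LOG layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: ABORTED .*?"
    r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)\b"
)

def parse_line(line):
    """Return (timestamp, src, dport) for an ABORTED log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group("src"), int(m.group("dpt"))

def find_scanners(lines, max_ports=5, window=timedelta(seconds=10)):
    """Flag sources whose RSTs hit more than max_ports distinct ports in any
    `window`-long span; returns {src: most distinct ports seen in one window}."""
    events = defaultdict(list)  # src -> [(ts, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):           # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best > max_ports:
            flagged[src] = best
    return flagged

def _sample(ts, src, dpt):
    # Constructed log line in the iptables LOG layout (documentation addresses).
    return (f"{ts} fw kernel: ABORTED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT=40001 DPT={dpt} WINDOW=0 RES=0x00 RST URGP=0")

SAMPLE_LOG = (  # scanner: seven ports within two seconds
    [_sample(f"Oct  4 10:09:3{i % 2}", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 443])]
    # ordinary client resetting one web connection twice
    + [_sample("Oct  4 10:09:40", "198.51.100.7", 80),
       _sample("Oct  4 10:09:41", "198.51.100.7", 80)]
    # slow source: six ports, one every 30 seconds, never more than one per window
    + [_sample(f"Oct  4 10:{10 + i // 2}:{30 * (i % 2):02d}", "203.0.113.5", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110])]
)
```

Run as a script it prints `find_scanners(SAMPLE_LOG)`, which flags only 192.0.2.10; note that a source probing only closed ports never appears in this log at all, because there the RST comes from the target, not the scanner.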