Xmas scans

Tom Marshall tommy@home.tig-grr.com
Sat, 19 Jan 2002 11:21:41 -0800


> >>My firewall let nmap Xmas  and  Rpc scans through. What are the
> >>tcp-flags I should match for Xmas, what about Rpc ...
> 
> A typical XMAS scan will most likely show the following flag sequence:
> This can also easily be extracted from the nmap source code:
> 
> --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG
> 
> However, nmap also utilizes the following pattern for an XMAS scan and 
> is more inclined to use the latter:
> --tcp-flags SYN,RST SYN,RST
> 
> A usual NULL scan should show the following pattern:
> 
> --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
> 
> and a common FIN, URG, PSH scan the following pattern:
> 
>  --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
> 
> I have not looked into the RPC issue yet, but I will as soon as I have 
> the time. I hope this helps you and others.

I am not an expert on the subject of TCP flags, but I have developed some
rules that may be useful.  I developed these rules after seeing normal
looking HTTP packets in my logs.  I realized that these are probably just
stray resends received after netfilter had closed the connection tracking
entry.  If anyone with more experience could comment on their effectiveness,
I would be grateful.  In particular, I am wondering if examining the three
flags SYN,RST,ACK is enough to categorize a packet.

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Any TCP packet which is not a part of an established connection falls into
# one of three categories: (1) connection handshake, (2) stray resend, or
# (3) invalid.  Here we discard stray resends and log obvious hack attempts.
# See table below:
#
# SYN RST ACK  What it means  Action
# ===========  =============  =======
#  0   0   0   invalid        logdrop
#  0   0   1   stray resend   DROP
#  0   1   0   stray resend   DROP
#  0   1   1   stray resend   DROP
#  1   0   0   conn attempt   ok
#  1   0   1   conn response  ok
#  1   1   0   invalid        logdrop
#  1   1   1   invalid        logdrop

# "logdrop" is a user-defined chain (its definition is not shown in this
# mail) that logs the packet and then drops it.
iptables -A INPUT   -p tcp --tcp-flags SYN,RST,ACK NONE    -j logdrop
iptables -A INPUT   -p tcp --tcp-flags SYN,RST,ACK ACK     -j DROP
iptables -A INPUT   -p tcp --tcp-flags SYN,RST     RST     -j DROP
iptables -A INPUT   -p tcp --tcp-flags SYN,RST     SYN,RST -j logdrop

iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK NONE    -j logdrop
iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK ACK     -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST     RST     -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST     SYN,RST -j logdrop

iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST,ACK NONE    -j logdrop
iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST,ACK ACK     -j DROP
iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST     RST     -j DROP
iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST     SYN,RST -j logdrop

-- 
http://www.latimes.com/business/la-000003463jan14.story
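Added example, not part of the mail above and not netfilter's own code: a small simulator of the iptables `--tcp-flags MASK COMP` match, used to run Tom's four INPUT rules over every one of the 64 possible flag combinations and over the nmap scan patterns quoted earlier in the thread. The packets and the rule table are constructed here from the text of the mail; `logdrop` is treated as an opaque target name.

```python
# Simulates "iptables -p tcp --tcp-flags MASK COMP" over the rules posted in
# the mail.  Everything below is constructed for this example; the rules are
# transcribed from the INPUT chain shown above.

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flags(spec):
    """Turn an iptables flag list ('SYN,RST,ACK', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return ALL_FLAGS
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_BITS[name]
    return mask


def flag_names(flags):
    """Inverse of parse_flags, listing the flags in the order iptables names them."""
    names = [n for n, b in FLAG_BITS.items() if flags & b]
    return ",".join(names) if names else "NONE"


def tcp_flags_match(mask_spec, comp_spec, flags):
    """iptables semantics: look only at the bits named in MASK and require that
    exactly the bits named in COMP are set among them (the rest must be clear)."""
    return (flags & parse_flags(mask_spec)) == parse_flags(comp_spec)


# The INPUT rules from the mail, in chain order (first match wins).  A packet
# matching none of them continues down the chain, which the mail's table treats
# as a legitimate handshake packet ("ok").
POSTED_RULES = [
    ("SYN,RST,ACK", "NONE",    "logdrop"),
    ("SYN,RST,ACK", "ACK",     "DROP"),
    ("SYN,RST",     "RST",     "DROP"),
    ("SYN,RST",     "SYN,RST", "logdrop"),
]


def classify(flags, rules=POSTED_RULES):
    """Return the target the chain reaches for a packet carrying these flags."""
    for mask, comp, target in rules:
        if tcp_flags_match(mask, comp, flags):
            return target
    return "ok"


# Scan patterns exactly as quoted earlier in the thread (the COMP part of each
# --tcp-flags expression).
QUOTED_SCAN_PATTERNS = {
    "XMAS (all six flags)": "FIN,SYN,RST,PSH,ACK,URG",
    "XMAS variant (SYN,RST)": "SYN,RST",
    "NULL": "NONE",
    "FIN,PSH,URG": "FIN,PSH,URG",
}


def audit_scan_patterns(rules=POSTED_RULES):
    """Map each quoted scan pattern to what the posted rules do with it."""
    return {name: classify(parse_flags(comp), rules)
            for name, comp in QUOTED_SCAN_PATTERNS.items()}


def packets_passed_through(rules=POSTED_RULES):
    """List every flag combination the rules let continue down the chain.
    This is the answer to the question in the mail: since only SYN/RST/ACK are
    examined, any packet with SYN set and RST clear passes, whatever FIN, PSH
    and URG carry."""
    return [flag_names(f) for f in range(ALL_FLAGS + 1) if classify(f, rules) == "ok"]


if __name__ == "__main__":
    for name, target in audit_scan_patterns().items():
        print(f"{name:24s} -> {target}")
    print("passed as handshake traffic:", packets_passed_through())
```

Running it shows that all four quoted scan patterns land in `logdrop`, so the posted rules do catch them. It also shows the limit of a three-bit mask: 16 combinations pass as a connection attempt, including SYN combined with FIN, PSH or URG, because those bits are outside the mask and never inspected. Widening the MASK in the first rule is how one would tighten that if desired.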