Re: new tcp connections, without SYN

On Thu 10/04/2003 at 19:53, Rahul Jadhav wrote:
> I have been following your messages for a while now and I tried the '! 
> --syn' and '--state NEW, RELATED' rule without much success. I am trying 
> to completely block the nmap -P0 and -PS probes.

man nmap:
[...]
       -P0    Do not try and ping hosts at all before scanning
	      them. This allows the scanning of networks that don't
	      allow ICMP echo requests (or responses) through their
	      firewall. microsoft.com is an example of such a network,
	      and thus you should always use -P0 or -PT80 when
	      portscanning microsoft.com.
[...]
       -PS    This option uses SYN (connection request) packets instead
	      of ACK packets for root users.  Hosts that are up should
	      respond with a RST (or, rarely, a SYN|ACK). You can set
	      the destination ports in the same manner as -PT above.
[...]

-PT is a TCP scan using ACK.

So, there's nothing to do to avoid a scan using -P0, for it does not
probe before scanning. You have to concentrate on detecting the scan
itself, using the POM psd match or any userland tool that achieves this,
and then block it before its end.

It is about the same for -PS. You are able to block -PT scans by blocking
NEW TCP packets that are not SYN ones, but as -PS uses a SYN packet, it
uses a valid packet that is to be answered. So, if you're probed on an
open port, you can't do anything, and as for -P0, you have to
concentrate on the port scan itself.

Imho, port scan blocking is a very tough feature to implement, as there
are a lot of scanning techniques, with various parameters such as
timing, multiple source usage, decoys, etc. I prefer to concentrate on a
good filtering ruleset, and let others scan. They will discover what
services they're allowed to access ;)

> And, also someone please write back rules to block port scans (do I HAVE 
> to block ICMP completely for that?).

Netfilter's conntrack handles ICMP errors very well. When an ICMP error
is received, it is labeled RELATED if conntrack can associate it with an
existing IP flow. If not, it's RELATED. So, you can safely drop all
ICMPs that are not RELATED (INVALID packets should be dropped anyway).

ICMP echo, timestamp, netmask and info requests are treated with
NEW/ESTABLISHED states, as they imply requests and responses. It is
harmless to drop them all.

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
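A constructed Python model of the conntrack states and the ruleset sketched in the reply above (an added example, not netfilter code and not from the original thread): the packets, flows and allowed-port set are hypothetical sample values, and the rule order in firewall() is an assumed INPUT chain, quoted in the comments as the iptables rules it stands for.

```python
# Constructed model of the netfilter behaviour discussed in the mail: not netfilter code.
SYN, ACK = 0x02, 0x10  # TCP flag bits

class Conntrack:
    """Tracks flows as 5-tuples; classifies packets NEW / ESTABLISHED / RELATED / INVALID."""
    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(p):
        return (p["proto"], p["src"], p.get("sport", 0), p["dst"], p.get("dport", 0))

    def state(self, p):
        k = self.key(p)
        rk = (k[0], k[3], k[4], k[1], k[2])  # same flow, reply direction
        if k in self.flows or rk in self.flows:
            return "ESTABLISHED"
        if p["proto"] == "icmp" and p.get("error"):
            # An ICMP error embeds the header of the packet that caused it;
            # conntrack marks it RELATED only if that inner flow is known, else INVALID.
            i = p["inner"]
            ri = (i[0], i[3], i[4], i[1], i[2])
            return "RELATED" if i in self.flows or ri in self.flows else "INVALID"
        # With nf_conntrack_tcp_loose=1 (the default) a non-SYN first packet is NEW, not INVALID.
        return "NEW"

def firewall(ct, p, allowed_tcp_ports):
    """Walk a small hypothetical INPUT chain in order and return the verdict."""
    st = ct.state(p)
    if st == "INVALID":                      # -m state --state INVALID -j DROP
        return "DROP"
    if st in ("ESTABLISHED", "RELATED"):     # -m state --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    if p["proto"] == "tcp":
        if not p["flags"] & SYN:             # -p tcp ! --syn -m state --state NEW -j DROP
            return "DROP"                    # this is what stops ACK probes (nmap -PT)
        if p["dport"] in allowed_tcp_ports:  # -p tcp --dport N -m state --state NEW -j ACCEPT
            ct.flows.add(ct.key(p))          # a valid SYN to an open port has to be answered (nmap -PS)
            return "ACCEPT"
    return "DROP"                            # policy DROP: also catches NEW ICMP echo/timestamp/etc.

def demo():
    """Constructed sample packets (TEST-NET addresses) run through the chain, in this order."""
    ct = Conntrack()
    ack_probe = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "flags": ACK}
    syn_probe = dict(ack_probe, flags=SYN)
    echo = {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10"}
    stray_err = {"proto": "icmp", "src": "203.0.113.1", "dst": "192.0.2.10", "error": True,
                 "inner": ("tcp", "192.0.2.10", 80, "198.51.100.9", 5555)}
    related_err = dict(stray_err, inner=("tcp", "192.0.2.10", 80, "198.51.100.7", 40000))
    return {"ack_probe": firewall(ct, ack_probe, {80}), "syn_probe": firewall(ct, syn_probe, {80}),
            "icmp_echo": firewall(ct, echo, {80}), "stray_icmp_error": firewall(ct, stray_err, {80}),
            "related_icmp_error": firewall(ct, related_err, {80})}
```

Run demo() to see the point of the reply: the ACK probe is dropped by the "! --syn" rule, the SYN probe to the open port is accepted, and only the ICMP error tied to that accepted flow gets through as RELATED.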


