On Tue, 23 Mar 1999, Jesus Gonzalez wrote:
:If I understand it correctly, the FIN bit basically states that "this is the
:end of transmission", then the host sends an RST bit. If this is the case,
:then how can this be considered stealth since the scanner sending the FIN
:bit is a) awaiting the RST response, and b) must have its IP address in the
:packet?
There are a few reasons that this is 'stealthy'.
1) the daemon listening on the port won't log anything as the tcp session
hasn't been established.
2) afaik according to the rfc, tcp should just drop any FIN packets that
aren't a part of an existing session or have an incorrect serial num.
It is mostly a problem of different implementations defecting from
the standard. You can configure most firewalls to look for different
tcp header flags. In most cases, if a socket is listening, and
it responds to an out of sequence FIN, it won't log it unless there
is something accurately keeping track of state information.
:Are there other methods of scanning which truly are stealth, or is it
:currently not possible to port scan in stealth mode?
Yes, but it requires that you use decoy hosts to obfuscate the true
origin of the scan. There are also some other ways of detecting
which host is the origin of the scan, depending on whether the
decoys are reachable, and I have been speculating that you could
also compare the real rtt's and ttl's of the decoy hosts against those found
in some of the packets that were involved in the scans. I think
that's a whole lot of research in itself.
Theoretically, it is impossible to have 100% assurance that a
packet is coming from where it says it does, so yes, there are
truly stealthy methods of scanning. But from what we have
seen, and from the discussion above, most of the time you
should be able to detect the origin of a scan with a bit
of effort.
-j
--
jamie.reid
Chief Reverse Engineer
Superficial Intelligence Research Division
Defective Technologies
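As an added illustration of the stateful-tracking point in the reply above (example code written for this page, not part of the original post or by its author): a small detector that remembers which connections it saw open and reports hosts sending FIN segments to several ports outside any such session. The addresses, ports and traffic are constructed, and the `threshold` parameter is an assumption.

```python
from dataclasses import dataclass

# TCP control bits from the TCP header (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def _session(seg):
    # Direction-agnostic key, so a FIN from either endpoint matches the session.
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


def detect_fin_scan(segments, threshold=3):
    """Return {source_ip: sorted ports} for hosts that sent FIN segments to at
    least `threshold` distinct ports without a preceding handshake."""
    open_sessions = set()
    orphan_fins = {}
    for seg in segments:
        key = _session(seg)
        if seg.flags & SYN:                     # handshake seen: remember it
            open_sessions.add(key)
        elif seg.flags & RST:                   # abortive close: forget it
            open_sessions.discard(key)
        elif seg.flags & FIN and key not in open_sessions:
            # FIN for a connection we never saw established. A conforming stack
            # drops it silently, which is why nothing gets logged without state.
            orphan_fins.setdefault(seg.src, set()).add(seg.dport)
    return {ip: sorted(ports) for ip, ports in orphan_fins.items()
            if len(ports) >= threshold}


# Constructed sample traffic (not a real capture): one normal connection with a
# proper close, then bare FINs from a second host to four ports.
SAMPLE = [
    Segment("192.0.2.10", 40001, "192.0.2.80", 80, SYN),
    Segment("192.0.2.80", 80, "192.0.2.10", 40001, SYN | ACK),
    Segment("192.0.2.10", 40001, "192.0.2.80", 80, ACK),
    Segment("192.0.2.10", 40001, "192.0.2.80", 80, FIN | ACK),
    Segment("192.0.2.80", 80, "192.0.2.10", 40001, FIN | ACK),
] + [Segment("198.51.100.7", 55555, "192.0.2.80", p, FIN) for p in (21, 22, 23, 80)]

if __name__ == "__main__":
    print(detect_fin_scan(SAMPLE))  # {'198.51.100.7': [21, 22, 23, 80]}
```

The legitimate FIN|ACK teardown is ignored because its session was seen opening; only the out-of-session FINs count toward the threshold.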