ACK, SYN, FIN, RST, PSH - all flags/parts of TCP session setup/teardown etc.
Read the book TCP/IP Illustrated by Stevens/Wright; it's recommended and well worth it.

setup:SYN->
setup:<-SYN-ACK
setup:ACK->
data:<-ACK
data:ACK->
teardown:FIN-ACK-> (okay, I am done... let's close this session)
teardown:<-ACK (must first acknowledge receipt of the FIN-ACK)
teardown:<-FIN-ACK (then it agrees the session is broken)
(of course you also have sequence/acknowledgement numbers as well as window sizing too...)

If you send a packet with FIN set, but without first having established a session through the three-way handshake, the firewall will see this as a packet belonging to a session that was not established properly and drop it under rule 0. Some TCP/IP stacks might actually respond to the FIN and thus allow scanners like nmap to see what services are available, but the logging software on that same box may only look at the SYN/ACK or FIN/ACK portion to determine if someone is making a connection, and this way they can scan somewhat under the radar and not be logged.

Anyone want to correct me? I am sure I have oversimplified this....

Has anyone seen a brute-force IKE tool of any sort? Perhaps as part of a trojan package like SubSeven?
I have been getting a LARGE number of packets coming from a group of around 10 addresses over a period of the last 6 weeks, and they are all UDP port 500 (IKE). These same hosts are sending these packets to all the hosts in my subnet and not just my firewall. They are all being dropped, but it seems odd to me that this would continue for a period of over 6 weeks. I receive several packets every minute, and the level has not been high enough to constitute a DoS attack.... Looks more to me like someone is trying to brute-force a session.

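The handshake, teardown and rule-0 behaviour described in the reply above, as an added example that is not part of the original thread: a minimal stateful TCP tracker in Python that only lets a bare SYN open a session, walks a constructed connection through its states to CLOSED (passing FIN_WAIT_2 on the way, exactly as in the teardown sequence above where the peer acknowledges the FIN before sending its own), drops a lone FIN probe as an "unknown established tcp packet", and runs a SYN-only logger over the same packets to show why such a probe can go unlogged. All hosts, ports and packets are constructed for the example; sequence/acknowledgement numbers and window sizes are ignored, so the simultaneous-close (CLOSING) path is not modelled.

```python
"""Minimal stateful TCP session tracker (added example, not code from the thread).

Only a bare SYN may open a session; every other packet without a session is
dropped the way the thread describes rule 0 doing it. Sequence/ack numbers
and window sizes are deliberately ignored, so simultaneous close (CLOSING)
is not modelled. All hosts, ports and packets below are constructed.
"""
from dataclasses import dataclass

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port"
    dst: str
    flags: int


# (state, direction, flags that must be set, next state); first match wins.
# Direction is relative to the session initiator: "out" = initiator -> peer.
# FIN rows precede ACK rows because a FIN segment also carries ACK.
TRANSITIONS = [
    ("SYN_SENT",    "out", SYN,       "SYN_SENT"),     # SYN retransmit
    ("SYN_SENT",    "in",  SYN | ACK, "SYN_RCVD"),
    ("SYN_RCVD",    "out", ACK,       "ESTABLISHED"),  # handshake complete
    ("ESTABLISHED", "out", FIN,       "FIN_WAIT_1"),   # initiator closes first
    ("ESTABLISHED", "in",  FIN,       "CLOSE_WAIT"),   # peer closes first
    ("ESTABLISHED", "out", ACK,       "ESTABLISHED"),  # data either way
    ("ESTABLISHED", "in",  ACK,       "ESTABLISHED"),
    ("FIN_WAIT_1",  "in",  FIN | ACK, "TIME_WAIT"),    # peer acks and closes at once
    ("FIN_WAIT_1",  "in",  ACK,       "FIN_WAIT_2"),   # peer only acked our FIN
    ("FIN_WAIT_2",  "in",  FIN,       "TIME_WAIT"),    # peer's own FIN arrives
    ("TIME_WAIT",   "out", ACK,       "CLOSED"),       # final ACK
    ("CLOSE_WAIT",  "out", FIN,       "LAST_ACK"),
    ("LAST_ACK",    "in",  ACK,       "CLOSED"),
]


class Tracker:
    """Stateful filter: drop anything not part of a properly opened session."""

    def __init__(self):
        self.sessions = {}   # (initiator, peer) -> state
        self.drops = []      # (packet, reason)

    def _lookup(self, pkt):
        if (pkt.src, pkt.dst) in self.sessions:
            return (pkt.src, pkt.dst), "out"
        if (pkt.dst, pkt.src) in self.sessions:
            return (pkt.dst, pkt.src), "in"
        return None, None

    def process(self, pkt):
        """Apply one packet; return the session's new state or 'DROP'."""
        key, direction = self._lookup(pkt)
        if key is None:
            # No session yet: only a bare SYN opens one. A lone FIN (nmap -sF),
            # a NULL/Xmas probe or a stray ACK all fall through to the drop.
            if pkt.flags == SYN:
                self.sessions[(pkt.src, pkt.dst)] = "SYN_SENT"
                return "SYN_SENT"
            self.drops.append((pkt, "unknown established tcp packet"))
            return "DROP"
        if pkt.flags & RST:                  # abort from either side
            del self.sessions[key]
            return "CLOSED"
        state = self.sessions[key]
        for st, dr, need, nxt in TRANSITIONS:
            if st == state and dr == direction and pkt.flags & need == need:
                if nxt == "CLOSED":
                    del self.sessions[key]
                else:
                    self.sessions[key] = nxt
                return nxt
        self.drops.append((pkt, f"out of state in {state}"))
        return "DROP"


def syn_only_logger(packets):
    """Mimic logging that records new connections by their bare SYN only."""
    return sorted({p.src.split(":")[0] for p in packets
                   if p.flags & SYN and not p.flags & ACK})


def demo():
    """Normal connection followed by a lone FIN probe from a scanner (constructed)."""
    client, server, scanner = "10.0.0.5:40000", "192.0.2.10:80", "198.51.100.7:55555"
    fw = Tracker()
    normal = [
        Packet(client, server, SYN),
        Packet(server, client, SYN | ACK),
        Packet(client, server, ACK),
        Packet(client, server, PSH | ACK),   # request data
        Packet(server, client, ACK),         # acknowledged
        Packet(client, server, FIN | ACK),   # client: I am done
        Packet(server, client, ACK),         # server acks the FIN first -> FIN_WAIT_2
        Packet(server, client, FIN | ACK),   # then closes its own side
        Packet(client, server, ACK),
    ]
    states = [fw.process(p) for p in normal]
    probe = Packet(scanner, server, FIN)     # nmap -sF style probe, no handshake
    probe_result = fw.process(probe)
    logged = syn_only_logger(normal + [probe])
    return states, probe_result, logged, fw.drops


if __name__ == "__main__":
    states, probe_result, logged, drops = demo()
    print("states:", " -> ".join(states))
    print("FIN probe:", probe_result, "-", drops[-1][1])
    print("SYN-only logger saw:", logged)
```

Running `demo()` shows the constructed connection going SYN_SENT, SYN_RCVD, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, TIME_WAIT, CLOSED, the scanner's lone FIN being dropped with the rule-0 reason, and the SYN-only logger listing only the legitimate client. In this tracker a FIN_WAIT_2 entry can only be reached from ESTABLISHED, so it always belongs to a session that completed the handshake; a handshake-less FIN probe never creates a session entry at all.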

----- Original Message -----
From: "Eliyah Lovkoff" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 05, 2001 3:53 PM
Subject: FIN_WAIT_2


> I have some guy that scans my firewall and his packets are dropped by rule 0 as
> unknown established tcp packet. On the other hand, I receive e-mail alerts from
> CPMAD that state that there is a port scanning attack from this address.
>
> In the output of the fwinfo command I see the address of this guy listed, and in the
> state column it appears as FIN_WAIT_2.
> I know that using nmap you can initiate a FIN scan....
> Questions:
> 1. What is FIN?
> 2. Does FIN_WAIT_2 indicate that it was a FIN port scan?
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
