Re: NULL Scan issues or something else?

To: Daniel Curtis <sidetripping@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: NULL Scan issues or something else?
From: Mike Mestnik <cheako+debian-security@mikemestnik.net>
Date: Tue, 05 Feb 2013 16:32:21 -0600
Message-id: <[🔎] 51118875.2000908@mikemestnik.net>
In-reply-to: <[🔎] CAASvXNsFvKq53aAAZsj4uKt6XVbLTg2z_RTjdUdq=i=PF_QE5g@mail.gmail.com>
References: <[🔎] CAASvXNsFvKq53aAAZsj4uKt6XVbLTg2z_RTjdUdq=i=PF_QE5g@mail.gmail.com>

This is exactly why a higher level interface should be considered.  If
you go about setting your own low level iptables rules then you would
also have the task of testing those rules.

I use shorewall and I've used firhol, both are good.  Please consult
there results(the tables they generate) for stable/widely used examples.
 Plus if you find that they are open to (insert your fav attack here)
then it's much more helpful for the community to get these tools fixed
then would be to fix up your mind enough so that you understand the
implications of iptable rules.

On 02/05/13 11:51, Daniel Curtis wrote:
> Hi
> 
> I've added a rule to my iptables script, which is responsible for
> filtering /--tcp-flags/ and /INVALID/ state. After addition of this rule,
> I've noticed , that many IP addresses are trying to scan(?) my
> computer, but it is not so obvious, because, for me, from iptables
> rule point of view, NULL Scan is something different (see below).
> This rule looks this way and is related to the incoming connections:
> 
> ... -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,
> ACK,FIN, PSH,URG, SYN,RST,ACK, FIN,PSH,URG -j DROP
> 
> Also, I've added the ability to log this rule with/-j LOG --log-prefix
> "NULL Scan /". But something is not as it should be. As we know an
> attacker uses a TCP NULL Scan to determine if ports are closed on
> the target machine by sending a TCP segments with *no flag* in
> the packet header, right?
> So, I wonder if the above rule is okay, because if NULL Scan does not
> use flags, iptables rule should/could look this way: /--tcp-flags ALL NONE/
> instead of all these flags mentioned above. So, for what is responsible
> the above rule?
> 
> What should I do with this issue? I'm so confused. Maybe it is a normal
> behavior, because of /INVALID/ option? I would like to get some advice
> from You. Generally, I would like to get some advices etc.
> 
> *## Debian version:*
> Wheezy/Sid.
> *
> ## Example logs entries: *
> kernel: [ 9973.043847] NULL SCAN:
> IN=eth0 OUT= MAC=mac_addresses_
> SRC=82.195.75.100 DST=192.168.10.32
> LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=27355 DF
> PROTO=TCP SPT=80 DPT=41464
> WINDOW=6432 RES=0x00 ACK URGP=0
> 
> Mostly all of the log entries related to the NULL Scan are the same -
> the same /
> SPT/, /TTL/ and /PROTO/ values. Of course, sometimes IP addresses were
> changed.
> 
> Best regards!

Reply to:

References:
- NULL Scan issues or something else?
  - From: Daniel Curtis <sidetripping@gmail.com>

Prev by Date: NULL Scan issues or something else?
Next by Date: Re: NULL Scan issues or something else?
Previous by thread: NULL Scan issues or something else?
Next by thread: Re: NULL Scan issues or something else?
Index(es):
- Date
- Thread