
NULL Scan issues or something else?



Hi

I've added a rule to my iptables script, which is responsible for
filtering --tcp-flags and INVALID state. After addition of this rule,
I've noticed that many IP addresses are trying to scan(?) my
computer, but it is not so obvious, because, for me, from iptables
rule point of view, NULL Scan is something different (see below).
This rule looks this way and is related to the incoming connections:

... -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG -j DROP


Also, I've added the ability to log this rule with -j LOG --log-prefix
"NULL Scan". But something is not as it should be. As we know, an
attacker uses a TCP NULL Scan to determine if ports are closed on
the target machine by sending TCP segments with no flag in
the packet header, right?
So, I wonder if the above rule is okay, because if NULL Scan does not
use flags, iptables rule should/could look this way: --tcp-flags ALL NONE
instead of all these flags mentioned above. So, what is the above rule
responsible for?

What should I do with this issue? I'm so confused. Maybe it is a normal
behavior, because of INVALID option? I would like to get some advice
from you.
Generally, I would like to get some advice etc.

## Debian version:
Wheezy/Sid.

## Example logs entries:

kernel: [ 9973.043847] NULL SCAN:
IN=eth0 OUT= MAC=mac_addresses_
SRC="" DST=192.168.10.32
LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=27355 DF
PROTO=TCP SPT=80 DPT=41464
WINDOW=6432 RES=0x00 ACK URGP=0

Mostly all of the log entries related to the NULL Scan are the same - the same
SPT, TTL and PROTO values. Of course, sometimes IP addresses were changed.

Best regards!
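
An added example, not part of the original post: it evaluates the flag test of the posted rule and of `--tcp-flags ALL NONE` against the posted log entry and against a constructed entry for a segment with no flags. Only the flag part is modelled (the `--ctstate INVALID` condition is not), and the function names are hypothetical.

```python
import re

# TCP flag bits in header order; ALL/NONE follow iptables' keywords.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
SIX = "SYN,RST,ACK,FIN,PSH,URG"

def to_bits(spec):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    if spec == "NONE":
        return 0
    names = FLAG_BITS if spec == "ALL" else spec.split(",")
    return sum(FLAG_BITS[n] for n in names)

def tcp_flags_match(flags, mask, comp, invert=False):
    """--tcp-flags mask comp: only bits in mask are examined, and of
    those exactly the bits in comp must be set. '!' inverts the result."""
    return ((flags & to_bits(mask)) == to_bits(comp)) != invert

def flags_from_log(line):
    """The LOG target prints set flags as bare words between RES= and URGP=."""
    m = re.search(r"RES=0x[0-9a-fA-F]+\s+(.*?)URGP=", line)
    if m is None:
        raise ValueError("no TCP flag field in log line")
    return sum(FLAG_BITS.get(word, 0) for word in m.group(1).split())

# Log entry from the post, joined onto one line.
POSTED = ('kernel: [ 9973.043847] NULL SCAN: IN=eth0 OUT= MAC=mac_addresses_ '
          'SRC="" DST=192.168.10.32 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 '
          'ID=27355 DF PROTO=TCP SPT=80 DPT=41464 WINDOW=6432 RES=0x00 '
          'ACK URGP=0')
# Constructed entry: what a segment with no flags at all would log.
NO_FLAGS = ('kernel: [ 0.000000] IN=eth0 OUT= SRC=192.0.2.1 DST=192.168.10.32 '
            'LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 '
            'DPT=22 WINDOW=1024 RES=0x00 URGP=0')

def classify(line):
    """Report which of the two flag tests the logged segment satisfies."""
    flags = flags_from_log(line)
    return {"posted_rule": tcp_flags_match(flags, SIX, SIX, invert=True),
            "all_none": tcp_flags_match(flags, "ALL", "NONE")}

if __name__ == "__main__":
    for name, line in (("posted", POSTED), ("no-flags", NO_FLAGS)):
        print(name, classify(line))
```

Both entries satisfy the posted rule's flag test, but only the constructed flagless entry satisfies `ALL NONE`; the posted entry carries ACK.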

