[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: NULL Scan issues or something else?

Hello Daniel,

As far as I understand well, an INVALID state is applied on packet that shouldn’t exist according to the conntrack engine.

Null scan packets should look like --tcp-flags ALL NONE.

Your rule will match with packets that are invalid AND that are not full flag, which seem to me almost all invalid packets !

My advice is that you should consider 3 rules :

One that drop every INVALID packets (... -m conntrack --ctstate INVALID … -j DROP)

One that log every NULL SCAN (…--tcp-flags ALL NONE … -j LOG --log-prefix "NULL Scan ")       

One that drop every NULL SCAN (…--tcp-flags ALL NONE … -j DROP)

I hope that this will help you.

 

OB

 

De : Daniel Curtis [mailto:sidetripping@gmail.com]
Envoyé : mardi 5 février 2013 18:52
À : debian-security@lists.debian.org
Objet : NULL Scan issues or something else?

 

Hi

I've added a rule to my iptables script, which is responsible for
filtering --tcp-flags and INVALID state. After addition of this rule,
I've noticed , that many IP addresses are trying to scan(?) my
computer, but it is not so obvious, because, for me, from iptables
rule point of view, NULL Scan is something different (see below).
This rule looks this way and is related to the incoming connections:

... -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,
ACK,FIN, PSH,URG, SYN,RST,ACK, FIN,PSH,URG -j DROP

Also, I've added the ability to log this rule with -j LOG --log-prefix
"NULL Scan ". But something is not as it should be. As we know an
attacker uses a TCP NULL Scan to determine if ports are closed on
the target machine by sending a TCP segments with no flag in
the packet header, right?
So, I wonder if the above rule is okay, because if NULL Scan does not
use flags, iptables rule should/could look this way: --tcp-flags ALL NONE
instead of all these flags mentioned above. So, for what is responsible
the above rule?

What should I do with this issue? I'm so confused. Maybe it is a normal
behavior, because of INVALID option? I would like to get some advice
from You. Generally, I would like to get some advices etc.

## Debian version:
Wheezy/Sid.

## Example logs entries:
kernel: [ 9973.043847] NULL SCAN:
IN=eth0 OUT= MAC=mac_addresses_
SRC="" DST=192.168.10.32
LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=27355 DF
PROTO=TCP SPT=80 DPT=41464
WINDOW=6432 RES=0x00 ACK URGP=0

Mostly all of the log entries related to the NULL Scan are the same - the same
SPT, TTL and PROTO values. Of course, sometimes IP addresses were changed.

Best regards!

Reply to: