Re: stealth port scanning fix

Darren Reed (avalon@COOMBS.ANU.EDU.AU)
Mon, 08 Sep 1997 22:11:10 +1000

In some mail from Superuser, sie said:
>
> Hi, as I said in a previous message, linux 2.1.53, and probably all other
> versions, allows port scanning by sending FIN-only (no ACK) packets and seeing
> if one gets an RST packet. If one does not then the port is listening. Here is
> a patch to linux/net/ipv4/tcp_input.c that stops that working and gives you a
> message in the log telling you the port number and source IP address. When you
> see all the open ports from one IP address you have grounds for writing to the
> ISP and watch the cracker's account disappearing (in a puff of greasy green
> smoke, perhaps).

Page 65, RFC 793:

SEGMENT ARRIVES

If the state is CLOSED (i.e., TCB does not exist) then

all data in the incoming segment is discarded. An incoming
segment containing a RST is discarded. An incoming segment not
containing a RST causes a RST to be sent in response. The
acknowledgment and sequence field values are selected to make the
reset sequence acceptable to the TCP that sent the offending
segment.
...
If the state is LISTEN then

...
[Page 66]
fourth other text or control

Any other control or text-bearing segment (not containing SYN)
must have an ACK and thus would be discarded by the ACK
processing. An incoming RST segment could not be valid, since
it could not have been sent in response to anything sent by this
incarnation of the connection. So you are unlikely to get here,
but if you do, drop the segment, and return.

Cheers,
Darren
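Added example (not from either poster or the Linux patch): a small model of the RFC 793 CLOSED/LISTEN handling Darren quotes, and the kind of per-probe logging the quoted patch describes, run over constructed packet records. The listening-port set, sample addresses and the alert threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed: ports the modelled host is listening on (assumption for the example).
LISTENING_PORTS = {22, 25, 80}

def rfc793_response(dst_port, flags, listening=LISTENING_PORTS):
    """What an RFC 793 stack sends back for one incoming segment.

    CLOSED (no TCB): any segment without RST gets a RST in reply.
    LISTEN: a bad ACK is reset, a SYN is answered, and any other
    segment ('fourth other text or control') is dropped without reply.
    Only the cases discussed in the thread are modelled."""
    if "RST" in flags:
        return None          # incoming RSTs are discarded in both states
    if dst_port not in listening:
        return "RST"         # CLOSED: reset the offending segment
    if "ACK" in flags:
        return "RST"         # LISTEN: an ACK cannot be valid here
    if "SYN" in flags:
        return "SYN-ACK"     # LISTEN: normal connection attempt
    return None              # LISTEN: FIN-only and similar are silently dropped

def is_fin_probe(flags):
    """FIN set with neither ACK nor SYN: the probe the quoted patch logs."""
    return "FIN" in flags and "ACK" not in flags and "SYN" not in flags

def log_fin_probes(packets):
    """One log line per FIN-only probe (port and source, as the patch does),
    plus the set of distinct probed ports per source address."""
    lines, ports_by_src = [], defaultdict(set)
    for src, dst_port, flags in packets:
        if is_fin_probe(flags):
            lines.append(f"FIN-only probe to port {dst_port} from {src}")
            ports_by_src[src].add(dst_port)
    return lines, ports_by_src

def suspicious_sources(ports_by_src, threshold=3):
    """Sources that probed at least `threshold` distinct ports (constructed cutoff)."""
    return {src for src, ports in ports_by_src.items() if len(ports) >= threshold}

# Constructed sample traffic: (source address, destination port, TCP flags).
SAMPLE_PACKETS = [
    ("192.0.2.10", 22, {"FIN"}),
    ("192.0.2.10", 23, {"FIN"}),
    ("192.0.2.10", 80, {"FIN"}),
    ("192.0.2.10", 443, {"FIN"}),
    ("198.51.100.7", 80, {"SYN"}),
    ("198.51.100.7", 80, {"FIN", "ACK"}),   # ordinary close, not a probe
]

if __name__ == "__main__":
    for line in log_fin_probes(SAMPLE_PACKETS)[0]:
        print(line)
```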