Re: stealth port scanning

Fyodor (fyodor@DHP.COM)
Mon, 08 Sep 1997 06:14:23 -0400

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 7 Sep 1997, Superuser (Duncan Simpson) wrote:

> I discovered another bug. If you send a packet with FIN but not ACK set
> then Linux will discard the packet if the port is listening and send RST
> if not.

Actually I discussed this (and provided code to implement it) in my Phrack
51 article. To quote it:

The idea is that closed ports tend to reply to your FIN packet with the
proper RST. Open ports, on the other hand, tend to ignore the packet in
question. This is a bug in TCP implementations [...]

Also, there seems to be a problem with your "patch". It basically adds
the following line to tcp_input.c:

printk("Warning: possible attempt at \"sleath\" port scaning: port %d, "
       "source IP %s\n", noths(skb->h.th->dest), in_ntoa(skb->nh.iph->saddr));
                         ^^^^^
Don't you mean 'ntohs'?? Also, you wrote:

> When you see all the open ports from one IP address you have grounds for
> writing to the ISP and watch the cracker's account disappearing (in a
> puff of greasy green smoke, perhaps).

I don't think this is a good idea, for the same reason the SYN flood
detecting code doesn't give IP addresses. It could easily be forged. In
fact, nmap (my Phrack code) includes this as a feature. Suppose I don't
like someone at 192.88.209.5. I could then do:

payfonez~# ./nmap -US 192.88.209.5 target.com

And your detectors will all go off blaming the wrong person. So if the
ISP is ignorant, it might be an innocent person whose account disappears
"in a puff of greasy green smoke".

Cheers,
Fyodor

- --
Fyodor 'finger fyodor@dhp.com | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.dhp.com/~fyodor/nmap/
"Hacking is perceived by hackers as a "game." This is not an entirely
unreasonable or sociopathic perception." --Bruce Sterling

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNBPQBBLa2GWS3jg1AQFTiwP8DfKndBdxsvmrD3eCqJClwLx/e2YglKx4
Mb3o5KN1+8GHpMcLNgLnuA55bYstX0k72RIi1gS24Qw+dFMlBA+WgxF9+aEJlAbG
DwoChTig4yYiVzOMDDzv+N7GQ5SOUoYtKZa9uF8b6z3gAIhZEmxOxuTGgZ6t1cv1
RgsdQDneJC0=
=bXkD
-----END PGP SIGNATURE-----
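The following is an added example, not code from Fyodor's post, from Duncan Simpson's patch, or from nmap. It models the check the quoted tcp_input.c line keys on (FIN set, ACK clear), the reply behaviour Fyodor quotes from his Phrack 51 article (closed port answers RST, listening port drops the segment), and then tallies probes per claimed source address to make his attribution point concrete: a decoy address that was written into the IP header ranks exactly like the real sender. The listening-port set and every packet record are constructed sample data.

```python
"""Bare-FIN probe detector and per-source tally (added example, constructed data)."""
from collections import Counter

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed: ports this host is assumed to be listening on.
LISTENING_PORTS = {22, 25, 80}

# Constructed packet records: (claimed source IP, destination port, TCP flags).
# 192.88.209.5 is the decoy from the post: it sends nothing, but the real
# prober wrote that address into the source field of a copy of every probe.
SAMPLE_PACKETS = [
    ("10.0.0.7", 80, ACK | PSH),      # ordinary data segment
    ("10.0.0.7", 80, FIN | ACK),      # ordinary connection close
    ("192.0.2.10", 22, FIN),          # bare FIN to a listening port
    ("192.0.2.10", 25, FIN),          # bare FIN to a listening port
    ("192.0.2.10", 8080, FIN),        # bare FIN to a closed port
    ("192.88.209.5", 22, FIN),        # decoy copies of the same probes
    ("192.88.209.5", 25, FIN),
    ("192.88.209.5", 8080, FIN),
]


def is_bare_fin_probe(flags: int) -> bool:
    """The condition the quoted patch tests: FIN set and ACK clear.

    Once a connection exists, every segment including the closing FIN
    carries ACK, so a FIN without ACK belongs to no legitimate session.
    """
    return bool(flags & FIN) and not flags & ACK


def expected_reply(dest_port: int, flags: int) -> str:
    """Behaviour quoted from Phrack 51: a bare FIN to a closed port draws an
    RST, while a listening port silently ignores it."""
    if not is_bare_fin_probe(flags):
        return "n/a"
    return "drop" if dest_port in LISTENING_PORTS else "RST"


def tally_probes(packets) -> Counter:
    """Count bare-FIN probes per *claimed* source address."""
    counts = Counter()
    for src, _dport, flags in packets:
        if is_bare_fin_probe(flags):
            counts[src] += 1
    return counts


def suspects(packets, threshold: int = 3) -> list:
    """Claimed sources at or above the threshold, sorted.

    The source field is filled in by whoever built the packet, so each
    entry is an assertion by the sender, not an identification; the decoy
    address appears here alongside the real one.
    """
    return sorted(src for src, n in tally_probes(packets).items() if n >= threshold)


if __name__ == "__main__":
    for src, dport, flags in SAMPLE_PACKETS:
        if is_bare_fin_probe(flags):
            print(f"bare FIN from {src} to port {dport}: host would {expected_reply(dport, flags)}")
    print("claimed sources over threshold:", suspects(SAMPLE_PACKETS))
```

Running the block shows both addresses crossing the threshold with identical counts, which is the situation Fyodor describes: a log line naming a source address is evidence that probes arrived, not evidence of who sent them.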