Re: stealth port scanning

Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Mon, 08 Sep 1997 19:16:44 +0100

> The idea is that closed ports tend to reply to your FIN packet with the
> proper RST. Open ports, on the other hand, tend to ignore the packet in
> question. This is a bug in TCP implementations [...]

Which is not quite right. It's the way the protocol is defined. Worse still,
a FIN to a listening port in itself is legitimate for some TCP close-down
paths. You have to ignore the out-of-sequence FIN for the protocol to work,
and you have to RST it for connection close-down to work.

It's perhaps about time people worked harder on secure machines so scanning
doesn't matter. With a good grasp of TCP and a lot of paper I think you could
formally prove a scanner has to work.

BTW, bored folks might be interested in the other stuff I've been playing with:
"Good Times" is alive and well and works even better on usenet. Using the
netscape and ie3/4 bugs and news articles with Content-type: text/html you can,
it turns out, replicate all the attacks across usenet. Next question to be
resolved - can you run java applets from news:<articleid> urls, and if so, has
anyone got a java applet to do the inn hack ... ?
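An added example, not part of Alan Cox's post: the RFC 793 segment-arrival rules the reply relies on (a bare FIN to a CLOSED port draws a RST, to a LISTEN port it is silently dropped) modelled as a function, plus a defender-side check over constructed packet summaries that flags a source sending ACK-less FINs to many ports. The packet records, field layout and threshold are constructed for illustration.

```python
from collections import defaultdict
from typing import Optional, Set, List, Tuple

def rfc793_response(port_state: str, flags: Set[str]) -> Optional[str]:
    """What a host sends back for an incoming segment, per RFC 793 'SEGMENT ARRIVES'.

    CLOSED: any segment without RST is answered with a RST.
    LISTEN: RST is dropped; a segment with ACK draws a RST; SYN proceeds to
            SYN-ACK; anything else (e.g. a bare FIN) is dropped without reply.
    Returns the reply type, or None when the segment is ignored.
    """
    if "RST" in flags:
        return None                      # RSTs are never answered with RSTs
    if port_state == "CLOSED":
        return "RST"                     # this is what makes a FIN scan see 'closed'
    if port_state == "LISTEN":
        if "ACK" in flags:
            return "RST"                 # unexpected ACK to a listener
        if "SYN" in flags:
            return "SYN-ACK"             # normal connection setup
        return None                      # bare FIN/NULL to a listener: silence
    raise ValueError(f"unsupported state {port_state}")

# Constructed packet summaries: (source address, destination port, TCP flags).
PACKETS: List[Tuple[str, int, Set[str]]] = [
    ("10.0.0.5", 22, {"FIN"}),
    ("10.0.0.5", 25, {"FIN"}),
    ("10.0.0.5", 80, {"FIN"}),
    ("10.0.0.5", 443, {"FIN"}),
    ("10.0.0.9", 80, {"FIN", "ACK"}),    # ordinary close of an established connection
    ("10.0.0.9", 80, {"SYN"}),           # ordinary connection attempt
]

def is_unsolicited_fin(flags: Set[str]) -> bool:
    """A FIN carried without ACK/SYN/RST cannot belong to an established connection."""
    return "FIN" in flags and not ({"ACK", "SYN", "RST"} & flags)

def fin_scan_sources(packets, threshold: int = 3) -> List[str]:
    """Sources whose unsolicited FINs touched at least `threshold` distinct ports."""
    ports_per_src = defaultdict(set)
    for src, dport, flags in packets:
        if is_unsolicited_fin(flags):
            ports_per_src[src].add(dport)
    return sorted(src for src, ports in ports_per_src.items() if len(ports) >= threshold)

if __name__ == "__main__":
    print("FIN to CLOSED ->", rfc793_response("CLOSED", {"FIN"}))   # RST
    print("FIN to LISTEN ->", rfc793_response("LISTEN", {"FIN"}))   # None
    print("suspect sources:", fin_scan_sources(PACKETS))            # ['10.0.0.5']
```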