Subject: Re: UDP port scanning...
From: Simple Nomad (thegnome@nmrc.org)
Date: Thu Feb 10 2000 - 09:43:35 CST
- Next message: Bennett Todd: "Re: how to know scan is correct?"
- Previous message: Bep Verberk: "fooling nmap"
- Next in thread: Rob Quinn: "Re: UDP port scanning..."
- Maybe reply: Simple Nomad: "Re: UDP port scanning..."
- Reply: Rob Quinn: "Re: UDP port scanning..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jesus Christ.....
Okay, I'll let the script kiddie comment slide, but I was just
interpreting the terms "good" and "bad" differently. At any point any
scanner that detects all open UDP ports is what I would consider a bad
thing, as this is almost certainly a false positive, unless there is a
seriously misconfigured packet filtering device in place.
As far as my comments about state tables, I had pulled together a series
of security patches written by others for Linux 2.0.36 kernels and
included some of my own tweaks that did very basic state table stuff. See
http://www.nmrc.org/files/sunix/nmrcOS.patch.tar.gz for details. And
before someone asks, yes I'll probably update this to a 2.2 kernel for
mass consumption, but I have been rather busy and am unsure when this will
happen. Hopefully the new job will allow it.
For those not wishing to pick through the kernel patch, let me explain
what I was referring to:
- Kernel receives packet.
- Kernel checks to see if packet is a SYN, if so it allows other
existing items (such as ipfw, ipchains, tcp wrappers etc) to deal with it.
- If not a SYN, it checks to see if it is a part of an existing
conversation, and if it is, allows the packet (the state table).
- If not a part of an existing conversation, drop the packet (and
alternately log it).
The point is that most of the stealthy scans will not show up in most
logs, hence this is why they are stealthy and why they are being used. By
using the above scenario you force the only TCP scanning method that will
work to be the one guaranteed to make itself known in logs.
I don't understand why the above four steps are not standard in all
networked systems anyway -- they make sense, and prevent a LOT of extra
crap from coming in. Granted it kills "push" technologies, but big deal, I
don't see as many web banner ads....
- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - www.bindview.com -
On Thu, 10 Feb 2000, Joe Hacker wrote:
> Er, wasn't that just what Reed said? ;)
>
> -joe
>
> At 09:36 09/02/00 -0600, Simple Nomad wrote:
> >Yes but if the firewall or router is simply dropping the packets (common
> >with filter-based rules) then all UDP ports will show up as open, when in
> >fact they are not.
> >
> >- Simple Nomad - No rest for the Wicca'd -
> >- thegnome@nmrc.org - www.nmrc.org -
> >- thegnome@razor.bindview.com - www.bindview.com -
> >
> >On Wed, 9 Feb 2000, Darren Reed wrote:
> >
> >>
> >> It maybe worthwhile putting in a note when doing UDP scan that the
> >> "open ports" are generated when no packets are received back. Too
> >> many lay people seem to assume that "all UDP ports open" as reported
> >> by nmap is a `bad thing' when in fact it's a good thing(tm).
> >>
> >> Darren
> >>
> >
> >
>
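The four steps Simple Nomad lists above, written out as a small user-space model so the effect on FIN/Xmas/Null/ACK probes can be seen. This is an added example, not code from the nmrcOS kernel patch or from the poster; the names (inspect_inbound, track_conn, legacy_filter_accepts, the verdict enum), the "only ports 22 and 80 accept new connections" policy, the host address 10.0.0.1 and all of the sample packets are constructed for illustration. One reading choice is mine: "SYN" in step 2 is taken as SYN-without-ACK, so a SYN/ACK answering one of our own outbound SYNs is judged by the state table (track_conn is also called for outbound SYNs) rather than handed to the SYN filter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

/* Verdict names are this example's own, not the patch's. */
enum verdict {
    V_PASS_TO_FILTER,  /* step 2: a SYN; ipchains / tcp wrappers decide  */
    V_ALLOW_STATE,     /* step 3: part of a conversation we already know */
    V_DROP_LOG         /* step 4: stray non-SYN segment; drop and log    */
};

struct pkt {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  flags;         /* TCP flags */
};

/* The state table: one row per accepted conversation, matched in either direction. */
struct conn { uint32_t a, b; uint16_t ap, bp; int used; };
#define MAX_CONN 64
static struct conn table[MAX_CONN];
static int dropped;

int reset_state(void) { memset(table, 0, sizeof table); dropped = 0; return 0; }
int dropped_count(void) { return dropped; }

static int same_conv(const struct conn *c, const struct pkt *p)
{
    return (c->a == p->src && c->ap == p->sport && c->b == p->dst && c->bp == p->dport)
        || (c->a == p->dst && c->ap == p->dport && c->b == p->src && c->bp == p->sport);
}

static int in_table(const struct pkt *p)
{
    for (int i = 0; i < MAX_CONN; i++)
        if (table[i].used && same_conv(&table[i], p)) return 1;
    return 0;
}

/* Record a conversation: called for accepted inbound SYNs and for our own
 * outbound SYNs, so the replies to them pass step 3. Returns 0 if the table is full. */
int track_conn(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    struct pkt p = { src, dst, sport, dport, 0 };
    if (in_table(&p)) return 1;
    for (int i = 0; i < MAX_CONN; i++)
        if (!table[i].used) {
            table[i] = (struct conn){ src, dst, sport, dport, 1 };
            return 1;
        }
    return 0;
}

/* Stand-in for the existing filter a SYN is handed to (ipfw/ipchains/tcp wrappers
 * in the post). Constructed policy: new connections only to ports 22 and 80. */
int legacy_filter_accepts(const struct pkt *p)
{
    return p->dport == 22 || p->dport == 80;
}

/* The four steps from the post, applied to one inbound TCP segment. */
enum verdict inspect_inbound(const struct pkt *p)
{
    /* Step 1 already happened: the kernel handed us the packet. */
    /* Step 2: a pure SYN (SYN set, ACK clear) is a new connection attempt.
     * Hand it to the ordinary filters and, if they accept it, remember it. */
    if ((p->flags & (TH_SYN | TH_ACK)) == TH_SYN) {
        if (legacy_filter_accepts(p)) track_conn(p->src, p->sport, p->dst, p->dport);
        return V_PASS_TO_FILTER;
    }
    /* Step 3: anything else must belong to a conversation in the table. */
    if (in_table(p)) return V_ALLOW_STATE;
    /* Step 4: a FIN/Xmas/Null/ACK probe never had a SYN: drop it and log it.
     * This is the line that turns a "stealth" scan into a log entry. */
    dropped++;
    fprintf(stderr, "DROP %u.%u.%u.%u:%u -> :%u flags=0x%02x\n",
            (unsigned)(p->src >> 24), (unsigned)((p->src >> 16) & 255),
            (unsigned)((p->src >> 8) & 255), (unsigned)(p->src & 255),
            (unsigned)p->sport, (unsigned)p->dport, (unsigned)p->flags);
    return V_DROP_LOG;
}

/* Convenience for the demo: an inbound segment addressed to our host (10.0.0.1, constructed). */
#define OUR_HOST 0x0a000001u
enum verdict probe(uint32_t src, uint16_t sport, uint16_t dport, uint8_t flags)
{
    struct pkt p = { src, OUR_HOST, sport, dport, flags };
    return inspect_inbound(&p);
}

int main(void)
{
    uint32_t client = 0x0a000005u, scanner = 0x0a000009u;   /* 10.0.0.5 and 10.0.0.9, constructed */
    reset_state();
    printf("SYN  to 80 -> %d\n", probe(client, 40000, 80, TH_SYN));                  /* 0: to filter   */
    printf("ACK  to 80 -> %d\n", probe(client, 40000, 80, TH_ACK));                  /* 1: state table */
    printf("FIN  to 25 -> %d\n", probe(scanner, 55555, 25, TH_FIN));                 /* 2: drop + log  */
    printf("Xmas to 80 -> %d\n", probe(scanner, 55556, 80, TH_FIN | TH_PSH | TH_URG)); /* 2 */
    printf("Null to 80 -> %d\n", probe(scanner, 55557, 80, 0));                      /* 2 */
    printf("dropped: %d\n", dropped_count());                                        /* 3 */
    return 0;
}
```

The thing to notice is the last case in the demo and in the rejected-SYN case: a SYN to a port the legacy filter refuses leaves no state behind, so the follow-up ACK a scanner might send is dropped and logged too. Only the SYN itself ever reaches the logging filters, which is the post's point that the one TCP scan left standing is the one that announces itself.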