In some mail from Brian Mitchell, sie said:
>
> On Thu, 16 May 1996, Henri Karrenbeld wrote:
>
> > I am afraid I do not read other security lists besides this one (I glance at
> > Linux-alert and Linux-security occasionally when linux.dev.* mentions something)
> > And of course stuff like cert-advisory, but in none of these have I seen
> > what actually can be done with SYN packets... Could someone explain this?
>
> Services can be probed for. Let's take 2 short examples:

[...]

> The bad guy now knows there is something on the port, but because the
> three-way handshake has not been completed it is not logged; the bad guy
> can then send a RST tearing down the connection, since he has the
> information he is after.
>
> I think some time ago a detailed post was made to this list describing
> the various ways a stealth scanner could be implemented, although I'm not
> 100% sure.

There was, from myself and Chris Klaus. A point to remember was that, done
right, you could use other packets and not just SYN.

Because of this, I wrote a tool which captured all TCP traffic via BPF,
noting which ports were being accessed, and analysed the results in a very
weak way to determine if any sort of attack was being launched.

darren
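The thread describes why a half-open probe never reaches the application log (the handshake is abandoned after the SYN/ACK) and mentions a BPF-based capture tool that looked at which ports were being touched. As an added example, not code from the thread or from Darren's or Chris Klaus's tools, the block below replays a constructed TCP capture through a small per-attempt state machine and reports sources that (a) answer a SYN/ACK with RST instead of completing the handshake, (b) send FIN, NULL or Xmas probes with no connection behind them, or (c) hit many ports that only answer RST/ACK. The record layout, the sample addresses and the helper names (`classify_packets`, `report_scanners`) are assumptions of this example; a real tool would fill the same records from a BPF filter such as `tcp`.

```python
"""Detecting half-open and other 'stealth' TCP probes from captured flags.

Added example; the packet records are constructed stand-ins for what a BPF
capture of TCP traffic would hand up, and all names below are assumptions.
"""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed capture: (src, dst, sport, dport, flags) in arrival order.
# 10.0.0.9 is the scanner, 192.0.2.5 the target, 198.51.100.7 a legitimate
# client. On the target, 22 and 80 answer SYN with SYN/ACK; 23 and 25 are
# closed and answer with RST/ACK.
SAMPLE = [
    # half-open probe of an open port: SYN, SYN/ACK, then RST from the
    # scanner instead of the ACK that would complete the handshake
    ("10.0.0.9", "192.0.2.5", 40001, 22, SYN),
    ("192.0.2.5", "10.0.0.9", 22, 40001, SYN | ACK),
    ("10.0.0.9", "192.0.2.5", 40001, 22, RST),
    # probes of closed ports: the target answers with RST/ACK
    ("10.0.0.9", "192.0.2.5", 40002, 23, SYN),
    ("192.0.2.5", "10.0.0.9", 23, 40002, RST | ACK),
    ("10.0.0.9", "192.0.2.5", 40003, 25, SYN),
    ("192.0.2.5", "10.0.0.9", 25, 40003, RST | ACK),
    # FIN probe with no connection behind it (an open port drops it silently)
    ("10.0.0.9", "192.0.2.5", 40004, 80, FIN),
    # a legitimate client completing the three-way handshake on port 80
    ("198.51.100.7", "192.0.2.5", 51000, 80, SYN),
    ("192.0.2.5", "198.51.100.7", 80, 51000, SYN | ACK),
    ("198.51.100.7", "192.0.2.5", 51000, 80, ACK),
]

STEALTH_FLAGS = (0, FIN, FIN | PSH | URG)   # NULL, FIN and Xmas probes
FINAL = {"established", "half_open", "closed", "stealth"}


def classify_packets(packets):
    """Replay the capture through a per-attempt state machine.

    Returns a dict keyed by (client, server, server_port) whose value is the
    verdict for that connection attempt: 'established', 'half_open' (SYN/ACK
    answered with RST), 'closed' (SYN answered with RST/ACK), 'stealth'
    (FIN/NULL/Xmas with no handshake behind it) or 'pending' (unanswered).
    """
    state = {}
    for src, dst, sport, dport, flags in packets:
        if flags == SYN:                         # client opens an attempt
            state[(src, dst, dport)] = "syn_sent"
        elif flags == SYN | ACK:                 # server reply: key by server
            key = (dst, src, sport)
            if state.get(key) == "syn_sent":
                state[key] = "syn_ack"
        elif flags == RST | ACK:                 # server refuses a closed port
            key = (dst, src, sport)
            if state.get(key) == "syn_sent":
                state[key] = "closed"
        elif flags & RST:                        # client tears down after SYN/ACK
            key = (src, dst, dport)
            if state.get(key) == "syn_ack":
                state[key] = "half_open"
        elif flags == ACK:                       # client completes the handshake
            key = (src, dst, dport)
            if state.get(key) == "syn_ack":
                state[key] = "established"
        elif flags in STEALTH_FLAGS:             # probe with no prior state
            key = (src, dst, dport)
            if key not in state:
                state[key] = "stealth"
    return {k: (v if v in FINAL else "pending") for k, v in state.items()}


def report_scanners(verdicts, min_ports=3):
    """Group verdicts by client and flag likely scanners.

    A client is reported if it produced any half-open or stealth probe, or
    touched at least min_ports distinct ports without ever completing a
    handshake on them (closed-port hits alone are noisy: a misconfigured
    client gets the same RST/ACK).
    """
    per_client = defaultdict(lambda: defaultdict(set))
    for (client, server, port), verdict in verdicts.items():
        per_client[client][verdict].add((server, port))
    flagged = {}
    for client, by_verdict in per_client.items():
        probed = by_verdict["half_open"] | by_verdict["closed"] | by_verdict["stealth"]
        if by_verdict["half_open"] or by_verdict["stealth"] or len(probed) >= min_ports:
            flagged[client] = {
                "open": sorted(p for _, p in by_verdict["half_open"]),
                "closed": sorted(p for _, p in by_verdict["closed"]),
                "stealth": sorted(p for _, p in by_verdict["stealth"]),
            }
    return flagged


if __name__ == "__main__":
    for client, ports in report_scanners(classify_packets(SAMPLE)).items():
        print(client, ports)
```

The point the thread makes is visible in the verdicts: the scanner learns that port 22 is open from the SYN/ACK alone, and the RST it sends next is exactly what keeps the attempt out of any accept()-level log, so the detection has to sit on the wire (or in the kernel), not in the daemon. The FIN probe to port 80 produces no reply at all from an open port, which is why a capture-based tool must also watch for segments that arrive with no state behind them, not just SYNs.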