Re: TCP SYN probe detection tool available

Darren Reed (avalon@coombs.anu.edu.au)
Mon, 27 May 1996 15:14:30 +1000

In some mail from Brian Mitchell, sie said:
>
> On Thu, 16 May 1996, Henri Karrenbeld wrote:
>
> > I am afraid I do not read other security lists besides this one (I glance at
> > Linux-alert and Linux-security occasionally when linux.dev.* mentions something)
> > And of course stuff like cert-advisory, but in none of these have I seen
> > what actually can be done with SYN packets... Could someone explain this?
>
> Services can be probed for. Let's take 2 short examples:
[...]
> The bad guy now knows there is something on the port, but because the
> three way handshake has not been completed it is not logged, the bad guy
> can then send a rst tearing down the connection, since he has the
> information he is after.
>
> I think some time ago a detailed post was made to this list describing
> the various ways a stealth scanner could be implemented, although i'm not
> 100% sure.

There was, from myself and Chris Klaus.

A point to remember was that done right, you could use other packets and
not just SYN.

Because of this, I wrote a tool which captured all TCP traffic via BPF,
about what ports were trying to be accessed and analysed the results in
a very weak way to determine if any sort of attack was being launched.

darren
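The detection idea in this message (capture all TCP traffic, notice handshakes that never complete or segments that arrive with no handshake at all, and count how many ports one remote host touches) as an added example in Python. This is not Darren Reed's tool and says nothing about its format or rules: the Segment record, the classify() heuristics, the sweep threshold and every address in the sample capture are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


# Hypothetical record of one observed TCP segment: the fields a BPF capture
# hands you after decoding the IP and TCP headers. Added example, not the
# format of the tool described in the post.
@dataclass(frozen=True)
class Segment:
    ts: float      # capture time, seconds
    src: str       # source IP
    dst: str       # destination IP
    sport: int
    dport: int
    flags: str     # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST), "P", "U"


def classify(segments, local_host, sweep_threshold=3):
    """Return a list of (kind, remote_ip, detail) findings for traffic aimed
    at local_host. Only the remote side's segments are examined; handshake
    state is tracked per (remote IP, local port)."""
    half_open = set()    # SYN seen from remote, no ACK from remote yet
    completed = set()    # remote sent the final ACK of the three-way handshake
    findings = []

    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.dst != local_host:
            continue                      # ignore the monitored host's own replies
        key = (seg.src, seg.dport)
        f = set(seg.flags)
        if f == {"S"}:
            half_open.add(key)            # first step of a handshake, or a probe
        elif "A" in f and "R" not in f and key in half_open:
            half_open.discard(key)        # handshake completed: this is the
            completed.add(key)            # point at which accept() and logging happen
        elif "R" in f and key in half_open:
            # SYN answered, then RST before the handshake completed: the
            # half-open pattern described in the quoted post.
            half_open.discard(key)
            findings.append(("half-open", seg.src, seg.dport))
        elif "S" not in f and "A" not in f and key not in half_open and key not in completed:
            # FIN / NULL / FIN+PSH+URG style segment with no handshake at all:
            # the "other packets, not just SYN" case.
            findings.append(("no-handshake", seg.src, seg.dport))

    # SYNs still unanswered at the end of the capture. Caveat: a legitimate
    # connection still in progress when the capture ends looks the same.
    for src, dport in sorted(half_open):
        findings.append(("syn-no-ack", src, dport))

    # Crude sweep heuristic: one remote touching many distinct local ports.
    ports_by_src = defaultdict(set)
    for seg in segments:
        if seg.dst == local_host:
            ports_by_src[seg.src].add(seg.dport)
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= sweep_threshold:
            findings.append(("port-sweep", src, len(ports)))
    return findings


LOCAL = "192.0.2.10"   # constructed: the monitored host

# Constructed sample capture: one real SMTP connection from 10.0.0.5, and
# three probes from 203.0.113.7 (half-open SYN/RST on 22, lone FIN on 23,
# unanswered SYN on 80).
SAMPLE = [
    Segment(1.0, "10.0.0.5", LOCAL, 40001, 25, "S"),
    Segment(1.1, LOCAL, "10.0.0.5", 25, 40001, "SA"),
    Segment(1.2, "10.0.0.5", LOCAL, 40001, 25, "A"),
    Segment(2.0, "203.0.113.7", LOCAL, 51000, 22, "S"),
    Segment(2.1, LOCAL, "203.0.113.7", 22, 51000, "SA"),
    Segment(2.2, "203.0.113.7", LOCAL, 51000, 22, "R"),
    Segment(3.0, "203.0.113.7", LOCAL, 51001, 23, "F"),
    Segment(4.0, "203.0.113.7", LOCAL, 51002, 80, "S"),
]


def demo():
    return classify(SAMPLE, LOCAL)


if __name__ == "__main__":
    for kind, src, detail in demo():
        print(f"{kind:13} {src:15} {detail}")
```

The completed connection from 10.0.0.5 produces no finding, which is the point of the quoted post: application-level logging only sees connections that reach the final ACK, so anything that stops short of it has to be caught at the packet level. The "syn-no-ack" rule is the weakest of the four and is only meaningful once the capture is long enough that a real client would have answered.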