Member "portsentry-2.0b1/README.stealth" (8 Apr 2002, 6765 Bytes) of package /linux/privat/old/portsentry-2.0b1.tar.gz:


$Id: README.stealth,v 1.11 2002/04/08 16:49:14 crowland Exp crowland $

Stealth Scans
=-=-=-=-=-=-=

Right now PortSentry will detect the following:

- Strobe-style scans (full connect() scans)
- SYN/Half open scans.
- FIN scans.
- NULL scans.
- XMAS scans.
- UDP scans (not really stealth scans per se)
- Any odd-ball packet with flags not matching the above.

You can test out this functionality by grabbing "nmap", which is a popular
scanner. You can get it from:

http://www.insecure.org


A few notes on the implementation:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Stealth scan detection mode [BETA]
----------------------------------

This mode will monitor ports just like the original version of PortSentry. The
primary difference is that it does not bind to anything. An attacker
still has to hit a tripwired port to activate the sensor though.
To prevent other issues, this scan mode will not react if the ACK flag of
the TCP packet is set. This prevents causing alarms on "established"
connections that happen to take one of your high ports temporarily.

** Advanced Logic Mode ** - PortSentry is intelligent about how it monitors
ports. For some protocols such as FTP the client actually opens up ports
in the ephemeral range (1024-65535) and the server then connects *back* to
you. This would normally cause the port scan detector to activate. PortSentry though
will look at the incoming connection and determine if it is destined for
one of these "temporary" bindings. If it is, then the connection is
ignored for that one time. As soon as the connection is torn down the
window closes and full protection is back again. This is in fact a
rudimentary stateful inspection engine.

Trying it out:
--------------

1) Fire up PortSentry.

2) Take a program such as netcat and bind to a protected port on the
host (e.g. "nc -p 143 -l").

3) Go to a remote machine and telnet to that port; you will now connect to
netcat and can see the text you type on your host.

4) Now disconnect and shut down netcat.

5) Reconnect to the same protected port from the remote host and
PortSentry will now block you normally.

This logic is built into all of the stealth modes (UDP and TCP).
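
The detection rules described above (the scan-type list, the "ignore if ACK is set" rule and the Advanced Logic binding window) together with the five-step netcat walkthrough, modelled in Python as an added example; this is not PortSentry's own code. The XMAS flag combination (FIN/PSH/URG) and the host 192.0.2.10 are assumptions made for the illustration.

```python
# Added illustration, not PortSentry's code: classify TCP flag bytes into the
# scan types the README lists and model the Advanced Logic binding window.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP header bits
XMAS = FIN | PSH | URG  # assumed definition: nmap's Xmas flag combination

def classify_tcp(flags):
    """Map a TCP flag byte to a scan type, or None if it must be ignored."""
    if flags & ACK:
        return None  # ACK set: an "established" connection, never an alarm
    if flags == 0:
        return "NULL scan"
    if flags & XMAS == XMAS:
        return "XMAS scan"
    if flags == SYN:  # a full connect() scan also opens with a bare SYN
        return "SYN/Half open scan"
    if flags == FIN:
        return "FIN scan"
    return "odd-ball flags"

class StealthSensor:
    """Tripwire on watched ports plus the temporary-binding window."""
    def __init__(self, watched_ports):
        self.watched = set(watched_ports)
        self.bound = set()    # ports a local process currently has open
        self.blocked = set()  # source hosts that tripped a watched port

    def local_bind(self, port):
        self.bound.add(port)  # e.g. an FTP data port, or "nc -p 143 -l"

    def local_close(self, port):
        self.bound.discard(port)  # window closes, full protection is back

    def inspect(self, src_ip, dst_port, flags):
        """Return 'blocked', 'ignored', or None when the port is not watched."""
        if dst_port not in self.watched:
            return None
        if classify_tcp(flags) is None or dst_port in self.bound:
            return "ignored"
        self.blocked.add(src_ip)
        return "blocked"

def netcat_walkthrough():
    """Steps 2-5 of 'Trying it out' (192.0.2.10 is a constructed sample host)."""
    sensor = StealthSensor(watched_ports=[143])
    sensor.local_bind(143)                           # nc -p 143 -l on the host
    first = sensor.inspect("192.0.2.10", 143, SYN)   # remote telnet: ignored
    sensor.local_close(143)                          # shut down netcat
    second = sensor.inspect("192.0.2.10", 143, SYN)  # reconnect: blocked
    return first, second
```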


UDP "stealth" scan detection
----------------------------

The UDP flags are not really "stealth" scan detection in the traditional
sense, but act like the other TCP stealth scan options. The same warnings apply.

We don't suggest using large ranges for UDP stealth scan detection unless you
know what you are doing. It works well if you know enough to
exclude broadcast traffic (you may want to run it in non-blocking mode
to see what alarms are generated and then set this up). The ports that
generally cause this are route (520), NetBIOS (137/138), and DHCP/BOOTP
(67/68).

General WARNINGS and CAUTIONS
-----------------------------

As stated in several places, it is possible that an attacker can forge
packets to appear from any host and can use this to trick PortSentry into
activating against the forged host IP. This can cause a variety of
problems in theory such as blocking gateways or name servers.

Sometimes though theory and reality just don't mix. The reality is
that not many people are using this tactic. In fact recent
versions of nmap even put in a "decoy" feature which we can only assume was
prompted by the release of PortSentry. This feature uses a list of forged
hosts to try to conceal the real culprit. The theory is that the
attacker is hidden in a list of chaff and the port scan detector is
blocking everyone, thereby making it ineffective.

Well, arguments can be made all day on the pluses and minuses of
auto-blocking hosts. When the theory is examined against reality, our own
(informal) observations show that your
chances of someone doing this to you are small. In fact we think that
it is small enough that if you are considering running the stealth
scan detection on a small *not-well-known* host the benefits outweigh
the risk. Why is this? Well:

1) The person port scanning you doesn't want to be found; that is why they
are "stealth" scanning you to begin with. It is kind of silly to spray
false packets at a host during the scan as this only increases the
chances of being spotted and gets your host blocked anyway no matter
what.

2) Spraying X number of additional packets slows your scan down by a
similar amount. Most attackers are going for quantity, not quality. They
want a scan to finish ASAP and with the least amount of noise.

3) Many networks now deploy anti-spoof filters which will prevent "decoy"
packets from exiting the border routers due to a bogus source address not
on the network. This means an attacker going through an ISP or similarly
clueful network will cause many router log messages to be generated and
will certainly grab the attention of any aware admin on the originating
network. This also means the decoy packets won't make it to your host and
the real scanning host is revealed.

4) Even if the intruder is smart and uses decoy addresses from the local
subnet to allow them to exit the network, it still raises a red flag, and
a network administrator will know where to start. Despite what people
think, it's not *that* hard to find out which of 10 (or whatever) possible
hosts are compromised and doing a port scan.

Does this mean you are risk free?? No. But we have not received a
single complaint so far about people using forged scan tactics on
a widespread basis (in fact we haven't received a *single* complaint
of this tactic being used at all). So for the time being (as of
this writing) you are probably OK if you look at all the facts.

So where do we stand on the issue??

We don't turn on auto-blocking for our higher-profile systems because we don't
like having people play games with us. For internal hosts though we will use the
stealth mode blocking because we want to know immediately of a probe, forged or
not.

Now the conservative side would like to add a few things. We would like to
say that the initial version of this tool only did full connect TCP scan
detection. This was done deliberately to prevent such attacks from
possibly occurring.

...and the band played on...

Over time we had many people write about UDP support and stealth scan
support so we put them in because we thought they would be useful.
What this means is that our physical-world philosophy matches our
virtual-world philosophy. Basically, we accept the fact that people
are capable of making their own decisions when given adequate information.
Therefore, you are responsible for your own actions. We have given you
all the information you should need to decide in which mode to use the tool.
So don't complain if something bad happens because it is your choice.