Home page logo

bugtraq logo Bugtraq mailing list archives

Re: TCP SYN probe detection tool available
From: avalon () coombs anu edu au (Darren Reed)
Date: Mon, 27 May 1996 15:14:30 +1000

In some mail from Brian Mitchell, sie said:

On Thu, 16 May 1996, Henri Karrenbeld wrote:

I am afraid I do not read other security lists besides this one (I glance at
Linux-alert and Linux-security occasionally when linux.dev.* mentions something)And of course stuff like 
cert-advisory, but in none of these have I seen
what actually can be done with SYN packets... Could someone explain this?

Services can be probed for. Let's take 2 short examples:
The bad guy now knows there is something on the port, but because the
three way handshake has not been completed it is not logged, the bad guy
can then send a rst tearing down the connection, since he has the
information he is after.

I think some time ago a detailed post was made to this list describing
the various ways a stealth scanner could be implemented, although i'm not
100% sure.

There was, from myself and Chris Klaus.

A point to remember was that done right, you could use other packets and
not just SYN.

Because of this, I wrote a tool which captured all TCP traffic via BPF,
about what ports were trying to be accessed and analysed the results in
a very weak way to determine if any sort of attack was being launched.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]