mailing list archives
Re: TCP SYN probe detection tool available
From: brian () saturn net (Brian Mitchell)
Date: Thu, 16 May 1996 12:49:50 -0400
On Thu, 16 May 1996, Henri Karrenbeld wrote:
I am afraid I do not read other security lists besides this one (I glance at
Linux-alert and Linux-security occasionally when linux.dev.* mentions something)And of course stuff like
cert-advisory, but in none of these have I seen
what actually can be done with SYN packets... Could someone explain this?
Services can be probed for. Let's take 2 short examples:
Attacker sends a syn packet to port 23 (telnet)
There is no server on that port, so the server sends back a rst|syn
sequence (acknowledging the syn, and tearing down the connection).
In this case, nothing was listening, no logs will generally be generated.
Now, an attacker does the same thing, but to say port 25 (smtp)
There is a server on this port, the server sends back a ack|syn sequence
The bad guy now knows there is something on the port, but because the
three way handshake has not been completed it is not logged, the bad guy
can then send a rst tearing down the connection, since he has the
information he is after.
I think some time ago a detailed post was made to this list describing
the various ways a stealth scanner could be implemented, although i'm not
Brian Mitchell brian () saturn net
World Wide Web http://www.saturn.net/~brian
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
Re: TCP SYN probe detection tool available James W. Abendschan (May 16)
Re: TCP SYN probe detection tool available J.R.Valverde (May 27)