[Dshield] Tracking and Reporting Probes

Bill McCarty bmccarty at apu.edu
Thu Mar 28 00:55:51 GMT 2002


Hi Clint,

Running nmap-2.54BETA22-3 with options "-v -v -d -d -sF -O -p 80" against a 
LaBrea host yields the result "No OS matches for host (test conditions 
non-ideal)."

I conjecture this is due to all ports testing open. nmap generated the 
message "Warning:  OS detection will be MUCH less reliable because we did 
not find at least 1 open and 1 closed TCP port."

Cheers,

--On Wednesday, March 27, 2002 11:56 AM -0800 Clint Byrum <cbyrum at erp.com> 
wrote:

> On Wed, 2002-03-27 at 00:18, Bill McCarty wrote:
>> Oops! I just realized that I failed to make explicit an important
>> assumption underlying one of my comments.
>>
>> If someone uses nmap's TCP scan (-sT) against a LaBrea host, the scan
>> WILL be tarpitted. However, if another of nmap's scans is used
>> (specifically -sS, -sX, -sF, or -sN), the scan DOESN'T get tarpitted,
>> as no three-way handshake occurs. Since the latter types of scans are
>> considered more stealthy than a TCP scan, they're more likely to be
>> used. Thus, the very type of scan an attacker is likely to choose is
>> one that won't be tarpitted.
>>
>
> I should have been more specific in my explanation also. The TCP Stealth
> scan is much more common than others, and doesn't get stalled. However,
> it is kinda funny that no matter what port they scan, it will show as
> open with this type of scan. If nothing else, it's a nice way to confuse
> them.
>
> Also, eventually, this will waste a little of their time, as the kiddie
> who gets back 2000 hits on their, say, port 515 scan, spends a few
> minutes on each of your hosts as LaBrea just sits there keeping their
> tcp connection open for as long as they're willing to wait. Though, most
> of them probably have a little ADD and will quickly lose patience. ;-)
>
> I wonder though, since LaBrea uses a raw socket and makes its own
> packets, what nmap's OS detection shows. I know Nessus detects LaBrea
> ... I wonder if the kiddiez/blackhats have caught on to the same
> approach yet.
>
> Oh dear, I've started rambling...
>
> --
>
> ------------------------------
> Clint Byrum
> ERP.COM
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>



---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
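The behaviour the two messages above describe, as an added worked example (not code from LaBrea, nmap, or either poster): a LaBrea-style responder that answers every SYN with a tiny-window SYN/ACK and never sends RST, a conventional host for contrast, and nmap's state-inference rules for -sS, -sF/-sX/-sN and -sT. It shows why a SYN scan reads every port as open, why the half-open scans read every port as open|filtered and are never held, why a connect scan is the one that gets stuck on window-0 replies, and why OS detection loses its closed-port reference. The Tarpit, RealHost, Segment, scan, connect_scan and os_detection_feasible names are this example's own, and both the tarpit and the nmap rules are simplified models of the documented behaviour, not the real implementations.

```python
"""Model of nmap scan types against a LaBrea-style tarpit.

Added example, not code from LaBrea, nmap or the list posters. The
responders and the nmap state-inference rules are simplified models of
documented behaviour; every name here is this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    port: int
    flags: frozenset      # TCP flags: {"SYN"}, {"FIN","PSH","URG"}, empty for NULL
    window: int = 0       # advertised receive window
    payload: int = 0      # bytes of data carried


class Tarpit:
    """LaBrea-style responder (model). It runs no service but answers every
    SYN on every port with a tiny-window SYN/ACK, so the port looks open. In
    persist mode it then answers the peer's data with window-0 ACKs, so the
    peer can never send and waits until it gives up. It never sends a RST,
    which is why nothing ever looks closed."""

    def __init__(self, persist: bool = True):
        self.persist = persist
        self.established = set()

    def respond(self, seg: Segment) -> Optional[Segment]:
        f = seg.flags
        if f == {"SYN"}:
            return Segment(seg.port, frozenset({"SYN", "ACK"}), window=10)
        if "ACK" in f:
            if seg.port not in self.established:
                self.established.add(seg.port)      # third handshake packet
                return None
            if seg.payload and self.persist:
                return Segment(seg.port, frozenset({"ACK"}), window=0)
            return None
        return None   # FIN / Xmas / NULL probe: no handshake, no state, no reply


class RealHost:
    """Conventional TCP stack (model): listens on a few ports, RSTs the rest."""

    def __init__(self, open_ports: Iterable[int]):
        self.open_ports = set(open_ports)

    def respond(self, seg: Segment) -> Optional[Segment]:
        if seg.port not in self.open_ports:
            return Segment(seg.port, frozenset({"RST", "ACK"}))
        if seg.flags == {"SYN"}:
            return Segment(seg.port, frozenset({"SYN", "ACK"}), window=65535)
        return None   # FIN/Xmas/NULL to a listening port is silently dropped


PROBES = {"sS": frozenset({"SYN"}), "sF": frozenset({"FIN"}),
          "sX": frozenset({"FIN", "PSH", "URG"}), "sN": frozenset()}


def infer_state(scan_type: str, reply: Optional[Segment]) -> str:
    """nmap's rules: for -sS, SYN/ACK is open, RST is closed, silence is
    filtered; for -sF/-sX/-sN, RST is closed and silence is open|filtered,
    because an open port and a packet filter both stay quiet."""
    if reply is not None and "RST" in reply.flags:
        return "closed"
    if scan_type == "sS":
        return "open" if reply is not None and {"SYN", "ACK"} <= reply.flags else "filtered"
    return "open|filtered"


def scan(target, ports: Iterable[int], scan_type: str) -> Dict[int, str]:
    return {p: infer_state(scan_type, target.respond(Segment(p, PROBES[scan_type])))
            for p in ports}


def connect_scan(target, port: int, patience: int = 5) -> Tuple[str, int]:
    """-sT: full handshake, then the client tries to send. Returns the port
    state and how many window-0 replies the client sat through (each one is
    another persist-timer wait) before its patience ran out."""
    synack = target.respond(Segment(port, frozenset({"SYN"})))
    if synack is None or "RST" in synack.flags:
        return ("closed" if synack else "filtered"), 0
    target.respond(Segment(port, frozenset({"ACK"})))          # handshake completes
    stalled = 0
    for _ in range(patience):
        r = target.respond(Segment(port, frozenset({"ACK", "PSH"}), payload=1))
        if r is None or r.window != 0:
            break
        stalled += 1
    return "open", stalled


def os_detection_feasible(results: Dict[int, str]) -> bool:
    """nmap -O wants at least one open and one closed TCP port as reference
    points; a tarpit never supplies the closed one."""
    states = set(results.values())
    return "open" in states and "closed" in states


if __name__ == "__main__":
    ports = [22, 80, 515, 6000]
    for name, host in (("labrea", Tarpit()), ("real", RealHost({80}))):
        for t in ("sS", "sF", "sX"):
            print(name, t, scan(host, ports, t))
        print(name, "sT 515 ->", connect_scan(host, 515))
        print(name, "OS detection feasible:",
              os_detection_feasible(scan(host, ports, "sS")))
```

Running it shows the tarpit reporting every port as open under -sS, every port as open|filtered under -sF/-sX, and only -sT being held (five window-0 replies with the default patience), while the conventional host yields the open-plus-closed mix that OS fingerprinting needs. The window-0 persist behaviour is a property of the established connection, so a scanner that never completes the handshake never sees it.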



