[Dshield] Tracking and Reporting Probes
bmccarty at apu.edu
Thu Mar 28 00:55:51 GMT 2002
Running nmap-2.54BETA22-3 with options "-v -v -d -d -sF -O -p 80" against a
LaBrea host yields the result "No OS matches for host (test conditions
I conjecture this is due to all ports testing open. nmap generated the
message "Warning: OS detection will be MUCH less reliable because we did
not find at least 1 open and 1 closed TCP port."
--On Wednesday, March 27, 2002 11:56 AM -0800 Clint Byrum <cbyrum at erp.com>
> On Wed, 2002-03-27 at 00:18, Bill McCarty wrote:
>> Oops! I just realized that I failed to make explicit an important
>> assumption underlying one of my comments.
>> If someone uses nmap's TCP scan (-sT) against a LaBrea host, the scan
>> WILL be tarpitted. However, if another of nmap's scans is used
>> (specifically -sS, -sX, -sF, or -sN), the scan DOESN'T get tarpitted,
>> as no three-way handshake occurs. Since the latter types of scans are
>> considered more stealthy than a TCP scan, they're more likely to be
>> used. Thus, the very type of scan an attacker is likely to choose is
>> one that won't be tarpitted.
> I should have been more specific in my explanation also. The TCP Stealth
> scan is much more common than others, and doesn't get stalled. However,
> it is kinda funny that no matter what port they scan, it will show as
> open with this type of scan. If nothing else, it's a nice way to confuse
> Also, eventually, this will waste a little of their time, as the kiddie
> who gets back 2000 hits on their, say, port 515 scan, spends a few
> minutes on each of your hosts as LaBrea just sits there keeping their
> tcp connection open for as long as they're willing to wait. Though, most
> of them probably have a little ADD and will quickly lose patience. ;-)
> I wonder though, since LaBrea uses a raw socket and makes its own
> packets, what nmap's OS detection shows. I know Nessus detects LaBrea
> ... I wonder if the kiddiez/blackhats have caught on to the same
> approach yet.
> Oh dear, I've started rambling...
> Clint Byrum
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
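The behaviour discussed in this thread, as an added illustration that is not code from the original posts, LaBrea or nmap: a constructed model of a tarpit that answers every SYN and stalls whatever completes the handshake, run against the scan types the thread names. The tarpit reply rules (SYN/ACK with a small window, zero-window ACK afterwards, silence to FIN/NULL/Xmas probes) and the nmap-2.54-era state names are assumptions of the model.

```python
"""Constructed model (not LaBrea or nmap code) of why half-open scans show
every port open against a tarpit, why -sT stalls, and why OS detection fails."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Segment:
    port: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
    window: int = 0

def tarpit_reply(probe: Segment) -> Optional[Segment]:
    """Assumed tarpit rules: any SYN gets a SYN/ACK regardless of port; a
    follow-up ACK gets a zero-window ACK (the stall); probes that never open
    a handshake (FIN, NULL, Xmas) are simply ignored."""
    f = probe.flags
    if f == {"SYN"}:
        return Segment(probe.port, frozenset({"SYN", "ACK"}), window=10)
    if "ACK" in f and "RST" not in f:
        return Segment(probe.port, frozenset({"ACK"}), window=0)
    return None

def classify(probe_flags, reply) -> str:
    """Assumed nmap-2.54 interpretation: RST means closed, SYN/ACK means open,
    and silence to a FIN/NULL/Xmas probe is reported as open."""
    if reply is None:
        return "filtered" if "SYN" in probe_flags else "open"
    return "closed" if "RST" in reply.flags else "open"

def scan(kind: str, ports) -> dict:
    flags = {"sT": {"SYN"}, "sS": {"SYN"}, "sF": {"FIN"},
             "sN": set(), "sX": {"FIN", "PSH", "URG"}}[kind]
    states, stalled = {}, []
    for p in ports:
        reply = tarpit_reply(Segment(p, frozenset(flags)))
        states[p] = classify(flags, reply)
        if kind == "sT" and reply is not None and reply.flags == {"SYN", "ACK"}:
            # connect() completes the handshake; the next exchange is held at window 0
            follow = tarpit_reply(Segment(p, frozenset({"ACK"})))
            if follow is not None and follow.window == 0:
                stalled.append(p)
    return {"states": states, "stalled": stalled}

def os_detection_reliable(states) -> bool:
    """nmap needs at least one open and one closed TCP port to fingerprint."""
    return {"open", "closed"} <= set(states.values())

def looks_like_tarpit(states) -> bool:
    """Defender-side sanity check for a deployed tarpit: every probed port open."""
    return len(states) >= 2 and set(states.values()) == {"open"}
```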