[unisog] Determining local servers and banners
hhoffman at ip-solutions.net
Tue Apr 5 00:02:00 GMT 2005
We do indeed have ingress filtering on the border router; as far as I
know the number of spoof attempts isn't too high.
I suppose that my hope was that once realizing that "something" was
listening (at least a TCP something) that we would dramatically cut down
on the number of ports scanned.
If we get a banner returned, or nmap says there is something there but
it can't make out what, then, hopefully we've at least lessened the
system load by trying to get everything. Or worse yet missing some
significant bit hidden in all of the other traffic.
The thing that I could really see wasting time would be something like
portsentry, which I believe answers every request and logs it as a
portscan after N ports are hit by the same IP.
Yes, that does make my brain hurt ;-)
Valdis.Kletnieks at vt.edu wrote:
> I'm presuming that you're doing sane ingress filtering at your border router,
> so spoofed packets from outside *stay* outside. :)
> To really make your brain hurt, consider this text from RFC793:
> Simultaneous initiation is only slightly more complex, as is shown in
> figure 8. Each TCP cycles from CLOSED to SYN-SENT to SYN-RECEIVED to
>
>       TCP A                                                TCP B
>
>   1.  CLOSED                                               CLOSED
>
>   2.  SYN-SENT     --> <SEQ=100><CTL=SYN>                  ...
>
>   3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>                  <-- SYN-SENT
>
>   4.      ...          <SEQ=100><CTL=SYN>                  --> SYN-RECEIVED
>
>   5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK>     ...
>
>   6.  ESTABLISHED  <-- <SEQ=300><ACK=101><CTL=SYN,ACK>     <-- SYN-RECEIVED
>
>   7.               ... <SEQ=101><ACK=301><CTL=ACK>         --> ESTABLISHED
>
>                Simultaneous Connection Synchronization
>
>                               Figure 8.
> (http://www.ietf.org/rfcs/rfc793.txt - down on page 32). Yes, this is
> totally legal....
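The inventory approach the post describes (connect, see whether anything answers, keep a banner if the service volunteers one) as a small added example for auditing your own hosts; this is illustrative code written for this page, not anything from the unisog thread or from nmap or portsentry. The listeners it talks to are constructed in-process on 127.0.0.1 so the example runs offline; the `serve_banner`, `probe` and `inventory` names and the "220 example.test" banner text are assumptions of the example.

```python
import socket
import threading
import time


def serve_banner(banner: bytes, host: str = "127.0.0.1"):
    """Start a throwaway listener on an ephemeral port that sends `banner`
    (possibly empty, to model a silent service) to every client.
    Constructed for this example; returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)          # so the accept loop can notice stop_event
    port = srv.getsockname()[1]
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if banner:
                    conn.sendall(banner)
                time.sleep(0.05)  # brief hold, then close the client side
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port, stop


def free_port(host: str = "127.0.0.1") -> int:
    """Reserve and release an ephemeral port so the example has a port that
    is (almost certainly) closed at probe time."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """Classify one port the way the post wants: 'closed' if nothing accepts,
    'open' if something accepts but stays quiet, 'banner' (with the bytes)
    if the service announces itself without being spoken to."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ("open", None)      # accepted, said nothing in time
            if not data:
                return ("open", None)      # accepted, then closed silently
            return ("banner", data.strip())
    except OSError:                        # refused, unreachable, timed out
        return ("closed", None)


def inventory(host: str, ports):
    """Probe each port once and return {port: (state, banner_or_None)}."""
    return {p: probe(host, p) for p in ports}


if __name__ == "__main__":
    chatty, _ = serve_banner(b"220 example.test ESMTP constructed-banner\r\n")
    quiet, _ = serve_banner(b"")
    for port, (state, banner) in inventory("127.0.0.1", [chatty, quiet, free_port()]).items():
        print(f"{port:5d}  {state:7s}  {banner!r}")
```

The classification is the whole point: an "open" with no banner still tells you a process owns that port and deserves a closer look, while "closed" ports can be dropped from the follow-up list. It also shows why the portsentry case in the post is a problem for this approach: a host that accepts on every port reports every port as "open", so the inventory stops narrowing anything and the genuine services are buried in decoy answers.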