[unisog] Determining local servers and banners

Harry Hoffman hhoffman at ip-solutions.net
Tue Apr 5 00:02:00 GMT 2005


We do indeed have ingress filtering on the border router; as far as I 
know, the number of spoof attempts isn't too high.

I suppose that my hope was that once realizing that "something" was 
listening (at least a TCP something) that we would dramatically cut down 
on the number of ports scanned.
If we get a banner returned, or nmap says there is something there but 
it can't make out what, then hopefully we've at least lessened the 
system load by trying to get everything. Or, worse yet, missing some 
significant bit hidden in all of the other traffic.

The thing that I could really see wasting time would be something like 
portsentry, which I believe answers every request and logs it as a 
portscan after N ports are hit by the same IP.

Yes, that does make my brain hurt ;-)

Thanks,
Harry

Valdis.Kletnieks at vt.edu wrote:
...
> 
> I'm presuming that you're doing sane ingress filtering at your border router,
> so spoofed packets from outside *stay* outside. :)
> 
...
> 
> To really make your brain hurt, consider this text from RFC793:
> 
>   Simultaneous initiation is only slightly more complex, as is shown in
>   figure 8.  Each TCP cycles from CLOSED to SYN-SENT to SYN-RECEIVED to
>   ESTABLISHED. 
>   
>   
>   
>       TCP A                                            TCP B
>   
>   1.  CLOSED                                           CLOSED
>   
>   2.  SYN-SENT     --> <SEQ=100><CTL=SYN>              ...
> 
>   3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>              <-- SYN-SENT
> 
>   4.               ... <SEQ=100><CTL=SYN>              --> SYN-RECEIVED
> 
>   5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ... 
> 
>   6.  ESTABLISHED  <-- <SEQ=300><ACK=101><CTL=SYN,ACK> <-- SYN-RECEIVED
> 
>   7.               ... <SEQ=101><ACK=301><CTL=ACK>     --> ESTABLISHED
> 
>                 Simultaneous Connection Synchronization 
> 
>                                Figure 8.
> 
> (http://www.ietf.org/rfcs/rfc793.txt - down on page 32).  Yes, this is
> totally legal....
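The Figure 8 exchange quoted above, replayed in a small model of the RFC 793 connection-setup states. This is an added example, not part of the thread, and it only simulates the state machine in memory (nothing touches a network); the class and function names (Tcp, deliver, simultaneous_open, three_way_handshake) are my own. Both endpoints open actively, each sees a bare SYN where it would normally see a SYN,ACK, and both still reach ESTABLISHED; three_way_handshake() runs the ordinary passive-listener case for comparison.

```python
from dataclasses import dataclass, field

@dataclass
class Tcp:
    iss: int                      # initial send sequence number (ISS)
    state: str = "CLOSED"
    snd_nxt: int = 0              # next sequence number we will send
    rcv_nxt: int = 0              # next sequence number we expect to receive
    out: list = field(default_factory=list)   # segments "in transit" to the peer
    def send(self, seq, ack, *flags):         # a segment is (SEQ, ACK, CTL flags)
        self.out.append((seq, ack, set(flags)))
    def listen(self):                         # passive OPEN
        self.state = "LISTEN"
    def open(self):                           # active OPEN: <SEQ=ISS><CTL=SYN>
        self.snd_nxt = self.iss + 1
        self.state = "SYN-SENT"
        self.send(self.iss, None, "SYN")
    def receive(self, seg):
        seq, ack, flags = seg
        ack_ok = "ACK" in flags and ack == self.snd_nxt   # does it acknowledge our SYN?
        if self.state == "LISTEN" and "SYN" in flags:
            self.rcv_nxt, self.snd_nxt, self.state = seq + 1, self.iss + 1, "SYN-RECEIVED"
            self.send(self.iss, self.rcv_nxt, "SYN", "ACK")
        elif self.state == "SYN-SENT" and "SYN" in flags:
            self.rcv_nxt = seq + 1
            if ack_ok:                            # peer answered our SYN: normal handshake
                self.state = "ESTABLISHED"
                self.send(self.snd_nxt, self.rcv_nxt, "ACK")
            else:                                 # bare SYN crossed ours: figure 8, step 3
                self.state = "SYN-RECEIVED"
                self.send(self.iss, self.rcv_nxt, "SYN", "ACK")
        elif self.state == "SYN-RECEIVED" and ack_ok:
            self.state = "ESTABLISHED"            # figure 8, steps 6 and 7

def deliver(src, dst):
    # Hand the oldest in-transit segment from src to dst and report dst's new state.
    dst.receive(src.out.pop(0))
    return dst.state

def simultaneous_open():
    a, b = Tcp(iss=100), Tcp(iss=300)
    a.open(); b.open()                            # steps 2-3: both SYNs are in flight
    return [deliver(b, a), deliver(a, b),         # steps 3-4: each side sees a bare SYN
            deliver(b, a), deliver(a, b)]         # steps 6-7: the crossed SYN,ACKs arrive

def three_way_handshake():
    a, b = Tcp(iss=100), Tcp(iss=300)
    b.listen(); a.open()                          # B is a normal passive listener
    return [deliver(a, b), deliver(b, a), deliver(a, b)]
```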

