Stealth port scanning
Stealth scanning involves searching for open ports,
but without actually creating a connection.
Half-open (SYN) scanning performs only the first part of the TCP three-way handshake.
It sends a segment with the SYN flag set and awaits the reply -
a reply with SYN/ACK set reports an open port,
a reply with the RST flag set reports a closed port.
On an open port the scanner then answers with RST instead of the final ACK,
so a connection is never actually established.
Half-open scanning is favoured by potential attackers
because (by default) nothing is logged: the connection is never handed to
the listening application, and application-level logging only sees accepted connections.
Stealth scanning determines a port's status by sending different
combinations of TCP flags (not just SYN).
For example,
according to RFC 793 a conforming TCP/IP stack should:
- send back a RST packet
when it receives a FIN packet for a closed port,
and nothing at all if the port is open (the TCP FIN Scan),
- send back a RST packet
when it receives a FIN/URG/PUSH packet for a closed port
(TCP Xmas Scan), and
- send back a RST packet for all closed TCP ports when
it receives a packet without any TCP flags set
(TCP Null Scan).
In each case silence is taken to mean "open", so these scans cannot tell
an open port from one whose packets a firewall silently drops.
Not every stack follows RFC 793 here: Microsoft Windows, for instance,
replies with RST regardless of port state, so FIN, Xmas and Null scans
report every port on such a host as closed.
Implementing a stealth scan detector requires kernel-level programming
(or a raw packet-capture facility such as libpcap): a probe that never
completes a connection is never delivered to an application socket,
so it can only be seen at the packet level.
We need to detect obvious signatures such as:
- several packets from the same source address to different destination
ports within a short period of time,
- connection attempts that are not completed
within a certain timeout (a SYN with no following ACK, or a SYN followed by RST), or
- a SYN to a non-listening port.
Even with IP spoofing, naive attacks may themselves leak information:
the TTL field of a spoofed packet is still set by the attacker's own stack
and decremented by every router on the real path, so it indicates the
distance to the attacker rather than to the address being spoofed.
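As an added example (not part of the lecture slides), the following Python detector applies the signatures listed above to a small constructed packet trace: it classifies FIN, Xmas and Null probes by their flag combination, flags SYNs to non-listening ports, spots a port sweep (many distinct destination ports from one source inside a short window), and reports half-open connections, whether aborted with RST or simply never completed before a timeout. It also estimates hop distance from the TTL, assuming the sender started from one of the common initial TTLs (64, 128, 255), which is an assumption, not a rule. The `Packet` records, the listening-port set and the addresses are constructed; a real detector would read packets from a raw socket or libpcap.

```python
"""Toy stealth-scan detector over a constructed inbound packet trace (added example)."""
from collections import defaultdict
from typing import NamedTuple, Optional

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class Packet(NamedTuple):
    ts: float     # capture time in seconds
    src: str      # source IP address
    sport: int    # source port
    dport: int    # destination port on the monitored host
    flags: int    # TCP flags byte
    ttl: int      # IP TTL as received


def probe_type(flags: int) -> Optional[str]:
    """Name the scan a packet's flag combination corresponds to, if any."""
    if flags == 0:
        return "null"     # no flags at all (TCP Null scan)
    if flags == FIN | PSH | URG:
        return "xmas"     # FIN+PSH+URG lit up together (TCP Xmas scan)
    if flags == FIN:
        return "fin"      # bare FIN (TCP FIN scan)
    if flags == SYN:
        return "syn"      # plain SYN: a half-open probe or a real handshake
    return None


def estimated_hops(ttl: int) -> int:
    """Hop-count estimate: assume the nearest common initial TTL above the observed value."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL above 255")


def detect(packets, listening, window=2.0, port_threshold=5, timeout=3.0):
    """Return (signature, src, detail) alerts for a trace of packets sent to this host."""
    alerts = []
    swept = defaultdict(list)   # src -> [(ts, dport)] for sweep detection
    pending = {}                # (src, sport, dport) -> ts of SYN awaiting its ACK
    flagged = set()             # sources already reported as sweeping
    for p in sorted(packets):   # NamedTuple orders by ts first
        kind = probe_type(p.flags)
        key = (p.src, p.sport, p.dport)
        if kind in ("fin", "xmas", "null"):
            # A new flow never legitimately opens with these flags.
            alerts.append((f"{kind}-probe", p.src, f"port {p.dport}"))
        elif kind == "syn":
            if p.dport not in listening:
                alerts.append(("syn-to-closed-port", p.src, f"port {p.dport}"))
            else:
                pending[key] = p.ts      # open port: wait for the handshake to finish
            hist = swept[p.src]
            hist.append((p.ts, p.dport))
            recent = {port for ts, port in hist if p.ts - ts <= window}
            if len(recent) >= port_threshold and p.src not in flagged:
                flagged.add(p.src)
                alerts.append(("port-sweep", p.src, f"{len(recent)} ports in {window}s"))
        elif p.flags & RST and key in pending:
            # SYN answered by our SYN/ACK, then torn down: classic half-open scan.
            del pending[key]
            alerts.append(("half-open", p.src, f"port {p.dport} aborted with RST"))
        elif p.flags & ACK and key in pending:
            del pending[key]             # third leg of the handshake: legitimate client
    end = max(p.ts for p in packets)
    for (src, sport, dport), ts in pending.items():
        if end - ts >= timeout:          # SYN never followed up within the timeout
            alerts.append(("half-open", src, f"port {dport} never completed"))
    return alerts


# Constructed trace: the monitored host listens on 22 and 80 only.
LISTENING = {22, 80}
TRACE = [
    # 203.0.113.7 SYN-scans six ports within a second, then RSTs the two that were open.
    Packet(10.0, "203.0.113.7", 40001, 21, SYN, 54),
    Packet(10.1, "203.0.113.7", 40002, 22, SYN, 54),
    Packet(10.2, "203.0.113.7", 40003, 23, SYN, 54),
    Packet(10.3, "203.0.113.7", 40004, 25, SYN, 54),
    Packet(10.4, "203.0.113.7", 40005, 80, SYN, 54),
    Packet(10.5, "203.0.113.7", 40006, 443, SYN, 54),
    Packet(10.6, "203.0.113.7", 40002, 22, RST, 54),
    Packet(10.7, "203.0.113.7", 40005, 80, RST, 54),
    # 198.51.100.5 is a normal client: SYN, then the completing ACK, then data.
    Packet(11.0, "198.51.100.5", 51000, 80, SYN, 61),
    Packet(11.1, "198.51.100.5", 51000, 80, ACK, 61),
    Packet(20.0, "198.51.100.5", 51000, 80, ACK | PSH, 61),
    # 203.0.113.9 sends an Xmas probe to 22 and a Null probe to 23.
    Packet(12.0, "203.0.113.9", 42000, 22, FIN | PSH | URG, 49),
    Packet(12.1, "203.0.113.9", 42001, 23, 0, 49),
    # 198.51.100.8 sends a SYN to 80 and is never heard from again.
    Packet(13.0, "198.51.100.8", 53000, 80, SYN, 58),
]

if __name__ == "__main__":
    for sig, src, detail in detect(TRACE, LISTENING):
        print(f"{sig:20} {src:14} ~{estimated_hops(next(p.ttl for p in TRACE if p.src == src))} hops  {detail}")
```

The sweep and timeout thresholds are deliberately low so the constructed trace trips them; in practice they are tuned against the host's normal traffic, and the RST-after-SYN/ACK pattern is the more reliable half-open signature because a genuine client almost never does that.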
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p6, 15th May 2024.