[ubuntu-hardened] NULL scan.
sidetripping at gmail.com
Wed Jan 30 19:33:50 UTC 2013
I've added a rule to my iptables script which is responsible for
filtering on --tcp-flags. After adding this rule, I've noticed that many
IP addresses are trying to... scan(?) my computer. This rule contains
-m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG
I've also added logging for this rule, e.g. -j LOG --log-prefix
"NULL SCAN: " etc.
But something is not as it should be. As we know, an attacker uses a TCP
NULL scan to determine if ports are closed on the target machine by sending
TCP packets with *no flags* set in the header. I wonder if the above rule is
good, because if a NULL scan does not use flags, the iptables rule should
look this way: ALL NONE (instead of all these flags).
Some information from the /var/log/kern.log file:
Jan 30 20:06:03 X kernel: [ 4749.200324] NULL SCAN: IN=eth0 OUT= MAC=
SRC=188.8.131.52 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=45
ID=39243 PROTO=TCP SPT=443 DPT=48903 WINDOW=0 RES=0x00 RST URGP=0
and many more similar entries and IP addresses... What should I do with this?
I'm so confused.
Maybe it is normal behavior because of the INVALID option? I ask for a
This computer (with Xubuntu 12.04.1) is used for various tests; there
are no services running, for now.
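As an added example (not code from the post or from the ubuntu-hardened list), here is a small Python script that applies the semantics of iptables' --tcp-flags MASK COMP (of the flags named in MASK, exactly those in COMP must be set; a leading ! inverts that) to the flag tokens the kernel LOG target writes to kern.log, and checks each logged packet against the usual flag-scan signatures. It assumes the iptables keyword ALL covers the six classic flags FIN,SYN,RST,PSH,ACK,URG, and that the LOG target prints set flags as bare tokens after PROTO=TCP, as in the line quoted in the message. The two extra log lines are constructed for the example and are not real captures. Run against the line from the post, it reports a packet with only RST set, which matches none of the scan signatures; a real NULL scan would show no flag tokens at all between RES= and URGP=, and that is what -p tcp --tcp-flags ALL NONE matches.

```python
"""Added example (not from the post): evaluate iptables `--tcp-flags MASK COMP`
semantics against the TCP flags printed in kernel LOG lines, so each logged
packet can be checked against the classic flag-scan signatures."""

# The six flags that iptables' "ALL" keyword expands to (ECE/CWR are not in ALL).
ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# Bare tokens the kernel LOG target prints for TCP header flags.
LOG_FLAG_TOKENS = ALL_FLAGS | {"ECE", "CWR"}

# Scan signatures written exactly as the MASK and COMP you would give --tcp-flags.
SCAN_RULES = [
    ("NULL", "ALL", "NONE"),            # no flags at all
    ("XMAS", "ALL", "FIN,PSH,URG"),     # FIN+PSH+URG and nothing else
    ("SYN/FIN", "SYN,FIN", "SYN,FIN"),  # SYN and FIN together
    ("FIN", "ALL", "FIN"),              # lone FIN
]


def parse_flag_spec(spec):
    """Turn an iptables flag list ("SYN,ACK", "ALL", "NONE") into a set."""
    if spec == "ALL":
        return set(ALL_FLAGS)
    if spec == "NONE":
        return set()
    flags = set(spec.split(","))
    unknown = flags - ALL_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcp_flags_match(flags, mask_spec, comp_spec, negate=False):
    """`[!] --tcp-flags MASK COMP`: of the flags named in MASK, exactly the
    ones in COMP must be set; `!` (negate) inverts the result."""
    mask = parse_flag_spec(mask_spec)
    comp = parse_flag_spec(comp_spec)
    if not comp <= mask:
        raise ValueError("COMP must be a subset of MASK")
    matched = (set(flags) & mask) == comp
    return not matched if negate else matched


def parse_log_flags(line):
    """Extract TCP flags from a kernel LOG line, or None for non-TCP lines.
    Every other field is KEY=VALUE; the LOG target prints set flags as bare
    tokens (e.g. 'SYN ACK') after PROTO=TCP, so only that part is scanned,
    which also keeps words in --log-prefix from being mistaken for flags."""
    _, sep, tail = line.partition("PROTO=TCP")
    if not sep:
        return None
    return frozenset(tok for tok in tail.split() if tok in LOG_FLAG_TOKENS)


def classify(line):
    """Name the first scan signature the logged packet matches, if any."""
    flags = parse_log_flags(line)
    if flags is None:
        return "not TCP"
    for name, mask, comp in SCAN_RULES:
        if tcp_flags_match(flags, mask, comp):
            return f"{name} scan"
    return "flags " + ",".join(sorted(flags)) + " (no scan signature)"


# The line quoted in the post, plus two constructed lines (not real captures;
# 192.0.2.0/24 is a documentation address range).
POSTED_RST = (
    "Jan 30 20:06:03 X kernel: [ 4749.200324] NULL SCAN: IN=eth0 OUT= MAC= "
    "SRC=188.8.131.52 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=45 "
    "ID=39243 PROTO=TCP SPT=443 DPT=48903 WINDOW=0 RES=0x00 RST URGP=0"
)
CONSTRUCTED_NULL = (
    "Jan 30 20:10:00 X kernel: [ 4986.000000] NULL SCAN: IN=eth0 OUT= MAC= "
    "SRC=192.0.2.10 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=50 "
    "ID=1 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 URGP=0"
)
CONSTRUCTED_XMAS = (
    "Jan 30 20:10:01 X kernel: [ 4987.000000] NULL SCAN: IN=eth0 OUT= MAC= "
    "SRC=192.0.2.10 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=50 "
    "ID=2 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0"
)

if __name__ == "__main__":
    for label, line in [("posted", POSTED_RST), ("null", CONSTRUCTED_NULL),
                        ("xmas", CONSTRUCTED_XMAS)]:
        print(f"{label:>6}: {classify(line)}")
```

To use it on a real box, feed it the NULL SCAN: lines from /var/log/kern.log one at a time; any line classified as "flags RST ..." or "flags ACK ..." was matched by the conntrack INVALID state rather than by a flag-scan pattern.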