COMMAND

    tcp

PROBLEM

    Administrators need tools to find out what is going on in their
    network.  Suppose an internal employee has installed an unauthorized
    web server and put proprietary information online where anyone can
    reach it: how does an administrator find out that there is even a
    web server running on their network?  Many administrators use tools
    called TCP port scanners.  These programs try to connect to every
    possible port on a machine and report which services are running.
    This information gives a network administrator a better picture of
    how his or her network is actually configured.  Unfortunately, this
    technology is a double-edged sword, because intruders can scan other
    people's networks and gather information that helps them mount an
    attack: the intruder now knows which machines are up and which
    services are available.  TCP port scanning is built into shareware
    auditing tools such as ISS (Internet Security Scanner) and SATAN.
    These tools were intended to help administrators correct security
    risks in their networks, but they are just as useful to the bad
    guys.

    Because TCP port scanning is like knocking on the door of many
    services, people have written tools like SATAN detectors which
    notify administrators when outside people are knocking on their
    network.  This has given administrators the feeling that they will
    get a reliable alarm if a hacker decides to attack their network.

    Most of the TCP port scanning technology relies on making an
    established connection with a port to determine whether it is
    active or not.  Many of the SATAN/port scanning detectors rely on
    this fact.  They record the connections, and if a connection happens
    to a wrong port, or the number of connections within a certain time
    reaches a threshold, an alarm goes off.  TCP_wrappers will also keep
    a record of any established connection, which helps administrators
    find where an intruder came from.

    One problem is that intruders can scan without ever establishing a
    connection.  There is a technique for doing a half-open scan.  The
    intruder sends a SYN packet, which starts a connection; if the port
    is active, the host replies with SYN|ACK, and the intruder records
    these replies to determine which ports are active.  In a normal
    connection the client would now answer the SYN|ACK with an ACK to
    complete the handshake.  Instead the intruder sends a reset (RST)
    packet, which makes the kernel discard the half-open connection
    before it is ever handed to the application, so connection-based
    loggers like the ones above never see it.

    Here's the interesting information.  ----  We do not even need to
    use a SYN packet to scan.  Many firewalls block outside networks
    from sending in a SYN packet, which stops them from initiating a
    connection.  So even the half-open scan won't work past such a
    firewall.  But we have tried other TCP flags and found that many
    other packets do the trick just as well, if not better.

    Here's a  table of  the packets  and response  types to  determine
    active ports.

    Flag        Active Port Response    Non-active Port Response

    SYN         SYN|ACK                 Reset or Nothing
    SYN|FIN     ACK or SYN|ACK*         Reset
    ACK         Nothing                 Reset
    0 flag      Nothing                 Reset

    *  Depends on the TCP implementation.  Windows 95 returned SYN|ACK
    while most Unix platforms return an ACK.

    Note that an RFC 793 conformant stack answers a bare ACK with a RST
    whether or not the port is listening, so the "Nothing" in the ACK
    row only shows up on stacks that deviate from the RFC, or when a
    filter in the path silently dropped the probe.  In practice the ACK
    probe is therefore better at telling filtered ports from unfiltered
    ones than open from closed, and for both the ACK and the 0 flag
    rows silence can never be distinguished from a dropped packet.

    We have picked the most interesting flags.  You can also add the URG
    and PUSH flags to any of the above combinations and get the same
    response.  SYN|FIN is an illegal combination, since the two flags
    contradict each other (open and close a connection in one segment),
    but a few router based firewalls that were blocking the other types
    of packets let this one through.  The 0 flag packets are packets
    with no flag bits set at all, which some packet filter based
    firewalls may also allow through.
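    The probe and classification logic described by the table, as an
    added example that is not part of the original article or its code:
    it builds a bare TCP header with an arbitrary flag set and a valid
    pseudo-header checksum, parses whatever comes back on a raw socket,
    and maps (probe, reply) to the table's verdict.  Addresses and ports
    used below are made up; sending requires root and a real route, and
    the kernel will itself RST any SYN|ACK that answers a SYN probe,
    which is exactly the half-open teardown the text describes.

```python
import socket
import struct
from typing import Optional

# TCP flag bits (RFC 793).  The table in the text names combinations of these.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def flag_str(flags: int) -> str:
    """Render flag bits in the text's notation: 0x12 -> 'SYN|ACK', 0 -> '0'."""
    return "|".join(name for name, bit in FLAG_NAMES if flags & bit) or "0"


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src: str, dst: str, sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Bare 20-byte TCP header carrying exactly `flags` (no options, no payload),
    checksummed over the pseudo-header the way the receiving stack verifies it."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    return hdr[:16] + struct.pack("!H", checksum(_pseudo(src, dst, len(hdr)) + hdr)) + hdr[18:]


def checksum_ok(src: str, dst: str, tcp: bytes) -> bool:
    """True if the segment's checksum verifies (one's-complement sum is zero)."""
    return checksum(_pseudo(src, dst, len(tcp)) + tcp) == 0


def parse_reply(ip_pkt: bytes) -> dict:
    """Ports and flags of a raw IPv4+TCP datagram as a raw socket hands it back
    (the IHL nibble gives the IP header length to skip)."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", ip_pkt[ihl:ihl + 14])
    return {"sport": sport, "dport": dport, "flags": flags}


def classify(probe: int, reply: Optional[int]) -> str:
    """Apply the response table: `probe` is the flag set sent, `reply` the flags
    that came back, or None if nothing arrived before the timeout."""
    base = probe & ~(PSH | URG)          # the text: adding URG/PSH changes nothing
    if reply is not None and reply & RST:
        return "closed"                  # RST means non-active in every row
    if base == SYN:
        return "open" if reply is not None and (reply & (SYN | ACK)) == (SYN | ACK) else "no response (dropped?)"
    if base == SYN | FIN:
        return "open" if reply is not None and reply & ACK else "no response (dropped?)"
    if base in (ACK, 0):
        # Silence is what the table gives for an active port here, but a filter
        # that swallowed the probe looks identical, so the verdict stays ambiguous.
        return "open or filtered" if reply is None else "unexpected " + flag_str(reply)
    raise ValueError("probe flags not in the table: " + flag_str(probe))


def probe_port(dst: str, dport: int, flags: int, src: str,
               sport: int = 40000, timeout: float = 2.0) -> str:
    """Send one probe and classify the answer.  Needs root / CAP_NET_RAW and a
    route to dst; the kernel prepends the IP header (no IP_HDRINCL), so `src`
    must be the address it will pick or the pseudo-header checksum is wrong."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    s.settimeout(timeout)
    try:
        s.sendto(build_tcp(src, dst, sport, dport, flags), (dst, 0))
        while True:                          # the raw socket sees every TCP segment;
            r = parse_reply(s.recv(65535))   # keep only the answer to our probe
            if r["sport"] == dport and r["dport"] == sport:
                return classify(flags, r["flags"])
    except socket.timeout:
        return classify(flags, None)
    finally:
        s.close()
```

    For the ACK and 0 flag rows the code deliberately reports "open or
    filtered" rather than "open", since silence is also what a dropping
    firewall produces; only a RST gives a definite answer there.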

    Some firewalls allow ACK packets through as well.  Because these
    kinds of packets typically slip past most TCP port scan detectors,
    and because the scan lets you bypass a firewall and see what
    services are running on the inside machines, we called this a
    "stealth scan".
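    An added example (not from the original article) of why the
    connection-based detectors described above miss these scans: a
    connect() scan, a half-open scan and a 0 flag scan are replayed from
    a constructed packet trace through a handshake-tracking logger of
    the TCP_wrappers/SATAN-detector kind and through a packet-level
    counter that treats every inbound segment as a probe, with the same
    threshold rule applied to both.  Host addresses, ports and timings
    are invented.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed scenario (not from the text): one protected host, a few of its
# ports active, the rest closed.
TARGET = "192.168.1.5"
OPEN_PORTS = {22, 25, 80}
PORTS = [21, 22, 23, 25, 80, 110, 143, 443]


def scan_trace(src, probe_flags, t0=0.0, complete=False):
    """Constructed packet trace of one scan of TARGET, as (time, src, sport, dst,
    dport, flags) tuples.  SYN with complete=True is a full connect() scan; SYN
    alone is the half-open scan (RST instead of the final ACK); any other flag
    set is a stealth probe whose active ports simply stay silent, per the table."""
    pkts = []
    for i, port in enumerate(PORTS):
        t, sport = t0 + i * 0.1, 40000 + i
        pkts.append((t, src, sport, TARGET, port, probe_flags))
        if port not in OPEN_PORTS:
            pkts.append((t + 0.01, TARGET, port, src, sport, RST | ACK))
        elif probe_flags == SYN:
            pkts.append((t + 0.01, TARGET, port, src, sport, SYN | ACK))
            if complete:
                pkts.append((t + 0.02, src, sport, TARGET, port, ACK))
            pkts.append((t + 0.03, src, sport, TARGET, port, RST | ACK))
    return pkts


def handshake_log(packets):
    """What a connection logger in the TCP_wrappers / SATAN-detector mould
    records: one (time, src, dst, dport) entry per completed three-way handshake."""
    state, log = {}, []
    for t, src, sport, dst, dport, flags in packets:
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & RST:                               # reset from either side: forget it
            state.pop(key, None)
            state.pop(rev, None)
        elif flags & SYN and not flags & ACK:
            state[key] = "SYN_SENT"
        elif flags & SYN and flags & ACK and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RECV"
        elif flags & ACK and state.get(key) == "SYN_RECV":
            state[key] = "ESTABLISHED"                # only now does anything get logged
            log.append((t, src, dst, dport))
    return log


def connection_events(packets):
    """Events a connection-log based detector gets to count."""
    return [(t, src, dport) for t, src, _dst, dport in handshake_log(packets)]


def packet_events(packets, protected=(TARGET,)):
    """Events a packet-level detector gets to count: every inbound segment to a
    protected host, whatever flags it carries."""
    return [(t, src, dport) for t, src, _sp, dst, dport, _f in packets if dst in protected]


def threshold_alerts(events, threshold=3, window=10.0):
    """Alarm once per source that touches at least `threshold` distinct ports
    within any `window` seconds (events are (time, source, port) triples)."""
    recent, alerted = defaultdict(list), []
    for t, src, port in sorted(events):
        recent[src] = [(ts, p) for ts, p in recent[src] if t - ts <= window] + [(t, port)]
        if src not in alerted and len({p for _, p in recent[src]}) >= threshold:
            alerted.append(src)
    return alerted


def compare_detectors(trace):
    """Which sources each kind of detector flags for the same trace."""
    return {"connection_log": threshold_alerts(connection_events(trace)),
            "packet_level": threshold_alerts(packet_events(trace))}


if __name__ == "__main__":
    trace = (scan_trace("10.0.0.9", SYN, 0.0, complete=True)   # ordinary connect() scan
             + scan_trace("10.0.0.66", SYN, 100.0)             # half-open scan
             + scan_trace("10.0.0.77", 0, 200.0))              # 0 flag "stealth" scan
    print(compare_detectors(trace))
```

    Only the connect() scanner ever reaches ESTABLISHED, so the
    connection-log detector fires for it alone; the packet-level counter
    flags all three sources because it keys on segments to distinct
    ports rather than on completed connections.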

    In developing this code, we were able to do 2 types of denial of
    service attacks that people should be aware of, and at some point
    vendors need to fix the problems.

    1)  By scanning with all these different types of packets, we were
    able to crash a few popular types of routers that could not handle
    these packets.  We reported the problem back to the vendors.

    2)  By scanning with half-opens and not sending a RESET, the
    kernel's queue of half-open connections (the listen backlog) fills
    up and the port will no longer accept any more connections.  This
    would be a quick and easy way to make a machine with a high
    connection rate stop accepting connections altogether, denying
    anyone access to it, including to a Web server.  This is the attack
    now known as a SYN flood; most kernels today defend against it with
    SYN cookies.