path: root/informationals/teso-i0002.txt
0002 2000/01/21  TCP stealth scan "Scan 64"

==== TESO Informational =======================================================
This piece of information is to be kept confidential.
===============================================================================

Description ..........: New TCP stealth-scans, aka "Scan 64"
Date .................: 2000/01/21 15:37
Author ...............: S. Krahmer
Publicity level ......: public after 25.1.2000
Affected .............: lots of network-based IDSs
Type of entity .......: Protocol-based
Type of discovery ....: implementation mistake
Severity/Importance ..: interesting
Exploit available ....: Y
URL ..................: http://www.cs.uni-potsdam.de/homepages/students/linuxer
Found by .............: S. Krahmer

Information ===================================================================

The general behavior of many IDSs is 'black-list' based: to detect so called
'stealth-scans', for example, you have to specify the list of bad flag
combinations in a TCP packet.

It is very difficult to get all the types black-listed. Instead one should list
all 'allowed' flag combinations (e.g. SYN|ACK, RST, PUSH|ACK etc.) and treat
anything else as suspicious.

After the maintainers of IDSs had been notified about the possibility of silent
push-scans and had fixed their scan-detection engines, it was again possible to
do unnoticed scans by setting flag combinations in TCP headers that don't appear
in usual traffic.

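As an added example that is not part of the TESO text: a minimal whitelist
check of the TCP flag byte, next to the kind of black-list check the text
criticises, run over a few constructed headers. The ALLOWED and BLACKLISTED
sets are assumptions for illustration, not lists taken from any IDS.

```python
import struct

# TCP flag bits (RFC 793). Bits 0x40 and 0x80 were reserved in RFC 793 and
# were later assigned to ECN (ECE, CWR) by RFC 3168.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80

# Assumed whitelist of flag combinations seen in ordinary traffic; a site
# using ECN must also allow SYN|ECE|CWR and SYN|ACK|ECE (not done here).
ALLOWED = {
    SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, FIN | PSH | ACK,
    RST, RST | ACK, URG | ACK, URG | PSH | ACK,
}

# Assumed black-list in the style the text criticises: only patterns that
# were already known to the detection engine.
BLACKLISTED = {0, FIN, SYN | FIN}

def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options, zero seq/ack/checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def tcp_flags(segment: bytes) -> int:
    """Return the full 8-bit flags field (byte 13) of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def classify(segment: bytes) -> dict:
    """Apply both policies to one segment and report which of them alerts."""
    flags = tcp_flags(segment)
    return {
        "flags": flags,
        "blacklist_alert": flags in BLACKLISTED,   # misses anything not listed
        "whitelist_alert": flags not in ALLOWED,   # alerts on any unusual combination
    }

# Constructed samples: two normal segments and three that do not occur in
# usual traffic (including the 'silent push-scan' mentioned in the text).
SAMPLES = {
    "syn": make_tcp_header(40000, 80, SYN),
    "data": make_tcp_header(40000, 80, PSH | ACK),
    "push only": make_tcp_header(40000, 80, PSH),
    "reserved bit": make_tcp_header(40000, 80, ECE),
    "null": make_tcp_header(40000, 80, 0),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:13s} {classify(seg)}")
```

Only the whitelist policy alerts on the PSH-only and reserved-bit segments;
the black-list policy sees nothing unusual in them.
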
===============================================================================