Date: Tue, 12 May 1998 10:39:00 -0500
From: buhr@stat.wisc.edu (Kevin Buhr)
To: linux-security@redhat.com
Subject: [linux-security] Re: Re: Re: Lightning fast attacks?
> [Mod: Let me also make a statement that completely stealth attacks are
> impossible. Any attack *will* generate packets on a wire. In order for those
> packets to be delivered to the target, they must follow IP conventions.
> Granted, the source address can be spoofed (which should be impossible if
> ISPs/NSPs start filtering at the customer routers) but apart from that a
> real, trackable packet will be sent to the target. -- alex]
Bwah hah hah! This discussion will *never* be closed!
This was discussed on BUGTRAQ under the subject heading:
TCPwrappers race condition
late last year. The consensus there was much the same as here.
One thing I haven't seen mentioned is the IpLogger package by Mike
Edulla <medulla@infosoc.com>. It listens for TCP connects (and ICMP
packets) on a raw socket, so it *will* get the IP addresses of these
lightning fast scans. (It *won't* catch the "stealth port scanning"
described on BUGTRAQ which takes advantage of responses to a lone FIN
packet, but it could easily be modified to do so.)
It'll *also* let you detect scans on ports you don't even listen to,
without booby-trapping them a la tcp_wrappers. For example, I don't
have anything listening to the IMAP port, but I log plenty of tedious
imap2 scans, usually from hosts that have been cracked by... imap2
scans!
Its major drawback is that "tcplogd" logs *all* SYN packets, and
"icmplogd" logs *all* ICMP packets (except echo replies), so your logs
tend to fill up with legitimate connections you have to wade through
to find the "bad guys". It's great for a "client" machine, however,
that doesn't receive connections from many external sources.
A word of warning, though: the IpLogger package is far too trusting of
DNS lookups. I've patched my version to avoid possible buffer
overruns and always include the IP address (in case I get a bogus
hostname from a cracked DNS server). However, the hostnames aren't
filtered, character-by-character, as in tcp_wrappers, so it's possible
there's a vulnerability hidden somewhere in there. My patch (against
iplogger-1.00) is short, so I've included it.
Kevin <buhr@stat.wisc.edu>
* * *
--- icmplog.c 1998/04/23 17:04:16 1.1
+++ icmplog.c 1998/05/12 15:01:23
@@ -170,8 +170,9 @@
i.s_addr=in;
he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
- if(he == NULL) strcpy(blah, inet_ntoa(i));
- else strcpy(blah, he->h_name);
+ if(he)
+ sprintf(blah, "%.1000s [%.20s]", he->h_name, inet_ntoa(i));
+ else
+ sprintf(blah, "[%.20s]", inet_ntoa(i));
return blah;
}
-
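Review bot: the `%.1000s` and `%.20s` precisions bound the copies, but the size of `blah` is not visible in this hunk and the worst case is 1000 + 2 + 20 + 1 = 1023 characters plus the terminating NUL, so `blah` must be at least 1024 bytes; if `blah` is a fixed array, `snprintf(blah, sizeof(blah), "%.1000s [%.20s]", he->h_name, inet_ntoa(i))` would tie the bound to the buffer rather than to a constant in the format string. The hostname is also still copied byte-for-byte, so newlines or control characters in a forged DNS reply reach the log unfiltered, as the covering mail already notes.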
--- tcplog.c 1998/04/23 16:38:54 1.1
+++ tcplog.c 1998/05/12 15:01:23
@@ -159,8 +159,10 @@
i.s_addr=in;
he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
- if(he == NULL) strcpy(blah, inet_ntoa(i));
- else strcpy(blah, he->h_name);
+ if(he)
+ sprintf(blah, "%.1000s [%.20s]", he->h_name, inet_ntoa(i));
+ else
+ sprintf(blah, "[%.20s]", inet_ntoa(i));
return blah;
}
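Review bot: same buffer-size caveat as the icmplog.c hunk: `%.1000s [%.20s]` needs up to 1023 bytes plus NUL, and the declaration of `blah` is outside the hunk. Since tcplogd and icmplogd now carry byte-identical lookup-and-format code, moving it into a shared helper would keep the two from diverging if, say, hostname sanitization is later added to only one of them.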
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
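The mail above fixes the overrun but leaves hostnames unfiltered. The following is an added example, not code from Kevin Buhr's patch or from the IpLogger package: a bounded "host [ip]" formatter that treats the resolver's answer as untrusted, truncating it to a fixed length and replacing non-printable bytes, the way tcp_wrappers filters names character by character. The names `format_peer`, `copy_sanitized`, `HOST_MAX` and the sample inputs are this example's own assumptions.

```c
/* Added example (not part of the IpLogger package or the posted patch):
 * a bounded, sanitized formatter for a "hostname [ip]" log field.  The
 * hostname is treated as attacker-controlled, since whoever answers the
 * reverse lookup chooses it; the original code did
 *     strcpy(blah, he->h_name);
 * which both overruns on a long name and passes control bytes to the log. */
#include <stdio.h>
#include <string.h>

#define HOST_MAX 255   /* longest hostname kept (assumed limit, RFC 1035 style) */
#define ADDR_MAX 15    /* dotted-quad IPv4 text, "255.255.255.255" */
#define LOG_FIELD_LEN (HOST_MAX + 2 + ADDR_MAX + 1 + 1)  /* "host [ip]" + NUL */

/* Copy at most maxlen bytes of src into dst (capacity n), always
 * NUL-terminating, and replace anything outside printable ASCII with '?'.
 * Returns the number of bytes written, excluding the NUL. */
static size_t copy_sanitized(char *dst, size_t n, const char *src, size_t maxlen)
{
    size_t i = 0;
    if (n == 0)
        return 0;
    while (i < maxlen && i + 1 < n && src[i] != '\0') {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c >= 0x20 && c <= 0x7e) ? (char)c : '?';
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Write "host [ip]" (or "[ip]" when no name resolved) into out.  Returns the
 * length the field needed, like snprintf; a result >= outlen means the field
 * was truncated, but out is still NUL-terminated. */
int format_peer(char *out, size_t outlen, const char *hostname, const char *ip)
{
    char host[HOST_MAX + 1];
    char addr[ADDR_MAX + 1];

    copy_sanitized(addr, sizeof addr, ip, ADDR_MAX);
    if (hostname == NULL || hostname[0] == '\0')
        return snprintf(out, outlen, "[%s]", addr);
    copy_sanitized(host, sizeof host, hostname, HOST_MAX);
    return snprintf(out, outlen, "%s [%s]", host, addr);
}

/* Constructed check: a name carrying a newline and a 0x01 byte is logged as
 * "evil?host? [10.0.0.1]" (21 chars) instead of splitting the log line. */
int demo_control_chars(void)
{
    char buf[LOG_FIELD_LEN];
    int n = format_peer(buf, sizeof buf, "evil\nhost\x01", "10.0.0.1");
    return n == 21 && strcmp(buf, "evil?host? [10.0.0.1]") == 0;
}

/* Constructed check: a 2000-byte name is cut at HOST_MAX and the address is
 * still appended, so the field fits in LOG_FIELD_LEN. */
int demo_overlong_name(void)
{
    char name[2001];
    char buf[LOG_FIELD_LEN];
    int n;
    memset(name, 'A', 2000);
    name[2000] = '\0';
    n = format_peer(buf, sizeof buf, name, "192.0.2.7");
    return n == HOST_MAX + 2 + 9 + 1 && strlen(buf) == (size_t)n && buf[HOST_MAX] == ' ';
}

/* Constructed check: no reverse name, only the bracketed address. */
int demo_no_hostname(void)
{
    char buf[LOG_FIELD_LEN];
    int n = format_peer(buf, sizeof buf, NULL, "192.0.2.7");
    return n == 11 && strcmp(buf, "[192.0.2.7]") == 0;
}

/* Constructed check: an undersized caller buffer is truncated, never overrun. */
int demo_small_buffer(void)
{
    char small[16];
    int n = format_peer(small, sizeof small, "example.org", "10.0.0.1");
    return n == 22 && strlen(small) == 15;
}

int main(void)
{
    char buf[LOG_FIELD_LEN];
    format_peer(buf, sizeof buf, "evil\nhost\x01", "10.0.0.1");
    printf("%s\n", buf);
    printf("checks: %d %d %d %d\n", demo_control_chars(), demo_overlong_name(),
           demo_no_hostname(), demo_small_buffer());
    return 0;
}
```

The address is run through the same filter as the name because `inet_ntoa` is not the only possible source of that string in a larger program; keeping one choke point for everything that reaches the log is the habit that matters more than the particular limits chosen here.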