FIN Flags, Fragment Block

Discussion in 'LnS English Forum' started by Patrice, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. Patrice, Registered Member (joined Apr 15, 2003; Antarctica)

    Hello everyone!

    Recently there have been several questions about the rules IP: Fragment Block, TCP: FIN Flags, ... These rules are not enabled by default in enhanced mode. I would like to show you why such rules should be enabled all the time. For further information about the questions see:

    https://www.wilderssecurity.com/showthread.php?t=8613

    https://www.wilderssecurity.com/showthread.php?t=8690

    One of my principles is still:

    YOU SHALL KNOW HOW HACKERS ATTACK, SO THAT YOU CAN DEFEND YOURSELF!

    Now let's see what this means in reality. First of all, hackers use so-called port scanners to find open ports and unprotected computers. Examples of such tools are:

    Superscan:
    http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

    Nmap:
    http://www.insecure.org/nmap/index.html

    Let's look especially at the latter one, which is of more importance. If you scan an IP-range you'll find a lot of open, unprotected computers, sigh... Yes, unfortunately this is true! :'(

    With the Nmap tool you can do special port scans, as you see in the following image:

    http://www.insecure.org/nmap/images/nmapfe.gif

    As you see, you are able to use the SYN Stealth, FIN Stealth, ... methods to find open ports. Most popular firewalls/routers answer such packets. And this means that your system has been compromised!! Yes, you aren't stealth anymore! Now they know that your computer is up and running! :eek:

    If you enable the rules IP: Fragment Block, TCP: FIN Flags,... you will be safe of such attacks (even though there's no 100% security). If you don't enable them you aren't safe at all!!!

    If you wanna know how hackers attack systems, read the following posts of a hacker (translated into several different languages):

    http://www.insecure.org/nmap/nmap-fingerprinting-article.html

    So, when you have read this article and you still don't think security is important, I can't help you! If you say to yourself, please help me to make my system more secure you are at the right place and at the right forum. :cool:

    First I suggest that you enable the above-mentioned rules (you use enhanced mode, don't you?) and secondly that you consider putting a good router in front of your computer (if you have more than one computer accessing the net).

    There are certainly more methods of making your computer more secure, but if you read this, you are already at the right place. Go ahead and read in the other forums (TDS-3,...). If you wanna test your own system and its security go for example to PC Flank and GRC (ShieldsUP) and test it thoroughly:

    http://www.pcflank.com/

    http://grc.com/default.htm

    If you have further questions, don't hesitate to ask! ;)

    Best regards!

    Patrice
     
  2. Ph33r, Guest

    Hey Patrice

    Congratulations not bad…

    One can use numerous invalid TCP flag combinations (I'm not absolutely sure how many Frederic said over on Becky's, about 66 different invalid TCP flag combinations?) to bypass an everyday software firewall, and today's routers with software firewall capabilities should contain filtering for a lot of these... Right off hand I know of 16 different invalid TCP flag combinations, not including invalid packets in general, whether over TCP, UDP, ICMP and so forth...

    By default EnhancedRulesSet.rls contains possibly 3/4 invalid TCP flag combinations to prevent leaks, which pcFlank clearly points out on its site... However, due to ACK being used, Look 'n' Stop will still leak unless you use the "TCP – Stateful Packet Inspection" feature, and of course that alone will fix many situations... ;)
     
  3. Patrice, Registered Member

    Hi Ph33r!

    Thanks for your answer! I don't know as much as you do about the technical details of IP/UDP packets, just the basics. But I completely agree with what you said about TCP - Stateful Packet Inspection. Even though I use a good router (NAT, ...), some packets are still blocked by Look'n'Stop! That means that some packets get through.

    Best regards!

    Patrice
     
  4. Ph33r, Guest

    Hey Patrice

    In case you'd like to know, I know exactly how many possibilities Frederic mentioned in a post over on Becky's Board sometime in December 2002: he mentioned 64 possibilities, but I'm not sure how he came up with that calculation, as I cannot even calculate more than 16 possibilities.

    I'd be quite surprised to see someone come on here and post more than 16 possibilities... o_O
     
  5. Frederic, LnS Developer (joined Jan 9, 2003; France)

    Hi Ph33r,

    I suppose I simply said 64 because there are 6 different TCP flags.
    2^6 = 64.

    I don't think that for a standard use of the TCP protocol all 64 possibilities are effectively possible.
    But by manually creating raw packets, it is possible to build any of the 64 possibilities.

    Frederic
     
  6. Ph33r, Guest

    Now that’s what I call clarity! Thanks Frederic :D
     
  7. ZiGZaG, Registered Member (joined Sep 2, 2004; Naples, Italy)

    Hi all. This is my first post to this forum. First of all I should warn you: my English is fair, so please be patient with me. :) I was searching the web for a list of invalid TCP flag combinations, and I got a few matches on Google; one of those was this thread.
    Ph33r said: "Right off hand I know of 16 Different invalid TCP Flags Combinations..."
    Well, I know just 7!
    # All state bits zeroed
    # FIN set ACK cleared
    # PSH set ACK cleared
    # URG set ACK cleared
    # SYN and FIN set
    # SYN and RST set
    # FIN and RST set

    I would like to know other combinations Ph33r was talking in his reply.

    And then, the last reply by Frederic says: "I suppose I simply said 64 because there are 6 different TCP flags.
    2^6 = 64"
    But if there are 6 flags (SYN, FIN, RST, ACK, PSH, URG), by creating raw packets with a packet forger I think you can make many more combinations: 6^6, not 2^6. Is this true, or not?
    I'm sorry for replying to a 1-year-old thread, but I hope you will take a moment to help me resolve my doubts.
     
  8. Phant0m, Registered Member (joined Jun 7, 2003; Canada)

    _ - (NULL: Stealth Scan)
    ACK-URG
    FIN (FIN: Stealth Scan)
    FIN-PSH
    FIN-RST
    FIN-URG
    FIN-PSH-URG (XMAS: Stealth Scan)
    FIN-RST-URG
    FIN-RST-PSH-URG
    SYN-RST
    SYN-FIN
    SYN-FIN-RST
    SYN-FIN-PSH
    SYN-FIN-RST-PSH
    SYN-FIN-RST-PSH-ACK
    SYN-FIN-RST-PSH-ACK-URG

    ;)
     
    Last edited: Sep 2, 2004
  9. ZiGZaG, Registered Member

    Well Phant0m, first of all thanks a lot for answering quickly! :D
    Take a look at the first quoted line; I think you wanted to write FIN-PSH, right?

    And with the last two lines of the quote you confirmed the second question of my first post: there are many more than 2^6=64 combinations of TCP flags! But... are there really 6^6=46656?? :eek: And if there are so many, why should we ignore most of them and add just 16 to netfilter?

    Thanks a lot for being patient with me!
     
  10. Frederic, LnS Developer

    Hi ZiGZaG,

    It's definitely 2^64.

    You have only 2 possibilities per bit: 0 or 1, so for six bits 2*2*2*2*2*2.

    Frederic
     
  11. Phant0m, Registered Member

    If I recall, Look 'n' Stop doesn't identify and control TCP packets containing the CWR and ECE flags... ;)
     
  12. ZiGZaG, Registered Member

    2^64=18446744073709551616 ?? :eek:
    I really wish it was a typo! :D
     
  13. gkweb, Expert Firewall Tester (joined Aug 29, 2003; Rouen, France)

    I think Frederic meant 2^6 = 64, which written quickly gives 2^64 :D

    gkweb.
     
  14. Frederic, LnS Developer

    Yes, of course. Sorry for the confusion :oops:

    Frédéric
     
  15. ZiGZaG, Registered Member

    Well, finally I have the whole ruleset to filter any kind of invalid TCP/IP-based packet. I post it in the hope it may be useful for people, and also because I'd very much like my rules to be discussed in such a forum.

    Code:
    #!/bin/sh
    # IPT is the full path to the iptables binary (see note below).
    IPT=/sbin/iptables

    # Create the bad_tcp chain (the error is harmless if it already exists),
    # empty it, and send every incoming packet through it before the rest of INPUT.
    # (-m state still works; on current kernels "-m conntrack --ctstate" is the same match.)
    $IPT -N bad_tcp 2>/dev/null
    $IPT -F bad_tcp
    $IPT -I INPUT 1 -j bad_tcp

    ###########################################################################
    ###New not syn### (a NEW connection must start with a bare SYN; anything else is logged and dropped)
    $IPT -A bad_tcp -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    $IPT -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP #--->TARPIT
    ###State invalid### (packets the connection tracker cannot associate with any flow)
    $IPT -A bad_tcp -m state --state INVALID -j DROP
    ###Invalid flag combos### (--tcp-flags MASK COMP: of the bits in MASK, exactly COMP must be set)
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags ALL NONE -j DROP #(NULL Stealth Scan, nmap -sN) #---->TARPIT
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP #(XMAS Stealth Scan, nmap -sX) #---->TARPIT
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP #(FIN Stealth Scan, nmap -sF, and other invalid combos) #---->TARPIT
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #(invalid combos)
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP #(invalid combos)
    $IPT -A bad_tcp -p tcp -m tcp --tcp-flags ACK,URG ACK,URG -j DROP #(invalid combos)
    # Anything not matched falls off the end of bad_tcp and returns to INPUT.
    All rules are commented to explain what kind of packets they are filtering. Of course IPT is set to the full path of the iptables binary!

    For anyone interested in a ready-to-use script, here is the link to the workstation one. Just one public interface and no forwarding enabled here.
    Of course it must be modified for different needs and program locations. Feel free to mail me for any kind of help with my netfilter script!

    www.buonanottebuongiorno.com/marco/netfilter.txt

    marco.longoni@email.it
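
    The following is an added example, written for this page and not part of ZiGZaG's script or of Look 'n' Stop, that makes the counting in the thread and the semantics of the flag rules above concrete. It enumerates Frederic's 2^6 = 64 combinations of the six classic flags, applies the `--tcp-flags MASK COMP` rules from the ruleset above as iptables(8) documents that match (inspect the bits in MASK, require exactly the bits in COMP), and extracts the flags byte from a raw TCP header built inline as constructed test input. The stateful rules (`! --syn --state NEW`, `--state INVALID`) need a connection tracker and are deliberately not modelled. The bit values are the RFC 793 ones plus ECE/CWR from RFC 3168; the helper names, the scan labels and the sample header are the example's own.

```python
"""Model the flag-only rules of the bad_tcp chain over all 64 classic-flag combinations.

Added example, not code from the thread. Assumes iptables' --tcp-flags MASK COMP
semantics (of the bits in MASK, exactly those in COMP are set) and RFC 793 flag
bit positions in the low byte of the TCP header's offset/flags word.
"""
import struct

# Bit values of the flags in the low byte of the 16-bit data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80                    # ECN flags Phant0m mentions; not among the classic six
CLASSIC = FIN | SYN | RST | PSH | ACK | URG
# Rendering order chosen to match Phant0m's list (e.g. "SYN-FIN-RST-PSH-ACK-URG").
NAME_ORDER = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR")]


def flags_from_header(tcp_header: bytes) -> int:
    """Extract the 8-bit flags field from a raw TCP header (RFC 793 layout)."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    # src port, dst port, seq, ack, (data offset | reserved | flags), window, checksum, urgent ptr
    _sport, _dport, _seq, _ack, off_flags, _win, _csum, _urgp = struct.unpack(
        "!HHIIHHHH", tcp_header[:20])
    return off_flags & 0xFF


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """Mirror iptables --tcp-flags MASK COMP: look only at MASK, require exactly COMP."""
    return (flags & mask) == comp


# ZiGZaG's flag-only DROP rules, in chain order (the REJECT on SYN,ACK is stateful and omitted).
RULES = [
    (CLASSIC,         0,               "NULL scan (nmap -sN)"),
    (FIN | PSH | URG, FIN | PSH | URG, "XMAS scan (nmap -sX)"),
    (FIN | ACK,       FIN,             "FIN without ACK (nmap -sF and others)"),
    (SYN | FIN,       SYN | FIN,       "SYN+FIN"),
    (SYN | RST,       SYN | RST,       "SYN+RST"),
    (ACK | URG,       ACK | URG,       "ACK+URG"),
]


def verdict(flags: int) -> tuple:
    """Return ("DROP", reason) for the first matching rule, else ("ACCEPT", "")."""
    for mask, comp, reason in RULES:
        if tcp_flags_match(flags, mask, comp):
            return "DROP", reason
    return "ACCEPT", ""


def flag_names(flags: int) -> str:
    """Render a flags byte the way Phant0m's list does, e.g. 'SYN-FIN-RST'; 0 is 'NULL'."""
    names = [name for bit, name in NAME_ORDER if flags & bit]
    return "-".join(names) if names else "NULL"


def parse_names(text: str) -> int:
    """Inverse of flag_names: 'SYN-FIN' -> SYN | FIN, 'NULL' -> 0."""
    if text == "NULL":
        return 0
    lookup = {name: bit for bit, name in NAME_ORDER}
    flags = 0
    for part in text.split("-"):
        flags |= lookup[part]
    return flags


def dropped_combinations() -> list:
    """Those of Frederic's 2**6 = 64 classic-flag combinations that the chain drops."""
    return [f for f in range(CLASSIC + 1) if verdict(f)[0] == "DROP"]


def build_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header carrying the given flags (constructed test input)."""
    data_offset_words = 5                                   # 20 bytes, no options
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)  # bit 8 would be the NS flag
    return struct.pack("!HHIIHHHH", sport, dport, 0x12345678, 0, off_flags, 1024, 0, 0)


if __name__ == "__main__":
    for f in range(CLASSIC + 1):
        action, reason = verdict(f)
        print(f"{flag_names(f):28} {action:6} {reason}")
    print(f"{len(dropped_combinations())} of 64 combinations dropped")
    probe = build_header(FIN | PSH | URG)                   # an XMAS probe, as nmap -sX would send
    print(flag_names(flags_from_header(probe)), verdict(flags_from_header(probe)))
```

    Running it lists the 64 combinations with their verdicts: 43 are dropped and 21 pass the flag rules. Two of ZiGZaG's own seven, PSH without ACK and URG without ACK, are among the 21 that pass; they are only caught by the `! --syn -m state --state NEW` rule, which is Ph33r's point about needing stateful inspection rather than flag matching alone. CWR and ECE, which Phant0m notes Look 'n' Stop does not filter, live in the same byte but are simply ignored by every rule above, because none of the masks lists them.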
     
  16. nameless, Registered Member (joined Feb 23, 2003)

    No, it doesn't.

    They're not "attacks".

    Nonsense.
     
  17. Thomas M, Registered Member (joined Jan 12, 2003)

    nameless,

    Although your reply might be a bit rough :rolleyes: , I completely agree with you!

    Thomas :)
     
  18. ZiGZaG, Registered Member

    ok guys.. but what about MY post? :)
     
  19. nameless, Registered Member

    An RIE file would be great. :)
     
  20. ZiGZaG, Registered Member

    What is an RIE file?
     
  21. nameless, Registered Member

    Are you an LNS user? An RIE file is a "rules import/export" file, and can be created and used by LNS. Go to the Internet Filtering tab, and click the Import or Export button. (Obviously, you want Export to create an RIE file.)
     
  22. ZiGZaG, Registered Member

    No, I am not, and I'm proud to use just an iptables script as a firewall.
     
  23. nameless, Registered Member

    That makes sense. Silly me, I didn't realize this was a "proud to do things the hard way" forum.
     
  24. ZiGZaG, Registered Member

    the easy way is rarely the stealth way, nameless.....
     