FIN Flags, Fragment Block

Hello everyone!

During the last time there have been several questions about the rules IP: Fragment Block, TCP: FIN Flags,... These rules are not enabled by default in enhanced mode. I would like to show you why such rules should be enabled all the time. For further information about the questions see:

https://www.wilderssecurity.com/showthread.php?t=8613

https://www.wilderssecurity.com/showthread.php?t=8690

On of my principles still is:

YOU SHALL KNOW HOW HACKERS ATTACK, SO THAT YOU CAN DEFEND YOURSELF!

Now let's see, what this means in reality. First of all, hackers use so called port scanners to find open ports and unprotected computers. Examples of such tools are:

Superscan:
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

Nmap:
http://www.insecure.org/nmap/index.html

Let's look especially at the latter one, which is of more importance. If you scan an IP-range you'll find a lot of open, unprotected computers, sigh... Yes, unfortunately this is true!

With the Nmap tool you can do special port scans, as you see in the following image:

http://www.insecure.org/nmap/images/nmapfe.gif

As you see you are able to use the SYN Stealth, FIN Stealth,... method to find open ports. Most popular firewalls/routers answer to such packets. And this means that you're system has been compromised!! Yes, you aren't stealth anymore! Now they know that your computer is up and running!

If you enable the rules IP: Fragment Block, TCP: FIN Flags,... you will be safe of such attacks (even though there's no 100% security). If you don't enable them you aren't safe at all!!!

If you wanna know how hackers attack systems, read the following posts of a hacker (translated into several different languages):

http://www.insecure.org/nmap/nmap-fingerprinting-article.html

So, when you have read this article and you still don't think security is important, I can't help you! If you say to yourself, please help me to make my system more secure you are at the right place and at the right forum.

First I suggest that you enable the above mentioned rules (you use enhanced mode, don't you) and secondly that you consider putting a good router in front your computer (if you have more than one computer accessing the net).

There are certainly more methods of making your computer more secure, but if you read this, you are already at the right place. Go ahead and read in the other forums (TDS-3,...). If you wanna test your own system and its security go for example to PC Flank and GRC (ShieldsUP) and test it thoroughly:

http://www.pcflank.com/

http://grc.com/default.htm

If you have further questions, don't hesitate to ask!

Best regards!

Patrice

 

Hey Patrice

Congratulations not bad…

One can use numerous invalid TCP Flags combinations (not absolutely sure how many Frederic had said over on Becky’s about 66? Different invalid TCP Flags Combinations?…) to bypass an everyday Software Firewall, and today’s Routers with Software Firewall capabilities should contain Filtering System of a lot of these)… Right off hand I know of 16 Different invalid TCP Flags Combinations not including Invalid Packets in General whether or not it’s over TCP, UDP or ICMP and so forth…

By Default of EnhancedRulesSet.rls it contains possible 3/4 Invalid TCP Flags possibilities to prevent Leaks which pcFlank clearly points out on its site… However, due to ACK being used Look ‘n’ Stop will still Leak unless you use “TCP – Stateful Packet Inspection” Feature, and of course that alone will fix many situations…

 

Hi Ph33r!

Thanks for your answer! I don't know as much as you do about the technical stuff of IP/UDP packets, but just the basics. But I completely agree to what you said about TCP - Stateful Packet Inspection. Even though I use a good router (NAT,...) some packets are still blocked by Look'n'Stop! That means, that some packets get through.

Best regards!

Patrice

 

Hey Patrice

Encase you like to know I know exactly how many possibilities Frederic had mentioned on a post over on Becky’s Board December sometime 2002, he mentioned 64 possibilities but I’m not sure how he came up with that calculations as I cannot even calculate more then 16 possibilities.

I’ll be quite surprise to see someone come on here poster more then 16 possibilities…

 

Hi Ph33r,

I suppose I simply said 64 because there are 6 different TCP flags.
2^6 = 64.

Ï don't think that for a standard use of the TCP Protocol all the 64 possibilities are effectively possible.
But by manually creating raw packets, it is possible to build any of the 64 possibilities.

Frederic

 

Now that’s what I call clarity! Thanks Frederic

 

Hi all guys. This is my first post to this forum. First of all i advise you: my english is fair, so please be patient with me. I were searching the web for a list of Invalid tcp flags combinations, and i got a few matches on google, one of those was this one.
Ph33r said: "Right off hand I know of 16 Different invalid TCP Flags Combinations..."
Well, i know just 7!
# All state bits zeroed
# FIN set ACK cleared
# PSH set ACK cleared
# URG set ACK cleared
# SYN and FIN set
# SYN and RST set
# FIN and RST set

I would like to know other combinations Ph33r was talking in his reply.

And then, the last reply by Frederic says: "I suppose I simply said 64 because there are 6 different TCP flags.
2^6 = 64"
But if there are 6 (SYN,FIN,RST,ACK,PSH,URG) flags, by creating RAW packets with a packet forger software i think you can make much more combinations! 6^6, not 2^6.. is this true? Or not?
I'm sorry for replyng to a 1yr old thread, but i wish u will take a moment to help me solving my doubts.

 

_ - (NULL: Stealth Scan)
ACK-URG
FIN (FIN: Stealth Scan)
FIN-PSH
FIN-RST
FIN-URG
FIN-PSH-URG (XMAS: Stealth Scan)
FIN-RST-URG
FIN-RST-PSH-URG
SYN-RST
SYN-FIN
SYN-FIN-RST
SYN-FIN-PSH
SYN-FIN-RST-PSH
SYN-FIN-RST-PSH-ACK
SYN-FIN-RST-PSH-ACK-URG

 

well Phant0m, first of all tnx a lot for answering quickly!
take a look at the first quoted line, i think u wanted to write FIN-PSH, right?

and with the last two lines of the quote u confirmed me the second question of my first post: there are much more than 2^6=64 combinations of tcp flags! But.. are they really 6^6=46656?? And if they are so much, why should we ignore most of them and add just 16 to netfilter?

tnx a lot 4 beeing patient with me!

 

Hi ZiGZaG,

It's definitely 2^64.

You have only 2 possibilities per bit: 0 or 1, so for six bits 2*2*2*2*2*2.

Frederic

 

If I can re-call, Look 'n' Stop doesn't identify and control TCP packets containing CWR, ECE flags...

 

2^64=18446744073709551616 ??
i really wish it was a type error!

 

I think Frederic meant 2^6 = 64, which written quickly gives 2^64

gkweb.

 

Yes, of course. Sorry for the confusion

Frédéric

 

well, finally i got the whole ruleset to filter any kind of invalid tcp/ip based packet: i post it in wish it may be useful for ppl, and also because i'd like very much my rules to be discussed in such a forum.

Code:

###########################################################################
###New not syn###
$IPT -A bad_tcp -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPT -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP #--->TARPIT
###State invalid###
$IPT -A bad_tcp -m state --state INVALID -j DROP
###Invalid flag combos###
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags ALL NONE -j DROP #(NULL Stealth Scan, nmap -sN) #---->TARPIT
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP #(XMAS Stealth Scan, nmap -sX)#---->TARPIT
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP #(FIN Stealth Scan, nmap -sF, and  other invalid combos) #---->TARPIT
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #(invalid combos)
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP #(invalid combos)
$IPT -A bad_tcp -p tcp -m tcp --tcp-flags ACK,URG ACK,URG -j DROP #(invalid combos)
#
#

All rules are commented to explain what kind of packets are they filtering. Of course IPT is set to the full path of the iptables binary!

For someone intrested in a ready for use script, i give the link to the workstation one. Just one public interface and no forwarding enabled here.
Of course it must be modified because of different needs and programs locations. Feel free to mail me 4 any kind of help on my netfilter script!

www.buonanottebuongiorno.com/marco/netfilter.txt

marco.longoni@email.it

 

No, it doesn't.

They're not "attacks".

Nonsense.

 

namless,

Although your reply might be a kind of rough , I completely agree with you!

Thomas

 

ok guys.. but what about MY post?

 

An RIE file would be great.

 

what is a RIE file?

 

Are you an LNS user? An RIE file is a "rules import/export" file, and can be created and used by LNS. Go to the Internet Filtering tab, and click the Import or Export button. (Obiously, you want Export to create an RIE file.)

 

no, i am not. and i'm proud to use just an iptables script as firewall

 

That makes sense. Silly me, I didn't realize this was a "proud to do things the hard way" forum.

 

the easy way is rarely the stealth way, nameless.....