11.4 Captain, We're Being Scanned! (Stealth Scans)


Just as you start to win the rat race, they come up with smarter rats. A stealth scanner is one such smarter rat. The "higher level" intrusion detection systems (IDSs), such as the Deception Tool Kit and Adaptive TCP Wrappers, listen on particular ports with an ordinary TCP open (for TCP services).

This TCP open relies on its three-way open sequence completing properly; that is, three packets are exchanged between the two systems. On the server (the system not initiating the connection), the information present in the first packet is buffered until the third packet arrives from the initiator, and only then does the listening program learn of the connection.

In the half-open attack described in "SYN Flood Attack Explained" on page 245, that third packet never comes. Although all modern Linux kernels are immune to the DoS this attack causes, they normally do allow this stealth scan to go undetected.

However, IP Chains may be used to block these attacks because IP Chains operates at the packet level: it blocks the first packet regardless of whether any subsequent packet arrives to complete the three-way TCP open.
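The following is an added illustration, not code from the book: it replays a constructed packet trace and contrasts what an accept()-style listener (the application-level IDSs above) sees with what a packet-level filter such as IP Chains sees. The addresses, ports and the flow-key simplification are assumptions made for the example.

```python
from collections import defaultdict

# Constructed trace: (src, dst, service_port, flags). For simplicity the flow key
# is always the server-side service port in both directions. 10.0.0.9 is the
# half-open scanner: it sends a SYN, gets SYN/ACK (open) or RST (closed) back and
# never sends the third packet. 10.0.0.5 is a normal client completing a handshake.
TRACE = [
    ("10.0.0.9", "10.0.0.1", 22, "S"),
    ("10.0.0.1", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "10.0.0.1", 25, "S"),
    ("10.0.0.1", "10.0.0.9", 25, "RA"),
    ("10.0.0.5", "10.0.0.1", 80, "S"),
    ("10.0.0.1", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.1", 80, "A"),
    ("10.0.0.9", "10.0.0.1", 80, "S"),
    ("10.0.0.1", "10.0.0.9", 80, "SA"),
]

def handshakes(trace):
    """Track each (client, port) flow through SYN -> SYN/ACK -> ACK."""
    state = {}
    for src, dst, port, flags in trace:
        if flags == "S":
            state[(src, port)] = "syn"
        elif flags == "SA" and state.get((dst, port)) == "syn":
            state[(dst, port)] = "synack"
        elif flags == "A" and state.get((src, port)) == "synack":
            state[(src, port)] = "open"
    return state

def application_view(trace):
    """Connections an accept()-based listener ever learns about."""
    return {flow for flow, st in handshakes(trace).items() if st == "open"}

def half_open_probes(trace):
    """Per-client ports that received a SYN but never a completed handshake:
    visible (and blockable) at the packet level, invisible to the application."""
    probes = defaultdict(list)
    for (client, port), st in handshakes(trace).items():
        if st != "open":
            probes[client].append(port)
    return {c: sorted(p) for c, p in probes.items()}

if __name__ == "__main__":
    print("application layer sees:", application_view(TRACE))
    print("half-open probes seen at packet level:", half_open_probes(TRACE))
```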

See also "Defeating SYN Flood Attacks" on page 245.

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
