David,
depending on the target OS, a FIN scan can reveal open ports.
Basically an unsolliceted FIN packet will be:

- ignored on an open port (RFC 793)

- while on a closed port that will trigger a RST/ACK back

In turn that will give to the attacker a way to understand what ports
are actually available on the target.

Things is, a FIN scan is not likelly to be seen and logged by a
firewall which si not stateful.

Andrea

On Wed, Aug 20, 2008 at 6:15 PM, David Gillett <gillettdavid (at) fhda (dot) edu [email concealed]> wrote:
> Statefulness doesn't help with SYN port scans -- that much is correct.
>
> However, some attacks may depend on violating the normal state transitions
> or sequencing of TCP traffic, or on scanning with other sorts of packets --
> I see unsolicited SYN-ACK packets all the time. (Those are probably just
> responses to spoofed SYNs, but I can't know that for certain. I'm not sure
> what a scan with RST or FIN packets would reveal.)
>
> Most of the stateful firewalls I've seen also do inspection of FTP control
>
> traffic, so that FTP data sessions on negotiated ports can be allowed
> without
> leaving masses of high-numbered ports open all the time. An awful lot of
> junk/noise can be filtered out by that.
>
> David Gillett
>
>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Juan B
>> Sent: Tuesday, August 19, 2008 10:05 PM
>> To: security basics
>> Subject: statefull inspection FW and hackers
>>
>>
>>
>> Hi,
>>
>> Can someone please explain why statefull inspection Fw helps
>> against hackers? I know that those FW keep track of the
>> sessions but I dont understand how the feature might help
>> against a port scan from the internet or other ways to
>> mitigate hackers attacks.
>>
>> Thanks
>>
>> Juan
>>
>>
>>
>>
>>
>>
>>
>>
>
>

[ reply ]